• 0 Votes
    3 Posts
    671 Views
    stephenw10S

    So in the package manager page? What pfSense version was that in?

    Steve

  • New Installation - No internet on LAN

    0 Votes
    29 Posts
    2k Views
    JonathanLeeJ

    @musthafa said in New Installation - No internet on LAN:

    @JonathanLee said in New Installation - No internet on LAN:

    Sometimes it holds on to records. Also, have you set a rule to allow port 53 on your firewall ACL lists? Or NAT?

    No. I'm new to pfSense. please guide me on it

    https://docs.netgate.com/pfsense/en/latest/services/dns/index.html

    Netgate has a docs page that's amazing. I recommend you look at a configuration recipe. They have configuration instructions written like a cookbook, using the term "recipe".

  • 1 Votes
    22 Posts
    3k Views
    JonathanLeeJ

    Do you restrict the number of states allowed on some connections? I noticed that once I set, for example, 1 state allowed at a time for the GUI, it started to speed up a lot. On some I added expire timers, like my VPNs etc.

    How many states should the ACL for the HAProxy system have??? Maybe just one, as it is linked to the other proxy.

    [screenshot attached: Screenshot 2024-03-15 at 13.15.33.png]

    I don't know if that helps, but some cookies kept creating multiple states for some weird reason and slowing everything down. But that was just me; this fixed it for me with Kea in use also.

  • IPv4 Internet with IPv6 LAN

    0 Votes
    9 Posts
    1k Views
    stephenw10S

    If your ISP is offering some sort of translation to v6 upstream then you may be able to use that. Or potentially you could host your own translation node to do that. But it would still be easier to just tunnel or encapsulate the v6 to something you host.

  • Possible to re-arange the Traffic Graphs widget?

    0 Votes
    4 Posts
    477 Views
    stephenw10S

    The interfaces in the widget are simply parsed in the order they appear in the config. The only options there are to hide interfaces. You could potentially reorder the interfaces in the config if it's really important to you.

  • 0 Votes
    10 Posts
    1k Views
    J

    @stephenw10

    Looks like just a reboot has done it. I have a backup Netgate box that I swapped over with the same config, so I could work on the problem box. Interestingly, when SSH'd onto the unit it was not loading the menu, but it did allow me to send the reboot command to it, and after it came back up it behaved as normal. I swapped it back into the production network and all looks good. No recurrence of the error so far. Hopefully now OK.

    Thanks for your help :)

  • zfskern occasionally causing high CPU load - But I'm not using ZFS

    0 Votes
    5 Posts
    460 Views
    A

    @stephenw10 Unfortunately, no. It only seems to show up at startup fortunately. If I catch it again I'll screenshot it.

  • add nat & fw rules over script over SSH

    0 Votes
    5 Posts
    474 Views
    M

    @stephenw10

    Thank you so much.

    It would be nice in the near future to have some options to manage the firewall & NAT rules over the command line.

    Right now pfSense is starting to be used at very large scale in datacenters for secure layer apps.

    It can be a game changer for pfSense to be massively deployed at large scale.

    Thank you.

    Have a nice time.

  • Consistently stuck at "Updating CPU Microcode" during bootup

    0 Votes
    11 Posts
    1k Views
    stephenw10S

    Hmm, I was going to recommend disabling the audio hardware in the BIOS:

    hdacc0: <Realtek ALC897 HDA CODEC> at cad 0 on hdac0
    hdaa0: <Realtek ALC897 Audio Function Group> at nid 1 on hdacc0
    pcm0: <Realtek ALC897 (Right Analog)> at nid 20 and 24 on hdaa0
    hdacc1: <Intel Kaby Lake HDA CODEC> at cad 2 on hdac0
    hdaa1: <Intel Kaby Lake Audio Function Group> at nid 1 on hdacc1
    pcm1: <Intel Kaby Lake (HDMI/DP 8ch)> at nid 3 on hdaa1

    But you probably can't do that in Coreboot.

    You can see in your output though that it is booting with Video as the primary console:
    Dual Console: Video Primary, Serial Secondary

    If you have a serial connection I recommend setting serial as the primary console, if only because it's much easier to log and copy output from a serial terminal.

  • 0 Votes
    2 Posts
    238 Views
    bmeeksB

    Since you changed nothing on pfSense (at least directly), I would go looking for the root cause in the Nutanix Cluster update process. My first guess would be during the move from node to node the Nutanix process changed something about the VNICs (could have been a MAC address, could have been something related to VLAN IDs if used, etc.). Changes to the VNIC could leave pfSense "confused" about which interface is LAN and which is WAN, for example.

  • Wan periodic reset causes system reboot.

    0 Votes
    152 Posts
    41k Views
    RobbieTTR

    @stephenw10
    It is too early to tell, but my internet fell over today, so multiple disconnects and re-connection attempts...

    ...and the router didn't crash.

    There is hope.

    ☕️

  • Using 2 gateways with different subnets on a single WAN interface

    0 Votes
    20 Posts
    1k Views
    E

    @stephenw10

    Hey there, sorry for the late reply, had some personal issues and I wasn't available. I'm gonna try again and update as soon as I can. ISP is sadly still pretty unresponsive...

    Thanks again.

  • [SOLVED] NTP not answering on 2-nd uplink WAN

    0 Votes
    47 Posts
    8k Views
    stephenw10S

    Ah you actually have an interface group for the WANs with the rule on it?

    Yes, if you do that, reply-to tags cannot work because the rule applies to multiple interfaces. It cannot know which interface (gateway) to reply to.
    For reply-to tagging to work, incoming traffic must be passed on the interface itself. It's the same reason that OpenVPN traffic must be passed on an assigned interface for reply-to to work. The group openvpn interface will not tag it.

    @Sergei_Shablovsky said in [SOLVED] NTP not answering on 2-nd uplink WAN:

    And in System / Routing / Gateways this BALANCED group set as “Default Gateway IPv4”

    That's still invalid. The system default gateway should only be a specific gateway or a failover group. You cannot load-balance traffic like that.

    Steve

  • Connecting to CloudFlare, surely its possible.

    0 Votes
    25 Posts
    10k Views
    Sergei_ShablovskyS

    @NollipfSense said in Connecting to CloudFlare, surely its possible.:

    @deanfourie I think a better question would be what about REST API that was promised for pfSense 2.6 but didn't make it? Has pfSense moved away from implementing that strategy? With REST API, it would be very easy to run containers and other micro-services...

    Besides the Netgate promises, the idea of running micro-services and especially containers inside pfSense is a very bad idea.

    I prefer to look at pfSense as a solid system with a fraction of 3rd-party packages (but VERY WELL TESTED and bug-free!).

  • No longer a lurker.

    0 Votes
    5 Posts
    540 Views
    hydnH

    @stephenw10 Thanks sir!

  • Package list is empty

    0 Votes
    12 Posts
    1k Views
    G

    @Gertjan said in Package list is empty:

    @Gblenn said in Package list is empty:

    Still don't understand why the package list is empty?

    pfSense Plus without a license: you need the license to connect to the package update system. No license means no connection, and that can explain the empty package list.
    Please take note: I presume it works like this (I'm just a pfSense user like you), and that is what I make of it from reading this.

    The CE 2.7.2 is not the same product, and is free.

    I've found "Issue with going from 2.7.0 to 2.7.2" which has probably a solution for you.

    You may be right that there is no connection to the package update system without a license. But then I think it needs to be added to the current statement, which says: "the ability to get timely updates with bug fixes and improved features may be limited".
    I don't really see that it would be necessary to remove the packages in order to limit updates.

    BTW, the solution provided by SteveITS was also in the thread you found... so thanks for finding the link.

  • Speedtest (Ookla) on device? What’s the latest?

    0 Votes
    14 Posts
    2k Views
    JKnottJ

    @Sergei_Shablovsky said in Speedtest (Ookla) on device? What’s the latest?:

    BTW, does anyone actually get 1 Gb on a 1 Gb connection? Seems to me there should be some overhead accounted for. I also get around 920 with iperf over my LAN.

    Please read (or look on YouTube) the basics of networking: what TCP/IP, ICMP, VPNs and other protocols are, what layers and datagrams are, what routers/switches are, how an ISP works, etc. ;)

    I guess you haven't noticed me on this forum for years providing advice to others. My comment was to point out that if you have a 1 Gb connection, you will not see 1 Gb because of the various overheads. We're also running into hardware limits that we didn't see before, because the bandwidth we received was less than what our hardware was capable of. In my own example, my account is supposed to be 1.5 Gb, but my firewall, switch and computers are only capable of 1 Gb. I also did a comparison on my network, with Speedtest from my computer to my ISP's server and also from my computer to the firewall with iperf3, and got similar results, which showed I was being hardware limited, not Internet limited to the Speedtest server.

    BTW, I have long worked in the telecom industry, mostly as a technician, going back to 1972, have worked with computers since 1977, first LAN experience in 1978, Cisco CCNA and more. I also had TCP/IP courses at a local college and IBM. I also spent almost 4 years at IBM Canada, providing software support (mostly 3rd level). So, I do have some idea about what happens with networks & the Internet.
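
    To put numbers on the overhead point made above, here is an added example (it is not part of the post or of pfSense): it works out the upper bound on TCP goodput for a given link rate and MTU from the standard Ethernet framing bytes (preamble, SFD, header, FCS, inter-frame gap) plus the IP and TCP headers. The 12-byte TCP option size is an assumption covering the usual timestamp option; ACK traffic and loss are ignored, so real iperf3 numbers land a little below this bound.

```python
"""Upper bound on TCP goodput over Ethernet for a given MTU.

Added example, not from the post: it only carries out the framing
arithmetic behind "you will not see 1 Gb on a 1 Gb connection".
"Line rate" is the physical bit rate; "goodput" is the TCP payload
rate the application (or a speed test) actually measures.
"""

# Per-frame Ethernet cost on the wire that carries no IP payload.
ETH_OVERHEAD = 7 + 1 + 14 + 4 + 12   # preamble, SFD, header, FCS, inter-frame gap
IPV4_HDR = 20
IPV6_HDR = 40
TCP_HDR = 20


def tcp_goodput_mbps(line_rate_mbps, mtu=1500, ipv6=False, tcp_options=12):
    """Maximum TCP payload rate in Mbit/s for full-size segments.

    tcp_options=12 is an assumption: the timestamp option (10 bytes padded
    to 12) that Linux and FreeBSD negotiate by default. Pass 0 for a stack
    that sends bare 20-byte TCP headers.
    """
    ip_hdr = IPV6_HDR if ipv6 else IPV4_HDR
    payload = mtu - ip_hdr - TCP_HDR - tcp_options   # bytes of application data per frame
    wire = mtu + ETH_OVERHEAD                        # bytes the link is busy for per frame
    if payload <= 0:
        raise ValueError("MTU too small to carry any TCP payload")
    return line_rate_mbps * payload / wire


def goodput_fraction(mtu=1500, ipv6=False, tcp_options=12):
    """Same bound expressed as a fraction of line rate."""
    return tcp_goodput_mbps(1.0, mtu, ipv6, tcp_options)


if __name__ == "__main__":
    for mtu in (1500, 9000):
        for ipv6 in (False, True):
            print(f"1 GbE, MTU {mtu}, {'IPv6' if ipv6 else 'IPv4'}: "
                  f"{tcp_goodput_mbps(1000, mtu, ipv6):.1f} Mbit/s max goodput")
```

    On a 1 GbE link with a 1500-byte MTU the bound is roughly 941 Mbit/s with TCP timestamps (949 without), which is why ~920 Mbit/s from iperf3 across a LAN is a healthy result rather than a problem; jumbo frames push the bound above 990 Mbit/s because the fixed per-frame cost is spread over six times more payload.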

  • Why "Blocking Bogons" breaks DHCPv6 on WAN

    0 Votes
    21 Posts
    3k Views
    stephenw10S

    You can see the rules in the rules.debug file, for example:

    # allow our DHCPv6 client out to the BT
    pass in quick on $BT proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 ridentifier 1000005711 label "allow dhcpv6 client in BT"
    pass in quick on $BT proto udp from any port = 547 to any port = 546 ridentifier 1000005712 label "allow dhcpv6 client in BT"
    # Add Priority to dhcp6c packets if enabled
    pass out quick on $BT proto udp from any port = 546 to any port = 547 ridentifier 1000005713 label "allow dhcpv6 client out BT"

    That is above the block bogons rule:

    # block bogon networks (IPv6)
    # https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
    block in log quick on $BT from <bogonsv6> to any ridentifier 11004 label "block bogon IPv6 networks from BT"

    Steve
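
    Why the order of those rules matters can be checked with the toy evaluator below. It is an added example, not pfSense code and not part of Steve's post: it models only what the post is about (rule order, `quick`, and the `<bogonsv6>` table), ignoring anchors, state tracking and most pf keywords. The table contents are constructed, on the assumption that the Team Cymru full bogons list contains `fe80::/10` (link-local), which is what makes a DHCPv6 reply look like bogon traffic; the final default-deny line is also constructed so that "nothing matched" is visible in the result.

```python
"""Toy evaluator for pf 'quick' rule ordering.

Added example, not pfSense code. It parses the rules.debug lines quoted
above and decides what happens to a DHCPv6 reply when the allow rules sit
above the bogon block, and when the bogon block is moved above them.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for pfSense's <bogonsv6> table. Assumption: the real
# fullbogons-ipv6 list contains fe80::/10, so link-local DHCPv6 peers are bogons.
TABLES = {"bogonsv6": [ipaddress.ip_network(n)
                       for n in ("fe80::/10", "fc00::/7", "2001:db8::/32")]}

# The rules quoted in the post, followed by a constructed default deny.
RULES_DEBUG = """
pass in quick on $BT proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 ridentifier 1000005711 label "allow dhcpv6 client in BT"
pass in quick on $BT proto udp from any port = 547 to any port = 546 ridentifier 1000005712 label "allow dhcpv6 client in BT"
pass out quick on $BT proto udp from any port = 546 to any port = 547 ridentifier 1000005713 label "allow dhcpv6 client out BT"
block in log quick on $BT from <bogonsv6> to any ridentifier 11004 label "block bogon IPv6 networks from BT"
block in log quick on $BT from any to any label "constructed default deny"
"""

# Covers only the keyword forms that appear in the lines above.
RULE_RE = re.compile(
    r'^(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+log)?(?P<quick>\s+quick)?'
    r'\s+on\s+\$?(?P<iface>\w+)(?:\s+proto\s+(?P<proto>\w+))?'
    r'\s+from\s+(?P<src>\S+)(?:\s+port\s*=\s*(?P<sport>\d+))?'
    r'\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?'
    r'.*?label\s+"(?P<label>[^"]*)"')


@dataclass
class Rule:
    action: str
    direction: str
    quick: bool
    iface: str
    proto: Optional[str]
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    label: str


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        g = m.groupdict()
        rules.append(Rule(g["action"], g["dir"], g["quick"] is not None, g["iface"],
                          g["proto"], g["src"], int(g["sport"]) if g["sport"] else None,
                          g["dst"], int(g["dport"]) if g["dport"] else None, g["label"]))
    return rules


def addr_matches(spec, addr):
    """'any', a <table> reference, or a literal network."""
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec.startswith("<") and spec.endswith(">"):
        return any(ip in net for net in TABLES[spec[1:-1]])
    return ip in ipaddress.ip_network(spec, strict=False)


def rule_matches(r, p):
    return (r.direction == p.direction and r.iface == p.iface
            and (r.proto is None or r.proto == p.proto)
            and addr_matches(r.src, p.src) and addr_matches(r.dst, p.dst)
            and (r.sport is None or r.sport == p.sport)
            and (r.dport is None or r.dport == p.dport))


def evaluate(rules, pkt):
    """pf semantics: last matching rule wins, unless a matching rule is
    'quick', which ends evaluation immediately. With no match, pf passes."""
    decision = ("pass", "no rule matched (pf default)")
    for r in rules:
        if rule_matches(r, pkt):
            decision = (r.action, r.label)
            if r.quick:
                break
    return decision


# Constructed packet: DHCPv6 Reply from the upstream server (link-local,
# port 547) to our dhcp6c client (link-local, port 546) arriving on BT.
DHCPV6_REPLY = Packet("in", "BT", "udp", "fe80::1", 547, "fe80::2", 546)


def dhcpv6_with_allow_rules_first():
    return evaluate(parse_rules(RULES_DEBUG), DHCPV6_REPLY)


def dhcpv6_with_bogon_block_first():
    rules = parse_rules(RULES_DEBUG)
    bogon = next(r for r in rules if "bogon" in r.label)
    rules.remove(bogon)
    return evaluate([bogon] + rules, DHCPV6_REPLY)


if __name__ == "__main__":
    print("allow rules above bogon block:", dhcpv6_with_allow_rules_first())
    print("bogon block above allow rules:", dhcpv6_with_bogon_block_first())
```

    The reply is passed by the second DHCPv6 rule when the ruleset is ordered as in the post; move the bogon block above it and the same packet is dropped, because its link-local source falls inside the bogon table and `quick` stops evaluation before the allow rule is reached. The same check against a live box is `pfctl -sr` (or reading /tmp/rules.debug) to confirm the DHCPv6 pass rules print before the bogon block.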

  • Not Getting Wan Address

    Moved
    0 Votes
    14 Posts
    1k Views
    G

    @Malvazar Well, who cares, the important thing is that it works now!

  • Speed Test Panel Under Pfsense 2.7.0 Free BSD14

    0 Votes
    16 Posts
    7k Views
    Sergei_ShablovskyS

    @johnpoz said in Speed Test Panel Under Pfsense 2.7.0 Free BSD14:

    @Unoptanio as to your values - I have been saying for years - depending on your hardware (pfsense) which isn't meant as a client running speed tests directly on it or too it can show varying results..

    But this gives an understanding of the whole ISP uplink bandwidth. (Of course this measurement must be done WITHOUT any other "everyday normal work" net flow.
    Better to measure at 10-11am, 4:30-5:30pm daytime and 7:30-10:00pm (when ISP appliances are maximally loaded) WITHOUT any other "normal work" net activity.)

    While it's fine for, say, a benchmark: the pfsense shows 100, and now it's 50 - then something's prob not right.. But when you route through pfsense you see your full, say, 200 speed.

    If you're going to run speedtest like this or iperf directly on pfsense - you need to understand that. The test of a firewall/router function for routing and firewalling - is through it, not to or from it..

    You are right, but 8 of 10 questions here on the forum are ABOUT UPLINK BANDWIDTH!!! People are not interested in "testing the pfSense router", but in "how fast is my internet".

    Look at this not from the router developer's position (I understand clearly, pfSense is like your child), but FROM AN ORDINARY USER'S PERSPECTIVE.

    Only 10-15% are interested in measuring VPN connections, or how well shaping/limiting is working. (And yes, traffic generators and iperf3 are kings here.)

    I wouldn't put much stock in it if the values don't meet your expectations.. Test from a client through pfsense to see if you're getting what you should be getting, etc.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.