  • FreeBSD 14 stable will be released on August 18, 2023, how about pfSense?

    7
    0 Votes
    7 Posts
    857 Views
    stephenw10S

    There isn't going to be a pfSense release specifically for the FreeBSD 14 release. Since we're already on 14 the change there is minimal.

  • pfSense crashes randomly - new setup

    17
    0 Votes
    17 Posts
    2k Views
    stephenw10S

    Yup, testing the card in a different host is really the only way to know for sure.

  • WAN DHCP IP wrong broadcast address

    5
    0 Votes
    5 Posts
    567 Views
    M

    @johnpoz Thanks. We were having a bandwidth throughput problem with the ISP. Long story short, the issue with throughput has been resolved and it was the provisioning the ISP had on the modem. But in the process of trying to diagnose the issue, I was going through all the settings on the gateway and noticed the broadcast address on the WAN.

    The interesting thing about the issue we were having is when we plugged a laptop directly into the modem, we were getting the advertised bandwidth. When we placed the Netgate 6100 between the modem and laptop, the throughput would only be 1/4 of the advertised rating.

    I ended up putting another laptop with iperf3 on the internal and external sides of the gateway as proof to the ISP the gateway was not limiting the bandwidth. The ISP re-provisioned the modem and that ended up resolving the issue.

  • Two Lans, possible routing issue

    10
    0 Votes
    10 Posts
    775 Views
    johnpozJ

    @guyz said in Two Lans, possible routing issue:

    come from the factory with a 10.224.0.0/16 IP already and it saves me time to reconfigure ...

    haha - thanks.. Well that makes sense then..

  • Ideas to secure network from network music player

    14
    0 Votes
    14 Posts
    2k Views
    johnpozJ

    @stephenw10 yeah avahi per their own website

    "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite"

    I wouldn't have any use for DLNA discovery.. Which would be SSDP on port 1900 pretty sure..

  • Deploy backup config xml from 2.3.5-p2 on newest 2.7.0-ce - will it work?

    Moved
    3
    0 Votes
    3 Posts
    186 Views
    M

    @jimp thank you

  • Best topology for my network

    43
    0 Votes
    43 Posts
    6k Views
    T

    @johnpoz

    Thanks. I figured we've beaten this thread for all it's worth and I should post additional FW questions in the proper section of the forum, so I had tried to post:

    You seem surprised. Did I mention that I'm just learning all this? :)
    My AP has no reference to or configuration options for a 'Management IP', so I had no idea the auth would be on anything other than the network that it was using that auth on.
    I know now, and I appreciate all the help I'm receiving here.
    But be prepared, I'll continue to have "dumb" questions, especially about the FW, until I... get it.
    Like this one for instance

  • Workstation for editors Unsafe?!

    2
    0 Votes
    2 Posts
    293 Views
    jimpJ

    If you allow direct remote connections to the local PCs using port forwards or some other similar mechanism that anyone that knows your address can hit, that's very insecure (e.g. RDP, VNC, etc., directly exposed to WANs).

    If you have them connect to a VPN first (WireGuard, IPsec, or OpenVPN) and then connect to a local system, that's not so bad.

    Beyond that the risk is in how much you trust the people connecting in. Ideally they'd connect to PCs/VMs in an isolated network/VLAN away from your own personal home network so they don't have any opportunity to disrupt or access your other systems.

  • 4100 Temperature

    18
    0 Votes
    18 Posts
    1k Views
    D

    @Gertjan July Netgate in A.png

    I see what you mean by spacers, that's a lot more "horsepower" than I have, just a peer to peer setup for me. I have no IT experience, I guess that shows 😁 No server here, just a hodge podge of things I found on the cheap, except the 4100. It's such an overkill for what I ask it to do.
    What I really appreciate is the knowledge and experience, one can find here, and the help offered.

  • 0 Votes
    3 Posts
    420 Views
    P

    @stephenw10 Sorry I didn't get back to you; I must have missed the reply.

    I saw cores for lighttpd, pkg-static, sudo, and I think squidGuard and snort.

    It looked like everything went through, according to /conf/upgrade_log.latest.txt, but the last reboot didn't finish. I had to manually reset it. After that, it said it was fine.

    I had to put this on hold for a bit (I didn't have a USB-serial adapter handy), but eventually got it working without a reinstall:

    I happened across pkg-static.pkgsave, which did work. (It has the same md5sum as the pkg-static on the installation CD.) I used the command prompt at /diag_command.php, which I discovered runs commands as root, to create an ersatz su (a copy of /bin/sh that's mode 4755). I used that to run pkg-static.pkgsave bootstrap -f to reinstall pkg. The pkg command, because of a quirk of implementation, can’t update the packages database when run under my ersatz su (it uses faccessat to check the database, which checks with the real uid, not the euid). But, now that pkg was working, I could use the GUI to reinstall sudo. Using sudo, I was able to run pkg-static install -fy pkg pfSense-repo pfSense-upgrade and pkg-static upgrade -f. I later found all of my add-on packages were locked; the pkg command and the GUI would just note that they were updating the database. They wouldn’t upgrade the packages, or print a message. I ended up using pkg unlock on them.

    I know this is all pretty rough-and-ready work, and I’ll need to do a clean install to make sure that everything really is cleaned up. But this at least got me going until I can afford the downtime to do a clean install.

    The key here had been pkg-static.pkgsave; I only happened across it by accident while I was tab-completing. It may be valuable to put a note about this on the Troubleshooting Upgrades page.

  • 0 Votes
    4 Posts
    1k Views
    GertjanG

    @NollipfSense said in Unable to resolve acb.netgate.com notifications every 10 seconds for hours…:

    acb,netgate.com

    Check : it's acb.netgate.com

    An unfiltered DNS, default DNS settings, using plain resolving, gives me:

    [23.05.1-RELEASE][root@pfSense.bhf.net]/root: host acb.netgate.com
    acb.netgate.com has address 208.123.73.212

  • Help with deciphering 2.7.0 crash dump

    4
    0 Votes
    4 Posts
    538 Views
    F

    So far, so good! No crashes after about 10 days since updating the BIOS/microcode. Let's hope it stays that way!

  • NTP Sync has stopped.

    5
    0 Votes
    5 Posts
    393 Views
    J

    @johnpoz Yes, as above "I can ping all the IP addresses returned by the pools." and as is the nature of the pools, you likely get different responses with each subsequent uncached DNS query.
    However those IP addresses can be pinged as well..

    Nothing has really changed in my configuration and clearly it has stopped around the time I applied the last system update.
    But not a DNS issue for sure.

    No FW rules have even been changed since it worked last. The log file I originally attached in the first message has IP address, all check.

    4.png

    I set up a packet trace to check for 123 outbound on the WAN. I don't have an old log file, but I'm pretty sure it used to log the finding and changing of the active.
    Meanwhile
    The packet trace led to a WTH moment.
    The requests are coming from an IP that I don't use in my network. (10.10.
    ifconfig, it is bound to localhost.
    Wait localhost, why that? (I don't even listen on localhost.)

    5.png

    But what I did was select (WAN, LAN, localhost) on the above screen, then clear (WAN, localhost), and NTP almost immediately started working again.
    Not sure why, but I pulled an old config and localhost has never been selected.
    Seems something in the update made the system think it was, and the system was listening to itself, even though I couldn't see this in the dialog as only LAN appeared selected.

    6.png

  • pfSense restarting all services on connection cycle.

    4
    0 Votes
    4 Posts
    729 Views
    C

    The behaviour has been patched in 2.7.0, details here, the details indicate it should be less aggressive now, so will run without my patch for a while on 2.7.0, and if the old behaviour comes back will submit my patch, I didn't submit before as being on 2.6.0 code would have been too far away from dev code, was planning to update to dev branch and then 2.7.0 got released. :)

    https://redmine.pfsense.org/issues/12619

  • 802.1x Configuration recipe

    5
    0 Votes
    5 Posts
    534 Views
    planedropP

    @matthewgcampbell Good, glad it's working! Yeah most likely the repeat pings were being blocked for some reason and then pfSense presumes the gateway is down. I personally almost always disable the gateway monitoring action if I only have a single WAN (since there is no need for failover) just in case some issue arises causing pf to think it's down.

  • some logs not rotating

    5
    0 Votes
    5 Posts
    454 Views
    GertjanG

    @michelbinkhorst

    The patches proposed above are valid for 2.7.0.
    "2.7.0" is like "2.6.0", with hundreds of issues less.

  • Dynamic DNS not updating (PPPoE) WAN IP sometimes

    22
    0 Votes
    22 Posts
    2k Views
    S

    So....finally figured out I had the incorrect credentials when I couldn't get it to log in using the No-IP software. Using a group, the login field is format groupname:account-username not groupname:dyndns-first-part-of-hostname. 🤕 However, I am left wondering why it "succeeded" so often using pfSense, in that I only got the "mysterious" credential error sometimes.

  • Pfsense upgradation issues - 2.7

    9
    0 Votes
    9 Posts
    1k Views
    S

    @1s440 - I have not uninstalled then installed packages again. Maybe doing so you have a corrupted package (or packages) in your config that is causing issues. It might be that your only recourse is to install 2.7 from scratch ☹

  • No internet access

    10
    0 Votes
    10 Posts
    947 Views
    Austin 0A

    @robato You may want to change the IP used for monitoring the gateway as well. This way when your internet connection goes down, but not the ISP router, it will reflect the correct status. You could use Google's or Cloudflare's DNS servers (1.1.1.1 or 8.8.8.8).

  • How to setup an Access Point (AP) in PfSense?

    11
    0 Votes
    11 Posts
    3k Views
    JKnottJ

    @r0utevv3

    A VLAN is a means of separating logical networks over a physical network. As I mentioned, I have a guest WiFi, which is allowed to only access the Internet. The way I did this was to configure a 2nd SSID on my access point, which connects to the VLAN. My main SSID connects to the native LAN. This means both the main and guest WiFi travel over the same cable, but are logically separate. I do not separate my main WiFi from my main LAN. Both wired and wireless devices are on the same subnet.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.