• Network performance issue using pfSense v.2.7.0 running as router

    0 Votes
    14 Posts
    1k Views
    georgelza
    @georgelza said in Network performance issue using pfSense v.2.7.0 running as router: pkg-static -d update ok... we're back cooking with gas, as the saying goes, got haproxy installed and my external exposed services are working again. Would have been great if the restore allowed me to re-attempt the installation of previously installed packages. G
  • 0 Votes
    8 Posts
    538 Views
    Gertjan
    @milindhvijay A test, and you need the console or SSH to execute it : On the main menu, use option 8. Then : dig @127.0.0.1 google.com This test executes a DNS request on port 53, 127.0.0.1. Unbound should be listening on that port. Another test : sockstat -4 | grep 'unbound' This shows you on which interfaces unbound is listening. I see : unbound unbound 83642 5 udp4 *:53 *:* unbound unbound 83642 6 tcp4 *:53 *:* which means : unbound listens on every (like "all") interfaces, for IPv4 and IPv6, on port '53' (of course), using TCP and UDP. This means that this : dig @192.168.1.1 google.com should give an answer = the IPv4 of Google. Btw : I presume your LAN IPv4 is 192.168.1.1 - take yours if yours is different. This : dig @192.168.1.1 google.com AAAA should give the IPv6 if you have a working IPv6 setup.
  • Intel igb optimizations (EEE)

    0 Votes
    23 Posts
    3k Views
    Gertjan
    @axot said in Intel igb optimizations (EEE): igb1: Connected to a WiFi Router igb2: Connected to NAS (can be woken up via magic packet and goes to sleep when inactive) igb3: Connected to Mac Studio (wakes up from sleep when needed) These are end-user devices and not switches ?!! So, in case of a power glitch, all interfaces will flap. That's normal.
  • PFsense as Freeradius server authenticating connected device via 802.1x

    0 Votes
    6 Posts
    609 Views
    B
    @keyser Oh I see, thank you so much for your explanation, I went toward freeradius webpage and they did list TLS only supported cleartext password. I have also made sure to disable weak protocol like MD5 or anything less than TTLS. Thank you so much for your time
  • changing NIC card for LAN side

    0 Votes
    17 Posts
    2k Views
    S
    @sstatjm Curious... Did you ever get this sorted out? I am building out the 3rd node for a ceph cluster and planned to use it in Debian (Proxmox VE) and pass it thru to my VM of pfSense kinda like I've been doing on two other machines in a cluster + CARP setup :-\
  • Regular pfSense crash

    0 Votes
    5 Posts
    289 Views
    R
    @stephenw10 Hi Steve, Ok, I got around to this this morning. Your steps were all that was needed to install the alternative Realtek driver. Was able to install the new driver, activate it, and was able to see from the log that the new driver had been loaded successfully. Both firewalls are now updated. I will need to wait a while to see if this resolves my crash issue. Hopefully this will. Learnt a bit about FreeBSD in the process. Again, thank you for your generous help. Regards Rudolf
  • This topic is deleted!

    0 Votes
    1 Posts
    5 Views
    No one has replied
  • Remove UPnP (miniupnpd) package

    0 Votes
    7 Posts
    381 Views
    stephenw10
    Better to be overly vigilant!
  • RAMdisk or not?

    0 Votes
    18 Posts
    3k Views
    J
    @provels said in RAMdisk or not?: Can you tell me where these lists exist after reboot if they're not in the db directory? the DNSBL you've highlighted are with unbound. @jrey said in RAMdisk or not?: it backs up unbound that is what is "providing" the DNSBL function -- pfB just aggregates sources of data to build lists(alias) then used by unbound or rules. The data pfB uses is just the "step" between in that process of getting from source and using in DNSBL/firewall. Source (Download) -> Originals (raw as provided by source) -> (Process to) (Deny, Match, Native, Permit etc) -> (provide to) DNSBL(unbound) OR (alias firewall) (process to) = options like de-duplication, CIDR Aggregation etc -- not all options you've selected apply to all Originals. (check the info blocks, usually provided with each option to determine what happens for a given option) so for example in the IP settings De-Duplication -- "Only used for IPv4 Deny Lists"
  • 10gb wan/lan setup tweaks?

    1 Votes
    16 Posts
    651 Views
    G
    @zennb1 Thanks, but that did not work with my card. It seems though that any change I do to the settings, like shifting from Automatic to 10G full duplex, triggers some initiation of the device which resolves the issue. Disabling and enabling for example, has the same effect. But nothing that I do seems to "stick"... And since I have the driver SW as a shortcut it's quite simple to just run it...
  • This topic is deleted!

    0 Votes
    1 Posts
    8 Views
    No one has replied
  • Max SANs ?

    0 Votes
    12 Posts
    585 Views
    stephenw10
    Hmm, still unable to replicate it here without any optional fields on the CA or cert: [image: 1729720582109-multi-san-cert-3.jpg] Do you have all the recommended patches applied?
  • Trying to understand crash report.

    crash
    0 Votes
    20 Posts
    1k Views
    Z
    @stephenw10 No further crashes since carrying out those repairs etc so that's great. 36 lan in errors for 1.8 TiB of data of which the majority have come from that annoying intel wifi adapter!....
  • 127.0.0.1/localhost ports refuse to connect

    0 Votes
    4 Posts
    396 Views
    K
    @stephenw10 Thank you!
  • NAT66 and 2nd interface IPv6 IP option for ULA [SOLVED]

    0 Votes
    16 Posts
    858 Views
    Z
    @JKnott Well aren't you special? Some of us are not as privileged who want to run our servers behind a pfSense frontend over at Vultr lol.
  • System reboot lost the /boot partition

    0 Votes
    2 Posts
    350 Views
    stephenw10
    If you boot the new Net Installer you can select the config to recover then drop to the shell and do what you like with it. At worst you can just cat it to the command line and copy/paste it from the console. You should be able to do that with the legacy installer too if you just escape the installer after recovering the config. Or by dropping to the shell and trying to run the recovery script manually: /root/recover_configxml.sh. Steve
  • Issues with Dell Broadcom 5719

    0 Votes
    9 Posts
    829 Views
    stephenw10
    So a 4 port 1GbaseT NIC. I'd always look for something Intel based. An i350 based card would be top of my list but almost any Intel NIC would be fine. Check this link to find used OEM branded cards which are often cheaper and, importantly, not fake! https://forums.servethehome.com/index.php?threads/list-of-nics-and-their-equivalent-oem-parts.20974/
  • System Log Settings

    0 Votes
    8 Posts
    335 Views
    J
    @Gertjan said in System Log Settings: You have a 5100, and you've MAXimized it, don't bother of protecting the SSD drive. I've chosen the 4100 MAX version for the same reason : Lots of log space, if needed, as a detailed log over a xx days span is part of the security : logs shows what happens to the system. I also remote 'syslog' my logs, for backup purposes, to a NAS. Last week I started writing to remote syslog on NAS and see my pfSense logs still going so that is why I asked about disabling local logging. But I get it : You've lost a 'disk' (the emmc) once, but now you've a sata drive (aka : the 5100 MAX). It won't happen again ^^ The SSD might die again, but no hassle, they always do, like the hard disks we used before. Easy to change, and after a "couple of years" you'll upgrade the entire device anyway ^^ Thanks. The SSD is 64gb so hopefully at my age it will last long enough that I won't need to upgrade. But I seem to say that about every piece of hardware I buy.
  • Internet lag times

    0 Votes
    2 Posts
    136 Views
    stephenw10
    Delays like that are not just latency or shaping issues. There is no way anything could be delayed that long. It's more likely connections failing and retrying multiple times. I would run a packet capture for that traffic and check it. See if the connection is showing multiple retries. Or anything else. It's probably going to be pretty obvious with that sort of error. Steve
  • General question about Tailscale

    0 Votes
    3 Posts
    380 Views
    Y
    @elvisimprsntr said in General question about Tailscale: https://forum.netgate.com/post/1187667 Thanks for the cross-link to the manual package update. I'm gonna try that next. BTW, it's not about expiring keys -- there's something funky in the officially released package that causes Tailscale to not come up after a restart. It won't come up manually (tailscale up fails) either. I'm whining here because that always seems to happen when I am away. I have to delete the machine in the Tailscale admin, purge everything in pfSense, then reinstall. Really messes things up.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.