• Not sure this is normal

    0 Votes
    6 Posts
    93 Views
    johnpozJ
    @Gertjan said in Not sure this is normal: "stashed somewhere in an obscure registry key" Not sure I would call obscure Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
  • Port 0 Extra Precautions

    0 Votes
    13 Posts
    139 Views
    JonathanLeeJ
    @johnpoz Does Netgate have a cook book recipe for configuring Squid externally, like the old one for internally? If I had this it would make it easy, I just wonder how to do this as it has to go into squid and back up to the internet etc, makes my brain hurt I only have done it inside pfsense
  • Traffic between OPT1 net and other networks e.g. LAN net

    0 Votes
    16 Posts
    114 Views
    patient0P
    @jogovogo what I forgot: what pfSense version are you using? There was an issue with changing rule orders in certain situations on pfSense+ 23 and 24. https://forum.netgate.com/topic/196601/rules-order-randomly-changes https://redmine.pfsense.org/issues/16076
  • pfSense Slow Inter-Subnet Traffic: 1Gb LAN to 10Gb TrueNAS

    0 Votes
    6 Posts
    456 Views
    J
    I'm facing a similar problem; after authenticating on the captive portal, the user is redirected to another gateway, and after that, the upload speed drops to 0.5. The download works normally, but the upload doesn't.
  • VERY BAD UPLOAD ON PFSENSE 2.7.2

    0 Votes
    1 Posts
    21 Views
    No one has replied
  • 0 Votes
    20 Posts
    3k Views
    JonathanLeeJ
    @johnpoz Thanks for your help with knowledge about openwrt
  • Recommended white list duplicate removal bug work around

    0 Votes
    1 Posts
    36 Views
    No one has replied
  • Confused with firewall rules for OpenVPN

    0 Votes
    3 Posts
    123 Views
    J
    @the-other , Thank you for your answer, and sorry for the late response. I have just finished some experiments with firewall rules. Based on your advice, I moved all rules from the generic OpenVPN tab to the OVPN1 tab, leaving no rules at that tab. Everything works in the same way compared to the previous configuration. I also read that page in the pfSense manual you shared before I raised my post, but I did not fully understand. After reading your example, it became clearer, and after the mentioned experiments with rules, it is fully clear. Hopefully, all my findings are correct: Rules on the OpenVPN tab have priority over the OVPN1 tab (=> In case an incoming packet matches some OpenVPN tab rule, OVPN1 rules are ignored => Rules on the OpenVPN tab are meant to be generic and common for all OpenVPN servers.) If there are no rules on the OpenVPN tab, there is a default message saying "No rules are currently defined for this interface All incoming connections on this interface will be blocked until pass rules are added. Click the button to add a new rule". This confused me. I was convinced that a state without any rule is fully equivalent to a state with a "block all" rule (IPv4+IPv6, any protocol, any IP, any port, etc.). But at least for the OpenVPN tab, this is not true, as I tested that in case there are no rules on the OpenVPN tab, rules from OVPN1 are applied, and everything just works. I just tried to add a "block all" rule on the OpenVPN tab, and remote clients lost connection. So the mentioned message is quite confusing in this case. Because if that message was correct, remote clients would not have had a connection. Thanks, Jan
  • Unresolvable destination alias

    0 Votes
    3 Posts
    47 Views
    W
    OK! Turns out that in: firewall > rules > lan ...there were several old rule sets with aliases that mapped to those files. I deleted them as they were no longer in use then applied the config. Problem solved! Thanks.
  • What is 1000000103 doing on my LAN

    0 Votes
    8 Posts
    189 Views
    johnpozJ
    @Felix-4 I have been in this biz for too long I guess - I don't need to see every little thing.. Some stray SA is meaningless - it's noise, or stray udp packets to any single port, etc.. It's just noise.. I have a rule at the end that blocks syn to my address and logs.. I have other rules that log specific senders, that I block from scanning my ports, etc. I log those, etc. But some stray packet hitting my ip is many times just noise that clutters up the log with stuff I don't want to see. If I am troubleshooting something and want/need to see everything it's click of button to turn back on default deny logging ;)
  • Aliases error - not updating system tables

    0 Votes
    1 Posts
    32 Views
    No one has replied
  • mDNS :5353 traffic swamping log file...

    0 Votes
    9 Posts
    197 Views
    D
    That's it guys... Thank you. I now have a log file that has 'useful stuff' in it and will allow me to track the problem I was really trying to solve....
  • Why is the firewall filter sooo slow to access?

    0 Votes
    7 Posts
    170 Views
    P
    My settings, filters, etc. load almost instantly (<1sec) at home. It's running on a rather old HP Intel I5 with 4GB memory.
  • Firewall/NAT issue

    0 Votes
    3 Posts
    85 Views
    D
    @viragomann I figured it out; I just had to restart my NAS.
  • URL Table - Update Frequency trick

    0 Votes
    5 Posts
    3k Views
    J
    UP, is there any way for this to resume?
  • Rules not blocking inbound

    0 Votes
    8 Posts
    224 Views
    R
    @johnpoz And thank you for pointing out that the outbound blocking rules don't do what I thought they did! :-)
  • pfBlockerNG and Google Earth on Debian Trixie

    0 Votes
    3 Posts
    220 Views
    S
    @Uglybrian, Thank you, I will give that a try. Stuart
  • Default Deny Rules

    0 Votes
    15 Posts
    738 Views
    W
    For other people's future reference. I had to switch to Ruckus Router Code and upgrade to their L3 Premium license to use the Policy-Based Routing feature. Once this feature was enabled, the policy-based routing was very simple. Similar to Cisco policy-based routing. However, it seems, as far as I can tell, due to the state-based nature of the Netgate, the policy-based routes I was trying to set up just did not work. Unfortunately, no one on this forum was able to provide a workaround using the pfsense platform.
  • 0 Votes
    2 Posts
    100 Views
    S
    @tross9 yes. There should be a tooltip if you hover over the X.
  • 0 Votes
    16 Posts
    745 Views
    P
    Thank you all for helping me. In the end I've managed to make it work. As you said, following rule(s) were necessary to access devices on OPT1 and OPT2 respectively. [image: 1760577607694-4278df83-2799-41fa-a032-8ae0b9205d44-image.png] There are some things that I learned along the way: When spoofing MAC address, don't spoof it on the interface you are accessing the web GUI from. Don't spoof WAN MAC address when connected to internet. Do it with WAN port disconnected. Also, clear DHCP leases on your upstream modem/router. When you already have an enabled interface, but then want to spoof MAC address, delete the interface first and then recreate it with spoofed MAC address. Reenabling doesn't work properly. Sometimes the device you're trying to access doesn't allow access from different subnet. This is the case with my OpenWRT router, but home server works flawlessly.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.