• Firewall rules not working for IPsec

    10
    3
    0 Votes
    10 Posts
    93 Views
    M
    @SteveITS Seems like this was the issue! This option should be disabled by default. And of course it should be logged.
  • This topic is deleted!

    1
    0 Votes
    1 Posts
    19 Views
    No one has replied
  • pfSense and SEIM

    1
    0 Votes
    1 Posts
    51 Views
    No one has replied
  • Block access to webserver, allow just specific addresses

    3
    0 Votes
    3 Posts
    65 Views
    D
    @SteveITS Thank you for your quick answer!
  • Not sure this is normal

    6
    3
    0 Votes
    6 Posts
    164 Views
    johnpozJ
    @Gertjan said in Not sure this is normal: "stashed somewhere in an obscure registry key" Not sure I would call obscure Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
  • Port 0 Extra Precautions

    13
    2
    0 Votes
    13 Posts
    232 Views
    JonathanLeeJ
    @johnpoz Does Netgate have a cook book recipe for configuring Squid externally, like the old one for internally? If I had this it would make it easy, I just wonder how to do this as it has to go into squid and back up to the internet etc, makes my brain hurt I only have done it inside pfsense
  • Traffic between OPT1 net and other networks e.g. LAN net

    16
    1
    0 Votes
    16 Posts
    258 Views
    patient0P
    @jogovogo what I forgot: what pfSense version are you using? There was an issue with changing rule orders in certain situations on pfSense+ 23 and 24. https://forum.netgate.com/topic/196601/rules-order-randomly-changes https://redmine.pfsense.org/issues/16076
  • pfSense Slow Inter-Subnet Traffic: 1Gb LAN to 10Gb TrueNAS

    6
    0 Votes
    6 Posts
    513 Views
    J
    I'm facing a similar problem; after authenticating on the captive portal, the user is redirected to another gateway, and after that, the upload speed drops to 0.5. The download works normally, but the upload doesn't.
  • VERY BAD UPLOAD PFSENSE 2.7.2

    1
    0 Votes
    1 Posts
    31 Views
    No one has replied
  • 0 Votes
    20 Posts
    3k Views
    JonathanLeeJ
    @johnpoz Thanks for your help with knowledge about openwrt
  • Recommended white list duplicate removal bug work around

    1
    0 Votes
    1 Posts
    49 Views
    No one has replied
  • Confused with firewall rules for OpenVPN

    3
    0 Votes
    3 Posts
    150 Views
    J
    @the-other , Thank you for your answer, and sorry for the late response. I have just finished some experiments with firewall rules. Based on your advice, I moved all rules from the generic OpenVPN tab to the OVPN1 tab, leaving no rules at that tab. Everything works in the same way compared to the previous configuration. I also read that page in the pfSense manual you shared before I raised my post, but I did not fully understand. After reading your example, it became clearer, and after the mentioned experiments with rules, it is fully clear. Hopefully, all my findings are correct: Rules on the OpenVPN tab have priority over the OVPN1 tab (=> In case an incoming packet matches some OpenVPN tab rule, OVPN1 rules are ignored => Rules on the OpenVPN tab are meant to be generic and common for all OpenVPN servers.) If there are no rules on the OpenVPN tab, there is a default message saying "No rules are currently defined for this interface All incoming connections on this interface will be blocked until pass rules are added. Click the button to add a new rule". This confused me. I was convinced that a state without any rule is fully equivalent to a state with a "block all" rule (IPv4+IPv6, any protocol, any IP, any port, etc.). But at least for the OpenVPN tab, this is not true, as I tested that in case there are no rules on the OpenVPN tab, rules from OVPN1 are applied, and everything just works. I just tried to add a "block all" rule on the OpenVPN tab, and remote clients lost connection. So the mentioned message is quite confusing in this case. Because if that message was correct, remote clients would not have had a connection. Thanks, Jan
  • Unresolvable destination alias

    3
    0 Votes
    3 Posts
    67 Views
    W
    OK! Turns out that in: firewall > rules > lan ...there were several old rule sets with aliases that mapped to those files. I deleted them as they were no longer in use, then applied the config. Problem solved! Thanks.
  • What is 1000000103 doing on my LAN

    8
    0 Votes
    8 Posts
    260 Views
    johnpozJ
    @Felix-4 I have been in this biz for too long I guess - I don't need to see every little thing.. Some stray SA is meaningless - it's noise, or stray udp packets to any single port, etc.. It's just noise.. I have a rule at the end that blocks syn to my address and logs.. I have other rules that log specific senders, that I block from scanning my ports, etc. I log those, etc. But some stray packet hitting my ip is many times just noise that clutters up the log with stuff I don't want to see. If I am troubleshooting something and want/need to see everything it's a click of a button to turn back on default deny logging ;)
  • Aliases error - not updating system tables

    1
    2
    0 Votes
    1 Posts
    45 Views
    No one has replied
  • mDNS :5353 traffic swamping log file...

    9
    2
    0 Votes
    9 Posts
    279 Views
    D
    That's it guys,... Thank you,.. I now have a log file that has 'useful stuff' in it and will allow me to track the problem I was really trying to solve....
  • Why is the firewall filter sooo slow to access?

    7
    0 Votes
    7 Posts
    200 Views
    P
    My settings, filters, etc. load almost instantly (<1sec) at home. It's running on a rather old HP Intel I5 with 4GB memory.
  • Firewall/NAT issue

    3
    0 Votes
    3 Posts
    103 Views
    D
    @viragomann I figured it out: I just had to restart my NAS.
  • URL Table - Update Frequency trick

    5
    0 Votes
    5 Posts
    3k Views
    J
    UP, is there any way for this to resume?
  • Rules not blocking inbound

    8
    0 Votes
    8 Posts
    277 Views
    R
    @johnpoz And thank you for pointing out that the outbound blocking rules don't do what I thought they did! :-)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.