@konstanti уважаемый товарищ!
Искренне благодарю за помощь. Всё починилось.
Решение : использовать NAT-T c обеих сторон туннеля.
Политики трафик перехватывают как нужно.
TCP-MSS = 1300 с обеих сторон.

00d31061-93df-435d-a9e4-21514a52afab-изображение.png

e8e44ad9-0891-4fbf-8689-e85d678fb0c9-изображение.png

а вот почему на upd / 500 не работало - вопрос.

@afcarvalho Many thanks to @jarhead and @stephenw10 for their infinite patience with me.

A

It's possible, though hard to say for sure. It seems similar at least.

@comet424 said in unable to access ips on vlan after changing Gateway/dns:

i did try looking up the unif but didnt see where you can do multiple vlans

Did you look at the summary page for say the U6-lite, one of their popular models currently

https://store.ui.com/collections/unifi-network-wireless/products/u6-lite-us

BSSID 8 per radio
VLAN 802.1Q

I am not aware of any of their models that don't support vlans.. I have 3 different models of their older wifi 5 models, the pro, the lite and the LR.. And before that I had one of their first models that all supported multiple vlans. I currently have 4 different SSIDs running on mine, all on different vlans.

As to what is better dd-wrt, I would say the unifi are true APs.. the dd-wrt is 3rd party firmware to run on soho wifi routers. While it can vastly improve the feature set over native firmware. Your still at the mercy of the hardware, not saying some soho hardware is not fine. But unifi AP are designed to be actual AP.. they are all powered by poe, so you can proper mount them where a AP belongs, etc.. I would never ever go back to running soho wifi routers as my wifi APs..

@bmeeks ok so I came home today to begin testing of the changing of the NIC port. Lo and behold it just started working. So I think that solves it. Something on the integration was causing a flood of traffic and ended up getting something banned. The good news is it seems it was temporary. I feel like an idiot spending so much time and effort trying to solve it but in the end I got to really deep dive into various settings. I Learned a lot more about DNS and how it should be set up properly and other various items that I can’t say I knew anything about before so it isn’t all bad! I want to thank you specifically for sure and everyone else that helped support this! We might not of figured out the root cause but man you all helped me learn a lot!

@njaimo ...I get it I misunderstood the "score" bit, it is not login attempts... :)
Cheers

@michmoor said in PFSENSE WIFI CALLING:

lots of CP changes in the new releases i see

You mean 22.05 as you talk about a 6100 ?

22.05 doesn't use the good old second firewall 'ipfw', as 2.6.0, but uses a new, modified 'pf' so it can also handle MAC ( ! ). It was Netgate that changed 'pf' upstream for the entire FreeBSD community 👍
22.05 native has issues : the "one queue for all connected users" is one of them. There is a patch.
Look quickly over the last 10, 20 (skip the please help posts) captive portal forum posts, you find them all.

If you are a heavy (hundreds of connected users) portal consumer, then watch your memory as there is a small memory leak in the new pf code. This can't be patched, as it needs binary changes, and the upcoming 23.0x will solve that.

@elmojo It would be an additional network... you can have them that way but they're on different broadcast domains -- so things that require broadcast calls (like streaming devices, or backup solutions) don't work and require other tools to work like avahi.

I use VLANs and single interfaces and APs that support VLANs.

@nollipfsense actually this also stopped working and I’m back at the issue.

I haven't read through all of the replies, but you cannot eliminate the AT&T gateway. First off, the newer models like the one shown have the ONT built-in. Secondly, the fiber service requires certificate-based authentication, so even if you clone the AT&T gateway's MAC address on your pfSense it will not work.

The previous workarounds also do not work like they did with previous AT&T gateways and separate ONT module. If you want any fiber plan over 1 gig, then you will be issued the same gateway as in the original post. Also note the LAN ports are all 1 gig with the exception of first port which is blue and will support 5 gig, 2.5 gig, or 1 gig.

@jbeez I worked at the other Blue cable company. VZ tech guys had some Fked up stories. Both company employees eventually shared the same employment multiple times back and forth. It's like the Philly cheese steak cooks immigrated to NYC and then back to Philly and then told stories. No, the grass is not greener! Don't ever call tech and tip them off is all that I'll say. "Their job is to collect more revenue on the quota chain you just don't know it." One can go months straight under the radar...until someone does their admin network monitoring job. Watch this Video and you'll laugh

Stay low my friends and never call in for anything if you don't have to. Just open up that ONT yourself on the side of your house. Unplug that black box for a few minutes then plug it back in and close the ONT unit. P.S. this is not good tech advice at all... I ate too many lead paint chips!

For the entrepreneur, you certainly can use a dual wan but the primary should be business static and one of them can be a residential DHCP but not both. Plus, google will index higher-ranking static IPs over ever-changing residential IPs. A simple way to check is to go to Business Static IP check Type = business or residential?

I just want to hear a few stories of customers winning on DHCP leases. Meaning maybe it changes once per year. The problem is just when you think you won they change the IP address more than normal. Now back to paint chips.

Might be a long shot, but do your configurations on those VMs have the serial console enabled even though they don't have COM ports mapped in Hyper-V?

There is a known issue in that area with FreeBSD on Azure Gen2 VMs but I wouldn't think it would manifest on local Hyper-V setups since even though the VM contains COM port configurations it doesn't actually have any uart controllers or serial ports visible to the guest.

@michmoor said in Blog suricata-vs-snort - Snort 3.0?:

@bmeeks This is extremely insightful here. Thanks for the added detail that im glad i know about now.

So the way i see it, the IPS is only 'useless' on pf from the standpoint of lack of integration with any MITM process. In a perfect world with unlimited resources if there can be some integration then the IPS component would be of more value.
As it stands, its pretty useless (no disrespect to you of course), and this is more in line with what you have been saying for quite some time about its usefulness.

Correct. But it's not just pf. The same is true with many other operating system configurations.

My point in my other postings about the "usefulness" of IPS is that on the perimeter it is becoming less and less effective due to the encryption. Thus having it on the firewall inspecting traffic flowing between hosts is not really doing a whole lot unless the payload data is cleartext.

I did a factory reset of my config and set my WAN and LAN interfaces (dev 2.7 1/9). Never even logged in and I'm still getting query refused with ipv6. I just wanted to rule out any of my config changes as the issue.

Then I loaded a clean install of stable 2.6 and it seems to be working as expected

Thanks everybody,
I founded my error : a typo in the Dnsname!
This case can be closed.

Ah, then try capturing on em0 directly so you can see the VLAN tagged packets.

Capturing on the VLAN won't show that. And it also won't show any replies that aren't using that VLAN tag.

@ricardo-rocha maravilha meu nobre, aqui funcionou, no firewall eu já tinha feito as liberações, agora ao colocar todos os endereços na regras do proxy e as exceções dentro de opções de internet ele funcionou perfeitamente, obrigado pela ajuda.

@bleve said in Australian NBN connection stops after random time:

@stephenw10 thank you, that worked a treat!

I popped a USB powered case fan on top of this little box, and the newly reported 52 degrees is now 35 (Celcius). Win!

Thank you again for your advice and assistance.

Couldn't make BigBlueButton work behind pfsense/opnsense with 1:1 NAT + Reflection etc., so I gave up on that approach. I still found a solution assigning the second public IP directly to the BBB VM, which I documented here: https://serverfault.com/questions/1121061/assigned-second-public-ip-to-vm-from-outside-not-reachable/1121266#1121266

@bmeeks Thank you so much. I did send you the full log separately. Please let me know if I can get you anything else. And you needn’t do any more. I’m more than happy with what I’ve learned. Cheers!

Ah ja ok stimmt, die DNS Regel auf Localhost mache ja Sinn, aber nur wenn das Ziel !This Firewall ist.

no worries i just switch to an old intel x540-t2 should be fine until i upgrade the rest of my network to multi-gig thank you for all your help. i hope it gets fixed at some point i have always herd that Chelsio nics were the best with bsd maybe that is changing now

@rcoleman-netgate said in 7100 1u vlan addition question:

@hescominsoon You're welcome. That one took me a bit to grasp when I first bought a device with a Marvell switch.

yeah..i won't be doing that again..i know its a cost point thing and it's valid..i just do not like the gymnastics you ahve to do..<G>

@johnpoz ok understood thank you so much for the help!!

@jimp ok thanks for the explanation.
Understood and makes sense, but it is hard to see if there is ram left for eg plug-ins or not.

Except that we've seen in the other thread that doing so is triggering, at least, dpinger to restart. So it could be doing more than you think.

@werter said in Снижение скорости:

@dekor238
Тут есть цикл заметок по нему )
Сперва попробуйте pve в виде вирт. машины развернуть на esxi , включив nested-виртул-цию предварительно на ней.

:))))
не... это уже сложно для меня... я не так силен в этих виртуализациях...
проще сразу перейти на проксмокс и поставить pfSense с бекапом данных, чтобы не перенастраивать...

@arjay Not NAT, but outbound NAT.
Did you add that?

The nomap capability should be easy to disable but it appears ifconfig may not have caught up yet. I can't find a syntax that works. But I doubt that would make any difference here.

I also compared the options between 22.05 and 23.01 from the same config in the 8200 and saw the same.

If it's a ZFS install you should be ble to roll back the BE snapshot.

Well it caused me to go ahead and clean up the v6 configuration on mine. I was not having this issue but I did have some things running that likely did not need to be as well as the outside and inside picking up v6 addresses. May as well keep it simple.

That worked. For some reason, when I initially told the setup to create a new certificate, it just created a private key and not the certificate. Jan 24 build however worked!

@robinh but that is not your webgui port, so that you ha proxy... Restart your web gui, most likely it didn't restart..

I get even more and more the feeling that either:

a) my ISP is doing something weird or
b) my VDSL Modem is doing weird stuff.

I just noticed that even Playing CS:GO is not working anymore. After a couple of seconds I get the Message not possible to official Servers with following log:

Refreshing ping measurements SDR RelayNetworkStatus: avail=OK config=OK anyrelay=OK (Refreshing ping measurements) SteamNetworkingSockets lock held for 5.6ms. (Performance warning.) ServiceThread,SteamDatagramClientThinker::Think,EnsureDataCenterRoutesValid,ThinkPingProbes,CreateServerDataForCluster(x10),SendUDPacket(x10) This is usually a symptom of a general performance problem such as thread starvation. Host_WriteConfiguration: Wrote cfg/config.cfg Ping measurement completed Ping location: mlx1=14+1,mst1=19+1/20+1,fra=/22+1,ams=/25+1,lhr=/32+1,vie=/33+1,par=/37+1,mad=/40+1,waw=/42+1,mny1=85+8/86+8,iad=/91+8,mmi1=124+12/119+8 SDR RelayNetworkStatus: avail=OK config=OK anyrelay=OK (Refreshing ping measurements) Ping measurement complete after 5.0s. Sending sample to GC ams: 25ms via mlx1 (front=14ms, back=11ms) can: 185ms via tsnu (front=149ms, back=36ms) canm: 193ms via tsnu (front=149ms, back=44ms) cant: 184ms via tsnu (front=149ms, back=35ms) canu: 183ms via tsnu (front=149ms, back=34ms) dfw: 132ms via mny1 (front=85ms, back=47ms) lhr: 32ms via mlx1 (front=14ms, back=18ms) mam1: 25ms via mlx1 (front=14ms, back=11ms) mas1: 93ms via mny1 (front=85ms, back=8ms) mat1: 104ms via mny1 (front=85ms, back=19ms) mch1: 105ms via mny1 (front=85ms, back=20ms) mdc1: 92ms via mny1 (front=85ms, back=7ms) mdf1: 122ms via mny1 (front=85ms, back=37ms) mfr1: 22ms via mst1 (front=19ms, back=3ms) mla1: 149ms via mny1 (front=85ms, back=64ms) mln1: 32ms via mlx1 (front=14ms, back=18ms) mlx1: 14ms via direct route mmi1: 119ms via mny1 (front=85ms, back=34ms) mny1: 86ms via direct route mpx1: 157ms via mny1 (front=85ms, back=72ms) msa1: 139ms via mny1 (front=85ms, back=54ms) msj1: 150ms via mny1 (front=85ms, back=65ms) msl1: 110ms via mny1 (front=85ms, back=25ms) mst1: 20ms via direct route par: 37ms via mst1 (front=19ms, back=18ms) pwg: 183ms via tsnu (front=149ms, back=34ms) pwj: 150ms via tsnu (front=149ms, back=1ms) pwu: 158ms via tsnu (front=149ms, back=9ms) pww: 170ms via tsnu (front=149ms, back=21ms) pwz: 177ms via tsnu (front=149ms, back=28ms) sea: 150ms via mny1 (front=85ms, back=65ms) sha: 175ms via tsnu (front=149ms, back=26ms) sham: 174ms via tsnu (front=149ms, back=25ms) shat: 174ms via tsnu (front=149ms, back=25ms) shau: 169ms via tsnu (front=149ms, back=20ms) shb: 174ms via tsnu (front=149ms, back=25ms) sto2: 49ms via mlx1 (front=14ms, back=35ms) tsn: 150ms via tsnu (front=149ms, back=1ms) tsnm: 149ms via tsnu (front=149ms, back=0ms) tsnt: 149ms via tsnu (front=149ms, back=0ms) tsnu: 149ms via direct route tyo1: 267ms via msj1 (front=160ms, back=107ms) Host_WriteConfiguration: Wrote cfg/config.cfg Started tracking Steam Net Connection to =[A:1:2737553413:22553]:0, handle ceb4929 [#216746281 SDR server steamid:90168859682390021 vport 0] Requesting session from mlx1#71 (188.42.190.100:27047). Ping = 414 = 14+400 (front+back). [#216746281 SDR server steamid:90168859682390021 vport 0] Requesting session from mst1#57 (151.106.18.227:27041). Ping = 419 = 19+400 (front+back). [#216746281 SDR server steamid:90168859682390021 vport 0] Selecting mlx1#71 (188.42.190.100:27047) as primary. (Ping = 414 = 14+400+0 (front+interior+remote).) [#216746281 SDR server steamid:90168859682390021 vport 0] Selecting mst1#57 (151.106.18.227:27041) as backup #1 (Ping = 419 = 19+400+0 (front+interior+remote).) Already have a ticket for server 'steamid:90168859682390021' with older expiry 1675206188. Discarding and replacing with new ticket expiring at 1675206254 Received Steam datagram ticket for server steamid:90168859682390021 vport 0. Host_WriteConfiguration: Wrote cfg/config.cfg [#216746281 SDR server steamid:90168859682390021 vport 0] problem detected locally (4001): Timeout; remote problem. Rx age server (never) relay 0.4s Steam Net connection #216746281 SDR server steamid:90168859682390021 vport 0 problem detected locally, reason 4001: Timeout; remote problem. Rx age server (never) relay 0.4s **** Unable to localize '#GenericConfirmText_Label' on panel descendant of 'PopupManager' Closing Steam Net Connection to (unknown), handle ceb4929 (2001 Matchmaking failed. We never heard from gameserver) Summary of connection to #216746281 SDR server steamid:90168859682390021 vport 0: End-to-end connection: closed due to problem detected locally, reason code 4001. (Timeout; remote problem. Rx age server (never) relay 0.4s) Remote host is in data center 'fra' Current rates: Sent: 0.0 pkts/sec 0.0 K/sec Recv: 0.0 pkts/sec 0.0 K/sec Ping:414ms Max latency variance: ???ms Est avail bandwidth: 1024.0KB/s Bytes buffered: 0 Lifetime stats: Totals Sent: 21 pkts 6,597 bytes Recv: 0 pkts 0 bytes No ping distribution available. (1 samples) No connection quality distribution available. (0 measurement intervals) Latency variance histogram not available No rate stats received from remote host No lifetime stats received from remote host Primary router: mlx1#71 (188.42.190.100:27047) Ping to relay = -1 Current rates: Sent: 2.0 pkts/sec 0.6 K/sec Recv: 2.2 pkts/sec 0.0 K/sec Quality: 100% (Dropped:0.00% WeirdSeq:0.00%) Bytes buffered: 0 Lifetime stats: Totals Sent: 21 pkts 6,597 bytes Recv: 21 pkts 204 bytes Recv w seq: 21 pkts Dropped : 0 pkts 0.00% OutOfOrder: 0 pkts 0.00% Duplicate : 0 pkts 0.00% SeqLurch : 0 pkts 0.00% No ping distribution available. (0 samples) No connection quality distribution available. (1 measurement intervals) Latency variance histogram not available No rate stats received from remote host No lifetime stats received from remote host Backup router: mst1#57 (151.106.18.227:27041) Ping = -1+-1=-2 (front+back=total) Removing Steam Net Connection for =[A:1:2737553413:22553]:0, handle ceb4929 [#216746281 SDR server steamid:90168859682390021 vport 0] Discarding inactive session mst1#57 (151.106.18.227:27041). ConnectionShutdown [#216746281 SDR server steamid:90168859682390021 vport 0] Discarding inactive session mlx1#71 (188.42.190.100:27047). ConnectionShutdown

While die PCAP ( CSGO.zip ) shows incoming and outgoing Traffic ... To be 100% sure I just ordered a new VDSL Modem...

@stephenw10 said in Perplexing Problem with PFSense:

@itworxnz said in Perplexing Problem with PFSense:

It's always the same two blocks out of seven that seem to cause it, but everyone is affected.

If the router/gateway went down everyone would be affected but the different hosts in the same subnet would still be able to connect to each other. Can we assume that isn't case?

Still need that questions answering to determine what sort of problem you are dealing with. And I would still do this:

When this happens if you run a pcap somewhere do you see anything incoming?

This doesn't seem like a bad cable to me or a bad switch port. Those would only effect devices connected to them. For something to take down the entire subnet across multiple switches such that no traffic can move across the network at all it pretty much has to be a flood of some sort.

But if things can still ping other local hosts just not the local gateway I'd be looking for a rogue dhcp server or something doing ARP poisoning perhaps.

You should really be using VLANs to separate these user groups out. That would prevent something like a rogue dhcp server affecting everyone.

Steve

@johnpoz Agreed, I too hope IoT catch up soon on security related stuff. Many nice gadgets only have wifi, and as is, I don't feel entirely comfortable using that for IoT. Of course it can and imho should, be zoned in contained vlans, but just the fact your wifi is offering your network to anyone who (can) listen, is not comforting, but very convenient.
I've learned a lot on this exercize, enough to wanting to read more - WPA2 to WPA3 was indeed a big leap, and perhaps time for me to re-evaluate wifi for my purposes... :) (for now still excluding IoT)

@stephenw10 it certainly does look more like a proxy.

@viragomann I was saying that if I want to use the main site like a VPN to access the internet, just like a commercial VPN provider, I would have a rule on the remote site that says LAN to any using VPN as gateway. This rule will be placed in NAT -> outbound. What I found with doing this with the VPN made from the main site is that it messed up the site to site VPN for the remote side. Somehow that outbound rule messes up the working remote site to main site connection.

Hello Sir @stephenw10 After working with my boss at our office we were able to get in the commands to get the driver updated and I have not had a problem since. I will let you know if it fails again but for now the issues is resolved.

Thank you!

@johnpoz said in I'm sick of neer-do-wells hitting my WAN with TCP:SYN:

If your phone ringer is off, does it really matter if a spammer calls you - you don't answer the phone anyway because the phone doesn't ring.. But you might not like picking up your phone and see missed calls.

My ringer is on as I have an IPSec VPN & SFTP server local 😁