@jsmiddleton4 Thank you. I appreciate that! You are right, probably no one is going to hack into my APs but being in IT for years, I also know how us IT nerds are, so its more I want to just be aware. I cant be aware of everything nor will i know how everything works but the more I know about my network and what looks right/doesnt the better off i'll be. Its all fun and learning for me especially now that im in more of a project management role instead of IT i actually WANT to work on these types of projects and learn for fun.

Let alone, watching Mr. Robot did not help in the 'people are hacking you' thoughts. lol.

DHCP6 will come down the road. My next goal is setting the plugins up and watching everything. I am curious because i just got alerted that im over my data cap again!

Something is def. off since its not every month. Ive already got a good idea of whats on my network but i've been running ip scanner for a few months now and just noticed a few more things that im gonna double-check.

Good information to note in regards to the NICs etc.

@mcury ola meu amigo, muito obrigado.
criei um topico.
https://forum.netgate.com/topic/169293/conectar-voip-pela-vpn-n%C3%A3o-consigo/1

Nothing I can think if currently. Yeah any sort of packet loss will kill throughput.

@johnpoz So, strike my previous comment. It looks like the nginx message is actually created by PfSense (i get the same message if i try to connect PfSense with a forced HTTPS that originates as an HTTP connection

What I dont understand is why? SM i missing something in my settings (frontend/backend) that is causing PfSense to think im trying to connect with an insecure connection?

Well after hours of trying different things. I think I might have found the fix. I have no idea if this was the fix because of the number of things I was trying at the end but this makes since to me. I didn't have these boxes checked and when pfSense made the gateways it didn't check the boxes automatically.

24bde76f-16f2-4739-9ca8-a7ec475914ae-image.png

@steve1515 said in SG-2440 Upload Speed Limited After a Few Minuites:

Any tips on finding this device other than unhooking things each hour?

Bisecting search.

Unhook half of your devices & test Then unhook half the devices in the error half & test etc

Ah, well similar deal if the VPN client is routing all your traffic over the VPN.

Hyperthreading enabled.

Screenshot 2022-01-07 172457.png

Hyperthreading disabled.

Screenshot 2022-01-07 173308.png

@jsmiddleton4 said in What are the road signs we're getting close to a released version of 2.6?:

All but the names are consistent with the last backup for 2.6.0.
How the names stuck???

The configuration file contains the customisation you have done to pfsense including any renaming you have done.

So when a configuration is restored the names are restored.

If names are restored they were in the configuration file you imported.

So the part of your question which does not make sense to me is why you expected the names not to be restored on this occasion. Perhaps:

you believe they were not set in this particular configuration backup you assumed configuration backup for 2.6 would be very different to the configuration file for 2.7 (despite then being currently a few days different in code freeze)

Please clarify why you feel the names being there was unexpected then perhaps more helpful replies would be possible.

@johnpoz said in traffic in wan:

And gain your "users" have no complaints of anything be slow or not working?

Exactly, nobody is complaining about anything and in the firewall you continue to see this type of traffic.

@sven72 said in IOT VLAN not reaching internet:

well I disabled the logging but indee

I never said turn off all logging, rules you create by default do not log. Only stuff that falls through to the default deny would be logged by default.

So just create a rule that blocks that host from going to 8.8.8.8 and don't log it in the rule.

Example my work laptop generates lots of noise trying to get to stuff it can't get to when on home network.. I have no desire to see that, so there is a rule no logging for my work laptop trying to go to any private IPs that is not logged.

notlog.jpg

You can see the specific rules above and blow it are set to log

logrules.jpg

Cool. Not sure what happened there then but I guess take the win . 😉

@jathagrimon said in Projekt: FritzBox raus und pfSense rein:

Spanning Tree finde ich in der Config so direkt nicht, aber vielleicht heisst das bei Netgate einfach nur anders.

Aus diesem Grund sind meine Webinterfaces meist auf Englisch gestellt. Also nicht, weil ich das besser kann, sondern weil ich die Begriffe besser verstehe als die oft fantasiereiche deutsche Übersetzung.

Hier wird das die Loop Erkennung sein.

@mcury @viragomann
Thanks!
I guess my mechanical brain wanted to see a hardwire to a port that was a physical public IP. That was probably the issue that would not let me see/understand the virtual IP solution.

Thanks again for all the help.

@hfarinha forgot to mention that I had to add acl's manually as well under DNS resolver otherwise dns resolution does not work.

@stephenw10 hello Steve,
i was posted on his forum but seems they considered this is an error strange

@viragomann
Sollte alles so haben
be3e534b-ee68-490f-8166-a32461311c51-image.png

945a6f76-a0a2-4ff3-9fab-2cc72f535a39-image.png

werde mal auch in der zwischen Zeit mal System logs durchwühlen

Danke für eure Hilfe !!

Makes sense, thanks! I was thinking somehow the operating system was shutting down the NIC, but I see now this is likely a hardware problem just coincidental with my pfsense upgrade. Will attend to it tonight when I get back, thanks again guys!!!

@horizon82 said in UDP blocked - NAT reflection unable to connect over UDP:

manual outbound and vpn had no impact

It wouldn't have an impact unless you messed with them, or added another network and not an outbound nat and then wondered why it wasn't working ;)

Its just bad setup to switch to manual, and then create the nat required for the vpn, when you could just add the hybrid nat for the vpn..

I don't use nat reflection, since in my opinion its an abomination to all things networking ;) Now in some instances true it can be useful. When some client is is hard coded to use a public IP, or when it is using external dns and no way to have it use internal for whatever reason.

As to having to set a default gateway, might have to do with having a vpn setup which your pulling routes with and it gets set as the default gateway regardless of what might be shown in the gui.. Again more bad advice from the vpn providers - but then again they want you to send all traffic to them, not just the traffic you want to send.

Yeah, it 'feels' like something that takes too long to process which would be load dependent. Anything less that 5s always seems to fail though.
Add anything that might be relevant to the bug there.

Steve

@stephenw10
well I disable darkstat, even removed it. It did nothing. I can't see anything else packages wise that would cause this problem as I think I only really install darkstat, and cron...

I found the problem. I had a freaking traffic shaper! A while nack I was fiddling with trying to get a level balance of all primary devices. Once I disabled this I could get my speeds. All that for this!!

Screen Shot 2022-01-02 at 2.26.59 PM.png

well it was a good deep dive I guess, and I sure know what I sohuld be looking for in the future.

Thanks to all

Guy

@stephenw10 agreed, but I would argue its never "better" to bridge ;) hehehe

Not saying it doesn't have use cases.. But it should be the last freaking choice, and only as a stop gap measure until you can get the equipment needed not to do it ;)

If I was out of switch ports, and I could not disconnect something - and I had an extra port on pfsense. I would still prob just bring that up on its own network.. If I HAD to have it on the same L2 as xyz.. ok then setup a bridge. But this would only until I could either disconnect something and free up the switch port. Or my order for another switch or bigger switch came in ;)

Even in that scenario - I would most likely look for something I could move off the switch to an interface on pfsense that could be another network. So I could put this thing I needed on network xyz on the switch ;)

I had thought this only applied to the vmxnet NICs but if you look at the diff on the patch it actually applied to the VMWare PCI bridge so I guess this could still be in play.
It is odd though, it still comes up with 6 queues in the above example, just using MSI not MSIX.

@jegr said in Problem mit dem Service pfBlockerNG:

Die alte 2er bin ich mir gerade nicht sicher ob das nicht immer alles lief.

Dass weiß ich auch nicht mehr - ist schon rel. lange seit ich auf devel umgestiegen bin ...

@johnpoz yeah don’t worry I know they’re not the same but I’ve even tried to route through internally through PFSENSE by the host overrides and still nothing I am baffled

@mathschut
Wenn Hostnamen, IP und Zertifikat passen, muss es funktionieren, anderenfalls ist irgendwas faul.

Wenn du mit OpenSSL vertraut bist, könntest du damit überprüfen, ob das gelieferte Zertifikat passt.
Es gibt auch Services im Internet für diesen Zweck, mein vertrauter setzt allerdings Port 443 voraus und einige andere vermutlich auch.

Apropos voraussetzen, Browser tun das heute auch schon oft. Möchte man einen anderen verwenden, muss das erst in den verborgenen Einstellungen aktiviert werden.
War der Grund, weswegen ich zuletzt auch OpenSSL angeworfen hatte. Auf Port 636 wollte mein Firefox auch nicht freiwillig das Zertifikat laden.
Also vielleicht mal schlau machen, wie das bei deinen Browser geht.

@networknotwork you can create a feature request over on https://redmine.pfsense.org/

And if you found a bug/issue or improvement in the .tcshrc you could put that in there as well.

edit: This has been a enlightening thread to be sure.. I learned a bit about making sure your actually awake when testing something ;) and also about the stupid bell thing hehe, and got me to update my local ssh client too.

@stephenw10

I will try next. i'm new to pfsense, so will slowly setup as I go. thank you for all the inputs.

Nope. All is good.

Thank you "all" for the assistance and quick response.

@stephenw10

I may not use it. It fits my design goal, free. Totally not needed. And I'm not all that eager to have a video card fan start squealing. The box is in a work at home office.

Someone gave me an electric boat trolling motor. I'm looking at connecting it to the battery in the PFSense box UPS. Stick the propeller into the case. Cool that sucker DOWN.

There'd have to be some tweak to the NUT package though.

Now seeing the following in the NTP logs on both boxes. One with the SureGPS (new box) and the other with the UBlox GPS...

Dec 31 10:51:34 ntpd 19356 kernel reports TIME_ERROR: 0x2307: PPS Time Sync wanted but PPS Jitter exceeded Dec 31 10:47:34 ntpd 19356 kernel reports TIME_ERROR: 0x2307: PPS Time Sync wanted but PPS Jitter exceeded Dec 31 10:36:22 ntpd 19356 kernel reports TIME_ERROR: 0x2307: PPS Time Sync wanted but PPS Jitter exceeded Dec 31 10:31:50 ntpd 19356 kernel reports TIME_ERROR: 0x2307: PPS Time Sync wanted but PPS Jitter exceeded Dec 31 10:06:14 ntpd 19356 kernel reports TIME_ERROR: 0x2307: PPS Time Sync wanted but PPS Jitter exceeded Dec 31 09:57:58 ntpd 19356 kernel reports TIME_ERROR: 0x2307: PPS Time Sync wanted but PPS Jitter exceeded Dec 31 09:40:06 ntpd 19356 kernel reports TIME_ERROR: 0x2307: PPS Time Sync wanted but PPS Jitter exceeded Dec 31 09:35:02 ntpd 19356 kernel reports TIME_ERROR: 0x2307: PPS Time Sync wanted but PPS Jitter exceeded Dec 31 09:32:38 ntpd 19356 kernel reports TIME_ERROR: 0x2307: PPS Time Sync wanted but PPS Jitter exceeded Dec 31 09:27:50 ntpd 19356 kernel reports TIME_ERROR: 0x2307: PPS Time Sync wanted but PPS Jitter exceeded

On the NTP status page looks good...

Computer with Sure GPS

PPS Peer 127.127.20.0 .GPS. 0 l 8 16 377 0.000 -0.006 0.003 ntpq -p remote refid st t when poll reach delay offset jitter ============================================================================== oGPS_NMEA(0) .GPS. 0 l 15 16 377 0.000 -0.012 0.001 time-d-g.nist.g .POOL. 16 p - 64 0 0.000 +0.000 0.000 0.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000 2610:20:6f15:15 .POOL. 16 p - 64 0 0.000 +0.000 0.000 0.ubuntu.pool.n .POOL. 16 p - 64 0 0.000 +0.000 0.000 0.pfsense.pool. .POOL. 16 p - 64 0 0.000 +0.000 0.000 +time-d-g.nist.g .NIST. 1 u 31 64 377 34.472 +3.546 1.306 *ntp2.wiktel.com .GPS. 1 u 26 64 377 29.702 +3.131 1.278 +time-d-g.nist.g .NIST. 1 u 53 64 377 34.859 +2.847 1.668 ntpq -c rv associd=0 status=043d leap_none, sync_uhf_radio, 3 events, kern, version="ntpd 4.2.8p15@1.3728-o Fri Feb 5 22:07:56 UTC 2021 (1)", processor="amd64", system="FreeBSD/12.2-STABLE", leap=00, stratum=1, precision=-24, rootdelay=0.000, rootdisp=1.015, refid=GPS, reftime=e579b796.df8aca69 Fri, Dec 31 2021 11:08:38.873, clock=e579b798.9b3b4c7a Fri, Dec 31 2021 11:08:40.606, peer=1700, tc=4, mintc=3, offset=-0.002700, frequency=-6.038, sys_jitter=0.003059, clk_jitter=0.001, clk_wander=0.003

Computer with U-Blox GPS

PPS Peer 127.127.20.0 .gps. 0 l 6 16 377 0.000 -0.001 0.000 ntpq -p remote refid st t when poll reach delay offset jitter ============================================================================== oGPS_NMEA(0) .gps. 0 l 3 16 377 0.000 +0.000 0.001 time-d-g.nist.g .POOL. 16 p - 64 0 0.000 +0.000 0.000 0.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000 0.ubuntu.pool.n .POOL. 16 p - 64 0 0.000 +0.000 0.000 0.pfsense.pool. .POOL. 16 p - 64 0 0.000 +0.000 0.000 *time-d-g.nist.g .NIST. 1 u 40 64 377 35.688 +3.124 1.447 +time-d-g.nist.g .NIST. 1 u 9 64 377 35.765 +2.721 1.666 +time.nullrouten 132.163.97.1 2 u 54 64 377 59.810 +3.261 0.899 ntpq -c rv associd=0 status=041d leap_none, sync_uhf_radio, 1 event, kern, version="ntpd 4.2.8p15@1.3728-o Wed Mar 10 18:50:10 UTC 2021 (1)", processor="amd64", system="FreeBSD/12.2-STABLE", leap=00, stratum=1, precision=-21, rootdelay=0.000, rootdisp=1.120, refid=gps, reftime=e579b6c4.00030c50 Fri, Dec 31 2021 11:05:08.000, clock=e579b6cc.a1a5c47b Fri, Dec 31 2021 11:05:16.631, peer=41531, tc=4, mintc=3, offset=+0.001608, frequency=-43.364, sys_jitter=0.000807, clk_jitter=0.002, clk_wander=0.001

@snide_remarks

tripwire.mywire
Renewing certificate
account: tripwire.mywire.org
server: letsencrypt-production-2

Finally got it!!!

@jtd said in Connect Two Private LANs from Different Companies Using Netgate 2100:

There's a lot of communications going on I noticed that had nothing to do with the needed application

:)
pfsense is more than pf
A dedicated firewall gives you visibility and monitoring
Well done

@darkcorner said in Internet access lost with OpenVPN:

Why doesn't Internet browsing work without this setting? If I ask to direct all traffic via pfSense, I would have already had to use the DNS of pfSense,

Imagine the clients resides in 192.168.1.0/24, his network settings are
IP = 192.168.1.25
mask = 255.255.255.0
DNS server = 192.168.2.3

So his DNS server resides in another subnet, which he is able to access via his router.

Now the VPN clients establishes the VPN connection and as you have checked "Redirect gateway", the client changes the default route and point it to the VPN server instead of his local router. Hence he will no longer be able to reach the DNS server at 192.168.2.3, cause this traffic is directed to the OpenVPN server as well.

Why did the navigation stop after some time? If I was missing DNS, I was missing them from the start.

Possibly due to his local DNS cache.

@stephenw10 That is my guess. I will test it this weekend.

So what finally worked.

The Pfsense firewall has 7 interfaces, all bridged under 1 interface called BridgeLAN with BridgeLAN running the DHCP server. I wanted to let only 1 host out the internet without VPN because of GEOIP apps that requiring my country location.

viragomann gave me great direction any I tried his rule direction on every interfaces, what I found out that the BridgeLAN VPN rules superseded all other rule entrys because all the other interfaces are bridged inside the BridgeLAN Interfaces .

Like this

lan12.png

So I created the same rule to open that host above the VPN rule in the BridgeLAN rule and it worked as I wanted.

lan11.png

I know there is better ways to do this, and I will take any advice.

Thanks Again viragomann

@trigg3r said in Move services to the public IPs of the second provider:

Probably the helpdesk service often has to deal with someone not doing his homework, so they probably insisted that my config wasn't ok (despite what I wrote during a whole week of emails ...)

The problem is that this behavior make you a lot of work and steals your time, when you're not really a network expert.

But after reading this thread probably someone gave up in front of your reputation and ... ta-da! ... this morning everything is working fine ( "A change has been made to the receptive antenna, so please check again if remote access is now possible.").

Nice to hear. Thx for feedback.

@johnpoz I get the same address it seems. Is there a script command or something that I could use to release the address, wait five seconds and then renew the address? I'm pretty sure doing that at say 04 every night would solve the whole thing, since it's solved by doing that manually.

Or even better, an HTTP command I could send from my home automation (with POST message) that will do it? In that case I could also have a button in the living room so my wife could press it whenever NRK1 isn't working, and then the system would do the rest?

@jonathanlee I would suggest you go through the hangout by jimp

Youtube Video

While its a bit dated now with 2.5 and 2.6 around the corner.. I am not aware of any sort of major changes.. And for sure this hangout goes over the different options of doing https proxy.

@tigger1975
Freut mich, dass das endlich klappt.

Bei SSL/TLS ginge auch CSO für mehrere Clients, wenn du einen breiteren Tunnel einstellst. Allerdings, wie oben erwähnt, ich rate zu getrennten Servern mit jeweils 30er Tunnel. Das schließt schon im Vorfeld einige Probleme aus und alles ist sauber getrennt und gut konfigurierbar.
UND es erfordert nicht mehr Systemressourcen, was offenbar manche befürchten, UND OpenVPN Server Settings kann man in aktuellen Versionen einfach kopieren.

Grüße