@hypnosis4u2nv said in Unbound Resolver Crash:

I have pfblocker also, does daily updates.

Something like this :

07c5fcb6-6b2d-4a66-aeed-99f6a94730ff-image.png

So, no surprise :

fbc1afad-3020-4b48-9987-d2c8a8955675-image.png

and now you've set everything up for "more problems".
Because :

@hypnosis4u2nv said in Unbound Resolver Crash:

For now I turned on a watchdog service for unbound.

The service watch dog is stupid, doesn't have brains, doesn't use AI.
It execute every minute, checks if tasks listed don't run, and if not start them.
What if .... right at that moment pfBlocker did it's daily thing, and restarts unbound ? Change are pretty great (No need for a 4 years Havard licence here, its 1/30 or 3,33 % chance for me as my restart took 2 seconds and the dog runs every minute = 60 seconds) that the watch dog finds unboiund not running, and start it. But it was already in the restart process.....
You just created more problems.
My advise : you'll get to the bottom of this, don't worry. Just don't use "service watch dog".

@hypnosis4u2nv said in Unbound Resolver Crash:

Memory usage:
9% of 16234 MiB

Ok, probably not a OOM event. That said, pfBlockerng uses PHP to do the loading, filtering and formating. PHP is very slow in doing this.
Do you have many DNSBL lists ?

@bartkus05 said in DNSBL Top1M TLD Inclusions not Saving / Restoring:

Got it fully working now

👍

My files also got auto updated after I've left work.

f3940fb8-86dc-4761-9931-3dbc5cdb0cb6-image.png

Be ware that "Alexo" might be gone soon, as it isnt' maintained anymore.

I guess this "TOP1M Whitelist" option isn't used a lot .... so not well tested against "all possible usage modes".

@tedquade
Thank you!

@stephenw10
Thanks for looking at this and helping me out, when i restarted the states, and toggled some firewall rules after testing with packet capture, it just randomly started working.

ive rebooted a couple times and changed things around and it seems to be good for now, not sure what caused the issue however, but i think i should be good now.

Thank you again for the help.

@stephenw10 said in VM access in LAN pfsense from home network:

add the routes to the Orange Pi directly

Okay, thanks for the idea. initially, I tried to add a path to the router itself, but I did not find such an opportunity. I'll try your idea tomorrow. Thanks for the quick replies, have a nice evening!)

@SteveITS I did a cold boot and the serial connection is working now. I was trying serial post boot prior to this and that did not work.

I am good now.

Thank you @patient0 and @SteveITS

@skogs Sometimes, it takes a village. :)

Thanks for the added information.
I think what I did not communicate properly is that I don't want to put a 2nd piece of equipment (or use their provided router) as I have in the past. I have traditionally opted to purchase a Cisco router, configure and put this in place as the intermediate piece instead of giving ATT any extra money.

What I am hoping to do is integrate the functionality and routing of this Cisco piece into the front end of the Negate, eliminating the hardware.

I think that one of two options might work:

Set up the WAN port with the serial IP, and set the LAN IP (from ATT) to a virtual IP. Route the virtual IP to the LAN on configured on the Netgate.

Utilize the virtual layers now available, set up 1 virtual to handle the ATT portion, and then have it hand off to the 2nd virtual which would be my normal Netgate firewall./router configuration, using the 1st virtual as my WAN interface.

I know they are using a Fortinet Fortigate router for the provided equipment now and doing this all in that unit - so it should be workable on the Netgate as well. Strangely noone has done this - or has taken the time to post and share their efforts.

Thanks

will do the tests!
Thank you.

@bp81 I ended up performing the addition using the first method you mentioned, plus the firewall configuration, and then it worked like a charm. It even added all of the packages to the new node.

Now, I'm dealing with an IPSec speed issue, but that is a whole separate issue and one I have already opened another thread on.

Thank you for taking the time to reply; it is much appreciated, and now if someone else is looking for the same thing, they have some really good options!

Have an excellent day!

TSoF

@Tobi said in Fritz!App Fon (Handy VLAN A) zu FritzBox (VLAN B):

Das ist zwar für mich ganz dünner Boden, weil ich nun mal kein "Netzwerker" bin. Woher soll die Sense denn wissen, was sie mit einem neuen/ ankommenden Paket machen soll?
Es wird doch von innen nach außen alles geroutet aber von Außen nach Innen?

Außen & Innen sind keine Dinge, die ein Gerät kennt. Es hat lediglich Routen. Jedes lokal anliegende Netz hat implizit eine Netzroute mit fast höchster Prio. Die Sense weiß also in welchen Netzen sie steht und wo sie Pakete zwischen den Netzen hin und her verteilen soll. Alles was sie NICHT weiß, schickt sie an die Default Route - dafür ist sie da :)

In der klassischen Situation:

FB <--> pfSense <==> Netz(e) intern

wie man sie oft antrifft, steht ja die Fritte als Provider Kiste vor der Sense, ergo ist der Weg dahin für die Sense immer einfach -> es geht ja eh alles raus, was nicht intern bekannt ist. Problem hat hier die Fritte, denn die hat nur die Sense als Nachbarn, sieht aber die internen Netze nicht und hat da keinen Schimmer von und da ihre Default Route raus ins Internet geht, kommt da dann ohne NAT ausgehend aus der pfSense kein Paket von innen mehr dorthin zurück - außer man setzt statische Routen in der Fritte.

Umgekehrt: Wenn die FB aber in einem internen Netz parkt, wie alle anderen auch und die Sense direkt Internet hat/macht oder es eine andere Kiste davor gibt, dann ist die Default Route der Fritte ja die Sense selbst. Alle Netze an der Sense sind dann problemlos erreichbar, weil die Pakete von/zur Fritte dann ja immer über die Sense laufen und dort die Netze alle bekannt sind. Die Fritte kennt sie zwar nicht, aber da diese auf dem Rückweg eh alles an die Sense schickt - kein Problem, denn die kann dann regeln und kennt wieder den Absender. Ergo ist hier intern hinter der Sense zwischen den Netze kein NAT nötig, die finden sich alle.

Cheers

@Gertjan said in Change TTL to Block Internet Sharing by NetShare or Bluetooth:

@horasjey

Ok did some searching for you.
Found this Change default TTL value

That was true in 2018, nothing, afaik, changed since.

Global answers : pfsense change TTL.

edit :

@Gertjan said in Change TTL to Block Internet Sharing by NetShare or Bluetooth:

Not sure if it possible with pfSense.

That's a long answer for 'dono'.
So how would I be able to answer :

@horasjey said in Change TTL to Block Internet Sharing by NetShare or Bluetooth:

here is the TTL config on the pfsense device sir?

?

thanks @Gertjan

@keyser Because i've seen it can be pretty intensive, I'm going to enable it only when the needs come up. Ive seen folks leave it on which i guess you can do but seems a bit much.

I appreciate your advice!

Finally managed to solve it.
The issue was that the gateway wasn´t getting an IP address automatically because the VPN interface was created from 0.0.0.0/0 on my side.
Had to manually assign an IP address to the interface using the console (you cannot do it from the GUI).
Once I assigned an IP address to the interface (an unused /30 range) I was able to create the gateway on that interface and assign it the routes.
Then the routes showed up on the routing table and everything worked.

I assume the lagg settings must be correct since it works after re-saving.

It does seem like some issue at boot caused by the delay setting up the lagg I agree.

We need to determine exactly what has failed when that happens.

If the WAN/lagg has a valid public IP and the default route shows the correct gateway then I would expect to be able to ping out from Diag > Ping for example. Even if Unbound (the DNS resolver) fails to start the system itself should still be to ping by IP, to 8.8.8.8 for example.

You may not have the required automatic outbound NAT rules preventing LAN side clients connecting. Check Firewall > NAT > Outbound.

Check the system logs after rebooting. I suspect what you will see is that when the WAN connects and gets an IP it is ignored because it happens during the later bootup process.

@stephenw10 said in Pfsense constantly dropping WAN:

@xMrMurderx said in Pfsense constantly dropping WAN:

pfsense drops WAN within 2 minutes of a config save, then 30 seconds later LAN goes down. I'm unable to SSH into pfsense, and using a monitor and keyboard the console is locked up

If the console stops responding that implies some more serious issue. Does it even respond to ctl+t? That can sometimes show something when nothing else does?

Or does the caps-lock key/led work on a directly connected keyboard?

After you reboot do you see anything logged?

Ctrl+t did nothing. Num, caps lock etc lights turn on and off when I hit them, but yeah the console is completely frozen.

This guy has the exact same setup with the same intel nic, same problem as me. There's a few other reddit and forum threads about this specific PC build with intel cards giving the same issues. I just wish I did a little more research before buying the card haha. It's been a little over a month of running stock pfsense because of this issue.

But yeah, problem has been resolved. Threw in a different card I had lying around and everything has fixed itself.

@stephenw10 Tks my friend.... A project for this week end when my wife goes to sleep :-)

And my customers too.... ( I have 2 sites... Site two can handle the load ( eMails gateway..... oops I'm sharing too much)

Hmm, so the most recently created BE is still enabled?

In that case it must have reverted the config if it couldn't load it. There should still be logs showing that.

Hmm, so what changed? Were you using the non-serial memstick previously?

@Gertjan
Yes, it looks like the issue is indeed with the zombie process. If it happens again, I'll definitely check. Thanks for the idea.