@Derelict I am certain I have come across some sort of bug in pfsense that when IPv6 is enabled, IPv4 performance decreases by about 2mb/s both up and down. I have done lots of testing tonight and Telstra's router does not suffer this issue, only pfsense. The moment I turn off IPv6, I get my full speeds back. The moment I turn on IPv6, I lose 2mb/s down and up on IPv4. I cannot replicate that on Telstra's router. I maintain full speeds on IPv4 with IPv6 enabled on Telstra's router. What additional information would you need to help isolate what this bug would be?

@ciscox That's what I see when I use the Resolver as Forwarder.

Think you forget the 0 on your 3 there Derelict... Your 4 days in already.. ;) This is clearly simple facebook sort of post -- suggest you get your help over there since you don't seem to want to take Derelicts ;) Sure they help you out in couple of mins..

Hmm, interesting I hadn't considered that. Just as a test you can add you current IP as the destination though. You don't want to have that open on all ports permanently. If it works we can look at why it worked and how to replicate that woth port forwards. Steve

It's the Windows clients in Azure that need the route. That can either be added on each client or you can add it to the Azure routing for your VPC (or whatever Azure are naming the local subnet there). That will then apply to traffic from any client that hits the Azure gateway. You can assign the OpenVPN interface there to get an additional logical interface. Because it would be the second interface it will appear as LAN which might make things even more confusing! WAN and LAN are just names though. Steve

@johnpoz said in Does anyone have a link to a good site for Multi WAN: osed to public inter Sorry I think it is just a bridge and on the HV1 and HV2 is untangle running as firewall if I remember correct.

One method: https://docs.netgate.com/pfsense/en/latest/interfaces/accessing-modem-from-inside-firewall.html

@pigbrother said in mikrotik+openvpn+Pfsense: Так все же МТ - решение из коробки? Или нет? Ну, скажем так . Коробочку еще надо знать как открывать. Тут в общем нужно немного иметь опыта с микротиком т.к. нюансы все таки есть, и самое главное разбираться в сетях. А то бывают разные специалисты ;-)

@johnpoz Thank you for all you help.

So set VLAN 1 on port 1 to Untagged.

@bimmerdriver said in ipv6 disable on Pfsense: Microsoft, as much as everyone likes to bash them, has embraced IPv6 since the Windows 7 Actually, XP SP3 almost fully supported it. There was some minor thing that didn't work, but it didn't have much effect overall. I know it worked fine for me. My first Android phone, a Google Nexus 1 also supported IPv6 and my current Pixel 2 even has IPv6 tethering, with a full /64 prefix.

@ngoehring123 Tried that either

@stephenw10 Hi, I saw that too and checked for "SU" and "Su" and only "Internal_Subnets " exists so I have no idea where that came from either. I clearly must have accidentally clicked on on the Wizard at some point in the last few days and not noticed leading it to get very confused. It all seems good now though. Thanks again for your help G

Do you see blocked traffic in the pfSense firewall log? It seems like your client has the wrong default route or no default route. It looks to have the right gateway though. Hmm...

Ok, so the final update, I have everything fixed now (at least till now) So the final trick is to set my switch to tag port 5-8 which connect to my 4 APs apparently the tp-link APs will receice packages on it's selected wirelss VLAN + anything that's untagged (without vlan header) after change my switch to tag vlan1 on port 5-8 it ensures all the vlan1 tag won't be removed when outbound the port, which fixes the RA flood issue. Thanks everyone for the help

The quality value shown in brackets denotes the accuracy of the timecounter source which is why HPET was chosen by default. That can be a problem when all the hardware is virtual, some may be virtualised better than others for whatever reason. I can't really advice you on KVM settings directly. I would think anything that is different to the host CPU is going to require more processing from the hypervisor. Passing CPU cores directly to the VM is probably better. But as I say I don't use KVM so that's speculation. I'm sure there are others here who can give better advice there. Steve

@johnpoz said in Browsing nfs share in other VLAN not working.: @herman said in Browsing nfs share in other VLAN not working.: When the family is watching a movie and I start to copy large files the movie stutters or even stops. And the kids do not appreciate that :-) If your loading up the server, might not matter if your on another interface or not if your sucking up the I/O to a shared disk or CPU of the machine. If your on a switch you doing something between A and B doesn't effect traffic between C and D.. Adding another interface on B, will only solve the problem of stuttering a streaming movie if the only problem was saturation of the interface.. But if your working with the same disk that the movie is streaming from... Your issue might not be network bandwidth it could be your hitting the I/O of the disk limits, or the cpu of the server streaming, etc.. Thank you @johnpoz for the info... I wil dig in it.

I would only expect to have to push the compression setting if you have changed it to something other than the default. Steve

Yes, you're right :/ ... I'll try either using port forwards or setting up another internal IP for the second 1:1 NAT (will report the result tomorrow as I have to do it overnight)

Yes. I have a PPPoE WAN but fortunately/unfortunately it's no where near fast enough to worry about this. No benchmarks for the C3958 but if we assume it's the same as the C3858 but with 4 more cores then it should make about ~40% better single thread performance. It does seem like a waste of cores unless you virtualise it. Steve

Как вариант, можно попробовать воспользоваться директивой ipset в dnsmasq — вроде как для pfSense он собирается с ней.

@johnpoz Well, maybe you're right. Because it does make sense that something else was getting in the way of unbound. I just know what I saw under system services because I thought of that several days ago and specifically looked to see if BIND was running or not. After I installed suricata and pfblocker on my test install and DNS resolver still worked as it should, that triggered me to go ahead and uninstall BIND because it was the only difference between my test and production pfsense units. But either way, the problem is solved, and I appreciate your help in doing so. Have a great weekend, Nate

Wanted to get some feedback on DNS privacy from the group, I've gone back and forth on this issue several times and it seems that there is no perfect solution. Either you run your on recursive resolver with QNAME minimisation or you forward to an external resolver via TLS over DNS. I've never been a fan of passing the security buck on to someone else, which is exactly what you're doing when you forward via TLS to Cloudfare or others, you are trusting they are not using your data for nefarious purposes and maybe they aren't .... today. But that leaves running your own resolver which still posses privacy issues for the ISP or others inline who can sniff the traffic. Some of this is mitigated with Qname mimimisation but the last query from the resolver to the authoritative server will have the full query.

I set on accept for Promiscuous mode, mac address changes and forget tramits on WAN vswitch, Since my network goes Virtuel WAn switch-pfsense-virtuel LAN switch. Also very important to note that is a reboot of whole esxi is necessary for it to acctually implement the changes made. I didnt discover this at beginning.... so alot of my testing was flawed cause changed wasent acutally being made... Thanks for all help.

Cool, glad you got it working. Steve

Yeah my guess but can not seem to find it in the conf is this ssl.dh-file="{path to dhparams.pem}" So not sure what its using if not called out? To be honest this isn't really that big of deal - other than people doing such scans and thinking the problem is pfsense ;) hehehe I set up pfSense and I was checking for general vulnerabilities. No where did he mention installed "optional" packages xyz, and abc, etc..

@Grimson the rest of the server is pretty much idle, I stopped and closed everything for the tests. Basically it was just this pfSense VM running on a 20 cores CPU +16GB Ram on Supermicro X10SRL-F (Intel 612 chipset). Don't you think it should get the full gigabit? The VM has the NIC on passthrough and on RAID1 SSD

Yeah unless you write this code yourself or place a bounty for it to happen... I don't think this is ever going to happen.. There are a bajillion better things the dev's could be doing - like changing ui to a cooler looking font... Which would fine 10000X more interest from their user base then like the 2 people that might want such a feature ;) You have the time to create a reservation for client and put in the NAM and the mac but not the IP? I don't care if you have a 1000's freaking clients.. You know you could just load this in from a file right? You don't have to do it all by hand in the gui. I can load 1000's reservations via an xml restore in couple of seconds... Vs all this nonsense of just put in reservation without the IP. And then on the other end - if you have 1000 freaking clients if they get an IP who freaking cares if their name is deviceXZY or YourName, etc.

@gertjan said in Users on the LAN network do not surf the internet: Hoho : No bad mood at all on this side. All reflexions are here to help you. Remember : we all have been there - and most of us seen it all already. We're all expert in doing this fast, good and stable (so you can pass on to other things fast !) Thank you so much for your encouragement. I also thought about abandoning Virtualization, because that's the problem in my opinion. Thanks again

Thanks KOM for your help and your patience.

That is a good, stackable, PoE, gigabit switch. Beware that I believe the fact that it is PoE means it is not fanless. The ICX6430-24 (non-PoE) is fanless. You also want to confirm if it is a 6430 or a 6450. The item description says 6430 - the description says 6450 which is a base layer 3 switch. The 6430 is not.

If you want to keep using the resolver, Unbound, you can switch that to forwarding mode instead. That allows you to use DNDBL for example. Or in 2.4.4+ you can set a failover gateway group as the default gateway (cannot be a load-balancing group) and keep using Unbound in resolving mode. Steve

at Johnpoz Thanks for that. I'll give it a go (the worst fate is that guests have no access for a while, but then I don't get a million guests a day and I have an unlimited-data 4G modem if my occasional guests are "unhappy"). I am "greenfield" in a sense -- I have total and exclusive control over my networks and report only to myself in the event of a disaster (yeah, I might get some $#1t from Madame, but there is always the 4G modem to calm her down). I have elected to move to "my-net 3.0" -- my decision was unanimous :) Why do I seek tagged admin? Most VLAN attacks go for VLAN1, or failing which, go for native-VLAN. I ask myself WHY should I have VLAN1 or native-VLAN connected to anything at all ... let alone to the admin heart of the network -- just seems a silly choice! Off to the mountains for skiing: you wont hear from me for a week or two, but I'll report back. Appreciate all the feedback so far. regards, Chris

If you edit the shabang line to use the correct path to the binary, yes. If you have more questions, please start your own thread as it isn't related to this topic.

@johnpoz said in Simple address forwarding: Your going to run into all kinds of problems trying to route stuff when the stuff is on physical and doesn't use pfsense as its gateway. If pfsense is not going to be a gateway to the internet then these networks do not even need to be wan.. 1 could be pfsense lan, and the other could be opt network. But according to the docs, WAN is required so is it possible to run pfsense with only LAN and OPT interfaces? On a separate note, when I cloned the VM, the MAC addresses changed. Can I control the assignment of which mac address is bound to em0 and em1? update on last week, I didn't have any virtual IPs since I wrongly figured the pfsense could see them both and ping them, but then once I added virtual IPs my 1:1 NAT forwarding started working.

Yeah, I called them 10 minutes before you did and straightened them out for you.

Thanks everybody for the replies! I understand it's not Snort's job to resolve the domain and I don't have any problem with seeing these kinds of alerts. However I would have at least expected it would be able to show me which domain is being looked up, moreover once the communication is established (e.g. someone visits the website or downloads something from it) Snort would kill that state and put the IP in the blacklist.

Then just change your wan from dhcp to static and put in the info.. You will have to create the gateway then, etc.

Ok here you go.. So create a new CA. Download the CA cert to your machine. Now create new CERT using that CA. Give it a desc name, pick your new CA, put in the common name for your pfsense box, ie its fqdn you use to access it.. Mine is sg4860.local.lan Any other optional stuff you want to fill out. Make sure you change it to server cert vs user cert And SAN (alternate names) for your pfsense box, or any other device your going to install this server cert on. Make sure you add the FQDN SAN.. Many browsers now require this not just the common name on the cert. You can even put in your IP if you want to be able to hit the IP as trusted. Install the newCA as trusted in your browser - this is firefox Change pfsense gui to use the new cert signed by your newca And there you go bing bang your trusting your pfsense gui, green and pretty. And you can even use the the IP to get to it still trusted and green Now your good for as long as you made the cert for - 10 years should be good ;) Any questions just ask.. While its a lot of pics and looks like a lot of steps.. Its really only couple of mins tops! Now your shiny new CA, can sign off on any boxes you want to put certs... Any browser that trusts your CA will trust any certs signed by your ca, IE, FireFox, Chrome, Opera, etc.. Even your mobile devices browsers can trust your CA. This one time thing for any devices that devices under your control will access. But this sort of setup is not good for when the public are large groups of devices/browsers you do not control - or are not willing to trust your CA, etc. But since say the pfsense gui should only be accessed by "admins" of your firewall.. Say YOU only then this is simple solution that is one time thing and then good for years and years.

When you run tcpdump on the interface in pfSense you see eveything the driver is sending but that might not necessarily make it onto the wire. By using a switch in between, mirroring the port and capturing on there you see what traffic is actually going back and forth. Steve