@greatbush well you can ping other interfaces on pfsense, just not the 172.16.64 one.

At a loss.. You have no floating rules.. And looks like your rule triggered and state are created there in that top rule you posted trying to talk to it.

You have no floating rules - and no current vpn tunnels..

Yeah at a loss to what would cause that.

Can you talk to any of the other 172.16.x interfaces you have via the route table you sent..

@revengineer yeah my issue is different from yours than, but we actually don't know if @70tas 's is. They are using xfinity also so it could be the same issue as mine.

@stephenw10 Today I rebooted the host (Hyper-V) and had no problem at all. Don't know if this points towards being a weird virtualization issue... But then, why would WireGuard be effected...

@stephenw10 Unfortunately I am going to have to wait till I can bring down the network to test. If I take it down now and it doesn't come back up I will be having some hell to pay from the family...lol. 😃

so i kinda got it working... i spent hours fiddling

under the general setup i set up

10.0.0.243 for the one PIA VPN
10.0.0.241 and i set it to WAN and i tried also none

i guess when you set to none that means whatever gateway is avaliable will use it??

ive tried again using 1.1.1.1 for WAN but i find it leaks the cloud flare on the vpn which i truly dont understand as i always figured the ip address you give is specific to that gateway and not share over all the connections..

so i testing with the 2 pia vpn ips.. for now it seems to be working but will see by tommorow.. i been testing stuff all day so ill let you know how i make out

@chpalmer said in Strange behavior with gateway:

???

When the default gateway is set to a failover group the 'Default' column in the gateways list should show the tiers. But in this screenshot it doesn't: https://forum.netgate.com/post/1221365
That's unexpected.

@JKnott said in Should my dhcpv6 clients also get a /64 address?:

@Gertjan said in Should my dhcpv6 clients also get a /64 address?:

In a pure SLAAC setup you could even disable the DHCPv6 server. (Never tried this, I hope I don't say stupid things here)

I have never enabled it. Just enable RDNSS to provide the DNS server address. That's the Enable DNS setting, under DNS configuration, on the Router Advertisement page.

That approach seems to work: just stopped dhcpv6 servers on all interfaces, and addressing and net functionality seems unchanged.

Well, that is simple. Thanks!

@Gertjan oh I missed that - my bad.

@gtrdriver said in VPN Performance bei S2S:

Die Rechner auf denen PFSENSE läuft sind recht peformant ich kann mir nicht vorstellen dass die CPU hier das begrenzende element ist.

Kannst du mal bitte trotzdem die genauen daten der eingesetzten Hardware nennen, hat die Hardware Realtek NICs?

Ich haben 2 x Netgate 6100 an GLAS 1 Gbit/s symmetrisch und die macht das ordentlich mit OpenVPN (habe jetzt keinen iperf, deshalb kann ich keine werte liefern). Privat habe ich meine Netgate 6100 und die macht an meinem Internet Zugang mit PPPoE auch einen guten job.

@tinfoilmatt said in Netgate Documentation on DNS over TLS and NOT using DNSSEC:

I've never encountered any problems

And what have you gained by asking for something that has already been done.. You mention you leave 0x20 off for performance - but want to do a bunch of queries for dnssec that make no matter?

@reberhar Piece of cake.

Really fast with no problems.

I enabled my iimb by hand. Seems to work fine on my 6100.

FWIW, the current documentation indicates that the default value of kern.crypto.iimb.enable_aescbc is 1 (enabled), although it has a warning that iimb can be slower than qat for cbc. I don't use cbc, so it doesn't matter in my case.

I think the documentation is incorrect or outdated (at least for the 6100), as the code in /etc/inc/config.console.inc explicitly sets kern.crypto.iimb.enable_aescbc to 0.

FWIW, there is also an interesting note on the qat/iimb trade-off earlier here. YMMV

@johnytb said in Gtek 2.5G (Intel I225 Controller) PCI-E x1 Network Card not recognized by the pfsense:

can you explain to me what exactly is this interface that you show here ?

That's pfSense most important interface 😊
The one that works when even all your NICs don't work.

Its called : the console, which could be a serial connection, or, if you have VGA/HDMI build in, it could be that and a (USB) keyboard.
Or : If the LAN NIC is working, you 'ssh' into your pfSense using a SSH client like putty or classic 'ssh'.

Keep in mind : what happens when you have a disk drive issue ?
=> pfSense can't boot.
=> Network interfaces will all by down ...
You the the console (serial or VG/HDMI/Keyboard) access.

For command line commands I use the ... command line = console (or SSH) access.

@iggybuddy6 I'm just happy I could help. Today I went from thinking I knew everything about setting up wg on pfSense, to realising I did not, and that is a great reward in itself!

Hopefully your setup will remain stable going forward.

@OracPrime

If you use "pppoe" as a WAN connection method, the upstream device, the Fritsbox, is just a modem type device ...

One of the advantages (probably the only one) of using pppoe on the pfSense WAN : the pfSense WAN interface uses the real outside world IPv4.

No need to 'dmz' or 'NAT' or 'redirect' anything to pfSense. Everything will reach the pfSense WAN interface.

Yes as long as it matches the traffic against a rule that's above the policy routing rule that will work.

@hansolo77

Checking what pfSense does every hours sharp - or some other regular moment, is a good start.
But don't stop there !
Check also : all devices connected to your pfSense LANs ! as these can all do something at that very moment.

ISP love to sell you numbers. Like 'a 1 Gbit/sec connection just for you'. If the country where you live has some enforced consumer rights movements, these ISPs add now at the bottom of the contract "... or whatever we have avaible for you".
After all, ISP tend to hookup up entire roads, cities, etc to one main equipment with, guess what, a limited, up front determined throughput. For example : you all share the same 100 Gbits very expensive router/switch.
If more then 100 clients are hookup up to this expense router, then ... you get it : what happens when every all these clients, all their devices, do 'something' at xx sharp ? So you have to check all of them (which you probably can't do) - or disconnect them all while you are testing.
You can even go one level higher, and check all the POP of your ISP ....

Inspecting the cron list is one thing.
You still have to use the console or better, the SSH access, and use menu option 8, and type 'top'.
Make sure the list is sorted at 'CPU usage'.

Use also this command :

ps aux

and look for the process that mention minicron, these are also timed processes.

On my pfSense :

[25.07-RC][root@pfSense.bhf.tld]/root: ps aux | grep 'minicron' root 89370 0.0 0.1 13980 2484 - Is 18Jul25 0:00.00 /usr/local/bin/minicron 240 /var/run/ping_hosts.pid /usr/local/bin/ping_hosts.sh root 89826 0.0 0.1 13980 2480 - Is 18Jul25 0:00.00 /usr/local/bin/minicron 300 /var/run/ipsec_keepalive.pid /usr/local/bin/ipsec_keepalive.php root 90216 0.0 0.1 13980 2500 - I 18Jul25 0:00.17 minicron: helper /usr/local/bin/ipsec_keepalive.php (minicron) root 90313 0.0 0.1 13980 2476 - Is 18Jul25 0:00.00 /usr/local/bin/minicron 3600 /var/run/expire_accounts.pid /usr/local/sbin/fcgicli -f /etc/rc.expireaccounts root 90699 0.0 0.1 13980 2500 - I 18Jul25 0:00.01 minicron: helper /usr/local/sbin/fcgicli -f /etc/rc.expireaccounts (minicron) root 90868 0.0 0.1 13980 2504 - I 18Jul25 0:00.20 minicron: helper /usr/local/bin/ping_hosts.sh (minicron) root 91166 0.0 0.1 13980 2480 - Is 18Jul25 0:00.00 /usr/local/bin/minicron 86400 /var/run/update_alias_url_data.pid /usr/local/sbin/fcgicli -f /etc/rc.update_alias_url_data root 91830 0.0 0.1 13980 2504 - I 18Jul25 0:00.00 minicron: helper /usr/local/sbin/fcgicli -f /etc/rc.update_alias_url_data (minicron) root 84792 0.0 0.1 14076 2688 0 S+ 08:49 0:00.00 grep minicron

The "/etc/rc.expireaccounts" is an hourly process, and afaik it doesn't communicate, and takes a split second to execute.

Normally, with a vanilla pfSense (no addons, no pfSense packages) there is no 'download every hours xx Mbytes' process.
pfSense will update some small files ones a month, will check up with the Netgate update servers to see if there are pfSense or package updates avaible, but this will not create big loads of traffic, and last probably for a second or two.

@w0w I am seeing indications in the log it isnt going down as you suggested, as an example dpinger stayed running on static pid, logging almost every second ping failures. Also no switch of gateway, when the switch criteria is "down" state. (my phone was left in all night as a internet uplink).
If its failing to go to a down state, it would make some sense as to why a manual restart works and leaving it alone doesnt. As the obvious question is what is different between me restarting it manually and it trying to restart itself, there must be a difference.

When I intervened dpinger exited on signal 15.

OK so it looks like you had two issues:

The installer didn't work as you expected it to but you were able to get 2.8 installed and booted.

The resulting install didn't behave as you expected. That's independent of the installer and 2.7.2 would have behaved identically in that situation.

So after install you assigned two interfaces, pfSense names them WAN and LAN but any interface can be anything. And you configured them both to be DHCP since both subnets already have a DHCP server?

The typical subnet conflict that users hit when installing behind another firewall if that pfSense uses 192.168.1.1/24 as the default LAN address and that subnet is also used by the upstream firewall WAN side.
I assume you didn't hit that since both subnets already existed in your network so must be using different subnets? What are they?

However you then say you set the LAN back to a static address? Presumably in the same subnet?

By default pfSense creates firewall rules on the LAN interface to allow access to the webgui there. That applies whether the LAN is static or DHCP.

How exactly were you trying to connect? From where?

If anyone wants to test this out

https://github.com/pfsense/FreeBSD-ports/pull/1420

I did get it to fully compile with the adapted Makefile they disable SMB_LM that has been removed