Netgate Discussion Forum
    Limiters break ACME LetsEncrypt renewal/account key registration

    Traffic Shaping | 16 Posts, 4 Posters, 2.2k Views
    • bartkowski @Gertjan

      @gertjan Yes, those rules.

      I thought that changing the Protocol from ANY to TCP/UDP for the 'out' rule was going to do the trick, but no, it still fails.

      Doesn't your setup contradict the document jimp linked, namely the "match" vs "pass" in floating rule for WAN out?

      • Gertjan @bartkowski

        @bartkowski said in Limiters break ACME LetsEncrypt renewal/account key registration:

        Doesn't your setup contradict ....

        Yep.
        I actually just discovered this new(?) pfSense documentation page: https://docs.netgate.com/pfsense/en/latest/recipes/codel-limiters.html
        Great! Finally some good info from a source that doesn't need the 'fact check mode' to be set at 100 %. Thanks, jimp.

        I was pretty sure - reading the thread where I saw (too) many step-by-step how-tos - that it should be "match" and not "pass". Not that I understand the real difference between the two of them. I "thought" that "match" was the one to use as it is used to force traffic through a given gateway - using the supplied limiters, the up and down CoDel queues. This is my 'in brain' explanation ;)
        I changed my 2 (2 + 2 actually) to "pass" instead of "match" and did a test on my favorite http://www.dslreports.com/speedtest test. The result was the same or slightly better.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • SteveITS (Galactic Empire) @Gertjan

          @gertjan A match rule will match and queue traffic without blocking or passing it, meaning a pass rule would allow traffic. Ergo, just be careful a pass rule isn't allowing traffic you don't want to allow.

          Match is also "last match wins" by default as noted on that page, in the Quick section.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          • bartkowski

            I switched the In / Out pipe queue order around in my WAN > out rule, and I was able to get ACME to register the account key, but of course the Download result was now matching my upload speed (I have 300/10 from Comcast) set by the WANOut_Q limiter queue (10500 Kbit/s).

            • bartkowski @bartkowski

              Side note: I managed to crash my pfSense while changing some parameters on the Limiter, while also switching back to Kbit/s from Mbit/s.

              • bartkowski

                In preparation for 22.01 update, I discovered that my Auto Config Backups were not being created. To my surprise, disabling my shaper rule allowed the backup to complete. What could this be?!

                • Gertjan @bartkowski

                  @bartkowski said in Limiters break ACME LetsEncrypt renewal/account key registration:

                  What could this be?!

                  That's what I was asking myself the entire afternoon.
                  Updated @home (virtual machine) to pfSense CE 2.6.0: RAS.
                  @work: unbound ..... to use simple words: refuses to resolve ....
                  Switching to a pfSense minimal default config: all was fine. So, nice, it's something in my setup.
                  [ ..... 2 hours later .... ]

                  It looks like my limiters and/or the floating firewall rules that use these limiters are the issue.

                  I ditched them (floating rules first, then my limiters). pfSense was now fine.

                  I reconstructed the limiters as per https://docs.netgate.com/pfsense/en/latest/recipes/codel-limiters.html

                  Added a firewall rule (just one?) as per the instructions on the same page.
                  I wasn't looking at the console but pfSense was rebooting - that's the first time for me in years.
                  I'm investigating.

                  • bartkowski @Gertjan

                    @gertjan said in Limiters break ACME LetsEncrypt renewal/account key registration:

                    I wasn't looking at the console but pfSense was rebooting

                    Did you crash? That's what happened to me if you read an earlier post, just unexpectedly.

                    • bartkowski @Gertjan

                      Hey @gertjan, have you figured out anything?
                      I'm still scratching my head - I have two services that fail to work: ACME and Auto Backup.

                      • Gertjan @bartkowski

                        @bartkowski
                        Noop.
                        Not using limiters right now.
                        "They" know the issue exists, something good will come out ... soon ...

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.