Да, floating я не использую, про контроллер домена с ролью PDC тоже самое - он в одной подсети со шлюзом. Сомнения то вызывает именно отсутствие трафика на порт 123 с рабочих станций вне домена, где уж точно ничего не должно влиять на его прохождение. К созданию запрещающего правила сейчас попробовать не могу (60 человек без интернета явно не порадуются )) это надо делать в нерабочее время, но как попробую отпишусь дополнительно.

@johnpoz It's already working. I found this article https://www.netgate.com/docs/pfsense/nat/accessing-port-forwards-from-local-networks.html and use NAT Reflection for now. I will still look at the host override solution. Thanks for your help

So it was actually the changes here that created more proposals https://paste.ofcode.org/fgeLYyrqpmqFZj7NLs4t4P but now I get a "no acceptable ENCRYPTION_ALGORITHM found" message. So I'm working on that. Any suggestions are appreciated.

redmine.pfsense.org. You could do what you want but not all on one pfSense. And, if you think about it, one of the values has to be controlling. If you limit the whole circuit to 10M and 8 1.5M customers stress their circuits, someone is going to get less than 1.5M.

Please find the error msg Access Denied Access control configuration prevents your request from being allowed at this time. Thank

Thanks to Nino it appears as if it may actually be the PIA servers after all. Something in the configurations is throttling as I was getting great speeds from his OpenVPN server. I will reach out to PIA this evening and hopefully they will be able to shed some light on this. Is anyone else with PIA experiencing any throttling?

Thanks netblues, what I did was this. add the remote network(client) in the RW settings: IPv4 Local networks: local-network,remote network Latter, I add in the RWOVPN Rules, 1 rule that allow the RW network access the server lan, a 2nd rule that allow RW network access remote network using as gw the LB-GW from the site2site setup. In the client network, I didn't have to add nothing, this change was only in the server side. Is working, thanks netblues.

Você está utilizando dois Switches em cada LAN, ou configurou tudo usando VLANs em uma única interface? As máquinas nas duas faixas de rede têm acesso à Internet? Poderia tirar um print das suas interfaces de rede (LAN1 e LAN2) e do DHCP Server, por gentileza? ~Henrique

So I read this paper Dummynet AQM v0.1 – CoDel and FQ-CoDel for FreeBSD’s ipfw/dummynet framework The paper is written by the folks that implemented Codel and FQ-CoDel into FreeBSD ipfw/dummynet. I know @dtaht knows this because he reviewed the source and there is correspondence between them and he back in the day. I'm just catching up - thanks for your patience. Looking at the examples in the paper, I'm wondering why the Codel AQM is selected in the pfSense WebUI in the August 2018 hangout? Per the FQ-CoDel examples in the paper above, it does not seem appropriate and removing Codel as the AQM from the pipe and queue removes the "flowset busy" error @mattund mentioned 4 months ago. @dtaht this is why I was stating codel+fq-codel - when I first learned about FQ-CoDel being added to pfSense 2.4.4, it was in the hangout video which it instructs to choose Codel as the AQM. Concerning buckets and CPU utlization, I played with net.inet.ip.dummynet.hash_size which is the closest thing I could find to what you were explaining - pfSense defaults to 256 and I doubled the value on each flent rrul test up to 16384. I had to use sysctl -w net.inet.ip.dummynet.hash_size=$value on the fly in the console because /etc/inc/shaper.inc overwrites the setting to 256 any time you make a change to the limiters. I did not find setting this above 256 to provide real value. So, unfortunately I haven't made much progress...

Well, other than using it as a OpenVPN server for accessing all your devices when you're not home (something that you probably already did), I really don't know.. Cheers! ~Henrique

Good point, but I still have no idea what was causing the slow down

Hi Viragomann, that really did it, thanks for that. My rules are kept quite easy. As I only want LAN having access to everywhere I want to keep OPT1 from getting access to anywhere instead of "the Internet", so namely the following Destinations: LAN Firewall and now the Modem, too, for sure... The Network behind the LAN Interface shall be my Home Network (TV, PC, Printer, Wifi and maybe later some other stuff). Via OPT1 I just want to provide something like a "Just-Switch-it-On Guest Network" for granting Wifi without having to hand out the Key for the Network behind the LAN Interface. I recognized that you're from Germany so I guess you will know about FreiFunk. I just took my old FreiFunk TPLink WR841N Router and flashed it with OpenWRT for this purpose (that one's OPT1 for now). In addition: I just changed the Block order on OPT1 (from top to bottom: Bogons - This FW - LAN net - Modem)

@soder ECC is now enabled https://pcengines.github.io/#mr-15

Boa noite, Felipe! Seu interesse é em configurar um Load-Balance na WAN (usar os dois links simultaneamente) ou um Fail-Over? (usa apenas um link. se este falhar, o outro é utilizado) Tem também a opção de configurar o pfSense de modo que alguns usuários na rede interna utilizem o primeiro link, enquanto os outros utilizam o segundo. ~Henrique

Boa noite, Vinicius! Cuidado com essas regras de acesso total, hein! É convite pra problema. Primeiramente, você está tentando acessar esse WTS (desculpa, não sei exatamente o que é) externamente? Por exemplo, esse pfSense fica na sua casa, que tem esse serviço WTS e você está tentando acessar do trabalho? Eu já vi um outro usuário aqui nos Fórums tendo problemas de conexão com o TS também, mas ele não conseguia conectar de jeito nenhum. No final das contas, ele tentou uma porta pública diferente (3390) e funcionou, ou seja: o problema era o provedor dele que bloqueava essa porta. Mais uma coisa.. Você consegue acessar outros serviços externamente? Como um servidor Apache ou SSH? Tipo, tem outras portas abertas? Dependendo da configuração física da sua rede, pode precisar fazer outras coisas pra fazer o acesso externo funcionar. Seu pfSense está ligado diretamente na internet? (pega IP público na Interface WAN?) ou ele está dentro de uma rede interna? (NAT / gerenciada pelo seu modem) Boa sorte! ~Henrique

Do you actually mean opnsense? Because if so you should ask on their forum not here. But if you mean pfSense..... (which you should ) If they are routing the /28 to you via the DHCP assigned IP, which I assume is in a different subnet, this should be very easy. Just put that /28 on the DMZ. Use the first (usable) IP in the subnet for the DMZ interface and others for VM hosts inside it. You will have to disable outbound NAT for the DMZ as source so that the public IPs are routed directly. Steve

Boa noite, Felipe! Por gentileza, experimente: Acessar o site usando outro navegador; Acessar o site usando a guia anônima do Chrome (Ctrl + Shift + N); Limpar os Cookies do navegador e tentar novamente. Se você conseguir, crie uma rota estática para que qualquer acesso à este site passe por um link específico (avançado). Se nenhuma das opções acima funcionar, tente desabilitar um dos links temporariamente, se possível. Ou então, tente acessar usando a internet móvel de algum celular, só pra ver se o problema não é o site (apesar de que aqui está abrindo normalmente). Boa sorte! ~Henrique

Honestly, I don't know if the bad connector was the cause, but for quite some time before it completely broke, I also had a lot of (PPPoE) connection drops.. sometimes even twice a day, and taking up to 30 minutes to come back, but some of it could just have been an unexpected maintenance on their side, or bad configuration at mine (since I was still learning how to properly set up the Mikrotik), I don't know. So, yeah, that may be it. =) Keep me updated! ~Henrique

Alte raus, neue rein und die Interfaces in der Konsole neu zuweisen. Fertig.

@luckman212 said in Documentation for the 2.4.4 feature? : Default gateway : Default gateway IPv4 : Automatic: when upgrading from older versions that occasionally leave you with no internet access Funny you should mention that. I had to drive out to a location last week because of this new feature :)

Can we maybe see some screenshots of your settings? The credentials should be fine on BT. They know who you are by the actual line you're connecting on. You do need to have VLAN 101 set somewhere. That might be in the modem, it does appear to have that option: https://www.draytek.co.uk/support/guides/kb-vigor-130-vlantag In fact it appears to be configured like that by default if you have a UK model. That is how the BT modems are configured. Steve

Agora estou com outro problema, depois de aplicar o patch a lista de pacotes nao aparece no gerenciador.

@dennis100 I am seeing this as well on one of my boxes that still has BF-CBC as the encryption cipher. This cipher is susceptible to the SWEET32 attack and my guess is these UNDEF IPs are BOTs scanning and trying to run the attack. I am in the process of migrating all remote devices to AES128-CBC but in the mean time I have a "block all traffic from alias" firewall rule setup to block any traffic from the alias. Whenever I see a new UNDEF IP, I check GeoIP and just add it to the alias. Not perfect but better than nothing and it keeps our customers online until I can have a tech visit every remote location we have. If you are using a 64-bit block cipher or not using TLS auth, I would recommend switching to at minimum AES128-CBC and re-configuring the server and clients to using TLS auth, preferably with the the tls-crypt option.

@r0sebush the order as they appear in the gui, left out Time Periode, this is set to 15k

also i have same problem. after 2.4.4 upgrade 100 mbps internet connection now 8mbsp - 10 mbps with speedtest.. big bug...

I've used a few times so far. Works great!

Ja genau, das ist wohl die einfachste Lösung, wenn du ein DynDNS verwendest. Grundsätzlich kann der Update-Dämon auch auf einem internen Host hinter der Firewall / dem Router laufen. Einige DynDNS-Provider bieten dafür Scripts für verschiedene Plattformen an. Diese müssen nur als Service eingerichtet und konfiguriert werden.

I did not try putting the MikroTik on another port, however I did try only having two of the Intel interfaces up as WAN and LAN, and I still want up having problems. For fun, I tried installing the ESXi on the machine to put pfsense inside that. ESXi wouldn’t recognize the Intel at all.

@johnpoz thanks for the help man.

Boa tarde, Mulambo! Você criou um Traffic Shaper do tipo Limiter? Caso tenha, vá em Firewall > Rules, selecione a aba LAN e clique no botão pra adicionar uma regra ao topo: Troque o Protocol para Any, ou especifique caso desejado. Em Source, escolha a opção Single host or alias, e digite o endereço de IP da máquina que deseje limitar a velocidade. (Recomendo colocar o IP da sua própria máquina, para facilitar o teste. Depois dos testes você pode mudar para a máquina desejada.) Lá em baixo na mesma página, tem a seção Extra Options, dentro dela, tem um botão chamado Advanced Options (a última coisa na página), clique no botão. Desça a página toda, e procure pela opção In / Out pipe (geralmente, a penúltima), e escolha os dois Limiters que você criou anteriormente. (eu não lembro direito qual é responsável pelo Download e pelo Upload.. você vai ter que testar..) (EDIT: acabei de descobrir que o Pipe da esquerda é o de Upload (In Pipe) e o da direita, de Download (Out Pipe), se a regra estiver na Interface LAN) Clique em Save. Me avise se não funcionar, podemos testar outras opções. =) ~Henrique

Sortir avec l'IP LAN de pfSense n'a pas, d'un point de vue réseau, beaucoup de sens de mon point de vue. Mais, si la question est liée à BGP, qu'est-ce qui t'empêche d'utiliser sur le segment entre le routeur Mikrotik et le WAN de pfSense un range publique puisque tu as cette possibilité ? par exemple 185.106.161.252/30, avec Mikrotik en .254 et le WAN de pfSense en .254 Là où ça devient rigolo, c'est que tu veux 131 adresses sur le LAN, donc plus de 126 Il faut ruser un peu, à défaut d'avoir une autre plage d'adresses disponible. Par exemple 185.106.161.0/25 va te donner 126 adresses et 185.106.161.128/26 va t'en donner 62 autres. Donc au total assez pour couvrir tes besoins. Le seul effet de bord, mais peut-être est-ce un problème dans ton cas: tu vas avoir 2 IP LAN pour pfSense qui va voir passer tous les paquets entre le réseau /25 et le réseau /26 Mais c'est une solution qui fonctionne dans utiliser d'adresse RFC1918

What eactly are you wanting to do? Add 100 static dhcp reservations? Why would that require a reboot of pfsense? You can add a static arp with copy paste right at the cmd line... Why can you not just arp -f filename to load in as many static arps you want? If you want to add staticmappings just edit them into your xml backup of your dhcp server. There are many places and ways to convert a csv file to xml format.. Here is a thread from 3 years ago that is exactly what your asking https://forum.netgate.com/topic/91107/how-to-add-bulk-of-mac-address-with-ip-address-into-dhcp-server/9 None of which requires a reboot of anything..

I'm also having problems with limiters and shaper in general. I have upgraded to 2.4.4, and limiters dissapeared. I recreated them, but there was no incoming traffic at all. Upload traffic seemed ok. So, i reverted to 2.4.3 (it's a VM), but then i realized that in 2.4.3 i cannot edit the limiters, or the shaper, or bad things happen. Just by modifying the bandwidth on the limiters resulted in very low incoming bandwidth (something like 700 kbps instead of 3.5 mbps). So, i decided to delete all limiters and re-create them, and i got the same problem than with the upgrade to 2.4.4: no incoming traffic. Removing the traffic shaper (CBQ) also resulted on the same problem. Fortunately, i just reverted to a previous snapshot, and restored normal functionality. But it seems like i cannot modify anything at all on the shapers/limiters, or bad things happen. Not good. Maybe part of the issue was already on 2.4.3? Adding new functionality is nice, but lots of things can go wrong with every change. To me, reliability is much more important than new stuff, and lately i have second thoughts about clicking the update button.

@wesleylc1 After talkingw with Wesley this seems to have been fixed with a haproxy upgrade from 1.8.13 to 1.8.14.

IIRC, shaping over multiple LAN interfaces is either not fun to configure or doesn't work at all. I don't remember which.

No, we have our own internal tracker for issues that only affect our hardware. Thanks, though!