Forum Topic

Unified PFSense Users

  • ^I think you're getting the wrong idea here. The point of what we're talking about is the limitation the ISP gave him (I think around 30k active states). Since he can't go beyond 30k states, the only solution to bypass this is to get a static IP service from the ISP. This can also be fixed with a VPN service, not as good as having a native IP address, but meh.

    @adamgwap5

    I suggest getting a VPN service. Sooner or later, since there's a law being cooked up about this here in the Philippines, better go ahead and anonymize everything on your torrent as soon as possible. I've been on AirVPN for 2 years now too, even though I still have a public IP with PLDT (knocks on wood, I might get moved to CGNAT anytime soon).

    I'm planning to switch to Globe after my contract with PLDT expires, because their plan offers there are nice: 5k for 500mbps unlimited. Then just add 700 pesos for a static IP, so it comes out the same price as PLDT's, but that one is under 300mbps speed only, with other junk bundles that come with it (e.g. Cignal).

    -- edited by polka on Dec 10 2020, 08:23 PM
  • I suggest getting a VPN service. Sooner or later, since there's a law being cooked up about this here in the Philippines, better go ahead and anonymize everything on your torrent as soon as possible. I've been on AirVPN for 2 years now too, even though I still have a public IP with PLDT (knocks on wood, I might get moved to CGNAT anytime soon).

    I'm planning to switch to Globe after my contract with PLDT expires, because their plan offers there are nice: 5k for 500mbps unlimited. Then just add 700 pesos for a static IP, so it comes out the same price as PLDT's, but that one is under 300mbps speed only, with other junk bundles that come with it (e.g. Cignal).


    Yup, pure VPN, so far so good, I'm at full speed. I'm on Converge now, and I'm also thinking about whether to just upgrade the plan or get a static IP.

    Btw sir, at just 10k connections it's already down flat, I think it doesn't even reach 10k, at around 6-7k the net is already dead haha. I mean, my usage is 30k.
  • ^ The way the state table size is counted differs between FreeBSD and Linux conntrack. Nevertheless, it's still the same: you're still hitting that upper limit that Converge gave your connection (let's say your limit is 10k connections). It's just funny that with PLDT on CGNAT, even at 100k active connections their NAT hardware can still handle it.

    For now, if you want your torrent client on a naked connection, luckily pfSense can actually limit the number of open connections by just adding a new firewall rule on the LAN side (there's no point adding it on the WAN side since you're on CGNAT anyway) and setting the max state for the IP address of your torrent client (it's better if your torrent client runs in a Docker container and you give it its own host IP address so you can control its traffic). After that, your torrent client should be able to avoid opening too many connections to the internet.

    Now that you mention you're on Converge... are you in bridge mode? Just asking...
  • ^ The way the state table size is counted differs between FreeBSD and Linux conntrack. Nevertheless, it's still the same: you're still hitting that upper limit that Converge gave your connection (let's say your limit is 10k connections). It's just funny that with PLDT on CGNAT, even at 100k active connections their NAT hardware can still handle it.

    For now, if you want your torrent client on a naked connection, luckily pfSense can actually limit the number of open connections by just adding a new firewall rule on the LAN side (there's no point adding it on the WAN side since you're on CGNAT anyway) and setting the max state for the IP address of your torrent client (it's better if your torrent client runs in a Docker container and you give it its own host IP address so you can control its traffic). After that, your torrent client should be able to avoid opening too many connections to the internet.

    Now that you mention you're on Converge... are you in bridge mode? Just asking...


    Yes sir, I'm on a "hacked" bridge mode.

    Must be nice over there on PLDT.

    And limiting my connections is useless because then it won't download either haha. Some of what I'm downloading are old torrents, which won't start unless I force download them because the new ones get ahead of them, so it's VPN, VPN for now :)

    -- edited by adamgwap5 on Dec 13 2020, 11:32 AM
  • Well, normally you don't need to limit the number of concurrent connections on the ISP's NAT hardware, since the bottleneck will obviously be the CPE router they provide (VDSL or ONU). Most of them are limited to 16k concurrent connections anyway, so why bother setting another limit on the NAT hardware? It will just add more complications and probable issues along the way.
  • Post deleted #12349799
  • @ Polka
    saw your post from Converge thread
    This will become a big issue for those who use their residential Converge internet for business (e.g. pisowifi).


    Do you have a link or guide on how to totally block torrent on pfSense?
    I have Pi-hole blocking via DNS, will that suffice?

    thanks in advance..

    -- edited by totin1227 on Jan 31 2021, 05:47 PM
  • ^Changing ISP is the only solution there.

    There's no workaround for it, you can't block it. Torrent clients are different now: all their connections are indistinguishable from other normal traffic, and the reason is encryption. Any deep packet inspection can't deal with these encrypted packets. This change in torrent clients was only made back when ISPs (in other countries) were limiting P2P traffic; after the ISPs imposed that traffic discrimination, that's when encryption was added.

    -- edited by polka on Feb 01 2021, 10:35 AM
  • @ Polka sir,

    ^Changing ISP is the only solution there.


    Can you please elaborate? You mean the ISP is the one that controls it?

    Thanks for the reply, by the way...
  • ^What I mean is totally eliminating the source of the trouble, so replace your ISP to fix the current Converge issue. There's literally nothing you can do about it.
  • Help please, masters. What other ways are there to block YouTube?
    Thanks, masters.
  • Hello,

    I just have a question about IPsec.
    Does the remote site need to have a static IP, or not necessarily? Because the dialing IP is static from PLDT anyway.

    Thanks
  • Guys, who here runs pfSense in a corporate environment?

    -- edited by godlike00 on Feb 16 2021, 10:29 PM
  • ^We run pfSense at the company I work for, using official Netgate hardware (XG-7100) x2 (for HA), with both units fully utilized for Work at Home, also because of the robust VPN capabilities.
  • 2.5.0 now available.

    Back up your config before updating. Good luck!
  • Question: I'm planning to explore pfSense and my option is to buy a compact setup. I have a spare desktop PC, but it's way too big if it's just for pfSense use.

    Which is better?

    Fanless Soft Router Intel Celeron J1900 Quad Core Mini PC with VGA HDMI and 4 intel Gigabit LAN for Pfsense OPNsense Firewall Router

    or

    Netgate SG-1100 pfSense Security Gateway Firewall Appliance

    Source is the famous e-commerce site (did not provide the link, following TPC rules)
  • The SG-1100 is weak hardware, so if you can go with the J1900 build, then go with that instead.

    The only advantage you get with the SG-1100 is the power consumption: a J1900 mini PC can idle around 12 watts while the SG1100 can go around 5-6 watts. It's negligible, but I think you can do many more things on x86 hardware.

    If you want to go with decent ARM-based Netgate hardware, then go with the SG3100 instead.
  • @polka
    Thank you for the detailed answer, will go with J1900 build.
    SG3100 is impractical for my use.

    Additional question, I'm planning to run pfsense with an open source SIEM, do you have any recommendation on free SIEM?

    -- edited by klapausky on Feb 20 2021, 02:41 PM
  • ^Can't recommend anything. I'm only using what I'm familiar with, which is QRadar; can't vouch for others.
  • Sirs, does anyone have free time? I'd like to ask for help regarding pfSense VPN. I'm willing to give a token. Just send me a message.
  • Bosses, I'm on PLDT right now and Converge. PLDT works fine, but when I switch over to Converge, some sites won't load or are slow. Has any of you experienced this?
  • @hype29

    There are many factors why, sir. If your Converge IP is CGNAT, that's one possible reason. It could also be that if you have many connected devices, users, heavy traffic, and your ONU isn't bridged to pfSense, it will really fall flat.
  • @fugazi I'm still the only user. I'm still requesting bridge mode from Converge so I can try it. Thanks.
  • @fugazi I'm still the only user. I'm still requesting bridge mode from Converge so I can try it. Thanks.
  • Okay sir, update us if Converge agrees to do the bridge.
  • @fugazi

    They say they only do bridge mode when the plan is 150mbps+, +700 on the monthly. I'm letting go of Converge.
  • Guys,

    Since you're discussing the state table...
    How do I test it out on my hardware so that I will also know on my end what its limit is?
  • ^Download something connection-intensive (e.g. torrent, just make sure to configure the client to connect to more than 100000 connections). After that, look at the state table size. It increased, right? Now open a website and see if it loads. If yes, then good; if not, then you've already reached the threshold.
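
One way to watch the state table against the ceilings discussed in this thread, as an added example that is not from any poster: it parses `pfctl -si` and `pfctl -sm` output and compares the current state count with the lower of pf's own hard limit and an upstream (ISP/CPE) ceiling you supply. The sample outputs and function names are constructed for illustration, and the 30000 ceiling is an assumption taken from the figure mentioned earlier in the thread.

```shell
#!/bin/sh
# Added example. On the firewall: state_usage "$(pfctl -si)" "$(pfctl -sm)" 30000

# Constructed sample of `pfctl -si` output (numbers are made up).
SAMPLE_INFO='Status: Enabled for 3 days 04:10:22           Debug: Urgent

State Table                          Total             Rate
  current entries                    27350
  searches                       912345678         3321.4/s
  inserts                          4567890           16.6/s
  removals                         4540540           16.5/s'

# Constructed sample of `pfctl -sm` output (numbers are made up).
SAMPLE_LIMITS='states        hard limit   200000
src-nodes     hard limit   200000
frags         hard limit     5000
table-entries hard limit   400000'

# Active state count from `pfctl -si` text.
current_states() {
    printf '%s\n' "$1" | awk '$1=="current" && $2=="entries" {print $3; exit}'
}

# pf's own state ceiling from `pfctl -sm` text.
state_limit() {
    printf '%s\n' "$1" | awk '$1=="states" && $2=="hard" {print $4; exit}'
}

# state_usage INFO LIMITS [UPSTREAM_CEILING] [WARN_PERCENT]
# Prints "<current> <effective limit> <percent>".
# Returns 1 at or above WARN_PERCENT, 2 if the input cannot be parsed.
state_usage() {
    cur=$(current_states "$1"); lim=$(state_limit "$2")
    up=${3:-0}; warn=${4:-80}
    case "$cur$lim" in ''|*[!0-9]*) echo "parse error" >&2; return 2 ;; esac
    [ -n "$cur" ] && [ -n "$lim" ] && [ "$lim" -gt 0 ] || return 2
    # The lower of pf's limit and the upstream (ISP/CPE) ceiling is what matters.
    if [ "$up" -gt 0 ] && [ "$up" -lt "$lim" ]; then lim=$up; fi
    pct=$(( cur * 100 / lim ))
    echo "$cur $lim $pct"
    [ "$pct" -lt "$warn" ]
}

# Demo on the constructed samples with an assumed 30000-state upstream ceiling.
state_usage "$SAMPLE_INFO" "$SAMPLE_LIMITS" 30000 || echo "state table near limit"
```

Run from cron or a shell loop, the non-zero return gives an early warning before sites stop loading.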
  • ^
    Thanks & noted!
    Will try if I find time...
    Will also report after...
    Our connections here, along with several neighbors, have been LOS for 2+ jumping days now.