Categories

  • 425
    Topics
    1.3k
    Posts

    M

    New features and improvements include VPF for NAT and Filters, DHCP relay support, and core performance updates.

    Netgate TNSR is a high-speed (exceeding 100 Gbps) virtual router and VPN aggregator. TNSR software is the answer for businesses, governments, and xSPs looking for scalable routing without the six-figure price tag.

    Learn More: https://www.netgate.com/blog/netgate-releases-tnsr-software-version-2410

  • 118.0k
    Topics
    742.8k
    Posts

    R

    Got it, thanks for the confirmation! The restriction of =< 802.11n and no AP mode works OK for my situation: we have one 3d printer which, for some reason, doesn't work well with the office wifi, and it's located right next to our pfSense gateway. It also doesn't have an Ethernet port (incredibly unfortunate). (So if it doesn't support station, but does support adhoc mode, I'm good here.)

    This hardly something that I'd want to call "production ready" and more "a useful hack" until we get a better 3D printer with real functionality.

    I'll do a cross-compile and report back with the results.

  • Discussions about pfSense software packages

    Cache/Proxy IDS/IPS Traffic Monitoring pfBlockerNG UPS Tools ACME FRR Tailscale WireGuard
    19.8k
    Topics
    124.9k
    Posts

    A

    I am facing a challenging BGP routing issue in my pfSense setup within my lab environment, and I would greatly appreciate any insights from the community experts.

    Setup Overview:

    SFO Site (AS 65001) and LAX Site (AS 65002) connected via BGP.
    Backbone network IPs:
    SFO router WAN IP: 10.80.20.203
    LAX router WAN IP: 10.80.21.141
    Default route gateway: 10.80.20.1 (used as the backbone network's gateway for internet connectivity within the lab).
    Additional AS (65003) for NSX-T networks in both SFO and LAX. This is working fine, no issue so far.

    Goals:

    Route traffic between SFO and LAX subnets using BGP to ensure direct communication, bypassing the default route (10.80.20.1).

    Actions Taken:

    Local Preference Adjustment: Set higher Local Preference (200) for direct BGP routes.
    AS Path Prepending: Applied AS path prepending to deprioritize the path through 10.80.20.1.
    MED Adjustment: Set MED to 200 for routes via 10.80.20.203 to make them less preferable.
    Next Hop Self: Enabled to ensure proper route advertisement.

    Firewall and NAT Rules: Verified that there are no conflicting rules affecting traffic flow.

    Issue:

    Despite these configurations, traffic between the SFO and LAX subnets is still preferring the default route (10.80.20.1) over the direct BGP-learned path. The BGP routing tables on both sides appear correct, and AS path prepending reflects properly. However, traceroute and packet captures show that traffic continues to take the path through the default gateway.

    Routing Table Snapshots:
    SFO BGP Routing Table:

    K>* 0.0.0.0/0 [0/0] via 10.80.20.1, vmx0, 00:25:22
    C>* 10.80.20.0/23 [0/1] is directly connected, vmx0, 00:25:22
    B>* 172.17.11.0/24 [20/0] via 10.80.20.203, vmx0, weight 1, 00:25:17

    LAX BGP Routing Table:

    K>* 0.0.0.0/0 [0/0] via 10.80.20.1, vmx0, 00:25:29
    C>* 10.80.20.0/23 [0/1] is directly connected, vmx0, 00:25:29
    B>* 172.16.11.0/24 [20/0] via 10.80.21.141, vmx0, weight 1, 00:25:20

    Troubleshooting Tried:

    Increased Weight for BGP routes.
    Ensured correct route-map configurations.
    Confirmed that BGP attributes (MED, AS path) are applied.
    Checked administrative distance settings.
    Validated kernel routing tables against BGP tables.

    Request for Help:

    Are there any overlooked settings or best practices for BGP route selection in pfSense?
    Could there be underlying factors or limitations with the way pfSense/FRR handles route preferences that we missed?

    Any advice on further troubleshooting steps or configuration changes that could help prioritize the direct BGP routes over the default route?

    Thank you in advance for any suggestions or guidance. Your expertise would be greatly appreciated!

  • 42.3k
    Topics
    265.9k
    Posts

    H

    @eagle61 Weil ich OpenVPN bevorzuge und keinen Zugriff auf die Fritzbox habe, lediglich auf die dahinterliegende Infrastruktur.

  • Information about hardware available from Netgate

    2.4k
    Topics
    19.2k
    Posts

    M

    Yes, the Netgate 4200 supports IIMB and can help with WireGuard, more details here:
    https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerators.html

  • Information about hardware available from Netgate

    44
    Topics
    210
    Posts

    GertjanG

    @LesserBloops said in Netgate Security Advisory: CVE-2024-6387:

    I had no idea System_Patches existed until happening upon this thread

    Yeah .... well, scrap what's I've said above.
    I'll rephrase, and express my real opinion :
    It must be a package, so when an update exists, it will get flagged on the dashboard as 'update == patches' exist. That's the great thing about the pfSense package system.
    I was wondering : why isn't this build into pfSense directly ? But that would mean that there will be another thing to check, pfSense packages updates and patches updates. Another dashboard widget ?
    So : upon pfSense installation : advise the user to pick this package ?
    Or, don't signal the admin, and install the package without admin consent ?
    Humm, maybe not ...

    Right now, any package is installed with admin consent, as you have to install them 'ones'.

    Parches proposed by this package are only mostly 'quality of live' amelioration. But ones in a while they are a must have, as it solves a real issue. Then the question doesn't exist anymore : people will find the forum for support, will find that there is a solution ... a patch, and so on ...

    Real issues, like urgent software updates like (example) curl, unbound nginx etc etc (tyhese are not pfSense packages, but FreeBSD packages ! - or FreeBSD updates ported to their pfSense equivalent by Netgate ) are already getting updated using the command line ( SSH or console !! ) option 13.

    @LesserBloops : I've got one for you : Auto update check, checks for updates to base system + packages and sends email alerts
    "Install" that one also. You maybe not knowing it, but you need it 😊
    Btw : you will need to install the Cron pfSense package.

    This script file tells me, as I receive a mail, if anything has an upgrade waiting. Even pfSense itself.

  • Feel free to talk about anything and everything here

    Forum Feedback Community Job Board
    3.4k
    Topics
    18.4k
    Posts

    M

    @QuantumShade said in sipeed nanoKVM:

    That sounds like an awesome little tool! The Sipeed nanoKVM seems like a game-changer, especially for remote management of PCs behind CGNAT. The ability to press the power button and even boot from an ISO remotely is incredibly useful for troubleshooting or installations without being physically present.

    Indeed, and so cheap =)

    The mod you made to fix the backfeeding issue is a clever workaround, though it's always nice when manufacturers take such potential problems into account from the start.

    The product is in a beta stage, I guess that they will fix this in the final release.

    Platforms like Howscribe often highlight how innovative hardware like this can save time and hassle for both hobbyists and professionals. It's great to see affordable, compact solutions making a big impact! Thanks for sharing your experience!

    Really nice to see the market taking something that was expensive making really affordable.
    There is lite version which is even cheaper, it doesn't come with the box or SD-card, but works the same way, so another option if you need to buy a bunch of those.