Categories

  • 424
    Topics
    1.3k
    Posts

    fractal_boyF

    @matlear DHCP relay is coming in 24.10.

  • 117.9k
    Topics
    742.0k
    Posts

    M

    @stephenw10 I can try by disconnecting the upstream router but I don't know how long it would take, maybe in 30 minutes, maybe hours.

  • Discussions about pfSense software packages

    Cache/Proxy IDS/IPS Traffic Monitoring pfBlockerNG UPS Tools ACME FRR Tailscale WireGuard
    19.7k
    Topics
    124.8k
    Posts

    D

    I am in the process of setting up a tunnel to provide IPv6 service over WireGuard. I wanted to have a backup of the configuration so I could reproduce it should that be necessary. What I discovered is that for a static peer the configuration is incomplete.

    I've inserted <hidden> for the keys but this is the configuration I get from the "Download Configuration" button:

    Description: IPv6

    [Interface]
    PrivateKey = <hidden>
    ListenPort = 51823

    Peer: IPv6

    [Peer]
    PublicKey = <hidden>
    PresharedKey = <hidden>
    AllowedIPs = 2620:132:3002:1014::/64
    PersistentKeepalive = 30

    Ideally, it would be nice to have the Address statement in the interface section but I understand that may be a challenge because it is elsewhere in the pfSense interface.

    What I find a significant problem is this is a static peer (dynamic is not checked) and I have entered the endpoint IP and port but this information is not part of the exported/saved configuration. The above configuration needs:
    Endpoint = IP:port
    to be complete.

  • 42.3k
    Topics
    265.9k
    Posts

    S

    @Markus4210
    hast Du mehrere WANs?

    Ich würde beim VPN Client bei (Schnittstelle) mal "any" einstellen (oder wie auch immer das im deutschen heißt), wenn er sonst auf ein anderes WAN wechselt würde er fest hängen. Den Fehler habe ich mal vor Jahren gemacht und durfte auch 300 km fahren :)

  • Information about hardware available from Netgate

    2.4k
    Topics
    19.2k
    Posts

    N

    @stephenw10 That's built-in and I never had any issues with it on any other site:

    363bf467-7bb9-43bb-bbb6-e53d8775ebf3-image.png

  • Information about hardware available from Netgate

    44
    Topics
    210
    Posts

    GertjanG

    @LesserBloops said in Netgate Security Advisory: CVE-2024-6387:

    I had no idea System_Patches existed until happening upon this thread

    Yeah .... well, scrap what's I've said above.
    I'll rephrase, and express my real opinion :
    It must be a package, so when an update exists, it will get flagged on the dashboard as 'update == patches' exist. That's the great thing about the pfSense package system.
    I was wondering : why isn't this build into pfSense directly ? But that would mean that there will be another thing to check, pfSense packages updates and patches updates. Another dashboard widget ?
    So : upon pfSense installation : advise the user to pick this package ?
    Or, don't signal the admin, and install the package without admin consent ?
    Humm, maybe not ...

    Right now, any package is installed with admin consent, as you have to install them 'ones'.

    Parches proposed by this package are only mostly 'quality of live' amelioration. But ones in a while they are a must have, as it solves a real issue. Then the question doesn't exist anymore : people will find the forum for support, will find that there is a solution ... a patch, and so on ...

    Real issues, like urgent software updates like (example) curl, unbound nginx etc etc (tyhese are not pfSense packages, but FreeBSD packages ! - or FreeBSD updates ported to their pfSense equivalent by Netgate ) are already getting updated using the command line ( SSH or console !! ) option 13.

    @LesserBloops : I've got one for you : Auto update check, checks for updates to base system + packages and sends email alerts
    "Install" that one also. You maybe not knowing it, but you need it 😊
    Btw : you will need to install the Cron pfSense package.

    This script file tells me, as I receive a mail, if anything has an upgrade waiting. Even pfSense itself.

  • Feel free to talk about anything and everything here

    Forum Feedback Community Job Board
    3.4k
    Topics
    18.4k
    Posts

    S

    @disi1 said in Feedback request on home network design:

    if I enable QoS for VLAN30, it is also applied on the WAN interface for all traffic?

    Shaping on WAN out is after the NAT happens, so either you have to make a pass rule on VLAN30 with your queue/limiter, or you have to jump through a couple hoops to "tag" packets from ILYA in order for pfSense to know which they are as they go out WAN.
    https://docs.netgate.com/pfsense/en/latest/trafficshaper/advanced.html#shaper-rule-matching-tips

    "To match by a private address source outbound in WAN floating rules, first tag the traffic as it passes in on a local interface. For example, match inbound on LAN and use the advanced Tag field to set a value, and then use the Tagged field on the WAN-side floating rule to match the same connection as it exits the firewall. Alternately, queue the traffic as it enters the LAN with a pass rule instead of when it exits a WAN."

    re: inspecting encrypted traffic, the PC would need to trust a cert on the proxy which decrypts the traffic. So, could be an issue for phones or other devices. I know the Bitdefender GravityZone we use for clients can do that on the PC by adding its own cert to Windows and then it intercepts traffic on the PC.