Categories

  • 454 Topics
    1k Posts

    Hi @Tyronejackson839,
    Thanks for the awesome advice! Your ACL tips worked perfectly—enabling fragment-checking and lean rules secured my nginx webserver without sacrificing performance. Really appreciate your detailed help!

    Best,
    David James | Founder of The Yes No Button!

  • 120k Topics
    763k Posts
    patient0

    @detox if you defined the VLANs on the 2100 you can block inter-VLAN traffic. The firewall rules for a LAN/VLAN apply to traffic originating in the network you create the firewall rule in.

    By default there are no firewall rules generated for additional interfaces like VLAN1 and VLAN2. The default LAN allow-all firewall rule allows LAN clients to access everything, including other networks you create later.

    E.g. to allow VLAN1 to access the internet only, you create one firewall rule with source 'VLAN1 net' and destination "! (not) LAN and VLAN2".
    Best is to create an alias where you add the local networks, LAN, VLAN1 & VLAN2, and use that alias as the (not) destination.

    There is a lot of information about that on this forum and the internet, search for "pfSense block inter-VLAN access" or "pfSense VLAN internet access only".

    Posting your firewall rules will certainly help, too.

  • 20k Topics
    127k Posts

    @chudak Yup. That's exactly what we need for this to be reliable.

  • 43k Topics
    267k Posts

    Hello everyone!

    Once again I have a special problem, or rather a task.

    So I have about 10 clients that connect via VPN to my local network and then retrieve m3u files from a particular server.
    This server has the IP 192.168.1.150.

    Now I would like pfSense to check the reachability of 102.168.1.150. If this server is not reachable, the requests should be redirected to e.g. 192.168.1.160. The server behind 192.168.1.160 then returns an m3u with "Sorry, server not reachable - maintenance work".

    I thought about solving this somehow via a virtual IP.
    So set up the .150 as a virtual IP, put the production server on .151 and the web server with the maintenance message on .152.

    Does anyone have an idea about this?

    Many thanks in advance!

  • Information about hardware available from Netgate

    3k Topics
    20k Posts

    @michmoor

    FWIW, it appears that Netgate only offers the 4200 with the 128Gb SSD, probably due to the eMMC issues.

  • Information about hardware available from Netgate

    44 Topics
    211 Posts
    AriKelly

    It looks like unified web management could be coming soon. It would be great if it means easier control and management of all web services in one place. Let's see if any companies announce more details about it!

  • Feel free to talk about anything and everything here

    3k Topics
    19k Posts

    From my perspective the issue is the scope for a user's contingency planning on pfsense router failure (initially of unknown cause). Netgate's current device-locked licensing and lack of an offline installer doubles the cost of ownership and significantly reduces pfsense functionality. It is the reason I have not purchased plus licences.

    My contingency planning is focussed on rapid restoration of service with minimum dependencies, limited technical complexity, and a short time. Doing so involves the ability to swap out a failed physical system and replace it with another. First line using a box with pfsense pre-installed. Second line with my locally stored copy of pfsense installation media. The installation media has to work within my system without a functional router, for which an offline installer is most reliable. An online installer which uses that site's pfsense configuration may work but at best introduces higher risk in a contingency plan.

    To achieve this economically I run pfsense on third-party hardware which also does other roles. I have multiple physical devices performing tasks of varying importance (set top box for each TV, router at several sites), as well as each device running multiple virtual machines for other functions (PABX, Unifi controller, surveillance cameras etc). The overall effect is all hardware is utilised but relatively spare hardware can be rapidly commandeered if required.

    For this to work with pfsense plus I need to be able to install pfsense on multiple virtual machines and transfer a licence from a failed to a replacement device if required. Ideally by entering registration details in the replacement hardware (which would warn that doing so inactivates the prior registration) or doing the same via a Netgate portal. Either of which implies such a transferable pfsense plus licensed device regularly checks licence validity with a Netgate server (making a transferable licence incompatible with a pfsense installation without online access to the Netgate licence server).

    I'm not sure how large the market is for offline Netgate routers. Such an installation would require a non-trivial protocol to update pfsense software, which even on Netgate hardware would not be simple. If an offline installer including all patches were available, this could be taken into the secure environment and used to re-install / update pfsense. My understanding is there has never been an offline installer with all patches (or packages), as such I suspect a software update would require securely erasing the pfsense disk, physically moving the hardware outside of the secured environment, programming it with current pfsense software, returning it to the secure environment, and importing the site's pfsense configuration file. Not something done frequently and probably not a large market, but I could be wrong.

    Similarly my use case is probably also a small market, however I suspect the market for economic contingency planning is much broader. As such many users are likely to benefit from the licence transferability and offline installation options which may be possible if a monitored plus licence option was offered.
