Subcategories

  • Discussions and feedback related to this forum

    607 Topics
    3k Posts
    johnpoz

    @microserfs and what IP was that - clearly your current IPv6 address is not blocked that I show you connected with.. And the only other IPv4 I see you using is not blocked.. You would have to let me know what IP you were coming from that was blocked.. Send it to me via PM if you don't want to make it public.

  • Community Hiring and For Hire postings related to jobs that require pfSense software skills

    27 Topics
    114 Posts
    w0w

    @sef1414
    Name it "run.sh", copy to pf and chmod according to the documentation
    https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html#shell-script-option
    You will see messages in the system log like those quoted in the script after logger command.

  • hardware compatibility?

    3
    0 Votes
    3 Posts
    508 Views
    fireodo

    @randomaustralian Check the compatibility of your desired hardware with FreeBSD 11.2 and if it's compatible then it will work with pfSense.

  • pfsense keeping securelevel=3 after reboot.

    7
    0 Votes
    7 Posts
    1k Views
    JeGr

    @jmatz88 said in pfsense keeping securelevel=3 after reboot.:

    I think they get a head start to use the default credentials before we get our hands on the computers so that might be why they have root access so quickly.

    Then that defeats the purpose of the competition, doesn't it? If you say your aim is to "defend your network", then you should be the one that gets access. No one worth their pay would install a firewall with access to the WAN/insecure network granted and default credentials still in place (even 2.4.4 gives now very big warnings about that). If they get a head start to "attack" a device with default credentials that is no competition to defend but a cleanup job - and the most secure way would be to kill the box (re-install) and bring it back if it is secured - and doesn't have WAN access at all to the web UI. ;)

    Just 0.02$ because that sounded more like a kobayashi-maru as a "competition" :)

  • VPN Tunnel - No Gateway on TUN interface

    6
    0 Votes
    6 Posts
    956 Views
    JeGr

    @rg0s9 said in VPN Tunnel - No Gateway on TUN interface:

    @viragomann Thanks for your replies here. What seems to have done the trick is creating an opt interface for the VPN. This interface now has the first IP address in the tunnel range, and I can now get to devices on the LAN. What was throwing me was it doesn't seem to be referenced in any material I have viewed. Cheers

    Yeah that's because normally it isn't required at all. I'm running it on multiple client sites without an interface mapped to it. As @viragomann said, you only need to assign an opt interface to it, if you want to route something TO the VPN. As you describe the VPN as dial-in so you can actually maintain some things on their LAN, it's not necessary. Just clicked through the wizard and got a working VPN without any problems, so I think that some other little piece was missing you fixed before assigning the interface.

    Only thing that changes with the interface are that you get a VPN GW that is visible to the GUI, you get an extra interface tab for that VPN (instead of just using the OpenVPN group interface for your rules) and ... that's probably it ;)

    Greets

  • What am I missing?

    5
    0 Votes
    5 Posts
    728 Views
    Kevin45

    @slimypizza said in What am I missing?:

    In addition to setting up a VPN server, you might have fun setting up a reverse proxy. I use HAPROXY for this.

    Good Idea, I am also going to give it a try, to this reverse proxy.

  • GRE Tunnel seems to be one way only.

    2
    0 Votes
    2 Posts
    830 Views
    jimp

    If you can ping router to router, then it's almost certainly an issue with routing or firewall rules, either on the firewalls on either side, or on the devices behind the firewall(s).

  • How to access wifi router/AP connected to LAN1/2 admin page from LAN

    8
    0 Votes
    8 Posts
    847 Views

    @derelict
    Thanks for the solution. This worked.

  • LoadBalancers and client IP

    5
    0 Votes
    5 Posts
    916 Views

    OK I will read about transparent client ip, thanks.

    The source client ip should be used by traefik with a simple LB in TCP mode.

    I have tried to create an apache server with a simple port forwarding and I can get the client ip using the Remote-Addr headers and set the x-forwarded-for header to pass it through ProxyPass. The app server logs the correct IPs.

    I will try with the load balancer tomorrow. After that if it works, there is a traefik misconfiguration/issue ?!!

  • Hardware Question

    3
    0 Votes
    3 Posts
    564 Views
    stephenw10

    It will be fine and definitely keep the SSD. Spinning drives offer pretty no advantages in a firewall at this point.

    Steve

  • Windows pc not working with pfsense

    3
    0 Votes
    3 Posts
    537 Views

    I had a similar issue but thanks for the topic which is discussed in detail. I will read all the discussions and see if it solves my issue.

  • pfSense blocking SSL connections/apps on unraid

    3
    0 Votes
    3 Posts
    1k Views

    Well it's always good to resolve your own problems. When I installed pfSense, I changed my private IP scheme to 10.10 from 192.168 and one of the files in nextcloud was configured with the old IP. So now it's working. In case anyone is having difficulty with ssl connections on hosts, I put the following info into dns resolver at the bottom for adding a host override. I'm connecting via SSL to unraid.

    host - long chain of characters before unraid.net in your address bar
    parent domain - unraid.net
    IP - unraid IP address

  • 0 Votes
    3 Posts
    405 Views

    @jegr Thanks, I will try this as soon as possible!

  • Noob: Port scan show open ports

    4
    0 Votes
    4 Posts
    1k Views

    Firewall rules are by interface, not IP address.

  • Call For GETDNS and STUBBY package on PfSense

    1
    0 Votes
    1 Posts
    358 Views
    No one has replied

  • increase socket and solve squid error

    4
    0 Votes
    4 Posts
    1k Views

    @harrybells said in increase socket and solve squid error:

    o many open files With uni

    Hi Harrybells,
    where are the parameters /proc/sys/net/ipv4/tcp_fin_timeout changed?
    In my pfSense I don't have the folder /proc/sys

    Thanks in advance

  • Add user SSL Certificate on pfSense

    9
    0 Votes
    9 Posts
    1k Views
    johnpoz

    afapark.com is registered and public... But even the public facing doesn't do https.. It listens on 443 but all it does is give errors.. Can not even connect via s_client to get any info..

  • can't reach my access points on my lan side using openVPN

    12
    0 Votes
    12 Posts
    1k Views
    Gertjan

    @biggsy said in can't reach my access points on my lan side using openVPN:

    It may be because the APs don't want to talk to anything outside their own network - e.g., traffic coming from the VPN tunnel. I've seen this a few times.

    This can be tested easily.
    Change your WAN2 for a LAN2 interface.
    You'll be having a LAN with 192.168.1.1/24 - on this LAN you have your AP (right ?!).
    Make LAN2 (OPT1) like 192.168.2.1/24 - put a pass all firewall rule on it, activate a DHCP server on it, connect to it.

    Now, can you access your AP on LAN coming from your PC hooked on LAN2 ?
    You should be able to do so. (I do so all the time, accessing devices on other LAN segments).
    If not => go check your AP.

  • Greetings from a pfSense Virgin

    5
    0 Votes
    5 Posts
    625 Views

    @rico

    I have tried setting up OpenVPN for an Android client but I cannot get it to work. The VPN connects OK but no data passes through. I cannot connect to any device via local IP from my Google Pixel. I followed this tutorial:

    https://www.youtube.com/watch?v=Q6YbCQEiC3c

  • Cuckoo++ network hashing

    1
    0 Votes
    1 Posts
    248 Views
    No one has replied

  • 0 Votes
    2 Posts
    330 Views

    Resolved by suggestion in: https://forum.netgate.com/topic/71097/vpn-over-vpn/8

  • pfSense stuck on boot during VGA console session

    4
    0 Votes
    4 Posts
    1k Views
    pfrickroll

    Found the solution: my firewall has an Atom CPU, and after the upgrade it turns to serial console.
    The solution is explained at the end of https://www.netgate.com/docs/pfsense/install/upgrade-guide.html#upgrading-from-versions-older-than-pfsense-2-4-4

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.