@dotdash Thanks a lot!
This PFSense is in production, so I need to schedulle the update task

@frater said in Giving 1 WAN-IP of a /29 network to an external router:

I imagine it does for things like uPnP as that external router is not aware of its IP-address on the Internet.

Yes, so you have to reflect if you realy need that. Most connections work fine with double-NAT.

If that is not an option, it should basically also work with the pfSense WAN IP as gateway. Again, presumed the /29 is routed to you, but not assigned to pfSense itself.
However, you've probably to add sloppy states rules for inbound and outbound traffic.

@netblues said in Dual pppoe (IPv4 + IPv6 via pppoe) Problems in 2.6.0-RELEASE ? Sleeping thread (tid 100749, pid 86381) owns a non-sleepable lock:

Have you ever considered walking into a bmw dealership and tried to explain how inovvative tesla's are?

Why should I? did you take a look at an BMW i4? Thats the thing I would buy... the only downside (despite wear and tear of batteries of all electric cars) is the pricetag.... but on a tesla that is not much difference....

But that car IS innovative and IMHO drives and looks a lot (!) better than any tesla... though, the display is a little bit smaller...

Cheers,

4920441

It seems I have found the root cause thanks to a guy from Spiceworks. It is connected to asymmetric routing which is created when communication from branch to print server goes via pfSense 2, but communication from print server to branch goes via both my pfSense. It means the path is not same and TCP connection can have problem with this.

More info is here
f29d3132-0d47-4566-b404-398902d3005e-image.png https://networkguy.de/the-problems-with-asynchronous-routing/
https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html

I will have a look to the video, but I don't know if it could by applicable in my case.

My very basic knowledge of OSPF (never use it) is to evaluate cost path of complex network infrastructure and dynamically update complex routing table.

I have only two physical "routeur" with two interface each :

one interface on CWDM spanned subnet one interface on IPSec interface

I will check if I can do something with that , thanks for the input 😉

@marcos-ng Thanks. I'll have to take a look as i'm still on 2.6

I was able to mitigate some by always having an android Phone connected with USB Tethering being the default when plugged in. This required Android 9 or higher and the phone being in developer mode.

Now I'll be in trouble if that phone gets disconnected and the system restarts as it will force the interface setup again because the USB interface is down (seems silly).

I'm hoping that with 2.7 it will allow the system to boot even if the usb interface isn't present, like it does if LAN or WAN are not plugged in. This is how my OpenWRT setup with MWAN worked, if a device was present it followed the rules, if it wasn't it followed the rules.

@justplayinn
A client in the internet does not respect your DNS resolver. He resolves the host names by using it's configured DNS servers and will get back your WAN IP. Hence he sends the request to this IP.
pfSense only sees the destination IP, not the host name. The name is only known at application layer.

So if you have only one WAN IP, where the requests are send to, but you want to forward them to different servers behind based on host names, you need to look in the host header at L7. On pfSense this can be done with the HAproxy package.

@demux said in IF Groups with Multi WAN IFs:

What about the other (normal) WAN IF tabs? Do they still get the reply-to? If yes, the Multi WAN IF group's tab would be great for all the deny stuff, where I won't answer anyway.
Things to be answered or act on would then go to the individual WAN IFs' tabs.

Yes, that's correct.
You can use an interface group for block rules (or you can add floating block rules therefor) and put the pass rules for incoming traffic on the interface tabs.

However, I'm wondering what you want to block on WANs? Anything that is not explicitly allowed by a pass rule is blocked anyway.

@gabacho4 Thanks,

year I noted that already, but with that I can't write any monitoring script for me with that :/

Cheers,

Just FYI. There is now a Redmine open for this bug https://redmine.pfsense.org/issues/13279

@keyser

Awesome this worked! thanks for the help and quick response!

@johnpoz Correct I have contacted the creator of the device but until then i need to figure out how to create this script

Any thoughts on this?

@ahsunh said in only allow access to Internet via single gateway:

@coreybrett so on last rule set your specific gateway route

thanks

I've tried that in the past, but it breaks inter LAN traffic. Using the suggested fix from SteveITS seems to have done the trick for me.

@johnpoz

I tried to edit the message to have your @johnpoz reply outside of the quote text region and was seeing "Post content flagged as spam by askimet.com"

@jomarworkrelated said in VLAN Connect to Cisco SG300:

We have set-up VLAN and assign it and set the dhcp server.. Now, we tried to connect with Cisco Switch SG300 using Putty but we don't know how to connect with Cisco Switch IP. The default Ip for cisco doesn't work anymore..

What would be the new IP for the switch?

Check the DHCP Status for the VLAN you set. If the switch wasn't a static IP, it probably got one from the DHCP server you setup.

@jomarworkrelated for cisco switch IP if your pfsense through DHCP in LAN Vlan and your cisco is on trunk port below is the command:
conf t
interface vlan your vlan no
ip address dhcp or ip address x.x.x.x 255.255.255.0 if you want to static ip define in same scope of you vlan dhcp lan.

thanks

@reberhar It seems to be working.