• Terrapin SSH Attack

    Pinned
    33
    16 Votes
    33 Posts
    30k Views
    STLJonnyS
    @willowen100 It basically forces your ssh (on the Windows side) to utilize that encryption algorithm. You'll need to do that on any machine you ssh from. I'd have rather found a more elegant workaround (preferably on the pfSense side, so the mod only has to be done in one location), but this works in a pinch.
  • pfSense Hangouts are available on YouTube!

    Pinned Locked
    1
    5 Votes
    1 Posts
    11k Views
    No one has replied
  • Share your pfSense stories!

    Pinned Moved
    76
    0 Votes
    76 Posts
    64k Views
    V
Mine may be typical, maybe not..... Took over a large senior living facility with a pretty robust IT infrastructure spread between 4 IT rooms, 23 access points, 12-14 switches, and 200 internal devices and 200 guest/resident devices, all being run by a SonicWall TZ350. I had been wanting to realign everything network-wise for some time but the TZ had 2 ports that were failing. I had worked with ClearOS from back in the ClarkConnect days and started searching for something similar. I found pfSense and it just fit what I wanted to do. I tested it a bit on an old Athlon64x2 rig for proof of concept and had planned on installing on a mini PC or something, but I wanted 6 NICs. Standing in my main IT room I looked down and in the bottom of the rack were 4 HP DL380s, 2 of which were decommissioned 2 years ago. It's such huge overkill for hardware that it's hard to explain, but who wouldn't want redundant power supplies, RAID 60 with 25 drives and remote system monitoring through iLO? lol I spun one up and loaded pfSense and started tweaking. 2 weeks ago I switched over and have been working out gremlins since.. Overall it's gone well, just one snag that a couple members here have been very kind in helping me work out. Thank you to this page for all the help. [image: 1697753147328-pfsense1.png]
  • Ecobee thermostat can’t connect to servers

    22
    0 Votes
    22 Posts
    1k Views
    E
@GPz1100 said in Ecobee thermostat can’t connect to servers: @ezhawk Each firewall is getting a different public IP. That complicates things. Test with the same public IP for each device. I cannot run both at the same time while having the same IP and I also don't have static IPs. As I've said multiple times, behind pfSense it'll work for a few weeks and then stop. The temp fix is to spoof and get a new IP. I had the Ecobee behind a Cisco with the same IP for more than 2 months and it never dropped once. I've been through more than a dozen different IPs trying to figure it out by using spoofing methods. The IP itself isn't the issue.
  • Anyone using pfSense with telMAX ISP (Canada)?

    4
    0 Votes
    4 Posts
    180 Views
    JKnottJ
    @guardian said in Anyone using pfSense with telMAX ISP (Canada)?: I don't trust my ability to secure it. Not much different than IPv4. You start out with everything blocked and only allow what you want. In fact, you can configure many rules to apply to both IPv4 & IPv6. Here's an example: [image: 1755915116010-9101928c-dd2d-4e58-abe2-d4a68923083d-image.png] The first rule blocks pings and the second allows other ICMP.
  • 0 Votes
    6 Posts
    34 Views
    W
    @stephenw10 yes and also informed there.
  • Goodbye pfSense

    7
    0 Votes
    7 Posts
    294 Views
    R
    @tinfoilmatt said in Goodbye pfSense: Clearly Who wants to tell him that 14,000 posts over 10+ years is only 4/day?
  • 4 ports mini PC recommendations

    15
    0 Votes
    15 Posts
    374 Views
    chudakC
Is anybody using the Protectli Vault V1410 4-port?
  • mDNS or Multicast Traffic Not Passing Between Multiple VLANs

    23
    0 Votes
    23 Posts
    585 Views
    stephenw10S
Yeah, just to prove it out I ran a simple test. Since I don't have anything I can easily use that advertises mDNS I just turned on Publishing in Avahi itself on 4 firewalls:

    steve@steve-NUC9i9QNX:~$ mdns-scan
    + 4860 [00:08:a2:xx.xx.xx]._workstation._tcp.local
    + 4860._ssh._tcp.local
    + 4860._sftp-ssh._tcp.local
    + fw1 [00:08:a2:xx.xx.xx]._workstation._tcp.local
    + fw1._ssh._tcp.local
    + fw1._sftp-ssh._tcp.local
    + pfsense [00:01:21:xx.xx.xx]._workstation._tcp.local
    + pfsense._sftp-ssh._tcp.local
    + pfsense._ssh._tcp.local
    + 1100-3 [f0:ad:4e:xx.xx.xx]._workstation._tcp.local
    + 1100-3._sftp-ssh._tcp.local
    + 1100-3._ssh._tcp.local

    In that result 4860 is in the same subnet as the client I'm testing from. fw1 is the router on that subnet. pfsense and 1100-3 are other firewalls in different subnets connected to fw1. You can see the scan tool is able to see all of them no problem.
  • Going from pfSense 24.03 to 25.07

    3
    0 Votes
    3 Posts
    94 Views
    H
    @stephenw10 Thanks
  • pfSense Avahi Not Broadcasting mDNS/Bonjour Services Across VLANs

    Locked
    3
    0 Votes
    3 Posts
    130 Views
    stephenw10S
    Duplicate post.
  • pfSense 2.7.0 installed as VM on XenServer, now routing issue

    3
    0 Votes
    3 Posts
    140 Views
    stephenw10S
    Sounds like you have a subnet conflict or a rogue dhcp server. Connecting the cctv server to the existing LAN subnet is probably not what you want to do. It should be on the new NIC and separate to the LAN. Is there some reason you're using 2.7.0 and not a newer version?
  • IAX2 not going out after a while

    4
    0 Votes
    4 Posts
    443 Views
    stephenw10S
    Yes there are. They are defined in pf. You can set longer timeouts or choose a firewall mode that has longer timeouts already defined, like 'conservative', in Sys > Adv > Firewall. But that only applies to states not passing traffic.
  • sshd CVE-2024-6387 vulnerability

    15
    0 Votes
    15 Posts
    4k Views
    stephenw10S
    2.8.0 has the patched code: https://github.com/pfsense/FreeBSD-src/commit/2abea9df01655633aabbb9bf3204c90722001202
  • OVH Virtual IP not working

    2
    0 Votes
    2 Posts
    126 Views
    M
    Got it working. I needed to add a virtual MAC in OVH [image: 1755849994302-7f78b61e-b920-4844-9aec-a984ec259bd5-image.png]
  • Unable to log into WebUI after 25.07 upgrade

    11
    0 Votes
    11 Posts
    263 Views
    M
@stephenw10 Ended up doing a reinstall. Netgate installer is pretty sweet. First time using it and absolutely no issues at all. Impressive. Also restoring from ACB was a bit nerve-racking as I couldn’t find my key but it all worked out in the end. Seamless to get back online. To be honest I really don’t know why people have hang-ups over the installer.. it just works
  • https://acb.netgate.com failure

    3
    0 Votes
    3 Posts
    293 Views
    stephenw10S
    Usually those are seen when there is some temporary interruption in the connection. Like the WAN is down at boot for example.
  • To do 25.07 or not?! That is the question!

    28
    0 Votes
    28 Posts
    1k Views
    stephenw10S
It probably isn't specific to boot but if there are any errors there it would be a clue. Any logs showing errors would be something to go on.
  • limit bandwidth for certain users

    3
    0 Votes
    3 Posts
    40 Views
    stephenw10S
    Yup, that. Combine it with static DHCP leases to get a fixed list of IPs to limit.
  • Poor performance over IPsec but not Internet

    16
    0 Votes
    16 Posts
    3k Views
    M
@stephenw10 said in Poor performance over IPsec but not Internet: In the Phase 1 advanced options settings set 'NAT Traversal' to Force to test ESP specific throttling. Only one end needs to set that. I know I'm necroing a 3+ year old thread, but holy crap this was exactly what I needed here. My main office is on a 500/500 fiber connection, and we have a remote office on coaxial cable running 500/10, and over the VPN I could barely get 20 Mbps, but over the internet I could get the full 500 Mbps. I tried setting 'NAT Traversal' to 'Force' on our main office, and forced an IPsec reconnection and now I'm getting about 480ish Mbps over the VPN (internet is around 511 Mbps). THANK YOU THANK YOU THANK YOU Again, sorry about the thread necroing :(
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.