General pfSense Questions

• 

  pfSense Hangouts are available on YouTube!
  • ivor  

  3
  0
  Votes
  3
  Posts
  1316
  Views

  A

  Subscription done!!!
• 

  Share your pfSense stories!
  • jdillard  

  18
  0
  Votes
  18
  Posts
  9527
  Views

  P

  I hope this thread is still alive :) I was using m0n0wall for a long time (still have one that's been alive without reboot almost 7 years!) before I came across the first customer needing VLAN, about 12 years ago I think. I got recommended to check out pfsense, and I have since then never looked back. These days I run my own company and importing hardware and building our own routers based on APU2 board and pfsense. We have at least 200+ installations out there, and we're also running pfsense in our small datacenter where we maintain our smallest customers, as well as the two geographical backup sites we keep for customer data. And, at home of course, where I hide my entire network behind an OpenVPN service setup in pfsense. I'm originally a Windows-guy, but after I met pfsense I realised there's a whole world of open source out there so I started learning, and today roughly half of our services are based on open source. Comparing pfsense to Cisco or the likes, I'd say there is no competition when it comes to price / functionality / reliability (as long as you use an appropriate hardware). Only kind words from me! ...and were are also retailers for Netgate in Sweden, not that we have a lot of customers of the size demanding that good hardware.
• M

  How to find spambot? Got network abuse report from my ISP
  • MrGlasspoole  

  17
  0
  Votes
  17
  Posts
  163
  Views

  M

  I have the ports blocked since 3 days and Snort runs now on LAN. Nothing shows up. All phones, PCs, tablets, the print server, satellite receiver, DECT station are connected as ever. Nobody was here with a another device. As i said: could be something temporary from playing around and it's no longer present. But it's hard to believe there was something in Raspbian, Armbian or DietPi. Maybe something i did but on the new Fire TV stick that i already did uninstall... The funny thing is that the day before someone from my ISP was here because bridge mode did not work and there box sometimes did crash/reboot. He was the only one with other devices. He told me the router did not receive the last firmware automatically and made a reset to factory defaults. After that the router did pull the newest firmware.
• 

  User account - need permission to run scripts via SSH
  • tkohhh  

  4
  0
  Votes
  4
  Posts
  38
  Views

  

  @tkohhh Actually, it's FreeBSD, not Linux. The su command is used to switch users, so you could log in a a mere mortal and then become root, to do things that require that privilege. You'll have do some research on this sort of thing, if you're going to write & run scripts. Please note, there are some differences between Linux and FreeBSD, so make sure you're learning from the right source.
• M

  How to allow Internet only for one Device and allow only one website for all the others ?
  • Mago  

  3
  0
  Votes
  3
  Posts
  58
  Views

  M

  Can it be done here, yes, however, typically solutions at the firewall level involve manual processes like stephenw10 described plus DNS lookups, chasing down IP ranges, etc. and are management nightmares. You could configure Squid/Squidguard, but personally, I've never liked that route either. One crude way of doing what you're asking is to statically set the IP and DNS for the one workstation you want to have full access... and have DHCP hand out OpenDNS to everyone else where their queries will be filtered. A more effective way of accomplishing your goal is to implement a UTM.
• M

  Blocking Acces to Another VLAN but Allow Internet Acces
  • mracar07  

  5
  0
  Votes
  5
  Posts
  58
  Views

  M

  Where are you testing from? Because I'm not seeing hits on any of those rules. The first thing I would do is re-verify that your access ports are in the correct VLAN. Then, If you only want MUSTERI to access WDSPAYLASIM and nothing else, then remove everything you have and configure an explicit pass rule for: Source = MUSTERI net Destination = WDSPAYLASIM net and be done. Everything else will get blocked by the implicit deny.
• G

  DNS crashing every ~ 36 hours or so and unbound has to be restarted.
  • gawainxx  

  8
  0
  Votes
  8
  Posts
  106
  Views

  

  @gawainxx said in DNS crashing every ~ 36 hours or so and unbound has to be restarted.: config file https://github.com/NLnetLabs/unbound/blob/e828d678bafb7ef0df32623f6883bc4bdc07dc5b/daemon/unbound.c#L664 The config file is actually ok /unbound.conf - this file named is prefixed with with chrooted dir. The chroot went wrong ? => File system errors ?
• P

  An unsettling outage
  • piperspace  

  6
  0
  Votes
  6
  Posts
  95
  Views

  P

  @JKnott - Thanks. I will check to be sure the coax is still grounded and that my modem power supply hasn't gone wonky.
• J

  how to access a dmz servers from LAN?
  • JVlas  

  15
  0
  Votes
  15
  Posts
  102
  Views

  

  @stephenw10 said in how to access a dmz servers from LAN?: Er I think there's some confusion here Yeah for sure!!!! Whoever put up that drawing has ZERO!!! understanding of how networking works.. if that is some teacher??? Then just shoot me!!! Our future is failed - we should just give up.. I really do not get how that could be any sort of class - there is zero possible how that someone that is a teacher of networking could put up such a drawing.. If so we are just failed!!!! WTF???? Really - if someone put that up as some sort of test, other than what is F'ing wrong with this drawing... We are all is serious trouble for the future!!!
• A

  PPOE Not working
  • albgen  

  8
  0
  Votes
  8
  Posts
  39
  Views

  

  Assign the parent NIC as a new interface. Enable it, spoof the MAC, leave the IP types set as none.
• P

  NAT forwarded ports
  • ppssysadmin  

  2
  0
  Votes
  2
  Posts
  23
  Views

  

  Yes you can add an outbound NAT rule on WAN2 to do that. You would have to choose the matching carefully though since I assume source address could be anything. Steve
• N

  Unable to connect to public SAMBA server
  • netnewb2  

  3
  0
  Votes
  3
  Posts
  31
  Views

  N

  @johnpoz Thanks for answering. Just a couple of minutes ago I checked with my ISP and it seems they have an option to request unlocking this port. I didn't expect this, as in the past they blocked only port 25. I expect it was this after all.
• B

  how to block bad guys who is sharing internet by laptop
  • begaa  

  3
  0
  Votes
  3
  Posts
  71
  Views

  

  Trying to understand why this this is an issue exactly? Are you some sort of internet cafe where user is paying for access, and then sharing that with his friends/others so they only have to pay once? Or are you in a work environment? And user is sharing access to other users that are not suppose to have internet - and should be working?
• P

  Port Forwarding between two gateways
  • ppssysadmin  

  4
  0
  Votes
  4
  Posts
  38
  Views

  

  What would of been creating a source port 0 traffic? That is borked!
• Z

  How to get Bell Fibe in Quebec/Ontario (Internet and IPTV) working with pfSense
  • zax123  

  170
  0
  Votes
  170
  Posts
  38089
  Views

  C

  @autumnwalker That's the weird thing, I see the DVR hitting those IP's though... Maybe there's additional ones!
• T

  Please anyone explain process How router and proxy server run Pfsense?
  • tony77  

  2
  0
  Votes
  2
  Posts
  16
  Views

  

  I think maybe you would have better discussion in your native language section.. Proxy is just an application/service just like any other be it dhcp, dns, ssh, httpd... it listens on an IP, and then does something with something that talks to it on the port its listening on.. Proxy normally listens on 3128... So client can directly send traffic to the proxy. Or you can do transparent mode where firewall listens for traffic on say port 80, and then sends it to the proxy port.. Pfsense is not a hardware firewall/router running a very limited IOS sort of OS, like a cisco or juniper or something... It is customized version of freebsd OS, to be easy to use/manage firewall/router - and yes is can provide other services like IDS, dns, dhcp, Proxy, etc.
• S

  Does cloning pfsense from Intel to ARM system work?
  • seanmcb  

  4
  0
  Votes
  4
  Posts
  84
  Views

  

  Editing the config is what I would do there. But I have edited a large number of configs as you might imagine. You need to include the <switches> and <vlans> sections from the 1100 config in the imported 4860 config as well as renaming the interfaces. Steve
• J

  Accessing (web)server from outside from one network to another using IPSec
  • jonp  

  6
  0
  Votes
  6
  Posts
  75
  Views

  

  Set up a site-to-site OpenVPN connection. Assign the interfaces so that you get reply-to and route-to fucntionality. Make sure firewall rules that pass the traffic are on the assigned interfaces and NOT on the main OpenVPN tab. If it's passed on the main tab it does not get tagged reply-to. Add the port forward on the WAN at site A to the LAN IP at site B. High-5 whoever might be next to you! Steve
• N

  Sending email through SendGrid fails
  email smtp • • ndemarco  

  4
  0
  Votes
  4
  Posts
  53
  Views

  N

  I'm still facing this issue. Authentication fails, though I've double checked my configuration. I've also used the same authentication and similar parameters to send emails through FreeNAS. I've looked in the system logs. The notification error text is duplicated in the logs. What's a good next step for troubleshooting? I imagine going to the command line, and manually connecting would be next. Any guidance is appreciated.
• R

  PFsense SG3100 & Actiontec DSL modem with transparent bridging
  • RedDelPaPa  

  5
  0
  Votes
  5
  Posts
  36
  Views

  R

  @stephenw10 currently I only have a need for one public ip at the moment. I honestly don’t foresee needing other workstations on my network to have public IP addresses.
• D

  Ethernet LAN freezing when saving captive portal configuration
  • dhmyess  

  9
  0
  Votes
  9
  Posts
  68
  Views

  

  The config is different? Or are you actually restoring the config onto both machines? I would bet it's different. Steve
• W

  Pfsense, No internet when it is said "You are connected".
  • weiphyo  

  107
  1
  Votes
  107
  Posts
  5571
  Views

  D

  @Gertjan apparently I used the wrong patch, after i use patch https://github.com/pfsense/pfsense/compare/RELENG_2_4_4...Augustin-FL:fix-reconfig-for-2-4-4.diff it works!!! problem solved, I am very very grateful for your help
• F

  how to use PHP shell with static route add
  pfssh.php • • futare  

  2
  0
  Votes
  2
  Posts
  32
  Views

  

  You probably need some include files there for the functions involved.
• 

  Admin user can't access users/groups
  • havastamas  

  16
  2
  Votes
  16
  Posts
  1084
  Views

  

  Because it was only introduced in 2.4.4p3. It will be fixed in the next release. Steve
• J

  Instagram Android - Images load initially then time out - IPV6 turned off, conservative mode on
  • JohnGalt1717  

  13
  0
  Votes
  13
  Posts
  83
  Views

  

  It logs those by default so if you're not seeing blocked traffic it's probably not being blocked. Run a pcap on the LAN side then to make sure those packets are leaving going back toward the phone. Steve
• R

  DNS resolution is slow when WAN is down but not WAN2
  • R4v3n  

  6
  0
  Votes
  6
  Posts
  62
  Views

  

  I would just use loopback/localhost for binding unbounds outgoing interface... This way it uses whatever is the default gateway out of pfsense.. This way you don't have to worry about unbound not being able to bind to an interface that might be down
• T

  Is pfSense affected from CVE-2019-19521: Authentication bypass?
  • tm_an  

  1
  0
  Votes
  1
  Posts
  59
  Views

  No one has replied

• J

  Is there a way create domain based rules or aliases? (i.e. to allow windows update *.domains.com)
  • Jpub  

  3
  0
  Votes
  3
  Posts
  54
  Views

  

  @Jpub, Windows update uses a list of well known domain names, easily found by searching for it, however, what you want and how pfSense works are not quite an exact fit. pfSense provides layer 3 firewalling capabilities, which means by IP and port only. A URL is a wholly different beast as the IP isn't immediately known, only the name, and based on your initial question, you know that some of the URLs contain wildcards, eg: *.update.microsoft.com, meaning Microsoft is free to put anything in place of the *. To further complicate matters, many of these URLs resolve to CNAMES which in turn resolve to Akamai's IP addresses, so trying to block / allow by IP will also affect other traffic that coincidentally is also hosted on the same Akamai infrastructure. There are a couple of ways you could address this issue: Use a proxy server; in this case the proxy server actually sees the URL so access control can be applied on the URL's name as opposed to its IP address. The firewall can be configured to allow the proxy server out, but not the workstations, thus forcing the traffic through the proxy server. Caveat: Not all software plays nice with a proxy server. Use a WSUS server; in this case a system is dedicated to downloading the windows updates and making them available to the local machines. In this case, the firewall can be configured to allow the WSUS server access out while maintaining a more strict access policy toward the Internet.
• T

  is possible to LAN 1 preferred gateway1 and failover gateway2, and LAN2 preferred gateway2 and failover gateway1
  • T.Soprano  

  2
  0
  Votes
  2
  Posts
  25
  Views

  M

  Sure, create 2 gateway groups. 1st one WAN1 TIER 1 and WAN2 TIER2 2nd one WAN2 TIER 1 AND WAN1 TIER2 Assign as default gateway in the advanced options of the firewall rule. vlan 1 gatewaygroup 1st vlan2 gatewaygroup 2nd
• I

  [SOLVED] Virtio NIC Performance - High CPU Usage
  • iamperson347  

  6
  0
  Votes
  6
  Posts
  748
  Views

  C

  Could you please share the solution that solved your issue? I'm having the same problem right now with a server that was running ESXi before. EDIT: sorry, I missed the first line :) No ntopng on my pfsense so it must be something else...
• G

  Logging Snort3/Barnyard2 to Splunk?
  • gawainxx  

  3
  0
  Votes
  3
  Posts
  37
  Views

  G

  I'm getting the data into Splunk but am having a rather difficult time getting fields set, Emerging Threats have been easy to create a regex for using the wizard but the Snort alerts have been throwing a monkeywrench into that by there being an additional, duplicate field in the "Snort Alerts" https://imgur.com/a/yV0kjbL
• O

  Need a link between pfsense and payment service
  • OpenWifi  

  2
  0
  Votes
  2
  Posts
  36
  Views

  

  You may need to use that Ubiquiti system...pfSense is a firewall, not a payment system is my thinking; however, please wait for others, especially seasoned gurus, to respond.
• T

  Problems after upgrading to 2.4.4-Release-p3 from 2.3.5
  • tejas  

  11
  0
  Votes
  11
  Posts
  177
  Views

  

  ClamAV is part of the main Squid package not Squidguard. It wan be enabled/disabled on the Antivirus tab in the Squid Proxy Sever page. Anyway glad you were able to resolve it. Steve
• 

  Change Keyboard Layout permanently
  • pmisch  

  14
  0
  Votes
  14
  Posts
  177
  Views

  

  I filed a feature request since I think there should be an easy option for everyone in the GUI to change the console's keyboard layout permanently. https://redmine.pfsense.org/issues/9942
• G

  Limit vpn access to one computer per account.
  • gridxvpn  

  11
  0
  Votes
  11
  Posts
  97
  Views

  

  Not easily. You might be better off generating the certs externally and autenticating users separately as well if you went that route. Steve
• E

  Gateway Not Active when connecting to 4g comcast backup gateway
  4g failover gateway comcast • • ercoupeflyer  

  3
  0
  Votes
  3
  Posts
  25
  Views

  

  Yes, by default it will be using the 4G routers address which is probably 192.168.165.1 (or maybe .254) but that does not necessarily have to respond to ping. Though I would expect it to. Setting an external IP to monitor there will give you a much better idea of the actual connection quality but it will also use data on the connection which can add up. https://docs.netgate.com/pfsense/en/latest/book/routing/gateway-settings.html#monitor-ip Steve
• N

  sendto error: 65
  • newUser2pfSense  

  33
  0
  Votes
  33
  Posts
  326
  Views

  N

  It just hit me to ask. Since this issue affects the user base of pfSense, have the pfSense developers thought of releasing a fix at least just for this issue before the next version of pfSense is released? This would at least alleviate a lot of restart frustration. Just wondering.
• M

  Changing config values for RANCID
  • mamawe  

  7
  0
  Votes
  7
  Posts
  43
  Views

  M

  @stephenw10 Thanks, that's exactly what I want. Kind regards, Mathias
• R

  Accessing via cloud service
  • rsloan  

  4
  0
  Votes
  4
  Posts
  66
  Views

  

  Yeah, that's still site-to-site from the farm to the cloud. Then Remote Access to the client fro your client and you can get access to the farm LAN subnet. Steve
• S

  pfSense Spectrum
  • StacyAnn33  

  23
  0
  Votes
  23
  Posts
  248
  Views

  S

  Yes, the only thing left for me to do is get my wireless router connected up to it. Thanks everyone for all the help. I really learned something along the way.