General pfSense Questions

• 

  pfSense Hangouts are available on YouTube!
  • ivor  

  3
  0
  Votes
  3
  Posts
  1283
  Views

  A

  Subscription done!!!
• 

  Share your pfSense stories!
  • jdillard  

  18
  0
  Votes
  18
  Posts
  9468
  Views

  P

  I hope this thread is still alive :) I was using m0n0wall for a long time (still have one that's been alive without reboot almost 7 years!) before I came across the first customer needing VLAN, about 12 years ago I think. I got recommended to check out pfsense, and I have since then never looked back. These days I run my own company and importing hardware and building our own routers based on APU2 board and pfsense. We have at least 200+ installations out there, and we're also running pfsense in our small datacenter where we maintain our smallest customers, as well as the two geographical backup sites we keep for customer data. And, at home of course, where I hide my entire network behind an OpenVPN service setup in pfsense. I'm originally a Windows-guy, but after I met pfsense I realised there's a whole world of open source out there so I started learning, and today roughly half of our services are based on open source. Comparing pfsense to Cisco or the likes, I'd say there is no competition when it comes to price / functionality / reliability (as long as you use an appropriate hardware). Only kind words from me! ...and were are also retailers for Netgate in Sweden, not that we have a lot of customers of the size demanding that good hardware.
• G

  PHP Error - Timezone
  • guilherme_egb  

  6
  0
  Votes
  6
  Posts
  41
  Views

  G

  I've restarted my pfsense and then the problem has been resolved.
• A

  Alias table for FQDN is not updating.
  • atul.chauhan  

  2
  0
  Votes
  2
  Posts
  25
  Views

  

  Could you be more specific? You're creating an IP alias? IIRC, aliases are updated every 10 minutes. If the FQDN resolves to multiple addresses, only the first is used.
• V

  Bootstrap XSS
  • vmb  

  5
  0
  Votes
  5
  Posts
  57
  Views

  

  The file could be stock and still not affected, it depends on the bug and how the library is used. I haven't looked deeply at that particular issue, but in similar cases in the past we've seen instances where we happened to not use a particular affected component so even though the vendor library was flawed, pfSense was not vulnerable. So it does take a bit deeper analysis than just inspecting version numbers. Still, it is very out of date, so we are certainly looking at what the impact of updating it will be.
• G

  fix current time
  • guilherme_egb  

  20
  0
  Votes
  20
  Posts
  76
  Views

  G

  Sorry, I've answered wrong. Today, I'll try to change my time manually.
• S

  Setup specific traffic through VPN
  • spiross  

  3
  0
  Votes
  3
  Posts
  27
  Views

  V

  Go to the OpenVPN client settings and check "Don't pull routes". Add a firewall rule for the IP you want to route over the VPN. Put that IP into the destination box, you may also restrict that rule to a specific source IP. Open the advanced options, go down to the gateway option and select the VPN gateway. Put that rule to the top of your LAN rule set. To route the traffic to multiple IPs over the VPN you may put all these into an alias and then use the alias as destination in the rule.
• N

  sendto error: 65
  • newUser2pfSense  

  7
  0
  Votes
  7
  Posts
  92
  Views

  N

  Indeed it is! I was actually using the interwebs when that happened and I immediately opened up pfSense and began looking at the Status > System Logs. That's when I came along the rc.gateway_alarm. It sure would be nice to find what's making the gateway drop off like that. I don't know that my service provider, Verizon, could be doing something to cause the issue. I notice it typically when I get up in the mornings when I go to check for emails and I can't get out. I then have to restart pfSense. Frustrating.
• M

  Add Custom Tables
  • meaglerick  

  4
  0
  Votes
  4
  Posts
  30
  Views

  

  Try the pfctl command.
• 

  Admin user can't access users/groups
  • havastamas  

  14
  2
  Votes
  14
  Posts
  881
  Views

  A

  Just wanted to say thank you for this!
• 

  pfSense Service or DL Package for SIP-ALG?
  • VirtuousMight  

  13
  0
  Votes
  13
  Posts
  452
  Views

  

  @racecarr Hello, So our company decided to revert back to ring central after using dialpad for about a month. Our experience with their product and services was low-grade - in terms of voip quality and end-user app usability (stability and lack of admin accessibility). They rely to some extent on google data centers for some of their data operations which can be an advantage but also a dependency that is not fault tolerant. We experienced this when some database servers experienced disruption and our users where unable to access the app to get into their accounts to make calls. I do not recommend dialpad. It appeared to me their systems are underdeveloped when it comes to non-Ai and non-sync features, meaning the primary usage of voip with them was inconsistent and low-quality as they seemed to have emphasized other feature enhancements over the main functionality, being voice-over-ip call quality and connection stabilization .
• S

  Squid / ClamAV Experience
  • Stewart  

  11
  0
  Votes
  11
  Posts
  29
  Views

  

  Squid probably isn't tracking that accurately anyhow. You'd be better off with a setup more like netflow but that would require an off-box collector to keep the data and make graphs. ntopng may help locally.
• R

  Arpwatch not able send email notification
  • rifanrcd  

  7
  0
  Votes
  7
  Posts
  72
  Views

  

  Just installed aprwatch package. Settings used : Had to stop it an hour later : my (self hosted) mail box received hundreds of mails from arpwatch. This means : My Sys > Adv > Notifications has been set up correctly ;) "arpwatch" sends mail using the pfSense mail notational system .... and it does as advertised. Btw : take note of the warning : I know what 'gmail' might do when you bombard it with pretty identical mails (from the same IP). It will do what it should do : it will discard and block them .... Upfront, you should white list (make the sender mail a contact, etc). gmail is nice to be sued as a things-go-bad-notifier, but do not spam them.
• F

  routing Issue
  • fluctuationit  

  2
  0
  Votes
  2
  Posts
  23
  Views

  

  @fluctuationit Is the VM network adapter bridged or NAT? If NAT, you have the same subnet on both sides of it, which will not work.
• B

  High CPU user util
  • BlijeGub  

  15
  0
  Votes
  15
  Posts
  59
  Views

  B

  Fixed by disabling dhcpv6 which I didn't even need because router advertising is enough to get ipv6 working. Still don't know why dhcpv6 was causing the cpu spikes though.
• F

  NAT - Source Hash netblock - assigning GW & Broadcast
  • fusionp  

  1
  0
  Votes
  1
  Posts
  19
  Views

  No one has replied

• L

  Sync server firewalls with pfsense?
  • lewis  

  7
  0
  Votes
  7
  Posts
  78
  Views

  L

  Great input, I'll look into each of these and learn about them. Thanks very much again.
• L

  PfSense and Disabled Interfaces
  • lucas1  

  6
  0
  Votes
  6
  Posts
  98
  Views

  

  Hmm, well I would guess the new re(4) card replaced the old one and became re0. The only way to know for sure would be to check the MAC addresses. You should obviously see one card with media status when only one cable is connected but you reported odd behaviour there. Steve
• 

  Trying to Understand Traffic Graphs
  • NollipfSense  

  8
  0
  Votes
  8
  Posts
  159
  Views

  

  @stephenw10 said in Trying to Understand Traffic Graphs: The GUI will become laggy when it has no upstream connectivity. That can be significantly worse on the dashboard where you may have several widgets that try to resolve DNS and check external sources. The update check, support status check, package update check, dyndns entries for example all have to time-out. However it should not take 3 minutes. That seems more likely all the cpu cycles were being used for some process that could not complete. Steve Thank you for explaining the lagging experience Steve! My 3 minutes was a guess estimate...I thought it checked for update when first launching Dashboard though. Dashboard was already opened.
• J

  help me out too.
  • jasonsmith  

  4
  0
  Votes
  4
  Posts
  43
  Views

  

  @jasonsmith said in help me out too.: Below is the output of Pfsense when network fails This may have been omitted, let's see it.
• T

  Pfsense internet cuts off intermittently. Only restart helps
  • themadsalvi  

  5
  0
  Votes
  5
  Posts
  84
  Views

  

  You can disable MSIX for just em devices so that other PCI devices can still use it. Add to /boot/loader.conf.local hw.em.msix=0 If your NIC doesn't support MSIX though it won't be using that anyway. Steve
• M

  No matter what I do, through pfSense I'm getting between 190-200Mb down, and between 400-600Mb up..
  • MrSassinak  

  54
  0
  Votes
  54
  Posts
  361
  Views

  

  @MrSassinak said in No matter what I do, through pfSense I'm getting between 190-200Mb down, and between 400-600Mb up..: 1f418086 That's an Avoton device ID. Are you sure that's not a C2000 CPU? Otherwise it's a C2000 based add on card, which is possible. It should still pass 1Gb either way unless it's like C2350 without turbo mode.
• T

  Network dropout when adding new VLANS to Lagg?
  • tomstephens89  

  3
  0
  Votes
  3
  Posts
  28
  Views

  

  I just did this and noticed no packet loss pinging the pfSense interface on another VLAN on the same lag. 0% loss pinging at 0.5 second intervals. 192.168.223.1 is the pfSense interface address on lagg0.223 Throughout this ping I created VLAN 1501 on lagg0, OPT17 on lagg0.1501, and enabled/numbered/applied OPT17. --- 192.168.223.1 ping statistics --- 444 packets transmitted, 444 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 0.169/0.664/159.686/7.556 ms At what point does the loss occur? When you add the VLAN? When you create the new interface using that VLAN? When you enable, number, and apply the new interface? What does the system log show when you add an interface? Does your switch log show anything interesting? ETA: No loss pinging through the firewall on removal of the same.
• P

  Failover setup between offices
  • pbrennan845  

  4
  0
  Votes
  4
  Posts
  30
  Views

  

  Start with a Multi-WAN configuration. No I don't know of a guide for that specific set of circumstances. It's pretty uncommon. I would start by just getting the two WANs and the PtP working between the sites, then work on using that PtP as a backup WAN for each side.
• A

  WAN DHCP not obtaining public IP from provider's router
  • amello  

  12
  0
  Votes
  12
  Posts
  100
  Views

  

  If the local router gives you a private IP from it's own DHCP server you can just set the WAN DHCP client to refuse leases from that server. But you can only do that if the DHCP server that hands you a public lease is not that same IP. Otherwise you've refused all leases https://docs.netgate.com/pfsense/en/latest/book/interfaces/ipv4-wan-types.html#dhcp Steve
• O

  pfsense 2.4.4-p3 can't find the web management or it changed drastically
  • Odetta  

  3
  0
  Votes
  3
  Posts
  69
  Views

  

  That sounds like something is broken or not displaying correctly in the broswer. All the previous options should be there. Steve
• B

  Speed test is slow direct from my PC to PFSense
  • billsecond  

  21
  0
  Votes
  21
  Posts
  191
  Views

  

  You should start a new thread for this and detail exactly what you're seeing and what you have done. There are numerous reason you could be seeing less throughput that you expect. The chances you are hitting the same issue as the OP in this thread are low. Steve
• A

  Issue in the UI setting up a USB GPS Device.
  • antonkristensen  

  11
  0
  Votes
  11
  Posts
  70
  Views

  A

  @stephenw10 Yeah i have been searching for that too, haven't found it yet...
• T

  PPP unusual errors
  • timt  

  5
  0
  Votes
  5
  Posts
  42
  Views

  T

  @stephenw10 Good idea, I'll take a look in Wireshark at the result, that might give some clues. I removed the hardset 1492 MTU from the config and let PPP negotiate the MTU. It still came up 1492 as expected. Its odd that it only happens in bursts, the first about an hour after resetting the link. I haven't seen anything since. I've also asked the ISP if there is anything happening at their end just in case. regards Tim
• J

  Broadcast traffic on WAN
  • JHPArizona  

  3
  0
  Votes
  3
  Posts
  43
  Views

  

  Your ISP is not isolating customers on the same subnet. Or they are sending it themselves... Continuous 1.5Mbps seems extreme. You can add a firewall rule on WAN to block and not log that which will remove load from the firewall but won't help traffic conditions on your WAN. I would call the ISP if the source IP there is just some other customer of theirs. Steve
• G

  interface speed
  • glenthenerd  

  8
  0
  Votes
  8
  Posts
  55
  Views

  

  @glenthenerd said in interface speed: Rogers is being a pill. The default ID is "cusadmin" and the password is "password". If the modem is in gateway mode, you use the gateway address. If in bridge mode, use 192.168.100.1. IIRC, they do have access. When I had some IPv6 problems, earlier this year, the tech put another password on my modem, which I didn't know and I had to call them to reset it. If first level support can't help, ask for 2nd level. I often do that as I find I'm wasting my time talking to 1st level.
• R

  annoying arpwatch email notification
  • rifanrcd  

  2
  0
  Votes
  2
  Posts
  34
  Views

  

  Not beyond send notifications or don't in the current package. Steve
• R

  Accidently locked out of WebGUI
  • Raka74  

  10
  0
  Votes
  10
  Posts
  88
  Views

  

  You could also use 'fetch' which is included for future reference.
• M

  Firewall Rules with Alias only works after rebooting the pfSense
  • marco.jaeger  

  7
  0
  Votes
  7
  Posts
  51
  Views

  

  @marco-jaeger said in Firewall Rules with Alias only works after rebooting the pfSense: Check this redmine ticket: https://redmine.pfsense.org/issues/9296 Still, the issue seems far less then 6 month ago - I tend to say : for me : no more issues. @marco-jaeger said in Firewall Rules with Alias only works after rebooting the pfSense: our pfSense (Version 2.4.4_P1) @marco-jaeger : what about simply updating to p3 ? The problem will be probably be less - and don't forget the other problem : less other issues which some are security related. The issue could not be 'filterdns' related, but more 'ipfw' - and this is based out of FreeBSD.... ( I think I saw flying @bmeeks other palm now ^^ )
• O

  email Notification login credentials not yet implimented?
  • Oclair  

  8
  0
  Votes
  8
  Posts
  99
  Views

  

  I'm using it right now : After sending a test : mail - server side logs : Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-mail.*******.me Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-PIPELINING Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-SIZE 31457280 Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-VRFY Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-ETRN Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-STARTTLS Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-ENHANCEDSTATUSCODES Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-8BITMIME Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250 DSN As you can see, my mail server sends out it's capabilities. Among them, there is "STARTSSL". Because the mailing system of pfSense scans the capabilities, and it found STARTSSL, it issues a STARTTLS Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: < mail.****.me[2001:470:1f12:xxxx::2]: STARTTLS ... The TCP connection is renegotiated as an SSL connection, the entire process start over, this time encrypted. Mail caps are send again (except STRTSSL, because SSL that mode is activated now) and the LOGIN starts : Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: < mail.****.me[2001:470:1f12:xxxx::2]: AUTH LOGIN ..... Btw : my postfix settings for this domain, protocol submission (port 587) : mail.*******.me:submission inet n - - - - smtpd -v -o myhostname=mail.*****.me -o smtp_helo_name=mail.*****.me -o smtpd_tls_security_level=may -o smtpd_etrn_restrictions=reject -o smtpd_tls_cert_file=/etc/ssl/*****.me/*****.me.pem -o smtpd_tls_key_file=/etc/ssl/****.me/*****.me.pem -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o content_filter=amavis:[127.0.0.1]:10026 -o milter_macro_daemon_name=ORIGINATING -o smtpd_sasl_auth_enable=yes The important part is the smtpd_tls_security_level=may setting which activated STARTSSL capabilities. When I have some time, I could show you the same thing using gmail's mail server, also proposing submission with SSL (STARTSSL). In that case, I won't have access to the mail servers logs ;) @Oclair said in email Notification login credentials not yet implimented?: Not if I should change my mailserver host's config You and I use the same "pfSense". Right ? There are no settings on the pfSense side, except the usual mail server address and port. What do you want me to say ? Let's be neutral : when both sides agree, mail communication will use STARTSSL. Another proof : My Outlook 2010 mail client settings As you can see, it uses "587" (submission) and the TLS (STARTTLS). Outlook can send mails just fine, doing the same thing as pfSense does. Outlook 365 and Outlook 2016 : same result.
• 

  Best defense for Syn Flood?
  • nfld_republic  

  6
  0
  Votes
  6
  Posts
  156
  Views

  B

  This has been going on for a few months now and is very likely a SYN-ACK flood, as opposed to a SYN flood. The source IPs in the SYN packets are forged. Using forged IPs, the attackers can select any set of source (victim) addresses they want. Those victims are flooded with SYN-ACK packets. Blocking the traffic will only be effective until they choose another victim, which they seem to do regularly. Sadly, there really isn't much you can do. Search for "Anatomy of a SYN ACK attack". I'd post the link but Akismet is stopping me.
• S

  Does cloning pfsense from Intel to ARM system work?
  • seanmcb  

  2
  0
  Votes
  2
  Posts
  48
  Views

  

  The CPU difference might or might not make a difference depending on what the load is on the intel system and what you are doing with it. But it will work. Reassigning the interfaces should be pretty easy if you are using three or less and no tagged VLANs. With more than three interfaces or with tagged VLANs you'll need to do some configuration of the internal switch in the 1100 but it will work.
• L

  Acceptable packet loss on WAN
  • leonroy  

  14
  0
  Votes
  14
  Posts
  166
  Views

  C

  I expect a steam download will cause carnage. I consider that the ultimate test, steam downloads (uncapped in client) are almost like DDOS'ing your own line 30+ download threads. Basically when a line is saturated you will get packet loss, there has to be, TCP flow is controlled by the fact packets get dropped. However the issue is which packets are getting dropped and the amount been dropped. Ingress shaping that prioritises small packets e.g. if working perfect would ensure these pings make it through on the monitoring, so presenting a loss free line, and "all" the dropped packets would be from the TCP downloads having practically no impact on throughput. That's the ideal world scenario. It is a mystery why some people don't see this issue at all, some see it but can fix it via ingress shaping, others see it but cannot fix it at all (without a massive downstream throttle to prevent it). My theory remains a driver/nic issue been possible, but also hard to rule out the intermediate modem. If possible the first test would be to swap out pfSense for something else temporarily, and if the behaviour is the same, then it suggests an issue either with modem or ISP side queuing. Certainly I think on the modern internet ingress is far more difficult to manage than egress, egress for me has only ever really compromised QoS in the days when it was tiny like on ADSL. Even then it tended to just skyrocket latency rather than cause significant packet loss. Buffer bloat is bad, but its a lesser evil than a mass of indiscriminate dropped packets.
• T

  Default deny rule IPv4
  • tomli  

  11
  0
  Votes
  11
  Posts
  118
  Views

  

  There is always another option. :)
• 

  HTTP to HTTPS redirect
  • manjotsc  

  3
  0
  Votes
  3
  Posts
  76
  Views

  

  @stephenw10 Thanks