General pfSense Questions

• 

  pfSense Hangouts are available on YouTube!
  • ivor  

  3
  0
  Votes
  3
  Posts
  1317
  Views

  A

  Subscription done!!!
• 

  Share your pfSense stories!
  • jdillard  

  18
  0
  Votes
  18
  Posts
  9528
  Views

  P

  I hope this thread is still alive :) I was using m0n0wall for a long time (still have one that's been alive without reboot almost 7 years!) before I came across the first customer needing VLAN, about 12 years ago I think. I got recommended to check out pfsense, and I have since then never looked back. These days I run my own company and importing hardware and building our own routers based on APU2 board and pfsense. We have at least 200+ installations out there, and we're also running pfsense in our small datacenter where we maintain our smallest customers, as well as the two geographical backup sites we keep for customer data. And, at home of course, where I hide my entire network behind an OpenVPN service setup in pfsense. I'm originally a Windows-guy, but after I met pfsense I realised there's a whole world of open source out there so I started learning, and today roughly half of our services are based on open source. Comparing pfsense to Cisco or the likes, I'd say there is no competition when it comes to price / functionality / reliability (as long as you use an appropriate hardware). Only kind words from me! ...and were are also retailers for Netgate in Sweden, not that we have a lot of customers of the size demanding that good hardware.
• A

  Diagnosing can't ping out
  • axxxxe  

  6
  0
  Votes
  6
  Posts
  32
  Views

  

  What happened? How could I have diagnosed further before resorting to a reboot? Probably packet captures to see what was actually going out WAN. Evaluating the routing table to see what the state of the network was at the time.
• T

  Eventual TFTP failure - "couldn't forward tftp packet: Permission denied"
  • TreyD  

  1
  0
  Votes
  1
  Posts
  8
  Views

  No one has replied

• J

  Implement pfSense To Protect Distributed Virtual Private Servers
  • jtomelevage  

  1
  0
  Votes
  1
  Posts
  14
  Views

  No one has replied

• E

  Gateway Not Active when connecting to 4g comcast backup gateway
  4g failover gateway comcast • • ercoupeflyer  

  14
  0
  Votes
  14
  Posts
  66
  Views

  

  I expect it to add a route there though and it isn't. If it's rejecting it there should be some messages in the log. What does it show in the system log or dhcp log when you connect it? Steve
• D

  Can't get to login.microsoft.com
  • dcihon  

  3
  0
  Votes
  3
  Posts
  20
  Views

  

  Define 'I turn off the firewall'. How exactly does it fail when connecting from behind pfSense? Timeout? Can't resolve? Steve
• P

  WAN1<>LAN1, WAN2<>LAN2, no cross traffic allowed
  • pille99  

  3
  0
  Votes
  3
  Posts
  38
  Views

  

  Yes, this should be two IPs. Two interfaces in the same subnet is not valid. If you really want them completely separate and it's running in ESXi then you could just use two pfSense VMs. Though I notice you have the firewall labelled as "pfSense LB", is it running as a load-balancer? Steve
• 

  User account - need permission to run scripts via SSH
  • tkohhh  

  12
  0
  Votes
  12
  Posts
  97
  Views

  

  Logging on as root is generally not recommended / insecure. A better way would be to create a dedicated user that will use public key for logging on and and authorize exactly what commands they can run using sudo. Install sudo package Add a new user: System / User Manager -> Add (let's call this user testuser for this example) Set a very complicated password (we won't be using it) >>Paste your public key that you will be using to connect with.<< Save the user Go back and edit testuser to expose the permissions part of the GUI that doesn't appear initially (bug?) Grant the user User - System: Shell account access Save the user Edit the sudo config (System / sudo) Add User: testuser with Run As User: root, Check No Password, preferably, enter the allowed command list, or ALL To test: ssh testuser@pfSense - you should not be prompted for a password since you will be using public key login [2.4.4-RELEASE][testuser@pfsense.local]/home/testuser: id - you'll see the default user ID (uid=2000(testuser) gid=65534(nobody) groups=65534(nobody) sudo id - now root user ID uid=0(root) gid=0(wheel) groups=0(wheel),2(kmem),3(sys),4(tty),5(operator),20(staff),31(guest),1999(admins) sudo your-script -your script will run as root To run your script from remote: ssh testuser@pfSense sudo your-script
• R

  Plex issue with having 2 Wans
  • ryanjones  

  2
  0
  Votes
  2
  Posts
  22
  Views

  

  Yes, you can just set a pass firewall rule for he Plex device as source above the load-balancing rule and specify a single gateway. You should not have to though. The port forward coming in is independent of the load-balancing of outbound connections. It might be affected if the Plex detects the external IP and advertises that somewhere. Steve
• J

  Possible to modify rule based on a schedule?
  • jeff3820  

  2
  0
  Votes
  2
  Posts
  30
  Views

  

  You can put a schedule on a firewall rule: https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-schedules.html But that would require scheduling it enabled too and it doesn't sound like that would fit your usage. You might be able to just set the rule as disabled using a php shell command/script. Then call that from a cronjob. https://docs.netgate.com/pfsense/en/latest/development/using-the-php-pfsense-shell.html Steve
• M

  How to find spambot? Got network abuse report from my ISP
  • MrGlasspoole  

  21
  0
  Votes
  21
  Posts
  211
  Views

  M

  @Gertjan said in How to find spambot? Got network abuse report from my ISP: You mean : even you didn't send a mail What i mean is that nothing shows up that is trying to send mails. Sure, if I try to send one (what of course is not working) it shows up.
• M

  How to allow Internet only for one Device and allow only one website for all the others ?
  • Mago  

  3
  0
  Votes
  3
  Posts
  65
  Views

  M

  Can it be done here, yes, however, typically solutions at the firewall level involve manual processes like stephenw10 described plus DNS lookups, chasing down IP ranges, etc. and are management nightmares. You could configure Squid/Squidguard, but personally, I've never liked that route either. One crude way of doing what you're asking is to statically set the IP and DNS for the one workstation you want to have full access... and have DHCP hand out OpenDNS to everyone else where their queries will be filtered. A more effective way of accomplishing your goal is to implement a UTM.
• M

  Blocking Acces to Another VLAN but Allow Internet Acces
  • mracar07  

  5
  0
  Votes
  5
  Posts
  64
  Views

  M

  Where are you testing from? Because I'm not seeing hits on any of those rules. The first thing I would do is re-verify that your access ports are in the correct VLAN. Then, If you only want MUSTERI to access WDSPAYLASIM and nothing else, then remove everything you have and configure an explicit pass rule for: Source = MUSTERI net Destination = WDSPAYLASIM net and be done. Everything else will get blocked by the implicit deny.
• G

  DNS crashing every ~ 36 hours or so and unbound has to be restarted.
  • gawainxx  

  8
  0
  Votes
  8
  Posts
  109
  Views

  

  @gawainxx said in DNS crashing every ~ 36 hours or so and unbound has to be restarted.: config file https://github.com/NLnetLabs/unbound/blob/e828d678bafb7ef0df32623f6883bc4bdc07dc5b/daemon/unbound.c#L664 The config file is actually ok /unbound.conf - this file named is prefixed with with chrooted dir. The chroot went wrong ? => File system errors ?
• P

  An unsettling outage
  • piperspace  

  6
  0
  Votes
  6
  Posts
  104
  Views

  P

  @JKnott - Thanks. I will check to be sure the coax is still grounded and that my modem power supply hasn't gone wonky.
• J

  how to access a dmz servers from LAN?
  • JVlas  

  15
  0
  Votes
  15
  Posts
  107
  Views

  

  @stephenw10 said in how to access a dmz servers from LAN?: Er I think there's some confusion here Yeah for sure!!!! Whoever put up that drawing has ZERO!!! understanding of how networking works.. if that is some teacher??? Then just shoot me!!! Our future is failed - we should just give up.. I really do not get how that could be any sort of class - there is zero possible how that someone that is a teacher of networking could put up such a drawing.. If so we are just failed!!!! WTF???? Really - if someone put that up as some sort of test, other than what is F'ing wrong with this drawing... We are all is serious trouble for the future!!!
• A

  PPOE Not working
  • albgen  

  8
  0
  Votes
  8
  Posts
  47
  Views

  

  Assign the parent NIC as a new interface. Enable it, spoof the MAC, leave the IP types set as none.
• P

  NAT forwarded ports
  • ppssysadmin  

  2
  0
  Votes
  2
  Posts
  27
  Views

  

  Yes you can add an outbound NAT rule on WAN2 to do that. You would have to choose the matching carefully though since I assume source address could be anything. Steve
• N

  Unable to connect to public SAMBA server
  • netnewb2  

  3
  0
  Votes
  3
  Posts
  35
  Views

  N

  @johnpoz Thanks for answering. Just a couple of minutes ago I checked with my ISP and it seems they have an option to request unlocking this port. I didn't expect this, as in the past they blocked only port 25. I expect it was this after all.
• B

  how to block bad guys who is sharing internet by laptop
  • begaa  

  4
  0
  Votes
  4
  Posts
  88
  Views

  

  Trying to understand why this this is an issue exactly? Are you some sort of internet cafe where user is paying for access, and then sharing that with his friends/others so they only have to pay once? Or are you in a work environment? And user is sharing access to other users that are not suppose to have internet - and should be working?
• P

  Port Forwarding between two gateways
  • ppssysadmin  

  4
  0
  Votes
  4
  Posts
  40
  Views

  

  What would of been creating a source port 0 traffic? That is borked!
• Z

  How to get Bell Fibe in Quebec/Ontario (Internet and IPTV) working with pfSense
  • zax123  

  170
  0
  Votes
  170
  Posts
  38113
  Views

  C

  @autumnwalker That's the weird thing, I see the DVR hitting those IP's though... Maybe there's additional ones!
• T

  Please anyone explain process How router and proxy server run Pfsense?
  • tony77  

  2
  0
  Votes
  2
  Posts
  20
  Views

  

  I think maybe you would have better discussion in your native language section.. Proxy is just an application/service just like any other be it dhcp, dns, ssh, httpd... it listens on an IP, and then does something with something that talks to it on the port its listening on.. Proxy normally listens on 3128... So client can directly send traffic to the proxy. Or you can do transparent mode where firewall listens for traffic on say port 80, and then sends it to the proxy port.. Pfsense is not a hardware firewall/router running a very limited IOS sort of OS, like a cisco or juniper or something... It is customized version of freebsd OS, to be easy to use/manage firewall/router - and yes is can provide other services like IDS, dns, dhcp, Proxy, etc.
• S

  Does cloning pfsense from Intel to ARM system work?
  • seanmcb  

  4
  0
  Votes
  4
  Posts
  87
  Views

  

  Editing the config is what I would do there. But I have edited a large number of configs as you might imagine. You need to include the <switches> and <vlans> sections from the 1100 config in the imported 4860 config as well as renaming the interfaces. Steve
• J

  Accessing (web)server from outside from one network to another using IPSec
  • jonp  

  6
  0
  Votes
  6
  Posts
  75
  Views

  

  Set up a site-to-site OpenVPN connection. Assign the interfaces so that you get reply-to and route-to fucntionality. Make sure firewall rules that pass the traffic are on the assigned interfaces and NOT on the main OpenVPN tab. If it's passed on the main tab it does not get tagged reply-to. Add the port forward on the WAN at site A to the LAN IP at site B. High-5 whoever might be next to you! Steve
• N

  Sending email through SendGrid fails
  email smtp • • ndemarco  

  4
  0
  Votes
  4
  Posts
  53
  Views

  N

  I'm still facing this issue. Authentication fails, though I've double checked my configuration. I've also used the same authentication and similar parameters to send emails through FreeNAS. I've looked in the system logs. The notification error text is duplicated in the logs. What's a good next step for troubleshooting? I imagine going to the command line, and manually connecting would be next. Any guidance is appreciated.
• R

  PFsense SG3100 & Actiontec DSL modem with transparent bridging
  • RedDelPaPa  

  5
  0
  Votes
  5
  Posts
  38
  Views

  R

  @stephenw10 currently I only have a need for one public ip at the moment. I honestly don’t foresee needing other workstations on my network to have public IP addresses.
• D

  Ethernet LAN freezing when saving captive portal configuration
  • dhmyess  

  9
  0
  Votes
  9
  Posts
  68
  Views

  

  The config is different? Or are you actually restoring the config onto both machines? I would bet it's different. Steve
• W

  Pfsense, No internet when it is said "You are connected".
  • weiphyo  

  107
  1
  Votes
  107
  Posts
  5582
  Views

  D

  @Gertjan apparently I used the wrong patch, after i use patch https://github.com/pfsense/pfsense/compare/RELENG_2_4_4...Augustin-FL:fix-reconfig-for-2-4-4.diff it works!!! problem solved, I am very very grateful for your help
• F

  how to use PHP shell with static route add
  pfssh.php • • futare  

  2
  0
  Votes
  2
  Posts
  38
  Views

  

  You probably need some include files there for the functions involved.
• 

  Admin user can't access users/groups
  • havastamas  

  16
  2
  Votes
  16
  Posts
  1092
  Views

  

  Because it was only introduced in 2.4.4p3. It will be fixed in the next release. Steve
• J

  Instagram Android - Images load initially then time out - IPV6 turned off, conservative mode on
  • JohnGalt1717  

  13
  0
  Votes
  13
  Posts
  84
  Views

  

  It logs those by default so if you're not seeing blocked traffic it's probably not being blocked. Run a pcap on the LAN side then to make sure those packets are leaving going back toward the phone. Steve
• R

  DNS resolution is slow when WAN is down but not WAN2
  • R4v3n  

  6
  0
  Votes
  6
  Posts
  62
  Views

  

  I would just use loopback/localhost for binding unbounds outgoing interface... This way it uses whatever is the default gateway out of pfsense.. This way you don't have to worry about unbound not being able to bind to an interface that might be down
• T

  Is pfSense affected from CVE-2019-19521: Authentication bypass?
  • tm_an  

  1
  0
  Votes
  1
  Posts
  72
  Views

  No one has replied

• J

  Is there a way create domain based rules or aliases? (i.e. to allow windows update *.domains.com)
  • Jpub  

  3
  0
  Votes
  3
  Posts
  58
  Views

  

  @Jpub, Windows update uses a list of well known domain names, easily found by searching for it, however, what you want and how pfSense works are not quite an exact fit. pfSense provides layer 3 firewalling capabilities, which means by IP and port only. A URL is a wholly different beast as the IP isn't immediately known, only the name, and based on your initial question, you know that some of the URLs contain wildcards, eg: *.update.microsoft.com, meaning Microsoft is free to put anything in place of the *. To further complicate matters, many of these URLs resolve to CNAMES which in turn resolve to Akamai's IP addresses, so trying to block / allow by IP will also affect other traffic that coincidentally is also hosted on the same Akamai infrastructure. There are a couple of ways you could address this issue: Use a proxy server; in this case the proxy server actually sees the URL so access control can be applied on the URL's name as opposed to its IP address. The firewall can be configured to allow the proxy server out, but not the workstations, thus forcing the traffic through the proxy server. Caveat: Not all software plays nice with a proxy server. Use a WSUS server; in this case a system is dedicated to downloading the windows updates and making them available to the local machines. In this case, the firewall can be configured to allow the WSUS server access out while maintaining a more strict access policy toward the Internet.
• T

  is possible to LAN 1 preferred gateway1 and failover gateway2, and LAN2 preferred gateway2 and failover gateway1
  • T.Soprano  

  2
  0
  Votes
  2
  Posts
  27
  Views

  M

  Sure, create 2 gateway groups. 1st one WAN1 TIER 1 and WAN2 TIER2 2nd one WAN2 TIER 1 AND WAN1 TIER2 Assign as default gateway in the advanced options of the firewall rule. vlan 1 gatewaygroup 1st vlan2 gatewaygroup 2nd
• I

  [SOLVED] Virtio NIC Performance - High CPU Usage
  • iamperson347  

  6
  0
  Votes
  6
  Posts
  755
  Views

  C

  Could you please share the solution that solved your issue? I'm having the same problem right now with a server that was running ESXi before. EDIT: sorry, I missed the first line :) No ntopng on my pfsense so it must be something else...
• G

  Logging Snort3/Barnyard2 to Splunk?
  • gawainxx  

  3
  0
  Votes
  3
  Posts
  37
  Views

  G

  I'm getting the data into Splunk but am having a rather difficult time getting fields set, Emerging Threats have been easy to create a regex for using the wizard but the Snort alerts have been throwing a monkeywrench into that by there being an additional, duplicate field in the "Snort Alerts" https://imgur.com/a/yV0kjbL
• O

  Need a link between pfsense and payment service
  • OpenWifi  

  2
  0
  Votes
  2
  Posts
  36
  Views

  

  You may need to use that Ubiquiti system...pfSense is a firewall, not a payment system is my thinking; however, please wait for others, especially seasoned gurus, to respond.