General pfSense Questions

• 

  pfSense Hangouts are available on YouTube!
  • ivor

  1
  0
  Votes
  1
  Posts
  559
  Views

  No one has replied

• 

  Share your pfSense stories!
  • jdillard

  17
  0
  Votes
  17
  Posts
  8277
  Views

  R

  @johnpoz: While the ability for any software and your hardware/system to run for such a long time is nice. That you would run your firewall on software that is no longer updated or maintained is BAD security..  2.1.5 should of been updated when it went EOL..  Its still running esxi 3.5 that went end of extended support back in 2013 and end of even technical guidance back in 2015 is not good practice from any point of view especially security. Agree with everything! This box, however, was only handling internal routing between some private networks. Didn't have access to the internet either - updating wasn't easily possible. Was also a low-priority segment - it's now being killed forever and nothing comes in place.
• R

  Problem with ISP connectivity
  • rm-rf

  2
  0
  Votes
  2
  Posts
  14
  Views

  R

  I think I know what it is- proxy ARP on another router causes this problem. Testing it now. I still don't understand why it affects only pfsense.
• N

  latency of connection monitoring
  • Nthly

  25
  0
  Votes
  25
  Posts
  91
  Views

  N

  @johnpoz said in latency of connection monitoring: Great then ping those - what is the latency.. sorry for the few hours hiatus. I did ping the above, however packets may be dropped as no ping back is receive. I heard most game providers do that, probably for lessen the load on servers that i assume may be running at close to full capacity, and, in a conspiracy theory view.... to hide the fact that servers they use may be in a different region or not be as good as people expect them to be.. LOL. The first one more likely. On PC, the game seems to run better and faster, plus ping is readily available and can be added as an overlay on a corner of the screen, but this is a whole different world.
• S

  Pfsense connect with DSL modem wifi router problem need help.
  • stardreamer77

  1
  0
  Votes
  1
  Posts
  10
  Views

  No one has replied

• D

  WAN Monitoring and Packet Loss
  • david_harrison

  6
  0
  Votes
  6
  Posts
  101
  Views

  D

  @johnpoz Thanks to you and all. So problem went away when I moved ( well rebuilt) my pfSense router in a new VM on a different host with different NIC's. The original install utilised Realtek r811 nics, the new one using an HP 4 port lan card. Haven;t dropped a packet since..... 2 Day chart below ( have been utilising the WAN interface pretty hard )
• T

  Gigabit Throughput
  • TheQuank

  26
  0
  Votes
  26
  Posts
  534
  Views

  R

  My setup uses a nearly identical Core 2 Due E8500 CPU and I can reliably achieve 900Mbps+ throughput. The network cards make a difference. Also your PC should be fast. I have an older system based on Xeon W3550, and it never gets more than 600Mbps from Internet, testing with iperf or doing an ISP speed test.
• N

  PPPoE settings for BT Infinity with Netgear DM200 VDSL Modem
  • neocleous

  13
  0
  Votes
  13
  Posts
  2828
  Views

  

  VLAN 101 is usually required, for residential connections at least. If you're using one of the Openreach modems they are configured to add that. If you're using some other modem such as in this case you need to add it either at the modem or in pfSense if the modem passes that. Steve
• S

  sonewconn: pcb Listen queue overflow
  • sloppymike

  4
  0
  Votes
  4
  Posts
  48
  Views

  

  It's probably connections coming in faster than HAProxy can service them. Once the queue values is exhausted it starts throwing that error. You can increase that value quite substantially without a problem but it may just delay the problem. Set a system tunable kern.ipc.soacceptqueue to something larger that the default 128. Try 512. See if that eliminates the error or simply delays it's appearance. Steve
• K

  [Resolved]"Service 19050-tcp: server exit with 0 running servers" = ??
  • Khampol

  8
  0
  Votes
  8
  Posts
  120
  Views

  

  NAT+Proxy sets up a service like that for each instance and it appears that one was having some issue. Perhaps the IP you have it running on has been removed or the interface was down. Running in Pure NAT mode is preferred as it doesn't require such a service. There are very few situation that actually require NAT+Proxy. Setting the NAT reflection type individually for each forward is the best way to avoid something like that though as you have done. Steve
• A

  IPTV returns 401 after latest update
  • anonymouse

  1
  0
  Votes
  1
  Posts
  23
  Views

  No one has replied

• D

  Route FreeNAS Torrent downloads through VPN?
  • Dayve

  1
  0
  Votes
  1
  Posts
  19
  Views

  No one has replied

• G

  Windows update broke wan connection
  • garryab12

  5
  0
  Votes
  5
  Posts
  60
  Views

  G

  I tried that in the beginning no change. I have noticed that under the interface status I do get the ip address but the gateway shows pending.
• N

  has anyone noticed
  • no_one

  7
  0
  Votes
  7
  Posts
  124
  Views

  N

  the usb keyboard does work on this computer but when i plug it into the other one it does characters. i plugged in my ps/2(yes i still have ps/2 kb and mouse) it does not show those characters, so you are right it was the keyboard. thank you for replying. i thought the keyboard was fine but I guess not.
• P

  Complete loss of network; where to find info on what happened?
  • purduephotog

  8
  0
  Votes
  8
  Posts
  165
  Views

  

  @purduephotog said in Complete loss of network; where to find info on what happened?: I'm getting an idea how something might have happened to the mesh aps when or if the network upstream crashed. I wonder if the other apps tried to take over. Also side note for Wireshark can do sniffing with wireless lan, but you need to set it (your wlan net) open, otherwise you grab only crypted traffic) (Easy way). Bye. P.S. Oh, for all pfSense history logs, more advanced users can take useful infos by reading directly some logfiles into /var/log subfolder. Here is the pfSense place where is storing past log hystory. Sometimes will be more quick to avoid messing with regular log file viewer So you can recall from pfSense web ui logfile you want look . at any time by browsing /var/log folder with Diagnostic / Edit File tool like this example below: Or by CLI with Less command, if you like Ssh console managing: [2.4.4-RELEASE][root@pfSense.babiz]/var/log: less routing.log In conclusion, additional useful feature is made by ** Packet Capture" ** built into pfSense, allowing you to record a kind of *.cap file, get sniffing from pfSense interface you wand and read it later with wireshark "open .cap files" option for data analytics and filtering jobs, is more convenient and not require any mirroring stuff. Just configure it as your need and start capture will write this special file /root/packetcapture.cap It's readable with any .cap file reader capable , Wireshark or just pfSense built-in reader.
• 

  Monitoring: Should IPsec Be There if Not Set Up?
  • beremonavabi

  1
  0
  Votes
  1
  Posts
  36
  Views

  No one has replied

• B

  minnowboard firmware update process?
  • bcruze

  1
  0
  Votes
  1
  Posts
  33
  Views

  No one has replied

• R

  Issues with RDP over IKEV2 VPN
  • RanmaKei

  2
  0
  Votes
  2
  Posts
  62
  Views

  M

  I doubt this is a PFsense issue. We also have no idea what you're logging into, but here are a few things I've seen from other posts: Have you tried disabling persistent bitmap caching on the client? Some say CTRL-ALT-END and then cancel works Someone else says this worked for them ---> "Add the "Authenticated Users" and "Interactive Logon" to the local "Users" group and reboot. If the machine is a DC, do the same in the builtin\users Group"
• R

  Link-local address flooding logs
  • rsaanon

  6
  0
  Votes
  6
  Posts
  62
  Views

  

  Great post @marvosa And concur so much linklocal traffic screams lack of configuration, failure of dhcp quite possible...
• A

  SD-WAN Capabilities?
  • acoolov

  1
  0
  Votes
  1
  Posts
  42
  Views

  No one has replied

• 

  No log entries for external ping in 2.4.4-RELEASE-p1 ?
  • chudak

  7
  0
  Votes
  7
  Posts
  87
  Views

  

  @kom kill me!
• E

  Gmail and VoIP problems
  • emin911

  2
  0
  Votes
  2
  Posts
  41
  Views

  

  like everything, the more information you can share the better we will be. Can you let us know what packages you have installed, what troubleshooting you have done.
• N

  PFsense Blocking Some Traffic
  • noob

  8
  0
  Votes
  8
  Posts
  139
  Views

  N

  It doesn't flush/reset all states (box is unticked) and I've disabled gateway monitoring. But that was more of a side quest..... Anyone got any ideas about the original issue? It's still happening. Not being able to watch virgin TV go app on my android TV box is a killer (for the Mrs) and if I can't resolve it I'll have to rip out pfsense and ditch it.
• M

  Firewall + Summary view - i need help to understand the "cake"
  • MOdesty

  5
  0
  Votes
  5
  Posts
  76
  Views

  

  Windows boxes out of the box are going to be Noisy little bastards.. And even if your not using IPv6 are going to put a lot of NOISE on the network via ipv6 You have a few options Just ignore it and live with the log spam Set firewall not to log the noise Configure your client boxes to not send out so much ipv6 noise when your not using ipv6 - with windows easy way is to just disable it.. Take a look here for what option best suites your needs. https://support.microsoft.com/en-us/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users
• P

  Inter-Network Blocking Question
  • Pete-Man

  7
  0
  Votes
  7
  Posts
  116
  Views

  C

  Create a interface group containing all of the networks for conference rooms. On the interface group Permit all traffic to public networks Permit access to the GUI (PFSense web interface? in this case is better to allow access only from a few non dhcp addresses OR create and extra VLAN dedicatet to management only.) Block all traffic to private networks This should be fine.
• C

  Active Active Load Balancing
  • chriva

  1
  0
  Votes
  1
  Posts
  32
  Views

  No one has replied

• O

  LDAP on CLI Console
  • Ozy311

  2
  0
  Votes
  2
  Posts
  56
  Views

  O

  Yes, we do that here. There is some manual work to be done, but see https://github.com/opoplawski/ansible-pfsense/tree/master/roles/pfsense_setup for basically how we do it. I think I still need to figure out how to start nslcd automatically after reboot. /etc/rc.conf.local I thought used to do it, but perhaps not anymore with 2.4.4.
• M

  Connecting it to my already configured network
  dns dhcp captive portal • • mark7807

  1
  0
  Votes
  1
  Posts
  39
  Views

  No one has replied

• 

  auth and unauth squid proxy in parallel
  • adamw

  2
  0
  Votes
  2
  Posts
  32
  Views

  

  No Not ideally, maybe if you have an ACME/LE trusted cert but even then I would not recommend treating your firewall as a general purpose web server.
• C

  Failing cloudsense fragmented packets test
  • chrcoluk

  15
  0
  Votes
  15
  Posts
  59
  Views

  C

  Ok it is fixed on the DC instance now. I simply enabled scrub again and it works. How strange is that? Considering scrub messes with fragmented packets. So with scrub disabled the frag test fails, are you able to test that? Same fix works on LAN as well. Ok glad the cause is found, it is odd, but good nevertherless. thanks :)
• U

  Connect 2 wan 1 from 1 nic
  pfsense • • uzairali001

  5
  0
  Votes
  5
  Posts
  40
  Views

  U

  @grimson Thanks, I do read manual but in this case I don't know where to start so I asked question here and yes I only have 1 physical line (at-least for now), I will add quad gigabit ethernet nic to my PC next month.
• D

  DNS resolver: SRV record for _vlmcs._tcp
  • dcnieho

  6
  0
  Votes
  6
  Posts
  86
  Views

  

  @dcnieho said in DNS resolver: SRV record for _vlmcs._tcp: I tried adding the A record, but some reading told me i need an IP address on the right side, not a FQDN. OK, then you use a CNAME record instead of an A record. A CNAME is an alias to an existing FQDN. A records point to an IP address. I wonder what is the problem i really solved here? You need to ask the right server to get correct information. Can i instead configure the DNS resolver to rewrite _VLMCS._TCP.DigiClassroom in any query to _VLMCS._TCP.hiddenschooldomain? Bind might have some funky voodoo handler for something like this but I don't think Unbound does. You can add host overrides so that you can give a specific custom response to the lookup of a particular host. You can add a domain override so that any queries about *.hiddenschooldomain get forwarded to another DNS to respond to.
• M

  Bug or not: IPSec and OpenVPN bind to wrong IP on WAN with virtual IPs (2.4.4-p1)
  • msi

  3
  0
  Votes
  3
  Posts
  54
  Views

  M

  Hi It wasn't as easy to describe but I might have to rephrase and thus let me add some more data, it's actually the other way: Worked as expected previously, doesn't work as expected after the updated. I thought it was easier to show XML/config and shell example instead of screenshots, I hope this is OK as well. However the forum software detected all code sections as spam, so I had to resort to github gists instead: I've snipped the config.xml parts about the OPT IPs, the virtual IPs: ifconfig This results in the following (shortened) ifconfig First: Known-good config Now for the known-good/working way when I select (any) virtual IP to bind OpenVPN to on WAN_<removed>, this is the resulting part of <openvpn-server> section in config.xml This in turn results into the following OpenVPN config (in this case /var/etc/openvpn/server1.conf) And you can see, the output of sockstat confirms that it does bind to the right IP. Problematic case: Binding to the OPT's IP: Now for the (to me) problematic example when I select WAN_<removed> as Interface... First the <openvpn-server> part of config.xml, there you can see that no Address is defined. This however results into the following server1.conf for OpenVPN. And sockstat confirms that indeed, even though you can see the difference in config.xml, the OpenVPN server does not bind to .250 which is the WAN_<removed>'s address. I could repeat that with the IPSec server but it is repeatable with both IPSec and OpenVPN.
• S

  pfsense- rebranding
  • suneerkadooran

  4
  0
  Votes
  4
  Posts
  87
  Views

  S

  The only way is to download the source code, edit the references to pfSense and recompile. You may then use and support the product using the name of your choice.
• J

  PFSense Shell Command Line
  • jemu

  2
  0
  Votes
  2
  Posts
  44
  Views

  

  No. The pfSense shell : pfSense - Netgate Device ID: 20cc46dfabc85c78e087 *** Welcome to pfSense 2.4.4-RELEASE-p1 (amd64) on pfsense *** 0) Logout (SSH only) 9) pfTop 1) Assign Interfaces 10) Filter Logs 2) Set interface(s) IP address 11) Restart webConfigurator 3) Reset webConfigurator password 12) PHP shell + pfSense tools 4) Reset to factory defaults 13) Update from console 5) Reboot system 14) Disable Secure Shell (sshd) 6) Halt system 15) Restore recent configuration 7) Ping host 16) Restart PHP-FPM 8) Shell Option 8 - is a classic shell. Cisco uses IOS commands, pfSense has a GUI. With the Cisco GUI (if it has one) you couldn't do all the things you can do with the IOS commands. pfSense : the other way around. "Option 8" exists to see the OS file system and to interact with, start some basic or complex "FreeBSD" commands and yes, there are even some less known (and rarely used) made-by-pfSense scripts files. You cant' manage pfSense purely from the command line. See also threads like https://forum.netgate.com/topic/125603/cisco-vs-pfsense/9 (and Google can tell you more, as usual)
• K

  VIMAGE on pfsense
  • kraduk

  1
  0
  Votes
  1
  Posts
  25
  Views

  No one has replied

• F

  online LDAP server problem
  • fayRofa

  4
  0
  Votes
  4
  Posts
  45
  Views

  F

  @mr-newbie thanks for your reply i'm trying to setup user management/privilege in which our users can login with their LDAP credentiel(username and pasword),i want to know why on "system usermanager>settings>test " all are ok but via Diag>authentication,autnetication failed,please can you test "ldap.forumsys.com" or do you know any online ldap server for test on it?(you can see my ldap server config attached) thanks
• S

  Sheduled Reboot
  • snaker

  7
  0
  Votes
  7
  Posts
  4176
  Views

  

  /etc/rc.reboot like he said. Locking this ancient thread.
• Z

  Boot halts on #
  • zoqask

  7
  0
  Votes
  7
  Posts
  72
  Views

  

  fsck requires read-only mode because it operates on the filesystem metadata directly. A read-write filesystem could change in the middle of a fsck operation and break it worse.
• G

  How do I find this device?
  • gregeeh

  10
  0
  Votes
  10
  Posts
  181
  Views

  G

  @bmeeks said in How do I find this device?: @gregeeh if you do not want this traffic filling up your logs, create a rule near the top on your LAN interface that has any as the source, UDP as the protocol, ff02::1 as the destination address and 10001 as the destination port. Set the rule to drop but not log. Right now that traffic is hitting the firewall's default deny rule and that rule is logging the dropped packet. By inserting your own rule up higher in the chain, the packet is "handled" by your rules and thus never gets to the default deny rule (which is at the bottom of the rule chain). Most helpful. Thank you.