@johnpoz:
While the ability for any software and your hardware/system to run for such a long time is nice.
That you would run your firewall on software that is no longer updated or maintained is BAD security… 2.1.5 should of been updated when it went EOL… Its still running esxi 3.5 that went end of extended support back in 2013 and end of even technical guidance back in 2015 is not good practice from any point of view especially security.
Agree with everything! This box, however, was only handling internal routing between some private networks. Didn’t have access to the internet either - updating wasn’t easily possible. Was also a low-priority segment - it’s now being killed forever and nothing comes in place.
And here’s what the routes look like after manually assiging the DNS servers in the GUI, assigning them the default gateway, and unchecking “Allow DNS server list to be overridden by DHCP/PPP on WAN”
Internet:
Destination Gateway Flags Netif Expire
default 10.251.253.33 UGS xn0
10.251.251.67 10.251.253.33 UGHS xn0
10.251.251.252 10.251.253.33 UGHS xn0
10.251.253.32/27 link#5 U xn0
10.251.253.55 link#5 UHS lo0
10.252.252.245 10.251.253.33 UGHS xn0
104.43.216.101 10.251.253.33 UGHS xn0
localhost link#2 UH lo0
172.19.0.1 link#2 UH lo0
Now traffic from the other side of an IPSEC tunnel can reach the DNS server IP addresses.
Did you every figure out how to ignore alerts for IPv6 ICMP and multicast? I have a similar setup with the same issues on the WAN side. My provider refuses to turn off IPv6 on the cable modem. I have “Allow IPv6” unchecked in System -> Advanced -> Networking. I also have “IPv6 over IPv4” tunneling unchecked.
I also don’t understand why despite a firewall blocking everything unless allowed, we still see alerts for ICMP?
My setup differs in that although I am using Suricata with blocking turned on, I am not in Inline Mode, not Legacy Mode. I am only using Snort Personal rules with the pre-set “Balanced” IPS Policy set and nothing else, yet.
I see lots of things that I want to start messing with in System -> Advanced -> System Tunables to further turn off support… but I definitely don’t fall into the pre-requisite “Advanced Users” category.
However, my end goal is not to just suppress alerts and therefore allow IPv6 packets, but to just drop all IPv6 packets and not log any pattern alerts or logs in any system.
If my provider or anyone wants to talk on IPv6 I want it to be a black hole of nothingness for them to waste their time on and not bug me about it.
I have an HP switch that I setup an access list to drop all IPv6 on my LAN side, but that doesn’t stop the thousands of alerts in the Suricata logs on the WAN port. Just stops all of the alerts on the LAN side. This is working perfectly, because anyone that leaves IPv6 enabled on their device just drops at the switch so I never hear about it on pfSense.
Can I do something similar to this on the WAN side?
ipv6 access-list "drop-all-v6"
10 deny ipv6 ::/0 ::/0
vlan 444
name "YO_MAMA"
untagged 1-48
ip address 172.25.1.2 255.255.255.0
ipv6 access-group "drop-all-v6" vlan-in
exit
look in pfsense arp table… Do you see the IP is it on the mac you setup the reservation for… If so then it would show up as online, if not then it would be offline.
Your last one there is showing online
Keep in mind I was pinging my AP from another segment, so it had to talk to pfsense (its gateway) to answer. So pfsense would need is mac in its arp table. If the AP was on the same network as I was pinging from then pfsense would have not learned the mac address and would show it offline. Have pfsense ping the device, or have the device talk to something that would require it to talk to pfsense.
Hello Friends,
I’m having the same issues… created a post here: https://forum.netgate.com/topic/131916/pfsense-with-ha-closing-sessions-when-apply-any-rule
Anyone have solved this issue? is this a bug?
No what I saying is that is how you could flag traffic in windows. Then you should be able to route that traffic with whatever specific marker you put.
There is no other way I know of to tag or mark traffic coming from a specific application other than with dcsp.
You can route traffic in pfsense really easy based upon source IP, source port, Dest port, dest IP, etc. And then you can tag that traffic for other rules to process, etc. But that is not what you asked - you asked per application how to mark the traffic.
So for example you could part traffic that is coming from your browser with af11, and traffic coming from say application XYZ with af12… Then you could tag traffic coming from IP of your box with af11 as browser, and traffic with af12 as application and then route it based on those tags i pfsense rules.
This way even if going to the same dest IP, you could could tell what is browser traffic and what is application traffic.
@beremonavabi said in Time is not syncing:
(select the WAN in Services > NTP)
That is NOT a solution… That is a work around for some other misconfig…
Did you do what I suggested and remove the 0.0.0.0 route you have and see if works then not picking wan.
That setting makes no difference to the firewall log it only affects Suricata logs in the System log.
You can still see the Suricata logs by going to the logs tab in Services > Suricata.
Steve
@ashima that rule was missing the invert match option. I ticket it and still nothing is working on my end.
I’m wondering at this point if I should remove the vlan and try re-adding it.
I mean getting more speed that they have allowed. Very unlikely here I agree…
And now I see you;re using Zen in the UK so forget that as a theory.
The SG-1000 should pass 80Mbps, yes. Usual caveats apply there but I wouldn’t expect that to be the issue.
Steve
@jimp @stephenw10
Can confirm that patch has fixed the issue. Thanks for looking into it.
[2.4.3-RELEASE][admin@pfSense.localdomain]/root: cat /boot/loader.conf.local
comconsole_port="0x2e0"
legal.intel_wpi.license_ack=1
legal.intel_ipw.license_ack=1
legal.intel_iwi.license_ack=1
the solution is this:
in the config file (/usr/local/etc/netdata/netdata.conf), change the line:
bind to = 127.0.0.1
to
bind to = *
and restart the netdata service:
kill <pid>
service netdata onestart
Additional update: I give up with pfsense as the gateway. I’ve done a compromise of sorts, I have my pfsense box just with the LAN interface active, and it’s doing my DHCP and DNS. The T3200M is just doing routing. I lose some stuff, like bandwidthd and the ability to see what’s using my bandwidth, but I don’t have a double NAT and I’m not just randomly losing the ability to contact the gateway every 3-6 hours like clockwork. I haven’t tried a non-pfsense host on bridge mode but I think I just give up at this point. At least my LAN hostname resolution isn’t terrible with the pfsense box doing that. I might split that off to another linux host like my NAS or something, but this works and I’m just so tired of this.
I don’t know where the fault lies. None of it ever made a lot of sense with how it was manifesting and I never did get around to packet captures. Thanks again for the help. This will work well enough I guess.
As jahonix mentions, any software that wants to put in a url to pool in their software as default is asked to create their own unique fqdn for the pool, etc. So this is pfsense playing nice with ntp.org
http://www.pool.ntp.org/vendors.html
Anyone smart to even look into where or what its using for ntp should prob change this to either their own ntp servers of choice or the fqdn pool urls for their region of the globe.
For example if you want to use the pool and your in the US you should use say
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org
You can find a full listing here
http://www.pool.ntp.org/zone/@
@beremonavabi
It doesn’t look like it’s a DNS issue, either. I stuck the actual IP address for a public DNS server
http://support.ntp.org/bin/view/Servers/PublicTimeServer000011
in and removed the WAN interface. Same problem: NTP doesn’t start. Put the WAN back in the list and all was well.
Honestly, unless there is a problem I don’t waste my time tweaking for that extra 1 ms. Netgate uses resolver by default because it just works out of the box without the need to specify upstream servers. If you’re concerned with speed, use the forwarder with your ISP’s local DNS.
As for testing, DNS Bench by Steve Gibson is one such tool.
Not really. If you’re using the SDEC driver though they will be connected to the input pins on the parallel port. You could try reading the port directly.
Probably easier to just try various combinations of the buttons specified by the driver until they line up.
Steve
That^.
Seems like a fairly accurate description to me.
There are 3rd party apps for controlling Denon/Marantz stuff. One of those might work for you.
Steve
So what IS working here?
Do you have DHCP enabled on OPT1? Are clients pulling a lease from it?
With outbound NAT in manu7al mode you will have to add outbound NAT rules for the new OPT1 subnet.
Do you see any alerts in the GUI? It may be failing to load the new ruleset correctly. You should still be able to ping from LAN to OPT1 though even without any new rules.
Steve
If your ISP can only provide those IPs to you directly on the WAN, rather then routing them to you via a different public IP, then your options are limited.
You can setup IPAliases for those publlic IPs on the WAN connection and then 1:1 NAT them to private IPs internally. That means the servers using them cannot have a public IP directly which may or may not be an issue.
With a non-PPPoE connection you could bridge the WAN and the internal interface in order to use the public IPs directly on the servers.
Steve
@ivor said in Roadmap? Any idea how much longer till I need AES-NI?:
Likely not this year, still a lot of work is to be done.
Thanks… that’s exactly the answer I was looking for. For me it’s no rush as I’m in no hurry to lay out more $$ for another mini PC. Given there is a period of support for 2.4.x after 2.5 comes out, it looks like I’m good till about the 3rd-4th Quarter of 2019 before I’m totally unsupported.
This thread is quite old but others who are searching for it may find it helpful.
On Chrome, you can fix this Error by adding -disable-prompt-on-repost
Follow these steps
Open application’s folder in Program files in C Drive
Right-click and open properties
Click on the target field and add -disable-prompt-on-repost to the end of the directory
Try again to check if Chrome is still showing the error
Image for reference
Hope this Helps
Source: Confirm Form Resubmission
