General pfSense Questions

• 

  pfSense Hangouts are available on YouTube!
  • ivor  

  3
  0
  Votes
  3
  Posts
  1453
  Views

  A

  Subscription done!!!
• 

  Share your pfSense stories!
  • jdillard  

  18
  0
  Votes
  18
  Posts
  9830
  Views

  P

  I hope this thread is still alive :) I was using m0n0wall for a long time (still have one that's been alive without reboot almost 7 years!) before I came across the first customer needing VLAN, about 12 years ago I think. I got recommended to check out pfsense, and I have since then never looked back. These days I run my own company and importing hardware and building our own routers based on APU2 board and pfsense. We have at least 200+ installations out there, and we're also running pfsense in our small datacenter where we maintain our smallest customers, as well as the two geographical backup sites we keep for customer data. And, at home of course, where I hide my entire network behind an OpenVPN service setup in pfsense. I'm originally a Windows-guy, but after I met pfsense I realised there's a whole world of open source out there so I started learning, and today roughly half of our services are based on open source. Comparing pfsense to Cisco or the likes, I'd say there is no competition when it comes to price / functionality / reliability (as long as you use an appropriate hardware). Only kind words from me! ...and were are also retailers for Netgate in Sweden, not that we have a lot of customers of the size demanding that good hardware.
• 

  Multiples crashes, error on different equipment
  • Ozer_im  

  7
  0
  Votes
  7
  Posts
  64
  Views

  

  Thank you all for your answers. @stephenw10 said in Multiples crashes, error on different equipment: This looks like an APU2 which is not Netgate hardware. Moved the thread. I'm sorry, I hadn't noticed that. It's running 2.4.4p1 you should upgrade to the current pfSense version. It's running a config created in a newer version which is not necessarily valid in 2.4.4p1: <118>Loading configuration...... <118> <118>******************************************************************************* <118>* WARNING! * <118>* The current configuration has been created with a newer version of pfSense * <118>* than this one! This can lead to serious misbehavior and even security * <118>* holes! You are urged to either upgrade to a newer version of pfSense or * <118>* revert to the default configuration immediately! * <118>******************************************************************************* <118> And yes in the first case it looks like it crashed out because it's running from SD card and the card or controller stopped responding. Steve Indeed it is not the same version. With a more recent version, I had multiple errors when re-importing on a new motherboard, with a more recent pfsense version. I preferred to use the version of my current configuration, which is 2.4.4-RELEASE-p1 (amd64). A new equipment was installed this morning, with a new motherboard and a new SD card. The configuration has been redone entirely from scratch and by hand, without using the import/export tool provided by pfsense. Fingers crossed ...
• S

  PfSense VLAN + switch tagging trunk questions
  • SR190  

  13
  0
  Votes
  13
  Posts
  575
  Views

  

  @jwhitewick01 Well, fire up wireshark, to see what's happening. Wireshark has a column for VLAN ID, but you have to enable it.
• P

  Bypass At&t fiber BGW210-700
  • Phantom_Stage  

  46
  0
  Votes
  46
  Posts
  253
  Views

  P

  I ran dmesg -a and got the out put below. Initializing.................. done. Starting device manager (devd)...kldload: can't load ums: No such file or directory done. Loading configuration......done. linker_load_file: Unsupported file type kldload: an error occurred while loading the module. Please check dmesg(8) for more details. Updating configuration...done. Checking config backups consistency.................................done. Setting up extended sysctls...done. Setting timezone...done. Configuring loopback interface...done. Starting syslog...done. Starting Secure Shell Services...done. Setting up interfaces microcode...done. Configuring loopback interface...done. Creating wireless clone interfaces...done. Configuring LAGG interfaces...done. Configuring VLAN interfaces...done. Configuring QinQ interfaces...done. Configuring IPsec VTI interfaces...done. Configuring WAN interface... em0: link state changed to UP done. Configuring OPT1 interface...done. Configuring OPT2 interface...done. Configuring OPT3 interface...done. Configuring LAN interface...done. Configuring CARP settings...done. Syncing OpenVPN settings...done. pflog0: promiscuous mode enabled Configuring firewall......done. Starting PFLOG...done. Setting up gateway monitors...done. Setting up static routes...done. Setting up DNSs... Starting DNS Resolver... em4: link state changed to UP em2: link state changed to UP em3: link state changed to UP em1: link state changed to UP done. Synchronizing user settings...done. Starting webConfigurator...done. Configuring CRON...done. Starting NTP time client...done. Starting DHCP service...done. Starting DHCPv6 service...done. Configuring firewall......done. Generating RRD graphs...done. Starting syslog...done. Starting CRON... done. Starting package Shellcmd...done. pfSense 2.4.4-RELEASE (Patch 3) amd64 Wed May 15 18:53:44 EDT 2019 Bootup complete
• B

  is the Netgate sg-2220 capable of release 2.4.5
  • bcruze  

  17
  0
  Votes
  17
  Posts
  200
  Views

  B

  its enabled now. it was not before. 24 hours will tell, thanks for the replies Stephen more logs, that show the gateway goes down for whatever reason. Feb 19 18:13:27 rc.gateway_alarm 2403 >>> Gateway alarm: WAN_DHCP (Addr:100.92.192.1 Alarm:1 RTT:1.135ms RTTsd:1.512ms Loss:21%) Feb 19 18:13:27 check_reload_status updating dyndns WAN_DHCP Feb 19 18:13:27 check_reload_status Restarting ipsec tunnels Feb 19 18:13:27 check_reload_status Restarting OpenVPN tunnels/interfaces Feb 19 18:13:27 check_reload_status Reloading filter Feb 19 18:13:28 php-fpm 66863 /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP. Feb 19 18:16:59 php-fpm 53040 /index.php: Successful login for user 'admin' from: 192.168.1.205 (Local Database) Feb 19 18:21:59 php-fpm 53040 /status_interfaces.php: The command '/usr/local/sbin/dhclient {$ipv} -d -r -lf '/var/db/dhclient.leases.igb0' -cf '/var/etc/dhclient_wan.conf' -sf '/usr/local/sbin/pfSense-dhclient-script'' returned exit code '1', the output was 'Internet Systems Consortium DHCP Client 4.3.6-P1 Copyright 2004-2018 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Listening on BPF/igb0/00:08:a2:09:e9:be Sending on BPF/igb0/00:08:a2:09:e9:be Can't attach interface {} to bpf device /dev/bpf0: Device not configured If you think you have received this message due to a bug rather than a configuration issue please read the section on submitting bugs on either our web page at www.isc.org or in the README file before submitting a bug. These pages explain the proper process and the information we find helpful for debugging. exiting.' Feb 19 18:22:07 check_reload_status rc.newwanip starting igb0 Feb 19 18:22:08 php-fpm 66863 /rc.newwanip: rc.newwanip: Info: starting on igb0. Feb 19 18:22:08 php-fpm 66863 /rc.newwanip: rc.newwanip: on (IP address: 100.92.220.245) (interface: WAN[wan]) (real interface: igb0). Feb 19 18:22:08 php-fpm 66863 /rc.newwanip: The command '/sbin/route delete -host ' returned exit code '64', the output was 'route: destination parameter required route: usage: route [-46dnqtv] command [[modifiers] args]' Feb 19 18:22:08 php-fpm 66863 /rc.newwanip: The command '/sbin/route delete -host ' returned exit code '64', the output was 'route: destination parameter required route: usage: route [-46dnqtv] command [[modifiers] args]' Feb 19 18:22:13 php-fpm 66863 /rc.newwanip: Resyncing OpenVPN instances for interface WAN. Feb 19 18:22:13 php-fpm 66863 OpenVPN terminate old pid: 98658 Feb 19 18:22:14 kernel sonewconn: pcb 0xfffff8000a55db40: Listen queue overflow: 2 already in queue awaiting acceptance (1 occurrences) Feb 19 18:22:16 php-fpm 66863 /rc.newwanip: OpenVPN ID client3 PID 98658 still running, killing. Feb 19 18:22:17 kernel ovpnc3: link state changed to DOWN Feb 19 18:22:17 php-fpm 66863 OpenVPN PID written: 84973 Feb 19 18:22:17 check_reload_status Reloading filter Feb 19 18:22:17 php-fpm 66863 /rc.newwanip: Creating rrd update script Feb 19 18:22:19 kernel ovpnc3: link state changed to UP Feb 19 18:22:19 check_reload_status rc.newwanip starting ovpnc3 Feb 19 18:22:19 php-fpm 66863 /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 100.92.220.245 -> 100.92.220.245 - Restarting packages. Feb 19 18:22:19 check_reload_status Starting packages Feb 19 18:22:20 php-fpm 339 /rc.newwanip: rc.newwanip: Info: starting on ovpnc3.
• P

  Problems reestablishing the connection
  • Panja  

  20
  0
  Votes
  20
  Posts
  137
  Views

  

  There are only 100 packets there, it's all outbound from 100.92.220.245 and none of it is DHCP. But you should start your own thread. Unless this turns out to be identical it's only going to confuse things here. Steve
• M

  Notification when a connection is established
  • mikeisfly  

  24
  0
  Votes
  24
  Posts
  125
  Views

  

  Mmm, it would have to be limited in some way because you could easily end up sending thousands of emails. I could imagine situations where it might be useful.
• L

  Configuration with Two SIP Connections
  • lusekelo  

  2
  0
  Votes
  2
  Posts
  20
  Views

  

  Generally you should not have to port forward anything no matter what anyone tells you. But you probably will need firewall rules from their servers to your devices on your WAN tab. Source= their IP destination = your LAN device. Ports 5060 (if they use that port) for SIP and whatever you have set up for RTP. Generally I will watch my states during calls to determine what ports they use but I use 32000-65000 for "source" ports. You need to find out what SIP ports and RTP ports each carrier will want to use. If one carrier uses 5060 then set up your other device to use 5062.. ect. But if you are using two separate devices this probably is not necessary. The SIProxd package might be a good fit for you as well if all else fails. In that case you would create your firewall rules with "WAN address" as the destination. This is a WAN rule I use here for SIProxd. Only difference without is that destination would be your LAN address of your device.
• E

  PfSense: How can I ping ip on my lan from my local machine passing through wan address (pfsense on virtual machine)
  • Evoku  

  8
  0
  Votes
  8
  Posts
  113
  Views

  E

  I also found this which might be good? I am currently at the vpn client export bit and learning how to correctly use this package in order to get it to work https://elitshelp.zendesk.com/hc/en-us/articles/115003168045-OpenVPN-Configuration-pfSense-
• N

  Web gui access limitation
  • nagithas  

  6
  0
  Votes
  6
  Posts
  55
  Views

  

  Nice. Let us know if you are able to connect, that would definitely need looking at if so. The generated ruleset on the secondary looks good here though. Steve
• D

  Yet another "swap_pager_getswapspace" issue
  • darioperezb  

  4
  0
  Votes
  4
  Posts
  43
  Views

  

  The best way is to remove the SWAP partition at install time. If re-installing is an option for you.
• S

  Puzzled: Wan latency is high when no RDP are opened
  • sampar  

  1
  0
  Votes
  1
  Posts
  15
  Views

  No one has replied

• T

  How to enable 802.1x on wired lan interface?
  • tiagosmx  

  8
  0
  Votes
  8
  Posts
  110
  Views

  T

  @johnpoz @jimp that's exactly what I was missing, thank you for pointing that out. Lesson n.1: There are different types of layer 2 switches (managed and unmanaged), some of them support 802.1x protocol and some of them not. Lesson n.2: The 802.1x authentication is done at the layer 2, before the IPs are handled to the devices. When packets reach the layer 3 is too late to do any kind of 802.1x authentication as the devices were already authorized to enter the network. Cheers!
• T

  ISP router (Nokia G-140W-F) does not have bridge mode
  • trumee  

  2
  0
  Votes
  2
  Posts
  33
  Views

  

  You can still use pfSense behind it and double NAT. Putting the pfSense WAN as the DMZ IP in the router helps with any port forwards you might want as all traffic will be sent to pfSense already. Steve
• D

  WOL packets across subnets?
  • dstarr3  

  34
  0
  Votes
  34
  Posts
  683
  Views

  

  Just because you have something that will relay or forward (that device that has access to both L2s) doesn't mean its going to work with alexa or google home or homekit, etc. etc. Not without some major background work and setup most likely, and understanding the details of how your device you want to say wakeup X actually does that.. My Alexa can turn on my TV, and off.. but I have my harmony remote in the same vlan as alexa, while my tv is in its own vlan. Both of these vlans are different than my other vlans. It would prob work without even... Since the harmony remote isn't in standby and the alexa should be able to talk to it over L3. But trying to find ways to move L2 data into another L2 is not the right approach.. Correct design of your L2s is better option from a security standpoint.. You need X to talk to Y via layer 2 - then put them in the same layer 2, its really that simple!!! Isolate that network from your other stuff.. Do you trust alexa... do you trust your tv, do you trust your iot - well no that is why we isolate them.. But if X needs to talk to Y via layer 2 stuff.. The simple solution is just put them in the same L2 ;)
• P

  Signature change
  • Panja  

  7
  0
  Votes
  7
  Posts
  42
  Views

  P

  Thanks for the help! I'll do my best.
• B

  Using FreeBSD as a DHCP server
  • Balanga  

  4
  0
  Votes
  4
  Posts
  46
  Views

  

  There are lots of things you could do with running your dhcpd on another box, if that is what they want.. Be it windows, freebsd, linux, etc. etc.. That you can not do with pfsense dhcpd instance.. Multiple scopes without having to have leg in the network for one thing.. Reservations inside the pool range, etc. While the dhcpd setup in pfsense is easy to use and has easy to use gui, etc. Not all the features of running say isc dhcpd on some other os or box.. But turning off dhcpd on pfsense has zero to do with running unbound (resolver)...
• R

  PFSense problem on Openstack/KVM
  • roberto.bertucci  

  17
  0
  Votes
  17
  Posts
  171
  Views

  R

  Thank you all, i modified configuration via web configurator and it works perfectly. Thank you again. Roberto
• H

  Slow Dahua RTSP stream with VLC when going through pfSense
  sg-3100 rtsp stream • • harefoot  

  8
  0
  Votes
  8
  Posts
  118
  Views

  

  Nice catch! Thanks for the follow up.
• 

  ADSL and SIP
  • Qinn  

  6
  0
  Votes
  6
  Posts
  79
  Views

  

  @AndrewZ I don't know if there is a permanent virtual circuit for voice.
• B

  Debugging PXE booting
  • Balanga  

  4
  0
  Votes
  4
  Posts
  35
  Views

  

  Many years ago we did a hangout on this: https://youtu.be/1wfjv3j57KI?t=1228 Gui looks outdated now but the principals are all the same. Not sure what potato converter was used from Fuze. I would probably switch to tftp server that does log what's happening at least as a test. Steve
• M

  Pfsense limiting wan?
  • mrhomelabber  

  9
  0
  Votes
  9
  Posts
  111
  Views

  

  Ah, bad cable, bad port maybe?
• T

  Network Setup Suggestions For XG-7100
  • ThePieMonster  

  10
  0
  Votes
  10
  Posts
  157
  Views

  

  @ThePieMonster said in Network Setup Suggestions For XG-7100: Are you saying that I can delete the VLAN groups 2,3, & 4 in the following screenshot? Yes, you only need those defined there at all if you want to truck VLAN through the on-board switch. If you're using ix0/1 directly for VLANs the switch plays no part in that. Steve
• M

  Can I use pfSense in a Pi as a bridge between to networks?
  • Mastiff  

  4
  0
  Votes
  4
  Posts
  96
  Views

  M

  I thought pfSense was working on the Pi, since Gonozopancho did it, but I guess he didn't make a how-to. ;) OK, so that's out. As for ad hoc network I had even forgotten that the damned thing excisted, from back in the 90's when it was actually in use! ;) I agree that if it had been a cowboy car factory (like so many electric car companies now) it could be a problem, but Mitsu has been around for a long time, so I wouldn't be more scared about them stopping the service then Volvo doing it for my car. And malware is not really a thing with simple stuff like setting the heater, but with a Tesla I agree it could be a problem. I will take the extender out there some time during next week and see if that picks up anything, thanks!
• R

  Copy Firewall Rules from a Interface to another.
  • ramses.sevilla  

  12
  0
  Votes
  12
  Posts
  211
  Views

  

  Simply creating the group will not do anything beyond giving you a new tab in Firewall > Rules. Steve
• X

  [Solved] Ooma not working
  • x88dually  

  50
  0
  Votes
  50
  Posts
  247
  Views

  

  @stephenw10 said in [Solved] Ooma not working: You shouldn't need any of those ports forwards. Exactly - says right on their site, these are "outbound" ports https://support.ooma.com/home/advanced-connections-and-service-ports/
• H

  Slow LAN speed after pfsense on a few computers on my network.
  • hilltop79  

  2
  0
  Votes
  2
  Posts
  54
  Views

  

  If you saw that limit between two hosts in the same subnet that traffic goes directly, or at least it should. pfSense never sees it and cannot do anything to affect it. I would have to guess something is misconfigured on the client. Steve
• I

  Unraid WebUI not accessible from another computer on host network
  • iamthewiz20  

  2
  0
  Votes
  2
  Posts
  21
  Views

  

  Hard to give any specific advice without knowing exactly how it's setup. But in general... Try to access the webgui from another device then: Check the firewall logs for blocked traffic from the test client. Check the state table in Diag > States for open states from the test client to pfSense on port 80 (asssuming you're using http still). Run a packet capture on the internal interface the test client is connected to. Filter by the test client IP and port 80. Is that traffic even arriving at pfSense. Steve
• D

  Intermittently high latency on WAN
  • dum258  

  1
  0
  Votes
  1
  Posts
  25
  Views

  No one has replied

• A

  pfSense is restoring the configuration
  • albgen  

  14
  0
  Votes
  14
  Posts
  63
  Views

  

  Back then it might have been wiped out automatically. The error was from two days ago in your screenshot, though. I'd still say it was a failed attempt to change a setting to something with an international character. No matter what, though, the best path forward is to upgrade.
• O

  Strange behavior
  • oppeqq  

  4
  0
  Votes
  4
  Posts
  60
  Views

  

  Check the firewall logs for blocked traffic. I could imagine it's trying to open a different port perhaps and has to timeout. Otherwise it's hard to see what pfSense could be doing there. You are fowarding ports to it I assume? 80 and 443? Steve
• J

  Why does my post fail?
  • JonH  

  12
  7
  Votes
  12
  Posts
  125
  Views

  J

  Yes. I was thinking that they might be able to help getting me off those spam lists since it is their IP block. But now that I think about it, talking to ATT is probably a waste of time. At a minimum they will tell me to use sbcglobal. My email ISP has tried to help with spf and that worked for several years but it's apparent that is no longer good enough. This is the handwriting on the wall for me. I'll have to pull the plug on my old address and wait out the blacklisters.
• S

  WAN Going Down and Some Errors
  • stubborngreek  

  12
  0
  Votes
  12
  Posts
  95
  Views

  

  @johnpoz They were part of pfBlockerNG list that I enabled so I let them be. I haven't finished setting up VPN yet...I had tried and was getting "could not authenticate." Then, I upgraded to pfSense 2.5-dev. I will get back to the VPN soon...I had meant to set up VPN schedule...meanwhile I will disable the VPN.
• H

  WAN interface changed speed from 1000 base to 100 on it's own.
  • hilltop79  

  10
  0
  Votes
  10
  Posts
  82
  Views

  H

  @JKnott I did, see past reply's. I will not know till and if it happens again.
• H

  Gigabit WAN speed low though pfsense.
  • hilltop79  

  15
  0
  Votes
  15
  Posts
  143
  Views

  

  @hilltop79 Can you login via SSH and run: systat -vmstat Then check the interrupts and if the load is high. If that's the case, switching to polling could help. Cu
• R

  Losing connection to pfsense/internet randomly
  • ravadon95  

  9
  0
  Votes
  9
  Posts
  76
  Views

  R

  I had a large Net limit rule in firewall, ive deleted it, but i wasnt using it for anything Thank you for your time steve
• N

  libcryptoauth.so.3 - 2.4.4-RELEASE-p3 MIA
  • NogBadTheBad  

  6
  0
  Votes
  6
  Posts
  37
  Views

  

  It doesn't matter if you changed your mind after switching to it, the changes were set at that point. If you change it back to stable, you'll have to at least manually reinstall pkg, which is probably what you already did by following that link.
• J

  PFSense Logging for Microsoft Cloud App Security
  • jpozzoli  

  3
  0
  Votes
  3
  Posts
  56
  Views

  

  This looks like a more relevant page: https://docs.microsoft.com/en-us/cloud-app-security/custom-log-parser Interestingly it looks more like netflow data would be better there. The firewall log does not record data totals. It also doesn't log passed traffic by default. Steve
• I

  I have utorrent blocking help me thank you
  • inagan  

  4
  0
  Votes
  4
  Posts
  47
  Views

  

  @inagan Well if you're accessing via your browser, it could be your browser.