Is it all regular L3 traffic from one subnet to another? Or could some of it be trying to send broadcast or multicast on the WireGuard interface?

I wouldn't think so, since it can't be bridged and that would typically involve something like Samba running on the firewall (which it can't) but it makes me curious.

Also what entries do you have in "Allowed IPs" on both sides? Is it empty? Or do you have the remote subnets listed?

If you have the Allowed IPs list filled in, could something be trying to route across WireGuard that isn't listed in Allowed IPs?

@divsys
yes !
so far confirmed

@aniel said in NAT Reflection does not work when "NAT Reflection mode for port forwards" is set to "pure nat":

192.168.1.x:5000 (dsm diskstation)

Dude you have your dsm open to the public?? That is NOT a good idea at all!!

I also have a synology nas.. So I could for sure duplicate that.. Why would you do that.. Not a secure Idea to open that to the public internet..

I access DSM pretty much every single day, multiple times a day.. Just hit it via is local dns name in my case nas.local.lan.. I have this as entry in my pfsense dns..

edit: BTW - its not "u" guys.. Its the netgate/pfsense guys - I have nothing to do with.. I am just a glorified garbage man deleting spam ;) hehehe... Nothing more than a user like you with the ability to delete spam off the forum ;)

@aie-sakaki said in XG-7100 1U for the webserver gateway:

Any recommendation for any extra package to secure the webserver?

I would put this directly on the web server, it was invented for this:
WAF
https://modsecurity.org/

BTW:
Be careful, with a lot of filtering and restrictions on NGFW in front of WEB server, because in the end no one can see your page 😉

@jimp said in Recover via WebGUI feature:

No, that is not viable.

It was more like a dream :)

(On the 'ceph' project we've been taking about "downgrade" feature for a long time and still talking...)

But it's a nice dream !

Thanks @maverickws . The purpose of this revamp:

they wanted to use only single pair of pfSense so that it can handle the traffics for the whole subnet 172.16.0.0/21. For eg 172.16.1.0/24 for client A, 172.16.2.0/24 for client B, 172.16.3.0/24 for client C and so on. Initially there are 2 WAN as in 2 ISP, 1 for each pair of the old pfSense unit. So now will be reduce to only 1 WAN (1 ISP). I will need to create few VIP at the new pfsense as a gateway for each subnet, for eg 172.16.1.1/24 for client A, 172.16.2.1/24 for client B, and assign VLAN to each of the subnet and configure some rules so that they wont be able to communicate with each other.

@johnpoz OK thank you very much 👍 😊

Installed fresh from 2.5 image.
restored 2.4.5p1 .xml.
Everything works again, EXCEPT LAN Traffic Graph.

Bummer, something in my .xml config?
I can't seem to find the reason...

@buggz said in To 2.5.0 or not ? that is the question :):

Hmm, well, cleared the error, but still no traffic for LAN shown on the Traffic Graph...

thanks @daddygo for the reference/information. I'll check it out and see if it resolves the problem

@chpalmer Escalating with Spectrum gives me "Call us again on this and we'll bill you for coming out." I've had multiple techs go out to both sites. The techs that go on site say they put the modem in their "SCOPE" system which puts them in Device Watch. That allows the techs to go back and look at history for the unit. BUT, when you call in and talk to a CSR every one of them says that they no longer use that system. Only the techs onsite can setup or see into the SCOPE system now but you can't get a tech onsite without the possibility of them billing for every visit. Even then they just troubleshoot the moment and don't even refer to it unless you make it a point to make them. It's crazy. But still better than every DSL provider and AT&T U-Verse in this area. You pick your poison.

@layerthree said in PFsense 2.5 RC OpenVPN/ExpressVPN problem:

So the "Don't pull routes" solved the whole problem.

Follow the guide, except this step and then restart ur machine. After this everything works.

Thank you for ur help!

I posted in the other thread. I just reset up my provider that wasn't working

it connected. but if I restart the tunnel. traffic stop passing again

you?

@thiago-0

There are some issues with OpenVPN on the new version. Check the OpenVPN forum.

@xplozia said in Pfsense FW behind to Mikrotik WiFi router:

What I have to do in Mikrotik in order to redirect all traffic to the Pfsense?

Hi,

This seems more like a MikroTik forum issue. 😉

Proposal:
Why not the pfSense is your main router + firewall

There is a potential for some things to be different, and moreso as time goes on, but for the time being most of the PHP code is the same on both.

It's worth trying, and if there is a need for a patch specific to Plus 21.02 we can generate one of those as well.

That's what happened with the one I received from the other user as well, I couldn't base64 decode it even on other systems.

You don't need those certs on the firewall unless you need to use them for export in some way, though. If the users have them already, they can keep using them. If they need to get a new copy you could use that opportunity to give them a new one.

As long as you know the cert serials you can revoke them without the certs being present in the GUI, too.

That's what I thought, so I checked the Status->DHCP Leases immediately after printing and it was still "offline". Oddly enough, my Epson R3000 which I haven't printed from in over a day is showing as "online", but the WP-4530 is "offline".

@lecygne Any replies?

I found today that PHP is already with the correct time, even before we update to PFSense 2.5. With that, the conclusion I had is that certain packages of the FreeBSD system receive updates before the PFSense system itself, even because if I did not do this I would not receive updates from the repository to notify that there is a new update from it.

Problem solved. FreeBSD version 11.3-Stable.

@jknott hello How are You Can you Able to help with this issue pls asa and pfsence in same vlan and i have to do sla

@alanesi

You never know what happens on Pfsense ... Would be interesting what the cause of the fatal error was. The upgrade of unbound is very unlikely to cause such problem.

@serbus thanks G I remembered right !

🙃

I second this request. If anything, the pfSense developers should be aware of this issue that has been uncovered. It seems there is not much more that can be done on the Xen / XCP-ng side as the issue lies more with FreeBSD / pfSense.

(as an example), here is one post from the XCP-ng team:

@stormi (XCP-ng Team)
What the last tests reveal is that pfSense sends A LOT of spurious events, so no wonder it gets throttled to protect the kernel against event flood. Anyone knows a good FreeBSD kernel developer?

Authenticated binds are much different that attempting to query for a user, which is affected by all the other settings on the page for the various containers/base dn/etc.

All that proves is you can communicate with the server, it doesn't mean your other settings are OK.

Turn off TLS, take a packet capture of some auth attempts. See what is happening. That's the only way forward.

Is it only myself who is seeing slowness getting into the webconfig?

@viktor_g said in "pcscd PC/SC Smart Card Daemon" ?:

support for PKCS#11 authentication (e.g. hardware tokens such as Yubikey) for IPsec: https://redmine.pfsense.org/issues/9878

Ok makes sense, thx !

Is there a reason to keep it on and what the best way to disable it ?

I created a bug report for the case mentioned above when renewing in the GUI: https://redmine.pfsense.org/issues/11514

@stephenw10 said in LACP LAGG in Silicom NICs:

Completely different NIC type though.

Yep, I think I'll wait a bit and test again under 2.5.(?)
although, if I read it correctly (somewhere), only "ixl" got a brand new driver under FB12

@colindexter
Not sure on the first one- I'd try re-installing the latest version pf pfB and force updating the rules. The other two are known issues. If you search, there are some patches you can apply to fix the IPSec status. The IP6 gateway will at least go online if you specify a monitor IP. I used google's DNS.

@cool_corona
Just pay it forward.

I tried about every combination of options in the GUI and it always errored out. I expect that's because I've updated/restored so many times. The cert probably dated back to 2.0 if not 1.2.3

This turned out to be hardware issue. Had to replace the SSD card.

I worked with the freebsd forum.

https://forums.freebsd.org/threads/cannot-boot-via-ssd-gptboot-no-boot-loader-on-0-ad-0p2.78994/

I don't recall exactly when, I thought it was in 2.4.x, but we disabled X11 forwarding in the SSH daemon on the firewall for security reasons.

The error is harmless though, you can ignore it, or like you've done, disable it on the client side.