General pfSense Questions

• 

  pfSense Hangouts are available on YouTube!
  • ivor  

  1
  1
  Votes
  1
  Posts
  1737
  Views

  No one has replied

• 

  Share your pfSense stories!
  • jdillard  

  23
  0
  Votes
  23
  Posts
  10389
  Views

  P

  Hello I have been working in the IT business my whole career. When I retired I was not aiming as being a "couch potato" so I search for an activity as a volunteer and I discover Emmaüss Connect a caritative French association. Emmaüs Connect fights for the digital inclusion of the most vulnerable people in France, where a quarter of the population is unable to use the internet on a daily basis. I joined the local team in Lyon France where I provided lectures regarding basics used of laptops, smartphones and tablets. From an IT side I found that the small local network didn't have any protection aka the cable modem/routeur was directly connected to the PCs. Talking to the local responsible I suggested that we implement some basic strategy to protect our local network. The constraint was to make it at 0 Euros as you may understand. After looking around on what was available on the software market I choose pfSense because it got an excellent reputation, it was modular and available to be implemented on a recycled PC. So I moved that way and with the help of the pfSense user forum and the many excellent tutorials available on Youtube I end up with a pfSense configuration that is now up and running 24 hours a day. The Firewall protects our small network. I also added the following packages: pfBlockerNG : to filter what is going out because we don't want people going to "bad" sites using our network. Captive portal : so we can provide free vouchers to the people we are supporting to use our network to connect to the internet. OpenVPN : so I can do remote monitoring/maintenance on the firewall. I like to really thank the whole pfSense community for the great product they have made and keep maintaining actively. I will be a real advocate for it. If anyone is in the same situation I will be happy to help/share. Thanks again Pierre
• P

  Notification for a host down
  • pankaj13  

  1
  0
  Votes
  1
  Posts
  3
  Views

  No one has replied

• C

  pfSense - OpenVPN + Avahi = Not Working
  • CCNewb  

  3
  0
  Votes
  3
  Posts
  9
  Views

  G

  Hello, I read somewhere, that avahi will run only if you use TAP tunnel. On Vmhost it was exactly same setup?
• 

  A Road Warrior pfSense Laptop
  • NollipfSense  

  4
  0
  Votes
  4
  Posts
  18
  Views

  R

  I had thought about it, but then thought better of it. Instead I setup openvpn. When I am out with the laptop or tablet, I just launch the VPN. It requires a TLS key to initiate the connection, a certificate+username and password to authenticate, and by not allowing a split tunnel, all my internet must go through the tunnel and into my home network, then out the PFSense router using all my rules, PFBlocker and Snort. I also loaded up the VPN on my cell phone so can even surf with that encrypted on a public wifi. The goal for me is not to have someone sniffing what I am doing, and I think this fits the need.
• T

  Power Failure Bulletproof ::: yes! I have half-ton of UPS.
  • tiago.m.azevedo  

  11
  0
  Votes
  11
  Posts
  38
  Views

  

  @tiago-m-azevedo One other thing to consider is computers that support multiple power supplies. I used to have an IBM Netfinity server, which had 3 power supplies, any 2 of which were sufficient. You'd then have multiple power sources. This sort of thing was also common in telecom, whether AC or DC powered.
• S

  Random panic reboot
  • stevemosher  

  14
  0
  Votes
  14
  Posts
  62
  Views

  S

  We went ahead and picked up an Intel X550T2 card. Should be here next week. Stay tuned. Above all -- Thank you.
• G

  Would like some guidance for troubleshooting connectivity issues with a Smart Appliance
  • gawainxx  

  14
  0
  Votes
  14
  Posts
  62
  Views

  G

  @johnpoz said in Would like some guidance for troubleshooting connectivity issues with a Smart Appliance: Where did you sniff that? On pfsense? You can see some retrans were sent, ie device not answering.. But from that posting. Pfsense did what was suppose to and sent traffic on to client.. Client didn't answer or didn't get it? This was captured on pfsense with the IF in promiscuous mode. The TCP re transmissions seem to go both ways in the capture. From what I've read so far this could suggest packet loss but I'm not seeing any signs of packet loss on the wan IF or on my APs. Although packet loss wouldn't necessarily explain why the issues seem to occur going both directions? The full packet capture i linked to has some other odd behaviour between the client and web server.
• R

  How do I debug frequent Gateway alarms
  • Roy360  

  7
  0
  Votes
  7
  Posts
  14
  Views

  

  I meant to give it a tug when hooked up to your Ethernet tester, not pfSense. The tester could give a you the false sense that the cable is good when it's actually not. Therefore, stressing the cable a bit might put it in a failing state and give you a more accurate test result. If you're still having issues, it might be easier to replace the cable. That might be worth a try anyway if you have an extra cable around. Yea, I think those hotplug events were you disconnecting the cable when you were testing.
• G

  WAN link state change up and down until reboot
  • GeorgeCZ58  

  4
  0
  Votes
  4
  Posts
  17
  Views

  G

  There are another informations from log and time when problem starts: Aug 13 22:30:14 kernel em2: link state changed to DOWN Aug 13 22:30:14 kernel em2: RX Next to Refresh = 1023 Aug 13 22:30:14 kernel em2: RX Next to Check = 0 Aug 13 22:30:14 kernel em2: RX discarded packets = 0 Aug 13 22:30:14 kernel em2: hw rdh = 0, hw rdt = 1023 Aug 13 22:30:14 kernel em2: RX Queue 0 ------ Aug 13 22:30:14 kernel em2: Tx Descriptors avail failure = 0 Aug 13 22:30:14 kernel em2: TX descriptors avail = 886 Aug 13 22:30:14 kernel em2: Tx Queue Status = -2147483648 Aug 13 22:30:14 kernel em2: hw tdh = 0, hw tdt = 138 Aug 13 22:30:14 kernel em2: TX Queue 0 ------ Aug 13 22:30:14 kernel Interface is RUNNING and ACTIVE Aug 13 22:30:14 kernel em2: Watchdog timeout Queue[0]-- resetting Aug 13 22:30:14 check_reload_status Linkup starting em2 Aug 13 22:28:04 dhcpleases /etc/hosts changed size from original! Aug 13 22:28:04 php-fpm /rc.newwanip: rc.newwanip: on (IP address: xxx.xxx.xxx.xxx) (interface: WAN[wan]) (real interface: em2). Aug 13 22:28:04 php-fpm /rc.newwanip: rc.newwanip: Info: starting on em2. Aug 13 22:28:03 check_reload_status Reloading filter Aug 13 22:28:03 check_reload_status rc.newwanip starting em2 Aug 13 22:28:03 php-fpm /rc.linkup: Hotplug event detected for WAN(wan) static IP (xxx.xxx.xxx.xxx ) Aug 13 22:28:02 kernel em2: link state changed to UP Aug 13 22:28:02 check_reload_status Linkup starting em2 Aug 13 22:28:01 php-fpm /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_IP_ADD. Aug 13 22:28:00 check_reload_status Reloading filter Aug 13 22:28:00 check_reload_status Restarting OpenVPN tunnels/interfaces Aug 13 22:28:00 check_reload_status Restarting ipsec tunnels Aug 13 22:28:00 check_reload_status updating dyndns WAN_IP_ADD Aug 13 22:28:00 rc.gateway_alarm 41570 >>> Gateway alarm: WAN_IP_ADD (Addr:8.8.8.8 Alarm:1 RTT:9.184ms RTTsd:.778ms Loss:21%) Aug 13 22:27:59 check_reload_status Reloading filter Aug 13 22:27:59 php-fpm /rc.linkup: Hotplug event detected for WAN(wan) static IP (xxx.xxx.xxx.xxx ) Aug 13 22:27:58 kernel em2: link state changed to DOWN Aug 13 22:27:58 kernel em2: RX Next to Refresh = 1023 Aug 13 22:27:58 kernel em2: RX Next to Check = 0 Aug 13 22:27:58 kernel em2: RX discarded packets = 0 Aug 13 22:27:58 kernel em2: hw rdh = 0, hw rdt = 1023 Aug 13 22:27:58 kernel em2: RX Queue 0 ------ Aug 13 22:27:58 kernel em2: Tx Descriptors avail failure = 0 Aug 13 22:27:58 kernel em2: TX descriptors avail = 989 Aug 13 22:27:58 kernel em2: Tx Queue Status = -2147483648 Aug 13 22:27:58 kernel em2: hw tdh = 0, hw tdt = 35 Aug 13 22:27:58 kernel em2: TX Queue 0 ------ Aug 13 22:27:58 kernel Interface is RUNNING and ACTIVE Aug 13 22:27:58 kernel em2: Watchdog timeout Queue[0]-- resetting Aug 13 22:27:58 check_reload_status Linkup starting em2 Aug 13 22:27:53 check_reload_status Reloading filter Aug 13 22:27:53 dhcpleases /etc/hosts changed size from original! Aug 13 22:27:53 php-fpm /rc.newwanip: rc.newwanip: on (IP address: xxx.xxx.xxx.xxx) (interface: WAN[wan]) (real interface: em2). Aug 13 22:27:53 php-fpm /rc.newwanip: rc.newwanip: Info: starting on em2. Aug 13 22:27:52 check_reload_status Reloading filter Aug 13 22:27:52 check_reload_status rc.newwanip starting em2 Aug 13 22:27:52 php-fpm /rc.linkup: Hotplug event detected for WAN(wan) static IP (xxx.xxx.xxx.xxx ) Aug 13 22:27:51 kernel em2: link state changed to UP Aug 13 22:27:51 check_reload_status Linkup starting em2 Aug 13 22:27:49 check_reload_status Reloading filter Aug 13 22:27:49 php-fpm /rc.linkup: Hotplug event detected for WAN(wan) static IP (xxx.xxx.xxx.xxx ) Aug 13 22:27:48 kernel em2: link state changed to DOWN Aug 13 22:27:48 kernel em2: RX Next to Refresh = 733 Aug 13 22:27:48 kernel em2: RX Next to Check = 734 Aug 13 22:27:48 kernel em2: RX discarded packets = 0 Aug 13 22:27:48 kernel em2: hw rdh = 734, hw rdt = 733 Aug 13 22:27:48 kernel em2: RX Queue 0 ------ Aug 13 22:27:48 kernel em2: Tx Descriptors avail failure = 0 Aug 13 22:27:48 kernel em2: TX descriptors avail = 961 Aug 13 22:27:48 kernel em2: Tx Queue Status = -2147483648 Aug 13 22:27:48 kernel em2: hw tdh = 70, hw tdt = 133 Aug 13 22:27:48 kernel em2: TX Queue 0 ------ Aug 13 22:27:48 kernel Interface is RUNNING and ACTIVE Aug 13 22:27:48 kernel em2: Watchdog timeout Queue[0]-- resetting Aug 13 22:27:48 check_reload_status Linkup starting em2 We have more public addresses. Cisco routers on other address seems works OK. So you think, that replace Intel card is the solution? But after restart it work ok. :-/
• I

  Email notification configuration
  • IT_Elkey  

  2
  0
  Votes
  2
  Posts
  26
  Views

  

  There are no options to control which events generate e-mail notifications. The only one of the items you listed that is somewhat possible is the interface one, though that is only possible via gateway monitoring, not from the interface event itself.
• R

  pfsense setup question
  • redgreen2020  

  4
  0
  Votes
  4
  Posts
  25
  Views

  

  Don't forget to set the default gateway in the routing section. I recently had a similar problem with the WAN being shown as up, but LAN clients being unable to connect to the internet. It was because I had migrated the router from a different location and the old default gateway was still set.
• J

  Internal routing stops when internet goes down
  • jhunt  

  21
  0
  Votes
  21
  Posts
  64
  Views

  

  @jhunt Certain models of TP-Link switches, including your don't handle VLANs properly, in that they allow multicasts to leak. There are apparently issues with VLAN 1 appearing on all VLANs. This may have been fixed with an update.
• C

  NTPD losing contact with servers: "Unexpected origin timestamp"
  • clough42  

  9
  0
  Votes
  9
  Posts
  5436
  Views

  

  @ntranx /var/db
• C

  K12 Schools and VPN
  • comforttech  

  5
  0
  Votes
  5
  Posts
  241
  Views

  G

  Hmm, how about snort and the openappid-vpn_tunneling.rules. ruleset? If you do go through with locking down VPN, please do your users a solid and make sure your Wireless environment is secure and users aren't at risk of packet sniffing or MiTM attacks.
• N

  ATT BGW210 pfsense bypass with multiple static ip addresses
  • netmonster  

  5
  0
  Votes
  5
  Posts
  29
  Views

  N

  @user_three $15 a month with ATT.
• P

  NTP redirection not working?
  • pfguy2018  

  6
  0
  Votes
  6
  Posts
  25
  Views

  

  @pfguy2018 Yes, that appears to come from the first server tried. However, it also seems to have a bad checksum, so it would be discarded.
• A

  ACB service not working
  • ACNiC  

  3
  0
  Votes
  3
  Posts
  11
  Views

  A

  @jimp ah okay i see. Thanks for letting know. Is there a way to see the server availability by the way?
• S

  LAGG interfaces help
  • stefanwe  

  1
  0
  Votes
  1
  Posts
  9
  Views

  No one has replied

• W

  Strange - Very slow routing performance while iperf shows gigabit speed
  • wxppro  

  10
  0
  Votes
  10
  Posts
  61
  Views

  

  Nice.
• A

  haproxy show clinet ip
  • aminbaik  

  2
  0
  Votes
  2
  Posts
  9
  Views

  P

  @aminbaik To send the ip addres of the client/webbrowser to the server/webserver behind haproxy there are a few options: 1- option forwardfor 2- send-proxy 3- source 0.0.0.0 usesrc clientip Each has its own (dis-)advantages.. https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/haproxy_pass_clientip_to_webserver
• W

  "Strange"? Memory Pattern Since Snort Migration
  • wormuths  

  2
  0
  Votes
  2
  Posts
  13
  Views

  

  Snort will use more RAM temporarily during the restart sequence that happens at the end of a rules update task. When the rules are downloaded and extracted, all running Snort processes are restarted so they will pick up and start using the updated rules. That restart process is the memory uptick you are seeing. The amount of memory used is a function of the number of the active rules you have configured.
• L

  firewall and caching server?
  • lewis  

  2
  0
  Votes
  2
  Posts
  20
  Views

  L

  Cannot delete this post. No longer asking this question.
• L

  Cannot ssh from firewall to LAN
  • lewis  

  3
  0
  Votes
  3
  Posts
  20
  Views

  L

  Hi, I am ssh'ing from an allowed public IP to the pfsense box which has a rule on it to allow ssh from my IP to that server. Nothing reaches it from outside of pfsense but I can reach this server from other servers on the LAN side. On that same server, I can ping to 4.2.2.2 for example using -I on the first (public facing) NIC but using the second (LAN sided NIC) NIC, I get nothing. # ping -I ens33 4.2.2.2 PING 4.2.2.2 (4.2.2.2) from x.x.x.x ens33: 56(84) bytes of data. 64 bytes from 4.2.2.2: icmp_seq=1 ttl=59 time=9.20 ms ^C --- 4.2.2.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 9.205/9.205/9.205/0.000 ms # ping -I ens34 4.2.2.2 PING 4.2.2.2 (4.2.2.2) from 10.0.0.14 ens34: 56(84) bytes of data. ^C --- 4.2.2.2 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 999ms
• C

  pfSense using unreasonable amount of bandwidth while idle
  • CyberMinion  

  47
  0
  Votes
  47
  Posts
  286
  Views

  

  Yeah something is not right because that is not really a valid query.. A query for an IP should be a PTR query.. And a A record like that would really never resolve because that last part would be considered the tld.. and .072 sure isn't a valid tld.. Now your 066.140.x.x.localdomain could resolve.. if the local NS you were asking had a record like that in it.. but public would never resolve that sort of query. Maybe look through your xml, you can download a full backup and search for anything that could be put in somewhere that matches that odd query. edit: BTW your not seeing any other odd queries like that? Just that 1 weird one that repeats over and over? Are you seeing any firewall logs with that IP in it? Or that IP reversed, where maybe the PTR got messed up? so like 72.140.159.66 or 66.159.140.72 ?
• P

  Can't reach Apple services
  • pfguy2018  

  13
  0
  Votes
  13
  Posts
  68
  Views

  U

  ok.
• F

  cPanel + pfSense = few weird problems
  • Flegy  

  4
  0
  Votes
  4
  Posts
  61
  Views

  F

  I am sorry for bump, but still looking for a solution to get curl to work with NAT 1:1.
• A

  pfsense change syslog config
  • aminbaik  

  5
  0
  Votes
  5
  Posts
  25
  Views

  T

  $ cat /etc/syslog.conf # Automatically generated, do not edit! Do not edit that file. The include line I mentioned tells the system to load custom syslog configuration files from /var/etc/syslog.d/. Try this: $ printf "local1.notice\t\t/var/log/access.log\n" > /var/etc/syslog.d/apache.conf $ service syslogd restart In your apache.conf (not the syslog.d/apache.conf) you should having something like this: CustomLog "|/usr/bin/logger -t httpd -p local1.notice" combined Also, one more time so I feel like I properly warned you. Do not run your own webserver on your firewall. All it takes is you making a mistake in your server code and now someone has compromised your firewall. DO NOT DO THIS.
• J

  PFSense Logging for Microsoft Cloud App Security
  • jpozzoli  

  4
  0
  Votes
  4
  Posts
  143
  Views

  A

  Hi Guys, It is very good idea! did you find solution to setup this ? thanks
• X

  HTTPS translation to IP [solved]
  • x007alfa  

  13
  0
  Votes
  13
  Posts
  40
  Views

  X

  @johnpoz thanks a lot ;)
• D

  Enable user accounting with radius
  • dbgolf74  

  1
  0
  Votes
  1
  Posts
  6
  Views

  No one has replied

• W

  I cannot Access my pfsense
  • Willing_To_Learn  

  16
  0
  Votes
  16
  Posts
  89
  Views

  W

  @stephenw10 Thank You Alot...I just reinstalled pfsense on the device and it worked
• G

  Can't send emails from internal devices to external host
  • girkers  

  1
  0
  Votes
  1
  Posts
  10
  Views

  No one has replied

• G

  WAN interface stops working every few days.
  • gawainxx  

  13
  0
  Votes
  13
  Posts
  65
  Views

  G

  @stephenw10 said in WAN interface stops working every few days.: That may not tell you much anyway. It's curious that rebooting the ONT corrects the issue but unplugging the cable does not. Those should be similar from pfSense's view. Obviously one resets the upstream connection too but if that were an issue then rebooting pfSense alone would not correct it. A short pcap made whilst the connection is bad might show something. Bad packets etc. It might need to be on the PPPoE parent interface though. Steve Three things have been observed to correct the issue so far. Rebooting pfsense Disconnecting the WAN if's ethernet cable for ~15 seconds then plugging it back in. Power Cycling the ONT packet loss and latency skyrockets during these events. I'm going to do a packet capture as well as take a close look at the PPPOE traffic the next time this happens. I'm curious to see if my WAN IP changes as well as what disabling and re-enabling PPPOE does. This issue began approximately 1 week after I had replaced my optiplex 7010SFF PFsense instance for the R210 II. There are two other things in the same timeframe which "may may potentially attribute but I'd be surprised if they were the issue" Minor heat wave where temps were in the upper 90's for a few days.\ Unmounted ONT to physically inspect what type of optical cable it uses, It may be remotely possible that I somehow pinched the cable when returning the ONT back into it's cradle? I'm not certain whether that would manifest with these symptoms though. aside from the every 12-36 hour events pings, latency and packet loss are on par for gigabit.
• J

  Routing Error :radvd 40776 sendmsg: Permission denied
  • jefstrongman  

  3
  0
  Votes
  3
  Posts
  17
  Views

  J

  Thank you! That did the trick.
• S

  Dyndns update use public ip
  • serbus  

  2
  0
  Votes
  2
  Posts
  12
  Views

  

  Hmm. Yes I believe there are a number of providers who will just use the source IP of an update. The customer option there may also work rather than using one of the built in presets. The pfSense update client will do that anyway if the monitored interface has a private IP but that makes it tricky in your case.... Steve
• 

  FreeBSD Bug 188261 - How to apply patch to pfSense
  • maverickws  

  14
  0
  Votes
  14
  Posts
  123
  Views

  

  @chrcoluk said in FreeBSD Bug 188261 - How to apply patch to pfSense: ticket on redmine if you read, this has happened in the past @maverickws " I've added here: https://redmine.pfsense.org/issues/10820 Thanks!"
• W

  Enable DNS over TLS via DHCP
  • Woodsomeister  

  2
  0
  Votes
  2
  Posts
  26
  Views

  

  Seems like it's not ready yet: option-code: TODO (two octets) Unbound can accept DoT requests if clients are sending them as long as you have enabled it and added a cert. Steve
• M

  Pfsense and Google Wifi as access point
  • muppie  

  4
  0
  Votes
  4
  Posts
  23
  Views

  M

  Hi! Many thanks for the replies. It turns out that there were some errors with my switch. However, I never managed to put the google nodes in bridge mode so I gave up and bought a uniquiti access point and installed. //Andreas
• M

  Web GUI responsiveness
  • mervincm  

  11
  0
  Votes
  11
  Posts
  61
  Views

  

  The Mellanox drive line is expected on any system. The dhcp leases line it likely something attempting to restart it twice (still starting from the last previous time). Here's me editing an alias on a test box: Aug 11 12:06:27 check_reload_status Syncing firewall Aug 11 12:06:39 check_reload_status Reloading filter Aug 11 12:06:40 xinetd 23110 Starting reconfiguration Aug 11 12:06:40 xinetd 23110 Swapping defaults Aug 11 12:06:40 xinetd 23110 readjusting service 19000-tcp Aug 11 12:06:40 xinetd 23110 Reconfigured: new=0 old=1 dropped=0 (services) It responds pretty much instantly in the GUI. The first log line is when it hit save. The second log line is when I hit apply. It takes ~1s to reload everything. Now that's a test device without much config on it. As you add more services and more rules, and tables etc it takes longer to reload. Steve