I hope this thread is still alive :)
I was using m0n0wall for a long time (still have one that's been alive without reboot almost 7 years!) before I came across the first customer needing VLAN, about 12 years ago I think. I got recommended to check out pfsense, and I have since then never looked back. These days I run my own company and importing hardware and building our own routers based on APU2 board and pfsense. We have at least 200+ installations out there, and we're also running pfsense in our small datacenter where we maintain our smallest customers, as well as the two geographical backup sites we keep for customer data. And, at home of course, where I hide my entire network behind an OpenVPN service setup in pfsense.
I'm originally a Windows-guy, but after I met pfsense I realised there's a whole world of open source out there so I started learning, and today roughly half of our services are based on open source.
Comparing pfsense to Cisco or the likes, I'd say there is no competition when it comes to price / functionality / reliability (as long as you use an appropriate hardware). Only kind words from me!
...and we are also retailers for Netgate in Sweden, not that we have a lot of customers of the size demanding that good hardware.
@viragomann said in PFSense problem on Openstack/KVM:
@roberto-bertucci said in PFSense problem on Openstack/KVM:
I am not able to access to web interface.
This is part of my problems. Simply, web interface is not responding to connections from LAN or WAN side.
nginx.log says nothing and i am stuck on this first problem (it would be great to have any hint on this too :D ) .
I don't see any correlation with connections dropping and i was trying to solve this before any other issue to be able to connect via ssh and do an easier debug instead of working in VM console.
BTW, i am going to apply change in config.xml and will let you know if it worked.
Thank you again
Yes, it does support variable length subnet masks. However, you have overlapping subnets. That 192.168.2.0 /22 is in fact 192.168.0.0 /22 because the mask erases the .2 in the 3rd byte of the address. The next network up that supports /22 is 192.168.4.0.
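The subnet arithmetic in the reply above, as an added example that is not part of the original post: a small Python script using the standard `ipaddress` module that shows what mask a given CIDR actually selects, flags host bits left set in the network address, finds the next properly aligned block, and checks a constructed address plan (the 192.168.0.0/24 LAN and the 192.168.2.0/22 from the thread are assumed here) for overlapping networks. The function names and the sample plan are my own.

```python
import ipaddress


def normalize(cidr: str) -> str:
    """Return the network the mask really selects.

    strict=False lets ipaddress accept a CIDR whose host bits are set
    (e.g. 192.168.2.0/22) and zero them, which is exactly what the
    router does when it applies the mask.
    """
    return str(ipaddress.ip_network(cidr, strict=False))


def is_aligned(cidr: str) -> bool:
    """True only if the address is a proper network address for its mask."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        # strict mode raises when host bits are set in the network address
        return False


def next_aligned(cidr: str) -> str:
    """Next block of the same size that starts on a proper boundary."""
    net = ipaddress.ip_network(cidr, strict=False)
    start = net.network_address + net.num_addresses  # IPv4Address + int is supported
    return f"{start}/{net.prefixlen}"


def find_overlaps(cidrs):
    """Return every pair of networks in the plan that overlap (including containment)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.overlaps(b)
    ]


if __name__ == "__main__":
    # Constructed address plan modelled on the thread: an existing /24 LAN
    # plus the misaligned /22 the poster tried to add.
    plan = ["192.168.0.0/24", "192.168.2.0/22"]
    for c in plan:
        print(f"{c:18} -> {normalize(c)}  aligned={is_aligned(c)}")
    print("overlaps:", find_overlaps(plan))
    print("next aligned /22 after 192.168.2.0/22:", next_aligned("192.168.2.0/22"))
```

Run it before committing a VLAN plan: any CIDR reported as not aligned, or any pair listed under overlaps, will produce exactly the silent routing confusion described above, because pfSense will happily accept the misaligned address and then route the whole /22.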
@bmeeks Got one 500VA UPS coming tomorrow for the fiber modem, pfSense, switch, and the two UniFi AP's. This will be USB cabled to the pfSense and it's an APC so if nut doesn't work then I will use apcupsd.
I have a second UPS also coming, in the range of 1800VA for my NAS, switch, and ESXi boxes.
As far as the restore, since I have backups and copy them off the appliance, it was stupid simple. I created the USB key, added the FAT32 "Recover" partition and copied the backup xml file and named it config.xml. I had to hook the firewall up to my TV as I have no VGA monitors in my house surprisingly, but it booted, installed, and on reboot applied config.xml and was up and going. Stupid simple DR in my mind and a huge bonus for pfSense in my book!
From now on, it's going to be a DR instead of hours of troubleshooting, it's just too damned easy to recover.
Going to use a SIIG USB over IP device and a FTDI cable to have remote access to the console for any future needs.
I've discovered a solution for this problem. Here you can find it. It's a German post. Translated it says:
You have to activate the "static ARP" option at the "DHCP Static Mappings for this Interface" of the DHCP Server. Now you can wake your Host up with (direct from shell or via cron):
/usr/local/bin/wol -i IP MAC
Have not had time to script tests yet. One of the 2 brand new boxes with same hardware and "WOL" disabled froze a couple of days ago as well. The previous box's console was still interactive when issue happened. This one was a full freeze. Not reacting to any inputs.
@johnpoz said in Planning to use PFsense with Cisco L3 core router and Unifi for L2... does this look ok? suggestions?:
@Jpub said in Planning to use PFsense with Cisco L3 core router and Unifi for L2... does this look ok? suggestions?:
"Keep it simple."
Which is why you have to make the choice - if you want an easy firewall, then use pfsense to route between your vlans - be it you fire up another one in the core, or just route at the edge.. Or are you going to take the time to actually do it correctly at your L3... If you're not - then you might as well just do a big fat flat network and not have to worry about the routing at all.
In pfsense land, one thing I've read as a reason for segmenting, at the least in terms of provisioning IP's along CIDR/subnet lines, is if you're using IDS then you can filter and target logs better. Another is "network ACL's" ... but yeah.... it sounds great, but maintaining this doesn't seem like something a small shop would be doing very well beyond that first day or two they set it up. The IDS logs I think I would actually use a lot, or at least want to narrow things down quickly on alert.
So there is a plugin in OSSIM which I enabled thinking that might help me read pfSense logs directly but I realized that is not going to work. Besides that I found about https://github.com/decay/alienvault-pfsense. This seems promising but it says AlienVault USM not OSSIM. Not sure if I should try this or not so I wonder if I could get some help.
And on those dell cards, be careful many are small form factor. These cards won't fit in a regular size atx motherboard setup. There are people who do sell the proper bracket out of china.
The easiest way around this is to create an alias called ProxyExempt for example, and then add all clients that you want to that alias. Then add a firewall rule just above your tcp80,443 block that allows ProxyExempt out on those same ports. That's how I do it:
You have to create the VLANs in Interfaces > Assign > VLANs
Add whatever VLAN you need using ix0 as the parent interface.
Then assign and enable the new ix0.x VLAN interface in Interfaces > Assign as you would with any other interface.
Do you just have a port open on your WAN to allow access the webgui? A port forward?
Are you accessing it by IP directly or by FQDN?
Is the Cyberoam device known to you? How is it connected if so?
Ah, then that's almost certainly the cause!
In environments where it's not possible to guarantee the power you can set /var and /tmp as ram drives. That minimises drive writes and hence the chances of filesystem issues. That's a setting in Sys > Adv > Misc. It does require rebooting to set that.