General pfSense Questions

• 

  pfSense Hangouts are available on YouTube!
  • ivor  

  3
  0
  Votes
  3
  Posts
  1324
  Views

  A

  Subscription done!!!
• 

  Share your pfSense stories!
  • jdillard  

  18
  0
  Votes
  18
  Posts
  9536
  Views

  P

  I hope this thread is still alive :) I was using m0n0wall for a long time (still have one that's been alive without reboot almost 7 years!) before I came across the first customer needing VLAN, about 12 years ago I think. I got recommended to check out pfsense, and I have since then never looked back. These days I run my own company and importing hardware and building our own routers based on APU2 board and pfsense. We have at least 200+ installations out there, and we're also running pfsense in our small datacenter where we maintain our smallest customers, as well as the two geographical backup sites we keep for customer data. And, at home of course, where I hide my entire network behind an OpenVPN service setup in pfsense. I'm originally a Windows-guy, but after I met pfsense I realised there's a whole world of open source out there so I started learning, and today roughly half of our services are based on open source. Comparing pfsense to Cisco or the likes, I'd say there is no competition when it comes to price / functionality / reliability (as long as you use an appropriate hardware). Only kind words from me! ...and were are also retailers for Netgate in Sweden, not that we have a lot of customers of the size demanding that good hardware.
• M

  PfSense as NVA in Azure HELP PLS!!!
  • mbogoev  

  1
  0
  Votes
  1
  Posts
  6
  Views

  No one has replied

• N

  DNS Forwards or Zones? Or how do I setup a backup + forward.
  • nafeasonto  

  3
  0
  Votes
  3
  Posts
  36
  Views

  

  So in this scenario both your DCs are down? Because AD can for sure share their dns info. If both your DCs are down - you have bigger problems then a copy of your dns records running on pfsense ;) But sure running bind on pfsense would allow for zone xfers from your AD dns..
• P

  Port Forwarding Website
  • PC-2011  

  2
  0
  Votes
  2
  Posts
  24
  Views

  V

  So configure your pfSense to listen on a different port than 80 or 443 in System > Advanced > Admin Access and check the 'WebGUI redirect' option.
• D

  Why doesn't DHCP work consistently on my PFsense box?
  • Dave R2  

  2
  0
  Votes
  2
  Posts
  21
  Views

  

  Sounds like a problem with your NIC/hardware and not the OS, or perhaps the combination of that NIC+Modem. There are tens of thousands of people using DHCP without issue. Next time it happens, check your DHCP logs and other logs and see what is there, especially from dhclient.
• B

  Pfsense in Azure - Cannot reach host on IPsec tunnel
  • bhodges  

  3
  0
  Votes
  3
  Posts
  24
  Views

  B

  Hi Stephen, Yup, i've enabled IP forwarding for both of the interfaces (WAN and LAN) attached to the pfsense box. Also switched off the firewall on the VM i'm doing the connection testing from. thanks Ben
• 

  High WAN Usage
  • manjotsc  

  3
  0
  Votes
  3
  Posts
  21
  Views

  

  @freska99 I'll keep an eye for next time it happens, I am pretty sure it is going happen again, because It had happend to me, couple time. Thanks.
• Z

  Active Directory/LDAP and WebGUI
  • zarje  

  9
  0
  Votes
  9
  Posts
  5139
  Views

  J

  @dreamslacker Bingo, that was the piece I forgot, thanks!
• G

  DNS crashing every ~ 36 hours or so and unbound has to be restarted.
  • gawainxx  

  16
  0
  Votes
  16
  Posts
  193
  Views

  G

  @stephenw10 Unfortunately the system logs have already looped and only go as far back as this morning. I've set up service watchdog to monitor the unbound process which will hopefully prevent the issue from causing extended outages while I work on getting it figured out. Snort is protecting my home network as well as a few miscellaneous things, mostly running for added security, I'm using one of the lighter pre-defined snort ruleset bundles. I've exported the data from splunk in a raw format, perhaps that will be closer to the original? Here are my logs from yesterday, the outage was around 10:56am, where there is an absolute absense of unbound log data until I had someone at home restart the server via console. UnboundIssues_SystemLogs.txt UnboundIssues_UnboundLogs.txt UnboundIssues_SnortLogs.txt
• D

  Can't access Web Sites behind nginx reverse proxy.
  • DonWood  

  4
  0
  Votes
  4
  Posts
  25
  Views

  D

  Well who needs sleep
• A

  Configuring static wan IP
  • az  

  4
  0
  Votes
  4
  Posts
  46
  Views

  

  Ha! That happens... disappointingly often.
• A

  Port Forwarding Problems
  • az  

  1
  0
  Votes
  1
  Posts
  16
  Views

  No one has replied

• P

  NAT forwarded ports
  • ppssysadmin  

  4
  0
  Votes
  4
  Posts
  58
  Views

  

  Depends how you have the rules configured. If they are using references like 'interface IP' and 'WAN address' etc they should update. Hard coded IPs will not update there. Steve
• H

  PFSense 2.4.4 User Authentication Using Zentyal 6.1
  • Hazmat480  

  1
  0
  Votes
  1
  Posts
  17
  Views

  No one has replied

• R

  Proxy, Whitelist
  • rglenn  

  1
  0
  Votes
  1
  Posts
  9
  Views

  No one has replied

• D

  self-paced PfSense courses?
  • detox  

  1
  0
  Votes
  1
  Posts
  17
  Views

  No one has replied

• M

  apcupsd- Back UPS 650VA
  • mbrossar  

  15
  0
  Votes
  15
  Posts
  72
  Views

  M

  @jimp LOL! I have been thinking this very thing and will probably do it. If I do, I’ll report back.
• P

  LDAP authentication works in Diag:Auth but not for login
  • ppssysadmin  

  1
  0
  Votes
  1
  Posts
  22
  Views

  No one has replied

• B

  how to block bad guys who is sharing internet by laptop
  • begaa  

  18
  0
  Votes
  18
  Posts
  193
  Views

  

  @marvosa said in how to block bad guys who is sharing internet by laptop: We even have a few clinics that are sharing a single T1... A real T1? These days, those are generally emulated over Ethernet. I first did that over 10 years ago. They have also been run over SHDSL for many years. I was working with that stuff back in the early '90s. I suppose there are still some parts of the world that rely on 2 cans and a string.
• A

  Pfsense 2.5.0 pppoe Limit on Radius
  • asim  

  6
  0
  Votes
  6
  Posts
  72
  Views

  

  Possible solution here: https://forum.netgate.com/topic/141034/rate-limit-on-radius-reply-attributes-for-pppoe-connections-not-working/3 Pretty hacky though.... Steve
• R

  [2.4.4p3] Reboots with ctrl-alt-del on console even though hw.syscons.kbd_reboot = 0
  • rgijsen  

  3
  0
  Votes
  3
  Posts
  38
  Views

  R

  @jimp said in [2.4.4p3] Reboots with ctrl-alt-del on console even though hw.syscons.kbd_reboot = 0: kern.vt.kbd_reboot That was a quick fix, that indeed works. I wonder if that could be in the default tunables table, or maybe even a GUI options somewhere, I musn't be the only one who rebooted their box unintentionally by pressing this often-used MS combination... Thanks!
• T

  Is pfSense affected from CVE-2019-19521: Authentication bypass?
  • tm_an  

  2
  0
  Votes
  2
  Posts
  103
  Views

  T

  Just crosslinking the other thread, basically asking the same question. https://forum.netgate.com/topic/148666/cve-2019-19521-and-pfsense To date: no "official" statement there either, but same assumptions about FreeBSD != OpenBSD, plus pfSense not using anything of the mentioned auth mechanisms exept for SSH, which would fail anyways.
• S

  pfsense backup
  • sunacaso  

  2
  0
  Votes
  2
  Posts
  21
  Views

  M

  Diagnostics > Backup & Restore > Download configuration as XML
• J

  Implement pfSense To Protect Distributed Virtual Private Servers
  • jtomelevage  

  9
  0
  Votes
  9
  Posts
  53
  Views

  

  It might be more expensive. Other VPCs are available, I changed out the link. Vultr appears to have some sort of private networking feature that you may be able to use for this. Consolidate all your servers there perhaps. Not something I've ever tried. But multiple servers behind pfSense in AWS or Azure is quite common. Steve
• D

  Can't get to login.microsoft.com
  • dcihon  

  7
  0
  Votes
  7
  Posts
  77
  Views

  

  Ok, so pfSense can resolve it. Does it show a reply from all the DNS servers listed there? I could imagine external server resolve it but localhost (127.0.0.1) does not perhaps? Check Services > DNS Resolver. Is it enabled? If not check the DNS Forwarder instead. In whichever is enabled look for host or domain overrides for *.microsoft.com. Remove them if there are any. If not then make sure your client is actually using pfSense for DNS. Steve
• E

  Gateway Not Active when connecting to 4g comcast backup gateway
  4g failover gateway comcast • • ercoupeflyer  

  21
  0
  Votes
  21
  Posts
  133
  Views

  

  It looks like you have something configured using 192.168/16 somewhere that is conflicting. It's not in the routing table though. I would open your config file and search it for 192.168 and see what pops out at this point. There will be a lot of entries since you're using that for LAN. Steve
• 

  User account - need permission to run scripts via SSH
  • tkohhh  

  15
  0
  Votes
  15
  Posts
  116
  Views

  

  @tkohhh said in User account - need permission to run scripts via SSH: why is logging on as root considered insecure? Root has absolute power and can do a lot of damage. Mere mortals cannot damage anything out of their own area. If you only have local access and no one else can log in with the root ID, then you're okay. One common practice is to require those with root access to log in with their own ID, then su to root. This creates a log entry to show who assumed root access. Of course, never allow root login via anywhere beyond the local LAN. If I want to connect remotely, then I have to fist connect to my main system and then connect to my firewall from there. You can also enable passwordless connections, which use a public/private key pair, to ensure connections only from that one computer.
• T

  Eventual TFTP failure - "couldn't forward tftp packet: Permission denied"
  • TreyD  

  8
  0
  Votes
  8
  Posts
  60
  Views

  T

  @stephenw10 Good call - I'll start here next time pfsense is in this state and see if those requests are making it out of the firewall. I ended up rebooting pfsense last night and everything came back up fully functional. I have no doubt this situation will happen again, and I usually have a chunk of time to mess around with it. If this indeed only happens during a power outage or loss of provider, I can at least know to reboot the system when the automated alerts tell me things have come back up - that alone is a big win. I can't confirm as I didn't think to check the uptime in the past, but it seems as good a theory as any right now. I'll keep an eye on this post for any new comments, and I truly appreciate everyone's time and assistance in helping me resolve this issue.
• A

  Diagnosing can't ping out
  • axxxxe  

  6
  0
  Votes
  6
  Posts
  46
  Views

  

  What happened? How could I have diagnosed further before resorting to a reboot? Probably packet captures to see what was actually going out WAN. Evaluating the routing table to see what the state of the network was at the time.
• P

  WAN1<>LAN1, WAN2<>LAN2, no cross traffic allowed
  • pille99  

  3
  0
  Votes
  3
  Posts
  47
  Views

  

  Yes, this should be two IPs. Two interfaces in the same subnet is not valid. If you really want them completely separate and it's running in ESXi then you could just use two pfSense VMs. Though I notice you have the firewall labelled as "pfSense LB", is it running as a load-balancer? Steve
• R

  Plex issue with having 2 Wans
  • ryanjones  

  2
  0
  Votes
  2
  Posts
  26
  Views

  

  Yes, you can just set a pass firewall rule for he Plex device as source above the load-balancing rule and specify a single gateway. You should not have to though. The port forward coming in is independent of the load-balancing of outbound connections. It might be affected if the Plex detects the external IP and advertises that somewhere. Steve
• J

  Possible to modify rule based on a schedule?
  • jeff3820  

  2
  0
  Votes
  2
  Posts
  35
  Views

  

  You can put a schedule on a firewall rule: https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-schedules.html But that would require scheduling it enabled too and it doesn't sound like that would fit your usage. You might be able to just set the rule as disabled using a php shell command/script. Then call that from a cronjob. https://docs.netgate.com/pfsense/en/latest/development/using-the-php-pfsense-shell.html Steve
• M

  How to find spambot? Got network abuse report from my ISP
  • MrGlasspoole  

  21
  0
  Votes
  21
  Posts
  224
  Views

  M

  @Gertjan said in How to find spambot? Got network abuse report from my ISP: You mean : even you didn't send a mail What i mean is that nothing shows up that is trying to send mails. Sure, if I try to send one (what of course is not working) it shows up.
• M

  How to allow Internet only for one Device and allow only one website for all the others ?
  • Mago  

  3
  0
  Votes
  3
  Posts
  74
  Views

  M

  Can it be done here, yes, however, typically solutions at the firewall level involve manual processes like stephenw10 described plus DNS lookups, chasing down IP ranges, etc. and are management nightmares. You could configure Squid/Squidguard, but personally, I've never liked that route either. One crude way of doing what you're asking is to statically set the IP and DNS for the one workstation you want to have full access... and have DHCP hand out OpenDNS to everyone else where their queries will be filtered. A more effective way of accomplishing your goal is to implement a UTM.
• M

  Blocking Acces to Another VLAN but Allow Internet Acces
  • mracar07  

  5
  0
  Votes
  5
  Posts
  68
  Views

  M

  Where are you testing from? Because I'm not seeing hits on any of those rules. The first thing I would do is re-verify that your access ports are in the correct VLAN. Then, If you only want MUSTERI to access WDSPAYLASIM and nothing else, then remove everything you have and configure an explicit pass rule for: Source = MUSTERI net Destination = WDSPAYLASIM net and be done. Everything else will get blocked by the implicit deny.
• P

  An unsettling outage
  • piperspace  

  6
  0
  Votes
  6
  Posts
  107
  Views

  P

  @JKnott - Thanks. I will check to be sure the coax is still grounded and that my modem power supply hasn't gone wonky.
• J

  how to access a dmz servers from LAN?
  • JVlas  

  15
  0
  Votes
  15
  Posts
  111
  Views

  

  @stephenw10 said in how to access a dmz servers from LAN?: Er I think there's some confusion here Yeah for sure!!!! Whoever put up that drawing has ZERO!!! understanding of how networking works.. if that is some teacher??? Then just shoot me!!! Our future is failed - we should just give up.. I really do not get how that could be any sort of class - there is zero possible how that someone that is a teacher of networking could put up such a drawing.. If so we are just failed!!!! WTF???? Really - if someone put that up as some sort of test, other than what is F'ing wrong with this drawing... We are all is serious trouble for the future!!!
• A

  PPOE Not working
  • albgen  

  8
  0
  Votes
  8
  Posts
  61
  Views

  

  Assign the parent NIC as a new interface. Enable it, spoof the MAC, leave the IP types set as none.
• N

  Unable to connect to public SAMBA server
  • netnewb2  

  3
  0
  Votes
  3
  Posts
  37
  Views

  N

  @johnpoz Thanks for answering. Just a couple of minutes ago I checked with my ISP and it seems they have an option to request unlocking this port. I didn't expect this, as in the past they blocked only port 25. I expect it was this after all.