General pfSense Questions

• 

  pfSense Hangouts are available on YouTube!
  • ivor  

  3
  0
  Votes
  3
  Posts
  1293
  Views

  A

  Subscription done!!!
• 

  Share your pfSense stories!
  • jdillard  

  18
  0
  Votes
  18
  Posts
  9480
  Views

  P

  I hope this thread is still alive :) I was using m0n0wall for a long time (still have one that's been alive without reboot almost 7 years!) before I came across the first customer needing VLAN, about 12 years ago I think. I got recommended to check out pfsense, and I have since then never looked back. These days I run my own company and importing hardware and building our own routers based on APU2 board and pfsense. We have at least 200+ installations out there, and we're also running pfsense in our small datacenter where we maintain our smallest customers, as well as the two geographical backup sites we keep for customer data. And, at home of course, where I hide my entire network behind an OpenVPN service setup in pfsense. I'm originally a Windows-guy, but after I met pfsense I realised there's a whole world of open source out there so I started learning, and today roughly half of our services are based on open source. Comparing pfsense to Cisco or the likes, I'd say there is no competition when it comes to price / functionality / reliability (as long as you use an appropriate hardware). Only kind words from me! ...and were are also retailers for Netgate in Sweden, not that we have a lot of customers of the size demanding that good hardware.
• R

  Why is file sharing not recommended on a pfSense box?
  nas samba nfs iscsi storage • • RAMChYLD  

  2
  0
  Votes
  2
  Posts
  7
  Views

  

  @RAMChYLD The point is that a firewall should be only a firewall. If you start putting other stuff on it, you create possible security risks. Tftp is often used for booting up systems, including VoIP phones and so is often provided on the router, which pfSense is also.
• E

  WAN_DHCP6 Pending
  • Elliott32224  

  5
  0
  Votes
  5
  Posts
  29
  Views

  E

  @JKnott Thanks for educating on this. It does look like my modem (Netgear C7100V) has that set up.
• P

  Noob needs help with pfsense
  • Perseverance66  

  7
  0
  Votes
  7
  Posts
  73
  Views

  P

  @stephenw10 Epic fail! on my part.... Wow, I'm betting I was trying to use the serial console image and should actually be using the VGA image instead... I'll double check when I get home. Thanks stephen!
• K

  Fresh install internet access issue
  • kimi4  

  10
  0
  Votes
  10
  Posts
  126
  Views

  K

  Tried to set from 90 to 900 here https://nimb.ws/9tPfzO no luck, still can't obtain IPv4. BTW I do not use any modem, just ethernet cable from ISP.
• R

  URL Redirect for Search Engines
  • rsaanon  

  7
  0
  Votes
  7
  Posts
  78
  Views

  H

  if you have control over those devices: https://docs.netgate.com/pfsense/en/latest/cache-proxy/wpad-autoconfigure-for-squid.html#setting-up-wpad-autoconfigure-for-the-squid-package or you can start messing with fake ssl certificates todo this transparently ... but thats messy
• A

  Remove LAN interface
  • angdigi  

  28
  0
  Votes
  28
  Posts
  145
  Views

  N

  @angdigi said in Remove LAN interface: Isn't this considered "flapping". Maybe it's something on the NIC that's causing the issue and not the ISP.... Flapping is generally a term for when a mac address moves rapidly between different ports on a switch / switches.
• N

  sendto error: 65
  • newUser2pfSense  

  10
  0
  Votes
  10
  Posts
  135
  Views

  N

  Well, the ONT was replaced. I'll see how it goes for the next however many days.
• D

  pfSense halving Virgin fibre connection speed
  • danneh82  

  10
  0
  Votes
  10
  Posts
  122
  Views

  

  @danneh82 said in pfSense halving Virgin fibre connection speed: Swapped data ports (luckily ran extra drops!) and now getting full speed. The problem is probably at one of the connectors. Reterminating the cable should fix that or perhaps there's a bad connector. The cable itself rarely goes bad, unless physically damaged.
• M

  Add Custom Tables
  • meaglerick  

  9
  0
  Votes
  9
  Posts
  167
  Views

  

  Yes, there's no way to do that directly. You can try using the Netflix ASN in pfBlocker to create an alias then use that in a policy routing rule. https://forum.netgate.com/post/848939 Steve
• S

  how to deploy pfsense in the current network?
  • success127  

  6
  0
  Votes
  6
  Posts
  113
  Views

  M

  Another vote for replacing the USG with PFsense. I haven't seen anything in your diagrams that would warrant having two firewalls in your environment.
• T

  Deny dhcp lease and lan access to unknow and unwanted devices
  • T.Soprano  

  8
  0
  Votes
  8
  Posts
  110
  Views

  

  yeah that would be a possibility I guess..
• F

  NAT - Source Hash netblock - assigning GW & Broadcast
  • fusionp  

  4
  0
  Votes
  4
  Posts
  48
  Views

  

  There's no other way I'm aware of I'm afraid. If you need to use source hash you need to use a subnet as the translation so you need to use a set of smaller translation rules. Steve
• M

  Interface with my AP cuts out regularly
  • mh13  

  14
  0
  Votes
  14
  Posts
  76
  Views

  

  Yup, indeed. Hence I added potentially in there. Whilst you should not ever need to set fixed 1G, and you can I would argue it's an invalid setting, if both ends allow setting that you might as well try it. Assuming it i a link neg issue at all. Prove that first with a switch in between.
• S

  Exporting LetsEncrypt Certificates in Automated mode.
  • smr  

  2
  0
  Votes
  2
  Posts
  34
  Views

  

  Why do you need to do that if you're off-loading SSL in HAProxy? To do that though you would need to pull in the cert and then restart whatever service is using it in the VM. So a script running on the VM seems like the first option. Though allowing the VM direct access to the firewall is a security issue. You might be able to pull it via the gui using a user with limited access similar to the pull automated backup described here: https://docs.netgate.com/pfsense/en/latest/backup/remote-config-backup.html#pull-it Steve
• C

  Where does pfSense fit into the SD-WAN market?
  • coreybrett  

  8
  0
  Votes
  8
  Posts
  3912
  Views

  

  ZeroTier is a great solution... I use it on a bunch of devices in 2 different countries and I can operate everything as if they were on the same LAN. But if we could get it integrated into pfSense and run it at the router level, the entire sites could do the same (not just specific devices running ZeroTier locally on each device). https://forum.netgate.com/topic/91683/zerotier-one-as-a-package-100usd
• B

  PfSense as PXE boot server
  • Balanga  

  14
  0
  Votes
  14
  Posts
  9128
  Views

  F

  nice! I'm working on a similar project. when I circle back to pxe boot from pfSense I'll expand on this.
• 

  Problems with flaky internet and pfSense
  • Bob.Dig  

  38
  0
  Votes
  38
  Posts
  185
  Views

  

  I would check for a missing or bad default route when this happens. Diag > Routes If there is no default route client traffic will not be able to get out. pfSense itself would not be able to ping out to arbitrary sites. However the gateway monitoring will show onlint because that has a static route via the WAN gateway. Do you have more than one gateway in System > Routing > Gateways? If the default IPv4 gateway is set to automatic setting it to the WAN dhcp gateway instead should get you back a default route if that is what you're hitting. Steve
• N

  Make Netgate XG-7100 and Cisco Mobility Express work together on 2nd WLAN
  • noel.alanguilan  

  17
  0
  Votes
  17
  Posts
  103
  Views

  

  Ok there are several problems there. Which port on the XG-7100 is connected to Unmanagedswitch1? It looks like it's probably on LAN so that would be port 2 only. That is the port you need VLAN3003 to be tagged out on. The switch config for vlan 3003 should read: vlangroup6: vlan: 3003 members 2t,9t,10t The actual VLAN group number there is not relevant. VLAN 3001 appears to be something else there. EDIT: Moved out of wireless, this isn't a wifi issue. Steve
• V

  WAN packet loss when new LAN connection made
  • vx  

  2
  0
  Votes
  2
  Posts
  19
  Views

  

  @vx said in WAN packet loss when new LAN connection made: Does anyone have any idea or even an idea on what to troubleshoot? You can start with packet captures to see what's actually happening on the network. PfSense has Packet Capture built in and you can also use Wireshark. I expect you have a managed switch, with port mirroring available. If so, you can run Wireshark on a computer and use mirroring to watch individual ports. The switch status lights may also help. For example, a defective connection might cause a port to switch to 100 Mb mode, which can be seen in the lights on many switches. So, you have to collect some info for us to provide advise, though I doubt it's a pfSense issue.
• S

  Has any one use type transparent in DNS resolver?
  • sabinlal28  

  1
  0
  Votes
  1
  Posts
  19
  Views

  No one has replied

• K

  Need hardware for PfSense gateway!
  • Keanu  

  4
  0
  Votes
  4
  Posts
  131
  Views

  

  Hmm Ok, well I know you can order from Voleatech: https://www.voleatech.de/de/produkt/sg-5100/ They are probably closest to you and have stock of most of our devices. Steve
• C

  Dynamic DNS (route53) failing after moving from virtual machine to sg-3100
  • Craquehead  

  2
  0
  Votes
  2
  Posts
  25
  Views

  C

  As is always the case, I was able to resolve this immediately after posting. the comments in https://www.ceos3c.com/cloud/aws-with-pfsense-part-2-route53-dyndns-with-pfsense/ suggest that there is some uncertainty around prefixing the zone id with "us-east-1" which may have changed around 2.4.0. My old VM had been through many upgrades so perhaps it was still working with the old value while my fresh install on the sg-3100 was not. I deleted the dynamic DNS entry entirely and recreated it from scratch with just the hosted zone ID sans the us-east-1 prefix, and it worked immediately. Hopefully this proves useful to someone in the future.
• L

  PfSense and Disabled Interfaces
  • lucas1  

  7
  0
  Votes
  7
  Posts
  127
  Views

  L

  @stephenw10 said in PfSense and Disabled Interfaces: You're right. Yes really network cards were messed up (by FreeBSD itself). re0 became re1, and vice versa. Defined it as you advised on MAC addresses. Changed their places in the slots. re0 became re0, re1 became re1. kernel ae0: phy read timeout: 17. kernel arpresolve: can't allocate llinfo for on ae0 In the interface properties, remove auto-negotiation and set the exact connection speed, for example 100 FD.
• A

  my client cannot connect to the internet from LAN interface
  • asti-mis  

  3
  0
  Votes
  3
  Posts
  38
  Views

  A

  Hi Sir Steve, Just to give you an update, my client is now able to ping external IPs, I just changed the Default gateway from None to Automatic under System>Routing>Gateways. Kindly see image below: My problem right now is, still my client was not able to access the internet or even ping 8.8.8.8 or google.com. Can you help me troubleshoot with this? I can't see any problem with our set-up. Below are some of my configs: YOUR HELP IS GREATLY APPRECIATED, SIR STEVE! :) GOD BLESS!
• A

  Alias table for FQDN is not updating.
  • atul.chauhan  

  7
  0
  Votes
  7
  Posts
  72
  Views

  

  @jimp Leonardo Acropolis thinks you are a genius.
• G

  PHP Error - Timezone
  • guilherme_egb  

  7
  0
  Votes
  7
  Posts
  68
  Views

  

  @guilherme_egb Thanks.
• S

  Setup specific traffic through VPN
  • spiross  

  4
  0
  Votes
  4
  Posts
  85
  Views

  S

  That's great. Thank you very much. I'll give that a try and let you know how it goes. Many thanks
• P

  lets encrypt cert from pf sense to pydio
  • pooperman  

  2
  0
  Votes
  2
  Posts
  24
  Views

  

  how can I make the pydio work with the certificate? You don't. Install certbot on your pydio box and then let it get its own certificate.
• V

  Bootstrap XSS
  • vmb  

  5
  0
  Votes
  5
  Posts
  67
  Views

  

  The file could be stock and still not affected, it depends on the bug and how the library is used. I haven't looked deeply at that particular issue, but in similar cases in the past we've seen instances where we happened to not use a particular affected component so even though the vendor library was flawed, pfSense was not vulnerable. So it does take a bit deeper analysis than just inspecting version numbers. Still, it is very out of date, so we are certainly looking at what the impact of updating it will be.
• G

  fix current time
  • guilherme_egb  

  20
  0
  Votes
  20
  Posts
  101
  Views

  G

  Sorry, I've answered wrong. Today, I'll try to change my time manually.
• 

  Admin user can't access users/groups
  • havastamas  

  14
  2
  Votes
  14
  Posts
  928
  Views

  A

  Just wanted to say thank you for this!
• 

  pfSense Service or DL Package for SIP-ALG?
  • VirtuousMight  

  13
  0
  Votes
  13
  Posts
  459
  Views

  

  @racecarr Hello, So our company decided to revert back to ring central after using dialpad for about a month. Our experience with their product and services was low-grade - in terms of voip quality and end-user app usability (stability and lack of admin accessibility). They rely to some extent on google data centers for some of their data operations which can be an advantage but also a dependency that is not fault tolerant. We experienced this when some database servers experienced disruption and our users where unable to access the app to get into their accounts to make calls. I do not recommend dialpad. It appeared to me their systems are underdeveloped when it comes to non-Ai and non-sync features, meaning the primary usage of voip with them was inconsistent and low-quality as they seemed to have emphasized other feature enhancements over the main functionality, being voice-over-ip call quality and connection stabilization .
• S

  Squid / ClamAV Experience
  • Stewart  

  11
  0
  Votes
  11
  Posts
  52
  Views

  

  Squid probably isn't tracking that accurately anyhow. You'd be better off with a setup more like netflow but that would require an off-box collector to keep the data and make graphs. ntopng may help locally.
• R

  Arpwatch not able send email notification
  • rifanrcd  

  7
  0
  Votes
  7
  Posts
  77
  Views

  

  Just installed aprwatch package. Settings used : Had to stop it an hour later : my (self hosted) mail box received hundreds of mails from arpwatch. This means : My Sys > Adv > Notifications has been set up correctly ;) "arpwatch" sends mail using the pfSense mail notational system .... and it does as advertised. Btw : take note of the warning : I know what 'gmail' might do when you bombard it with pretty identical mails (from the same IP). It will do what it should do : it will discard and block them .... Upfront, you should white list (make the sender mail a contact, etc). gmail is nice to be sued as a things-go-bad-notifier, but do not spam them.
• F

  routing Issue
  • fluctuationit  

  2
  0
  Votes
  2
  Posts
  30
  Views

  

  @fluctuationit Is the VM network adapter bridged or NAT? If NAT, you have the same subnet on both sides of it, which will not work.
• B

  High CPU user util
  • BlijeGub  

  15
  0
  Votes
  15
  Posts
  65
  Views

  B

  Fixed by disabling dhcpv6 which I didn't even need because router advertising is enough to get ipv6 working. Still don't know why dhcpv6 was causing the cpu spikes though.
• L

  Sync server firewalls with pfsense?
  • lewis  

  7
  0
  Votes
  7
  Posts
  86
  Views

  L

  Great input, I'll look into each of these and learn about them. Thanks very much again.
• 

  Trying to Understand Traffic Graphs
  • NollipfSense  

  8
  0
  Votes
  8
  Posts
  166
  Views

  

  @stephenw10 said in Trying to Understand Traffic Graphs: The GUI will become laggy when it has no upstream connectivity. That can be significantly worse on the dashboard where you may have several widgets that try to resolve DNS and check external sources. The update check, support status check, package update check, dyndns entries for example all have to time-out. However it should not take 3 minutes. That seems more likely all the cpu cycles were being used for some process that could not complete. Steve Thank you for explaining the lagging experience Steve! My 3 minutes was a guess estimate...I thought it checked for update when first launching Dashboard though. Dashboard was already opened.