• One WAN goes down immediately on connecting

    6
    0 Votes
    6 Posts
    771 Views
    GertjanG

    @robatwork:

    I had tried 8.8.8.8 as the monitor which also failed.  ….

    As far as I know, "8.8.8.8" has been set up to reply to ping.
    But this "8.8.8.8" can be far away for you - just count the 'hops' (actually: a router).
    You should know that every 'hop' has the right to throw away traffic that it thinks is "useless" because, for example, it's overloaded. And guess what: ICMP is just the protocol that gets thrown away if needed.
    A gateway monitor IP should be as close as possible - often this is a device from your ISP.

  • Multiple IPSEC IkeV2 "access levels"

    4
    0 Votes
    4 Posts
    636 Views
    NogBadTheBadN

    @gelcom:

    Thanks. It worked perfectly!

    The only point is that there is no place in pfSense where I can see which freeRADIUS users are logged in the VPN.

    This is not clear to me. What's the difference with this additional NAS-Identifier==strongSwan

    Yes, the only issue is not being able to see who's logged in via Status -> IPSec -> Leases; the only way is looking in the logs.

    Re NAS-Identifier==strongSwan: I also use freeradius for WPA Enterprise auth. If you add NAS-Identifier==strongSwan to the check items it basically says this user can only connect if the NAS-Identifier is strongSwan.

    You can use radsniff -x from the CLI to see what's going on; the capture in green is when I connect to the wi-fi, the blue via VPN.

    2017-12-28 13:47:46.598198 (25) Accounting-Request Id 90 igb0:172.16.1.11:37599 -> 172.16.1.1:1813 +5.827
    User-Name = "andy"
    NAS-IP-Address = 172.16.1.11
    NAS-Port = 0
    Framed-IP-Address = 172.16.2.41
    Called-Station-Id = "A2-2A-A8-98-9D-8C:L-Space Radius"
    Calling-Station-Id = "D0-4F-7E-85-D9-BE"
    NAS-Identifier = "802aa8969d8c"
    NAS-Port-Type = Wireless-802.11
    Acct-Status-Type = Start
    Acct-Session-Id = "5A44C1A4-0000000F"
    Acct-Authentic = RADIUS
    Connect-Info = "CONNECT 0Mbps 802.11b"
    Authenticator-Field = xxxxxxxxxxxxxxxxxxxx

    2017-12-28 13:50:02.817587 (7) Access-Request Id 222 lo0:127.0.0.1:26931 -> 127.0.0.1:1812 +0.014
    User-Name = "andy-ipad"
    NAS-IP-Address = xx.xx.xx.xx
    NAS-Port = 47
    Service-Type = Framed-User
    State = 0x3011d33a3212c931f791fe04904119c2
    Called-Station-Id = "xx.xx.xx.xx[4500]"
    Calling-Station-Id = "172.16.2.41[4500]"
    NAS-Identifier = "strongSwan"
    NAS-Port-Type = Virtual
    EAP-Message = 0x020300061a03
    Message-Authenticator = 0xa5eed6c6557dcb0727c1fc852dd6873f
    NAS-Port-Id = "con1"
    Authenticator-Field = xxxxxxxxxxxxxxxxxxxx

  • No active remote repositories configured.

    5
    0 Votes
    5 Posts
    3k Views
    A

    Re-installing and restoring my configuration worked and now I can see packages, thank you.

  • MOVED: getting always blocked by snort even IP is whitelisted

    Locked
    1
    0 Votes
    1 Posts
    231 Views
    No one has replied
  • Disable DNS rebinding protection

    14
    0 Votes
    14 Posts
    8k Views
    R

    The DNS forwarder (dnsmasq) uses the option --stop-dns-rebind by default, which rejects and logs addresses from upstream nameservers which are in the private IP ranges. In the most common usage, this is filtering DNS responses received from the Internet to prevent DNS rebinding attacks. Internet DNS responses should never come back with a private IP, hence it's safest to block this.

    There are some cases when public DNS servers have private IP address replies by default, though it is not recommended. In those cases, DNS rebinding can be disabled or an override may be placed in the DNS Forwarder Advanced Settings box as follows:

    rebind-domain-ok=/mydomain.com/
    Note this is automatically overridden for domains in the DNS forwarder's domain override list, as the most common usage of that functionality is to resolve internal DNS hostnames.

  • Rules info 1770009538.. as an example

    4
    0 Votes
    4 Posts
    553 Views
    johnpozJ

    Just enable the descriptions in the firewall log settings… Or just view the full rules with

    https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset

    And you can see which rule that number shows up on..

    [2.4.2-RELEASE][root@sg4860.local.lan]/root: pfctl -vvsr | grep 1000000110
    @23(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    @24(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    @25(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    @26(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
    @27(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
    [2.4.2-RELEASE][root@sg4860.local.lan]/root:

  • Personal Sub

    2
    0 Votes
    2 Posts
    311 Views
    jahonixJ

    Yes.
    The one thing you may not do is resell pfSense (like bundled with your hardware). Using it is not restricted in any way.
    Supporting the project with a Gold Membership or through buying pfSense/netgate hardware is a plus, of course.

  • Inbound setup for VoIP(Vicidial) with 1 static IP

    3
    0 Votes
    3 Posts
    708 Views
    I

    Thanks for the reply @chpalmer, I just want to get my VoIP clients to work. When doing outbound calling I don't have any problem, but for my inbound I'm still working it out.

  • Failover to USB for hard drive crash

    3
    0 Votes
    3 Posts
    387 Views
    DerelictD

    Everything fails eventually.

    A good configuration backup taken regularly and a cold-spare system is a decent alternative.

    GMIRROR should ride out most failures of a single hard disk.

    ZFS should also help with a disk failure.

    Two live units in HA/CARP will generally have zero downtime if a node crashes.

  • Pfsense and ddwrt guest network guidance

    2
    0 Votes
    2 Posts
    662 Views
    S

    Pretty much my current setup (ddwrt provides nothing more than access points, pfsense handles everything else). You may want to have a read through here: https://forum.pfsense.org/index.php?topic=116980.msg720119#msg720119 Although the author is using lede/openwrt, the principles are the same.

  • How can untagged traffic end up on a VLAN?

    9
    0 Votes
    9 Posts
    1k Views
    jahonixJ

    I have several TL-SG3210 (trying to be a cheaper SG300-10 derivative) and 1x TL-SG5428 as well as 1x TL-SG5412F.
    Those are fully managed L2 "JetStream" switches and do not exhibit the behaviour of the entry-level smart switches. This is at home only. Since we use Cisco in the office and at clients' sites extensively, I probably would buy those for my home now as well.

  • VPN DNS Leak Test with Open VPN

    2
    0 Votes
    2 Posts
    599 Views
    TMilandT

    Hi,

    what are your DNS server settings on System / General Setup?

    Here's my settings:

    And Services / DNS Resolver / General Settings?

    I recently fixed this myself, but I'm not 100% certain what I did to fix the problem; I remember I changed some settings in these two places.

    As you can see here:

    https://vpn.ht/dns-leak-test

    My DNS is not leaking, as it shows the Google DNS.  ;D

  • PfSense LAN Port on OpenVPN - OPT1 Port Non-VPN - How To?

    1
    0 Votes
    1 Posts
    308 Views
    No one has replied
  • Increased Latency on LAN

    2
    0 Votes
    2 Posts
    538 Views
    JKnottJ

    By upgrading to pfSense, I assume you inserted a piece of hardware running it into the network. If so, then yeah, latency will increase, as the packets have to pass through the hardware. Don't forget, that packet has to be received, processed and transmitted by pfSense, so it all adds up. Also, if you're still using that Linksys as a router, don't bother. Just use it as an access point & switch. That will remove the latency of the router portion. See what the latency is when passing only through pfSense.

  • This is infuriating, FTP issues

    6
    0 Votes
    6 Posts
    593 Views
    johnpozJ

    Good catch Derelict - yeah "OUTSIDE address of my ISP" never going to work that way ;)

  • Crash and reboot on PF 2.4.2

    1
    0 Votes
    1 Posts
    307 Views
    No one has replied
  • PfSense underperforming, high jitter + random packet loss

    27
    0 Votes
    27 Posts
    7k Views
    N

    Yes, I tried with and without ECN.

  • Loss of LAN Connectivity

    2
    0 Votes
    2 Posts
    420 Views
    D

    An update…

    Opened a ticket with Netgate but do not expect any updates from them now until Tuesday.

    I have discovered that I can ssh into the device (via VPN) and issue an ifconfig down/up on the LAN interface and connectivity is restored. So to keep this thing working until I can get on site or Netgate finds an issue, I have added a crontab entry to run the ifconfig command every 5 minutes.

    I also checked netstat when connectivity is down and here is the output:

    [2.4.2-RELEASE][admin@shelter.applegate.privatedns.org]/root: netstat -i|grep cpsw1
    Name    Mtu Network      Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
    cpsw1  1500 <link#2>7c:38:66:26:ba:30  6412951    0    0  5694350    0    0
    cpsw1    - fe80::%cpsw1/ fe80::7e38:66ff:f        0    -    -        1    -    -
    cpsw1    - 192.168.1.0/2 shelter              5536    -    -    2488    -    -

    [2.4.2-RELEASE][admin@shelter.applegate.privatedns.org]/root: netstat -i | grep cpsw1
    Name    Mtu Network      Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
    cpsw1  1500 <link#2>7c:38:66:26:ba:30  6412963    0    0  5694356    0    0
    cpsw1    - fe80::%cpsw1/ fe80::7e38:66ff:f        0    -    -        1    -    -
    cpsw1    - 192.168.1.0/2 shelter              5542    -    -    2488    -    -

    [2.4.2-RELEASE][admin@shelter.applegate.privatedns.org]/root: netstat -i | grep cpsw1
    Name    Mtu Network      Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
    cpsw1  1500 <link#2>7c:38:66:26:ba:30  6412984    0    0  5694367    0    0
    cpsw1    - fe80::%cpsw1/ fe80::7e38:66ff:f        0    -    -        1    -    -
    cpsw1    - 192.168.1.0/2 shelter              5547    -    -    2488    -    -

    There are no output packets for IPv4…

  • Duplicate echo reply received

    1
    0 Votes
    1 Posts
    513 Views
    No one has replied
  • Are there any other support options

    5
    0 Votes
    5 Posts
    423 Views
    DerelictD

    The book is only $24.70. See .sig

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.