• Streaming services discover using vpn

    20
    0 Votes
    20 Posts
    2k Views
    JonathanLee

    @johnpoz it had sandbox folders in it like snapshots of something. I never deleted that. It was really weird. Both V-100 spotlight folders and .trashes had that. I don't expose the NAS; it's protected behind the firewall. Could have been a timebomb bug and it never got implemented because I blocked it. I thought maybe someone else has that bug and they don't know what is making the IP show as high risk. I don't even think OS X uses sandbox; Microsoft does. Someone has to have seen this weird HDD resources consumption issue too. One can say it's the perfect place to hide. Some hidden folders that no one really looks at on any USB drive that is plugged into an Apple OS. An invasive actor might use it for a container to do proxy chains with, or an exit node. The normal users would not think to look at it; they just use the NAS and the NAS uses their Internet without them knowing. That could cause a bad IP reputation without them knowing. I was flat out confused, thinking why are the folders all of a sudden so massive in size. Just a weird situation. It's like a scary Halloween Pumpkin bug. Hey, that reminds me of the Metasploit's pumpkin I saw during a lab in October.

  • Upgraded mobo lost internet connectivity

    8
    0 Votes
    8 Posts
    733 Views
    johnpoz

    @THEVIKING said in Upgraded mobo lost internet connectivity:

    I have Pfsense router setup to send all traffic thru VPN to 192.168.20.100 (my PC)

    This doesn't make a lot of sense - so your pc is hosting vpn server? That outside clients connect to? Or you're routing your traffic out through a vpn on pfsense (client to some vpn service)

    You have some vpn on pfsense and you're doing a port forward through the vpn?

    None of these scenarios have anything to do with you changing the motherboard of your pc and pfsense. Not one of those scenarios has anything to do with pfsense and you changing your pc motherboard.

    The only thing that could change on your pc that might affect something you have setup on pfsense is the IP address of your PC. If it's still 192.168.20.100, pfsense doesn't give 2 shits what motherboard or OS or anything - it only cares about the IP address.

  • frustrating installation issue

    8
    0 Votes
    8 Posts
    783 Views
    stephenw10

    A D2250 should work; it would just be bandwidth limiting for PPPoE. But something like that will already be old, better to start with something newer anyway. 👍

  • Confusion in understanding one of the "Deny unknown clients" setting

    13
    0 Votes
    13 Posts
    2k Views
    johnpoz

    @SteveITS said in Confusion in understanding one of the "Deny unknown clients" setting:

    We used to have tenants

    While that seems like a very valid use case.. Thanks for a great example.. But that kind of puts you a bit above your typical home/smb sort of use don't you think ;)

  • Captive portal doesn't work with iPhone and Android

    4
    0 Votes
    4 Posts
    478 Views
    stephenw10

    Mmm, in fact it generally works better with mobile devices in my experience. Any recent version of Android or iOS can detect the redirection and prompt the user before they've even opened a browser.

  • Netgate 2100 & NUT or apcusbd w/ BX1000M

    8
    0 Votes
    8 Posts
    716 Views
    G

    lol yeah, @dennypage with just that it still works.

  • No backups could be located for this device.

    1
    0 Votes
    1 Posts
    127 Views
    No one has replied
  • Problem with traffic or limited traffic

    8
    0 Votes
    8 Posts
    691 Views
    stephenw10

    So was it passing full speed until recently?

  • Port forwarding not working properly

    26
    0 Votes
    26 Posts
    2k Views
    stephenw10

    That's what I would expect because the system routing table should be correct. Incoming traffic should always come from that route unless you have some route asymmetry somehow.

    It's the port forwards (NAT) that allow traffic from a single source IP to arrive via any gateway.

  • 0 Votes
    4 Posts
    468 Views
    stephenw10

    Is the OpenVPN server configured to listen on 'any' interface?

    If you can put a switch between igb2 and that PC, that would solve this.

    However, if you set OPT1 to track interface for IPv6 it will probably stop this happening. Even if you have no IPv6 on the WAN.

  • 0 Votes
    5 Posts
    515 Views
    stephenw10

    No solution yet as far as I know. Any progress here should be on the bug report.

  • Access from internet router to LAN

    11
    0 Votes
    11 Posts
    1k Views
    johnpoz

    @macaruchi said in Access from internet router to LAN:

    No, it doesn't

    So how would you expect pfsense to forward something that never gets to pfsense?

    Either you don't have the forward setup correctly in the router in front of pfsense, or the traffic is never even getting to that router for it to forward. You sure when you went to can you see me that the IP it sent the traffic to was the router's wan IP that you setup the forward to pfsense wan IP?

  • Adding Netgate 3100 to existing network

    16
    0 Votes
    16 Posts
    1k Views
    P

    @stephenw10
    That makes sense.
    Thanks

  • If someone accesses the PFSense admin screen, can I put in an attack tool?

    16
    0 Votes
    16 Posts
    1k Views
    johnpoz

    @stephenw10 yup that is a very good viable option.

    Or use that opt1 for your normal network, because the "lan" has the anti-lockout rule on it.

  • Crash

    3
    0 Votes
    3 Posts
    212 Views
    C

    @stephenw10
    Ok, I changed my hard drive. We’ll see!

  • CVE-2023-4809 in 2.7.0-RELEASE i.e FreeBSD 14.0 ?

    Moved
    6
    0 Votes
    6 Posts
    881 Views
    stephenw10

    There is no specific rule to block it. All unsolicited traffic is blocked inbound by default.

    Traffic is scrubbed by default, which prevents fragments passing, but even if you disabled that, most rules would not pass fragmented traffic because they cannot match without the header info.
    See: https://man.freebsd.org/cgi/man.cgi?query=pf.conf#FRAGMENT_HANDLING

    There's no way to actively pass fragments from the GUI, there is no fragment option on user rules.

  • Will pensense join vpp/dpdk

    7
    0 Votes
    7 Posts
    664 Views
    NollipfSense

    @planedrop said in Will pensense join vpp/dpdk:

    @NollipfSense I am guessing a typo, though that might be a difficult one to do....

    LMAO...

  • PHP Error

    6
    0 Votes
    6 Posts
    553 Views
    J

    It's definitely Home Assistant. I assume deleting the integration didn't completely get rid of everything. I'll have to do some poking around and see if I can find out how to disable whatever is left.

  • having issue migrating OpenVPN Shared Key to SSL/TLS

    2
    0 Votes
    2 Posts
    388 Views
    stephenw10

    Commonly it's because there are no iroutes to allow the OpenVPN server to know which subnets exist behind which clients. Those are not required in a shared key setup because it can only ever be point-to-point.

    https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html#create-client-specific-overrides

    Steve

  • Netgate 7100 1U will not boot various errors

    3
    0 Votes
    3 Posts
    451 Views
    J

    @stephenw10 That's great, thank you. I'll get that done

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.