• Netgear Orbi RBR50 no Internet Connection in AP Mode

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    20 Posts
    2k Views
    PhizixP
    @molepy, Thanks for the reply. What I am currently using works, but is VERY KLUGE. I hate that it kills all states, but that is the only way to make it work. Phizix
  • Three issues still apparent on 2.4.5

    4
    0 Votes
    4 Posts
    606 Views
    stephenw10S
    #2 there sounds like the expected behaviour with the CSRF check. That has been present for a long time but it was not obvious what was happening. In 2.4.5 a custom page was added that provides feedback: https://redmine.pfsense.org/issues/9799 #1 Obviously should not happen. It can take a lot longer to complete tasks if the firewall has no WAN connection and is trying to use one, such as if you have ACB configured. I've never seen it take 15mins just to complete the wizard though. #3 Is it possible you are doing that before completing or escaping the initial setup wizard? Steve
  • SSH and FRR Question

    2
    0 Votes
    2 Posts
    715 Views
    stephenw10S
    No, I don't believe that's possible. If the user has sufficient privileges to access vtysh they will be able to access pfSense. At least using the built-in user privilege management. I guess I could imagine a user whose default shell spawned vtysh.... It would probably be relatively easy to escape though. Steve
  • Bonding help between pfsense & Mikrotik SRS3xx (no vlan traffic passing?)

    2
    0 Votes
    2 Posts
    337 Views
    stephenw10S
    That should work fine. I'm not sure if I've seen that specific switch but LACP to MikroTik is quite common. What about if you assign the lagg port directly? Can you pass traffic without the VLAN? Steve
  • Buffer Bloat Mitigation w/o speed impact?

    11
    0 Votes
    11 Posts
    1k Views
    chpalmerC
    @StarsAndBars said in Buffer Bloat Mitigation w/o speed impact?: @chpalmer Thanks for your response. The Cable Modem provided by the ISP is a Hitronic CGNM-2250 and as it is a business-class account, I do not have the luxury of selecting my own. Since this is a Puma6 model modem keep in mind that it has some issues.. http://badmodems.com/ Make sure you have no UDP traffic going on while you are testing.. Some modems have various patches in place but depending on the ISP some do not.. UDP traffic can be quite the problem for these modems to handle.. VOIP, video, gaming etc.. If you are a Comcast customer then the only reason they will not let you use your own modem as a commercial customer is if you have purchased static IPs from them. Otherwise we do it all the time. I would bring up the Badmodems site to your ISP and see if they will give you another Broadcom based model..
  • LAN issues while establishing OpenVPN client connection

    3
    0 Votes
    3 Posts
    338 Views
    K
    Thank you! 'State Killing on Gateway Failure' was set and did not need to be. I'll have to wait for the next time the VPN goes down to be sure it solves my issue, but it looks like it should.
  • Pfsense LAN interface no access to internet

    3
    0 Votes
    3 Posts
    354 Views
    stephenw10S
    Yes, more information required. Are you replacing the MikroTik device with pfSense? What is the WAN connection type? Steve
  • Connecting via PPPoE modem on WAN to TalkTalk (UK ISP)

    13
    0 Votes
    13 Posts
    6k Views
    A
    Hey everyone. So. I've managed to get everything working. I am using TalkTalk Faster Fiber. This is my setup now: TalkTalk ISP wall box -> RJ11 Draytek Vigor 130 Modem (had to log onto it and manually configure it to be in Bridge mode) -> RJ45 pfSense SG1100, IPv4 and IPv6 configured as DHCP. I hope in the future this will help people who had the same questions I did! Cheers
  • Losing WAN connection intermittently

    31
    0 Votes
    31 Posts
    7k Views
    DaddyGoD
    @Raffi_ said in Losing WAN connection intermittently: A can of compressed air held upside down does the same thing. óóóó, the blessed physics and the expanding gases
  • ARP Table devices that Expires in 1161 seconds

    4
    0 Votes
    4 Posts
    555 Views
    W
    Ok thanks, I will just leave it. Cheers for the advice.
  • 0 Votes
    6 Posts
    2k Views
    GertjanG
    Your cert info looks like this : -----BEGIN CERTIFICATE----- MIIEqzCCApOgAwIBAgIRAIvhKg5ZRO08VGQx8JdhT+UwDQYJKoZIhvcNAQELBQAw GjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMB4XDTE2MDUyMzIyMDc1OVoXDTM2 MDUyMzIyMDc1OVowIjEgMB4GA1UEAwwXRmFrZSBMRSBJbnRlcm1lZGlhdGUgWDEw ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK5478BAQDtWKySDn7rWZc5ggjz3ZB0 8jO4xti3uzINfD5sQ7Lj7hzetUT+wQob+iXSZkhnvx+IvdbXF5/yt8aWPpUKnPym oLxsYiI5gQBLxNDzIec0OIaflWqAr29m7J8+NNtApEN8nZFnf3bhehZW7AxmS1m0 ZnSsdHw0Fw+bgixPg2MQ9k9oefFeqa+7Kqdlz5bbrUYV2volxhDFtnI4Mh8BiWCN xDH1Hizq+GKCcHsinDZWurCqder/afJBnQs+SBSL6MVApHt+d35zjBD92fO2Je56 dhMfzCgOKXeJ340WhW3TjD1zqLZXeaCyUNRnfOmWZV8nEhtHOFbUCU7r/KkjMZO9 AgMBAAGjgeMwgeAwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAw HQYDVR0OBBYEFMDMA0a5WCDMXHJw8+EuyyCm9Wg6MHoGCCsGAQUFBwEBBG4wbDA0 BggrBgEFBQcwAYYoaHR0cDovL29jc3Auc3RnLXJvb3QteDEubGV0c2VuY3J5cHQu b3JnLzA0BggrBgEFBQcwAoYoaHR0cDovL2NlcnQuc3RnLXJvb3QteDEubGV0c2Vu Y3J5cHQub3JnLzAfBgNVHSMEGDAWgBTBJnSkikSg5vogKNhcI5pFiBh54DANBgkq hkiG9w0BAQsFAAOCAgEABYSu4Il+fI0MYU42OTmEj+1HqQ5DvyAeyCA6sGuZdwjF UGeVOv3NnLyfofuUOjEbY5irFCDtnv+0ckukUZN9lz4Q2YjWGUpW4TTu3ieTsaC9 AFvCSgNHJyWSVtWvB5XDxsqawl1KzHzzwr1589F2rtGtazSqVqK9E07sGHMCf+zp DQVDVVGtqZPHwX3KqUtefE621b8RI6VCl4oD30Olf8pjuzG4JKBFRFclzLRjo/h7 IkkfjZ8wDa7faOjVXx6n+eUQ29cIMCzr8/rNWHS9pYGGQKJiY2xmVC9h12H99Xyf zWE9vb5zKP3MVG6neX1hSdo7PEAb9fqRhHkqVsqUvJlIRmvXvVKTwNCP3eCjRCCI PTAvjV+4ni786iXwwFYNz8l3PmPLCyQXWGohnJ8iBm+5nk7O2ynaPVW0U2W+pt2w SVuvdDM5zGv2f9ltNWUiYZHJ1mmO97jSY/6YfdOUH79RtQtDkHBRdkNBsMbD+Em 2TgBldtHNSJBfB3pm9FblgOcJ0FSWcUDWJ7vO0+NTXlgrRofRT6pVywzxVo6dND0 WzYlTWeUVsO40xJqhgUQRER9YLOLxJ0O6C8i0xFxAMKOtSdodMB3RIwt7RFQ0uyt n5Z5MqkYhlMI3J1tPRTp1nEt9fyGspBOO05gi148Qasp+3N+svqKomoQglNoAxU= -----END CERTIFICATE----- ? The "Certificate Private Key (optional)" is optional. Needed if you want to revoke the cert, something that has no real meaning for a "firewall GUI". Try with this part. Also : there is / was some cert issue, resolved in the 2.5.0 dev version. Check redmine.
  • PFSense unable to communicate with Salt Master

    10
    0 Votes
    10 Posts
    1k Views
    N
    @tlotr LAN IP? When something runs on pf and makes a network connection to a remote host, it uses the local IP of the gateway connected to that host. I believe you are not "protecting" the IP used by IPsec phase 2. Can you post your IPsec settings, especially P2, and a network diagram to make it clear?
  • How to block attached files, or infected with virus/malware

    Locked
    11
    0 Votes
    11 Posts
    2k Views
    GertjanG
    @bmeeks said in How to block attached files, or infected with virus/malware: Virus and malware detection now really needs to be done on the endpoint client because that's where the final decryption occurs. That is, today, mail servers still store the mail in clear text. So, when received, all mail, incoming and outgoing, can be - and should be - filtered. One of the first filters should be a known spam / known antivirus filter. The last filter is typically something called "DKIM" that adds a signature to the mail, so the receiving party can check the origin and validity of a mail. Example : when you send a mail to a gmail account today, using IPv6, gmail will not accept the mail if SPF + DKIM => DMARC doesn't pass the check. When the mail account user interacts with his mail box, using a mail client, the mail is passed through an SSL layer again. A mail server belongs on a dedicated device (server) equipped with a 'simple' firewall, fed by tools like fail2ban so slammers and 'rule breaking mail servers' (read : quick and dirty mail spammer servers) are recognized and blocked. My advice : never ever run a mail server on pfSense. And also : no need to put pfSense in front of a mail server.
  • System Log: List Queue Overflow

    4
    0 Votes
    4 Posts
    448 Views
    J
    Sockstat seems to have helped. Looks like the cause is UPNP-PMPNat. I noticed a bunch of connections on port 2189 from pfSense to my NAS. Disabled these services and they seem to go away. Will see how the log looks in the AM.
  • Wifi calling issue

    7
    1 Votes
    7 Posts
    10k Views
    M
    Update: I made the change suggested by @tman222 last week and have not had a single issue since then. Both phones now work fine, and it did not require any new NAT rule. The value of udp.multiple can probably be tuned as the "conservative" mode keeps connections open for a while. I also took a look at the internals of Android to figure out the default time between NAT-T keepalive packets. The constant of interest is (aptly) named NATT_KEEPALIVE_DELAY_SECONDS. Stock Android shows that it has a value of 10 seconds (probably why a Pixel phone works immediately), so either Samsung or all the US carriers are changing its value to something different. The constant is defined in the file IkeSessionStateMachine.java under com.android.internal.net.ipsec.ike. Thank you all!
  • pfSense-upgrade upgraded: 0.84 -> 0.85

    2
    0 Votes
    2 Posts
    269 Views
    jimpJ
    https://github.com/pfsense/FreeBSD-ports/tree/devel/sysutils/pfSense-upgrade
  • OpenVAS found vulnerabilities in pfSense host

    2
    0 Votes
    2 Posts
    824 Views
    jimpJ
    Most of those are not relevant since they aren't even the right OS/Platform/etc. That doesn't even mention what port the notification was triggered by, but since they appear to be HTTP, probably the GUI. The ones that don't mention a specific name are very old, and I find it hard to believe they are still relevant against a modern nginx or haproxy like the one used on pfSense. Also, depending on how you performed the scan, if you have NAT rules, you might actually be scanning a device behind pfSense and not pfSense itself.
  • New, noob, just up and running and a little hiccup?

    31
    0 Votes
    31 Posts
    5k Views
    GertjanG
    @netblues said in New, noob, just up and running and a little hiccup?: Browsers first try to connect via IPv6. If they - the devices on a LAN - have an IPv6 that can route to the outside, and they have an IPv6 gateway. A solution might be : set IPv6 to None on the pfSense LAN interface setting. Devices on LAN can still communicate among each other using IPv6 using auto assigned IPv6 addresses - the fe80.... ones - but will not use IPv6 to visit "the world". [image: 1594618134192-414fbddf-419e-45ef-8b2a-abf4eac6c5c0-image.png]
  • I cannot route between LAN and VLAN

    4
    0 Votes
    4 Posts
    511 Views
    johnpozJ
    @greymouser said in I cannot route between LAN and VLAN: Does it even need to be a VLAN if it's on its own port? No it doesn't - but what are you connecting these ports to? You can not just connect them to a dumb switch.. You need to either use different dumb switches for your different networks. Or you need to be connecting to a single device. If you're connecting into a switch - then you will need to set up VLANs on the switch for your different ports.. pfSense doesn't have to know anything about them.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.