@sr10977 said in Automatic VLAN assignment: Where do I start? i guess by redesigning your network ? unless i'm misunderstanding something ofcourse

I would like to get the practice with the Cisco switch, in a kind of enterprise environment. I do want the lab to be able to reach the internet for updates and downloads and such but don’t want the lab to be able to reach any other networks. I currently have 4 VLANS on the PfSense, through the Ubiquity switch, one VLAN for my stuff, one for IoT stuff, one for the kids and one other. I may set up VLANS on the Cisco switch as I will have some VMs on the servers in the home lab...one kali machine, one metasploitable machine, one for a SIEM, and probably a Windows server and Ubuntu server. I will want to set up one for active directory as well. I basically want the lab to be its own network, with internet access through the PfSense box.

You could try running that cronjob manually without the '&' and see what output it gives you.

you should test from one device on the wan to one device to the Lan (and vice versa) and not to pfSense. pfSense is a firewall/route and not optimized to work as a client system/advanced/networking Disable hardware checksum offload Disable hardware TCP segmentation offload Disable Hardware Large Receive Offloading reboot and try again any additional package like ntopng / darkstat / suricata / snort ?

We deactivated all VLANs, also pfBlocker. Still sometimes websites timeout. During this timeout the client is still able to ping the website, also other websites work just fine. After some minutes everything starts responding again. Most of the time this happens if multiple pupils connect to the same website - in that case it seems that also more clients are affected by this misbehavior. I know, it's hard to troubleshoot this kind of problem, but help would really be appreciated. Where can I look next, what tests would you propose to narrow down the problem? Thank you again, elko_sc

kiokoman@nanto:/$ sudo mount -t nfs -o user=laboratorio 172.16.0.100:/tftp /mnt kiokoman@nanto:/$ ls /mnt ldlinux.c32 menu.c32 I would say nothing special is needed, but we don't know what you have configured maybe firewall rules, I see port tcp/udp 111 and 2049 on my server

@kiokoman Thank you for the reply the bxe1 is not being used only bxe0 for my fibre connection ix0 is a straight 10gb connection to my pc...

For the next guy/gal: to retain (the illusion of) bash as the login shell across reboots, I did the following: I installed the shellcmd package via the webui. I added the following "command line" as a "shellcmd": test -x /usr/local/bin/bash && for u in root nu; do chsh -s /usr/local/bin/bash $u; done I don't touch the default shells /bin/sh and /bin/tcsh. I think the one-liner above is executed by /bin/sh which is very similar to bash (except for differences, which I've never memorized). The one-liner is tested (I did a reboot). According to the documentation, I could have created something like /usr/local/etc/rc.d/bash-again.sh, made it executable and it would execute on boot. I'm pretty sure I'll go there next, since I want to re-establish other things on boot. In particular, I dislike that ~{root,nu}/.profile seems to be overwritten on startup. I'll be reverting my changes back, ty very much. If this reads a little hacky to you, well, yes, yes it is. Being new to pfsense, I guess there are some good reasons (control, repeatability) to change the login scripts. I realize this a "router appliance" first and a FreeBSD box second, regardless of my insistence to make it more like the later. But it also surprised the heck out of me. So indulge the noob for talking out of school and bloviating about his hopes and dreams.

Thanks will check

@kiokoman said in Error message in System log: ip address of network ? is it a public ip? there is no reason to hide a private address anyway Ignore it as it's harmless. it's basically saying "I can't remove that address from the ARP table because it isn't in the ARP table". It’s a private ip address, was just being careful If the error message means nothing bad I can live with seeing it in the logs

@johnpoz Ha, that took a while.

@johnpoz 2.4.5 sp1. Thank you

Thanks, @stephenw10 Yes, we are planning the upgrade to 2.4.5 but will take some more days as we need to get a downtime approved from our users.

i've tested again, here are my stats. 1GB down @ Comcrap. I'm happy with this throughput considering suricata/extensive pfblocker lists. [image: 1602482981356-52a984fe-fe15-4ae7-8d16-05117685f590-image.png] [image: 1602483010084-0af8c970-3f1f-4b94-99cf-deaeb7ef953a-image.png] [image: 1602483070869-2f696e8a-bd99-4b0f-b419-d60bbc2a9695-image.png]

yeah its disabled and I redacted my new account name above. enabling the admin and generating a new key for it works normally as you explained. no restrictions [image: 1602452278450-e0479304-a6b3-463a-b5a9-e7ed4d5a194b-image.png] bolded text9

@LesF In TCP mode (where traffic passes through unchanged) Haproxy can read the SNI 'hostname' requested.. But it cannot send a HTTP-reply. (a website-redirect is a Layer 7 HTTP action not a SSL Layer6 one..) It can choose a different backend server with a acl checks for a specific requested hostname. But it doesn't sound like that's what your after.. I think what you currently want is impossible.

@Bob-Dig No worries! I did check, with a specific server trying to use UPnP. If I don't manually set the WAN IP, it flags "Router WAN IP: Unknown". But if I set it ... it's happy, and uses it. I also have no issue writing a script to get my WAN IP, but not sure how to then set the variable in pfSense Thanks!

Yup, if you must do it then use the correct pkg versions. Just be aware of the risks before doing so. Steve

I have found the bottleneck to be ntop. Once disabled my throughput was better but not perfect. It seems ntop needs to be fine tuned for connections greater than 1GB otherwise it cannot process the data fast enough.