  • FRR, OSPF, and Loopbacks
    0 Votes, 9 Posts, 2k Views
    cmcdonald
    @vbman213 https://github.com/pfsense/FreeBSD-ports/pull/1011
  • VPN IPsec tunnel phase 2 shows 0 bytes of data
    0 Votes, 13 Posts, 4k Views
    stephenw10
    If DPD is enabled then the P1 will not stay up if the route between the end points is interrupted. However, if your tunnels are not using NAT-T then the P2 traffic will be ESP directly, and it is possible for that to be blocked, resulting in the tunnel establishing (over UDP port 500) but not passing traffic. Steve
  • pfSense + RADIUS + WPA2 Enterprise with EAP-TLS
    0 Votes, 3 Posts, 879 Views
    @alexmercer I did this recently. Followed the guide referenced above. No issues at all, worked first time.
  • Passing public /29 through one pfSense firewall to another
    0 Votes, 15 Posts, 1k Views
    Assigning an IP from the /29 to an interface means I can ping that IP from an external address. That shows, at least, the block is being routed to the main firewall. Couldn't get any internet access, 1:1 NAT etc. working though. Have now run out of time trying to diagnose, but ISP has swapped my /29 for a /28, which is more than enough for what I need for now even considering the 4 lost addresses (3+1 interface) - so have just put it on an interface on the L2TP instance and gone the easy way. Thanks so much for your help though - absolute legend!
  • re1: watchdog timeout error
    0 Votes, 17 Posts, 2k Views
    @stephenw10 ah ok, always learning something new every day.. figured Realtek made the driver for pfSense or FreeBSD and you just use it the way they made it.. didn't know about compiling etc... and then read it's not likely the drivers will be released in the next version of pfSense... probably because it's not a high priority kind of thing.. but always learning.. I'm just glad it's not the motherboard... as with this damn pandemic it's making it harder to get certain parts. I appreciate the info, learn something new every day
  • Cope bad peering of ISP Deutsche Telekom
    0 Votes, 16 Posts, 2k Views
    stephenw10
    Yeah, it would need to actually route to it using a static route. Outbound NAT does not route traffic. You're right though, you can't use a URL alias in a static route. Which is reasonable since adding 2055 routes to the table would be.... ugly at best! Steve
  • Su command becomes root without password
    0 Votes, 2 Posts, 213 Views
    @peter_apiit you need to set 'Password protect console menu' (System -> Advanced)
  • Viber in OpenVPN
    0 Votes, 7 Posts, 1k Views
    Gertjan
    @rumaru said in Viber in openvpn: 5242 4244 5243 9785 And any other port you might have forgotten / not know about. This rule (the last one, number 4) will always work:
  • pfSense syslog to Azure Sentinel
    0 Votes, 5 Posts, 2k Views
    @stephenw10 Yeah, for some reason it's not showing on the Tech Community for public viewing anymore, I'm not sure why... You can find more information about this project on my GitHub.
  • Website blocked until login to console
    0 Votes, 5 Posts, 328 Views
    stephenw10
    @dcoens said in Website blocked until login to console: Disable DNS Forwarder: When you set that in Sys > General setup you are telling the firewall to use the defined external DNS servers for its own connections, like from Diag > Ping or firmware checks etc. It will otherwise use its own DNS server, either the forwarder or the resolver, whichever is enabled. It's unlikely that change would have any effect on client connectivity. Steve
  • 0 Votes, 6 Posts, 850 Views
    johnpoz
    Yeah, a shortcut to the root of the NAS will show you all the shares, while a drive mapping has to really go to a specific share.. You can get specific with your shortcut if you want them going direct to a specific share..
  • Change (T)OTP response time from 30 seconds to 1 minute
    0 Votes, 3 Posts, 502 Views
    @stephenw10 Hello Steve, thank you very much for your help. I could not get it working with the Aegis Authenticator because it looks like Aegis has a bug and it only works with the FreeRADIUS default TOTP settings. So that is why I could not understand why I could not change the settings. However, after I installed Google Authenticator I could extend the OTP Lifetime to 60 seconds and also change the Hash Algorithm to SHA256. Google Authenticator automatically accepts those (non-default) settings.
  • 0 Votes, 4 Posts, 664 Views
    stephenw10
    Maybe no choice if they are really using PPTP still. If they are using GRE over IPsec, which I would expect to find more commonly, it implies they might not be encrypting it correctly. Steve
  • pfSense internal network on 'public' range
    0 Votes, 13 Posts, 1k Views
    johnpoz
    @w4436 said in pfsense internal network on 'public' range: I forgot to set Outbound NAT mode to Hybrid to take advantage of the manual rule I created. It works, now. Thanks! When you do this, route to a downstream network, pfSense would automatically add an outbound NAT for that network.. be it RFC1918.. Example: I duplicated your downstream network.. and if I add a route for RFC1918, it's auto added to the auto outbound NAT. But yeah, @stephenw10 is right - this is not a good idea, to just use public IP space internally that is not yours, or that is not actually routed to where you're using it. Let's just hope whoever this is - you don't need to get to any of their stuff ;)
    NetRange: 172.99.0.0 - 172.99.3.255
    CIDR: 172.99.0.0/22
    NetName: SOUNDVIEW
    Organization: Soundview Broadcasting, LLC (SBL-72)
    ;; QUESTION SECTION:
    ;www.soundviewbroadcasting.com. IN A
    ;; ANSWER SECTION:
    www.soundviewbroadcasting.com. 3573 IN CNAME soundviewbroadcasting.com.
    soundviewbroadcasting.com. 3573 IN A 172.99.1.34
    "for a customer who has run out of RFC 1918 subnets" Really?? The 10 space alone is 16 million addresses.. Now with 192.168 another 65,000, then another million with 172.16/12.. I find it very hard to believe they have used this up.. unless horrible IP management like using a /16 for every site out of the 10 space.. There is also the whole 100.64/10 space they could use, which is CGNAT space.. which is another 4 million. There is also the practice of using the documentation networks, like 192.0.2.0/24, or say 198.18.0.0/15, which is used for benchmarking - that again doesn't step on some other company's public space.. That is another 130K addresses. That someone could use all of this space up really just screams horrible IP planning and management.. And vs just fixing that, they start grabbing public space that is not theirs; normally it's the DoD space like 6.x, 7.x, 11.x, some of the common ones used... If they're using like 20 million devices on their network - they really, really should be working on deployment of IPv6 vs just snagging public.. I know this is not on you specifically - unless you planned out their misuse of RFC1918.. Yeah, just use the /16 for the finance department VLAN - with 3 people in it.. We will never use up this space ;) hehehe. Horrible misuse of network size is one of those things that just bugs me - sorry ;) You do have to quite often work with what you're given.. You see it here all the time where users are using 10/8 on their LAN or 192.168/16 -- you would think ah, it's just their 1 home - who cares if they use up all of RFC1918 with their 3 networks.. But such practice leads to nonsense in the work networks as well.. Just because space seems so large you will never use it up doesn't mean your network shouldn't be appropriately sized.. Companies that do this shit rub me the wrong way is all.. ;) Had a customer a few years back that used a /16 for their printer VLAN.. Was like WTF??? you have 20 printers.. Tops!!
  • Suricata Interface Rules on Bridged Interfaces
    0 Votes, 2 Posts, 754 Views
    stephenw10
    Probably depends how you have Suricata configured. Usually the only reason you run it on the internal interface is to have visibility on the internal IPs, in which case running it on the bridge would give you that. If you're running in-line mode you probably need to use the real interfaces. If you're running blocking mode the bridge filtering probably determines where it needs to be run. It's not a common deployment so I would recommend running some tests to see what works for you. Steve
  • DNS server is a client?
    0 Votes, 6 Posts, 972 Views
    @stephenw10 We can consider this resolved. I rebooted the machine this morning and something did not go well. I've factory reset and am back up and running. I probably broke it with all the packages I was installing; I will proceed with caution this time around. Thanks again.
  • pfSense 2.5 ATT bypass dumb switch
    0 Votes, 12 Posts, 1k Views
    /bin is a directory, try "cd /bin"
  • pfSense hangs on boot
    0 Votes, 9 Posts, 2k Views
    @gertjan As long as I don't configure the WAN port with DHCP or PPPoE the system works fine. The minute I put PPPoE on it and it refreshes, the system stops responding, and after a reset it stays on that line. And yes, I see link up.
  • Can VLANs on a Cisco AP work with pfSense?
    0 Votes, 13 Posts, 1k Views
    @jknott said in Can VLANs on a Cisco AP work with PFSense?: If you're using VLANs, you create one on a physical interface. Ok, I see. When I created VLAN 200 in pfSense, it ended up assigned to my LAN interface as em1.200. I was experimenting a couple of weekends ago and didn't catch that it was a virtual NIC. It's making more sense now, thanks.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.