• Routing pfsense dns server dynamic DNS updates through VPN tunnel

    4
    0 Votes
    4 Posts
    651 Views
    J
    @stephenw10 that worked Thanks so much for your assistance!
  • Block network Access with correct Static IP

    11
    0 Votes
    11 Posts
    1k Views
    stephenw10S
    @johnpoz said in Block network Access with correct Static IP: @stephenw10 how would that work exactly? You would have to setup static arps for every IP that was possible. And then when you wanted a new device with IP, you would have to remove / edit that static arp.. That would be a real PITA to manage.. Yup. far more trouble than it's worth! And, yes, it only does anything for traffic going through pfSense obviously.
  • Use 2 interfaces as 1 LAN

    4
    0 Votes
    4 Posts
    605 Views
    V
    @igorbarrosmcz No, LAGGs are meant for binding interfaces to achieve failover, load balancing or throughput enhancement.
  • [Solved] pfSense Cron reboot with email-telegram notification

    9
    0 Votes
    9 Posts
    1k Views
    A
    @stephenw10 Yes, from what I see I can't edit it. If you can mark it for anyone with the same "problem" (mostly newbies), so if they Google it they know it works. Once again, thank you!
  • 1g pppoe CPU bottleneck on 3100

    4
    0 Votes
    4 Posts
    804 Views
    F
    @stephenw10 Thanks Steve.
  • 0 Votes
    20 Posts
    2k Views
    stephenw10S
    I suggest that all of those are because the IP you're testing from got locked out of the firewall due to excessive login attempts and its existing states were cleared. That applies before the user rules so it still hit and logged. The arrow there shows it was blocked outbound on PCLAN_1G which is almost always out-of-state traffic because the state was closed. The extra rule you have added does nothing more than block some traffic without logging before it hits your block everything rule anyway. Steve
  • Incorrect bandwidth monitor values

    40
    0 Votes
    40 Posts
    3k Views
    stephenw10S
    Is that a config from 2.4.5? SSH keys were not included in the config until 2.6. You can probably remove that section from the config to allow it restore. Steve
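    The reply above suggests removing the SSH key section from a newer config.xml so an older release can restore it. The following is an added example (not code from the thread or from pfSense) of doing that safely: it drops only a named top-level section and re-serialises the rest, so the backup stays well-formed XML. The root element `<pfsense>` is the real one; the section name `sshdata` and the sample config contents are assumptions for illustration and should be checked against the actual backup before use.

```python
"""Remove one top-level section from a pfSense config.xml backup.

Added example, not from the forum thread or from pfSense itself. Assumes the
backup is a plain (unencrypted) XML export whose root element is <pfsense>.
The section name 'sshdata' is an assumed name for the host-key section; check
the real tag in the backup you are editing.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down config.xml carrying a section that an older
# release may not understand. The key material is placeholder text.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <version>21.7</version>
  <system>
    <hostname>fw1</hostname>
    <domain>example.internal</domain>
  </system>
  <sshdata>
    <sshkeyfile>
      <filename>ssh_host_ed25519_key</filename>
      <xmldata>UExBQ0VIT0xERVI=</xmldata>
    </sshkeyfile>
  </sshdata>
  <interfaces>
    <wan><if>igb0</if></wan>
    <lan><if>igb1</if></lan>
  </interfaces>
</pfsense>
"""


def strip_section(xml_text: str, section: str) -> tuple:
    """Return (new_xml, removed_count) with every top-level <section> dropped.

    Only direct children of the root are removed, so a same-named element
    nested deeper (if any) is left alone. ElementTree does not keep comments
    or the XML declaration, so the declaration is re-added by hand; review
    the output before restoring it.
    """
    root = ET.fromstring(xml_text)
    victims = [child for child in root if child.tag == section]
    for child in victims:
        root.remove(child)
    new_xml = '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")
    return new_xml, len(victims)


def top_level_sections(xml_text: str) -> list:
    """Names of the root's direct children, for a before/after sanity check."""
    return [child.tag for child in ET.fromstring(xml_text)]


if __name__ == "__main__":
    before = top_level_sections(SAMPLE_CONFIG)
    cleaned, n = strip_section(SAMPLE_CONFIG, "sshdata")
    after = top_level_sections(cleaned)
    print(f"removed {n} section(s); before={before} after={after}")
```

Run it against a copy of the backup, diff the result against the original, and only then import it; the before/after section list makes it obvious if anything other than the intended section changed.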
  • Restoring

    Moved
    7
    0 Votes
    7 Posts
    837 Views
    O
    That worked. I was able to uncheck the serial option, saved a backup, and imported it with no problem. Thanks all for the help.
  • Ethernet detached event for wan after OpenVPN P2P client enabled

    2
    0 Votes
    2 Posts
    413 Views
    stephenw10S
    Pretty much the only thing that can cause a link event like that, other than it actually losing link, is if you are running Snort or Suricata in inline mode and it restarts. Is that possible? A gateway event on the OpenVPN tunnel could be triggering that restart. Do you have the OpenVPN tunnel interface assigned? Steve
  • 0 Votes
    5 Posts
    2k Views
    NogBadTheBadN
    @bogusexception said in pfSense Captive Portal on VLAN with Unifi WiFi APs... ...oh my!: @stephenw10 Sorry I wasn't clearer. Most like brevity and complain when there are details. The following use case is strictly for the VLAN operation desired: Employees see the AP's SSID, "Team" for example. They enter the known password, known by all team peeps. They are presented with the CP (captive portal) challenge for user & pw from pfSense. They have their own user & password on pfSense, and use it to get past the challenge. Once successful, they are on their own, with traffic restricted at pfSense using VLAN firewall rules, like the other VLANs. Now for each of your questions: Do you mean simply entering the wifi pass key (WPA2/3)? Yes. Steps 1 & 2 above. Or are you using the Unifi captive portal for that? I was/am not aware that is an option, that is, only entering their unique creds when connecting to the AP. I'm fine with that! If it's the latter then serial captive portals could be a problem. I see what you mean, like cascading them. No, none of the incomplete/outdated examples I found do that. Really, as long as each user can log onto the network (VLAN 20) via WiFi, it is a win. I just picked the closest examples I could find, and none are working as the OPs say they do. P.S. Not that it should matter, but there is no addressable switch in this scenario: just a pfSense box with 2 physical interfaces, and a few APs. They just have user access group restrictions more involved than most. I hear you can't use the LAN interface if there are VLANs on it by some, but at the moment I can't get the CP credential challenge page to come up once they log into the AP's SSID that matches traffic for VLAN 20. Seems overly complex, thought about using WPA2-Enterprise & FreeRADIUS?
  • Jumbo Frame on i211/igb adapters not working

    17
    0 Votes
    17 Posts
    1k Views
    JKnottJ
    @rmac1813 I just gave that as an example. I also mentioned Internet2 as another. Many people have yet to move on from 1500 byte MTU and even struggle with frame expansion, to allow VLANs etc., which happened years ago. My first work experience with IP was on token ring, which supported much larger MTU. With even home Internet connections over 1 Gb (my ISP recently announced plans for 8 Gb) I wonder how long before ISPs start allowing larger MTU. A few years ago, I first came across a 10 Gb connection in my work. It was for a major bank's data centre.
  • pfSense+ registration key usage

    Moved
    5
    0 Votes
    5 Posts
    718 Views
    stephenw10S
    Mmm, I'm not aware of any issues with multiple keys registered by the same user (email address). You can choose multiple subscriptions in the store. I believe we did add a limit there since some people immediately tried to get 1000 keys! Steve
  • Some websites don't load, but all get through the ISP router

    10
    0 Votes
    10 Posts
    1k Views
    N
    @johnpoz Yup, that was it. I at least have most things acting normally now. I'll find out as I keep going if anything else pops up, but I'm thinking that was probably it. Now I just need to migrate my whole network to new VLANs...
  • Hardening guidance for pfSense (PCI DSS)

    5
    0 Votes
    5 Posts
    4k Views
    H
    @robh-0 Hi Rob, requirement 2.2 in PCI DSS v3.2.1 is to create configuration standards for all in-scope system components. Here is the requirement text: 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to: • Center for Internet Security (CIS) • International Organization for Standardization (ISO) • SysAdmin Audit Network Security (SANS) Institute • National Institute of Standards Technology (NIST). As an update, I've now been advised that I can use the firewall STIG to create my configuration standard (Firewall SRG - Ver 2, Rel 2 https://public.cyber.mil/stigs/downloads). It's not pfSense specific so it will be a case of going through and applying the recommendations to pfSense where applicable. So for me this is sorted out - thanks for your responses.
  • pfSense on vm for remote access using vpn

    6
    0 Votes
    6 Posts
    849 Views
    stephenw10S
    Yup, can be a VLAN. pfSense treats a VLAN the same as any other interface. It can even be something obscure like PPPoE. Though I would not recommend that unless you have no other choice. Steve
  • iperf3 on pfsense server (slower) different to client (faster) - Why?

    4
    0 Votes
    4 Posts
    631 Views
    johnpozJ
    @rwillett said in iperf3 on pfsense server (slower) different to client (faster) - Why?: Interestingly I didn't get much better throughput on the Macbook client with 5 threads. Well this is pretty maxed out for a gig connection already. [ 7] 4.00-5.00 sec 111 MBytes 935 Mbits/sec [ 7] 5.00-6.00 sec 112 MBytes 935 Mbits/sec So no, you prob wouldn't see much better than that ;)
  • IGMP Proxy for IP-TV

    4
    0 Votes
    4 Posts
    864 Views
    stephenw10S
    Those firewall logs are all blocked ACK traffic to connections that have already closed. Not a problem: https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html#troubleshooting-blocked-log-entries-for-legitimate-connection-packets So did you have pfSense in place when you were using the USG-Pro? Either way I'm not really sure how you can pass multicast through the UXG-Pro with or without pfSense. Steve
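    Two replies on this page (the one above, and the earlier one about blocks on PCLAN_1G after a lockout cleared the states) make the same point: a "block" log entry for a TCP packet with ACK/FIN/RST but no SYN is usually a packet for a connection pf no longer has a state for, not a real policy hit. The following is an added example (not code from the thread or from pfSense) that applies that rule to raw filterlog lines so the noise can be separated from genuine blocked connection attempts. It follows the filterlog CSV layout in the Netgate docs (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 or IPv6 header fields, then length, source, destination, then the TCP/UDP fields) and handles both IPv4 and IPv6 even though the sample lines are IPv4 only. The log lines, hostnames and addresses are constructed for the example.

```python
"""Classify pfSense filterlog 'block' entries as stale-state noise or not.

Added example, not from the forum thread or from pfSense. Field positions
follow the filterlog CSV layout documented by Netgate; anything that is not
TCP or UDP is parsed for addresses only and left unclassified.
"""
import csv
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (not real log data); addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 14 10:01:02 fw1 filterlog[67890]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,3141,0,DF,6,tcp,52,192.0.2.10,198.51.100.20,52214,443,0,A,1234567,7654321,4096,,
Jan 14 10:01:03 fw1 filterlog[67890]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,3142,0,DF,6,tcp,52,192.0.2.10,198.51.100.20,52214,443,0,FA,1234568,7654321,4096,,
Jan 14 10:01:04 fw1 filterlog[67890]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,3143,0,DF,6,tcp,60,192.0.2.10,198.51.100.20,52215,443,0,S,99,0,65535,,mss
Jan 14 10:01:05 fw1 filterlog[67890]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,3144,0,none,17,udp,78,192.0.2.10,198.51.100.20,51000,53,58
Jan 14 10:01:06 fw1 filterlog[67890]: 5,,,1000000103,igb1,match,block,out,4,0x0,,64,3145,0,DF,6,tcp,52,198.51.100.20,192.0.2.10,443,52214,0,RA,7654322,1234569,0,,
"""


@dataclass
class Entry:
    interface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    sport: str
    dport: str
    tcp_flags: str  # empty for anything that is not TCP


LINE_RE = re.compile(r"filterlog\[\d+\]: (?P<csv>.+)$")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one syslog line from filterlog; return None for other daemons."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = next(csv.reader([m.group("csv")]))
    ipver = f[8]
    # The IPv4 header block is 8 fields and IPv6 is 5; both are followed by
    # length, source, destination and then the protocol-specific fields.
    if ipver == "4":
        proto, base = f[16], 17
    elif ipver == "6":
        proto, base = f[12], 13
    else:
        return None
    src, dst = f[base + 1], f[base + 2]
    sport = dport = flags = ""
    if proto in ("tcp", "udp"):
        sport, dport = f[base + 3], f[base + 4]
    if proto == "tcp":
        flags = f[base + 6]  # after source-port, destination-port, data-length
    return Entry(f[4], f[6], f[7], proto, src, dst, sport, dport, flags)


def classify(e: Entry) -> str:
    """'stale_state' for SYN-less TCP blocks, 'new_connection' for real attempts."""
    if e.action != "block":
        return "not_a_block"
    if e.proto != "tcp":
        return "unclassified"  # no flags to reason from without the state table
    if "S" in e.tcp_flags:
        return "new_connection"  # a connection attempt the ruleset refused
    return "stale_state"  # ACK/FIN/RST/PSH with no SYN: pf has no state for it


def summarise(log_text: str) -> dict:
    """Count entries per class over a block of syslog text."""
    counts: dict = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        label = classify(e)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_line(line)
        if e:
            print(f"{e.direction:3} {e.interface:5} {e.src}:{e.sport} -> {e.dst}:{e.dport} "
                  f"[{e.tcp_flags or e.proto}] {classify(e)}")
    print(summarise(SAMPLE_LOG))
```

On a real box, feed it `clog /var/log/filter.log` output (or the exported log) and look at what is left in `new_connection`: those are the entries worth a rule change, while a pile of `stale_state` blocks right after a state reset is the behaviour described in the two replies, not a leak.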
  • 0 Votes
    5 Posts
    812 Views
    S
    @stephenw10 Log compression off and a higher log size seems to have stabilized it. There's about 12 computers in that closet. There is cooling and venting into the closet and the alarm never went off but the case was pretty hot to the touch. Will keep an eye on it. Thank you.
  • pfSense as initial network filter

    17
    0 Votes
    17 Posts
    3k Views
    NollipfSenseN
    @johnpoz said in pfSense as initial network filter: https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html Thank you John for sharing.
  • pfsense stops at boot prompt need to press enter

    16
    0 Votes
    16 Posts
    3k Views
    stephenw10S
    Huh, that is good to know. And also truly bizarre! Thanks for the update. Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.