• To 2.5.1 or not? That is the question :)

    Moved
    0 Votes
    108 Posts
    36k Views
    @stefanl Same here. Went smoothly.
  • Unable to reach ip alias on remote pfsense through ipsec tunnel

    0 Votes
    3 Posts
    504 Views
    @jknott The traffic goes through the IPSec tunnel because the networks are defined in IPSec phase 2.
  • pfsense 2.4.5 LAN traffic suddenly stops on Proxmox 6.3

    0 Votes
    1 Posts
    199 Views
    No one has replied
  • 0 Votes
    3 Posts
    732 Views
    @stephenw10 Answer, hopefully in order... Version is 2.5.2 on the Azure VM and 21.05-RELEASE (amd64) on the 5100s. OVPN is site-to-site, pre-shared key, UDP on IPv4 only, Layer 3. On the remote server there is a point-to-site server (for use as a remote internet gateway). It's for travel use but nobody's travelling so there are no connections. Latency is 27-32 ms, WAN Azure to WAN local; 100-130 ms to the other sites from WAN local. I only have one local device so I haven't tried to replicate here. I could spin up a Hyper-V guest but not now; I am currently working on an alternative method, most likely a Linux server on the local LAN running OpenVPN as a server, and NAT port forward to the Linux server. We are up interactively but backups through the tunnels are an issue. Not an expert regarding state tables so I wouldn't know what to look for. I can try clearing the state tables after the trouble begins to see if that reset avoids a reboot to restore WAN performance. Would that provide useful information? We're not running IPsec now. We were, but IPsec failed after a recent upgrade. We switched to OpenVPN. I have read that the IPsec issue has been resolved but haven't switched back. One more observation. We do have a point-to-site server running locally. There is one user, a Synology RAID device that phones home and stays connected 24x7. It is used as an off-site backup device accepting snapshot replication and file share backups. It's been running without issues. It seems to be the site-to-site tunnels that are tripping us up, on the client side.
  • How to Route HTTP/HTTPS through 3rd Party Proxy?

    0 Votes
    3 Posts
    279 Views
    stephenw10
    When you run Squid in transparent mode on pfSense it adds port forwards to the listening interfaces to redirect traffic on ports 80 and 443 to localhost. You can just as easily add those manually and point them at some other IP where the proxy is. If it's on the same subnet things get complex to avoid asymmetric routes. But, yeah, it depends what the clients are and why they 'need' to use the proxy. The cleanest way to do it is configure the clients to use the proxy. pfSense doesn't have to do anything then beyond routing the traffic. Steve
  • Troubleshooting what caused pfsense to hang

    0 Votes
    3 Posts
    436 Views
    @jimp said in Troubleshooting what caused pfsense to hang: Since that device has a serial console, you should leave a serial client open and connected to the serial console at all times, with the client set to log the output and/or have a large (100k+ line) scrollback buffer while you're looking into the problem. If there is some kind of crash or other error condition it would be printed on that console. When it's locked up, check what is in the console output and see if the device responds to input over the serial console. Try things like using a menu option or hitting ctrl-t to see if it prints any output. If the output just stops and it is unresponsive at the console and across the network, then it's likely hardware related, though that isn't always definite. That's what I thought I should do. I only ever had to use the serial console during pfsense installation, but it would be a good idea to keep connected to it at all times and use it when this kind of issue happens.
  • Easyrule broken in 2.5.2?

    0 Votes
    6 Posts
    787 Views
    stephenw10
    Yes, do that. Or just paste the diff text into the patch directly. Steve
  • pfSense config w/ new Spectrum router & modem

    0 Votes
    8 Posts
    2k Views
    @marvosa Thank you for the info. EDIT: I think you were right, it was the traffic shaper. I deleted the existing shaper, re-ran the wizard and traffic speeds appear as fast as they should be and relatively stable! Thank you for your help... I'll post an update should anything change, but for tonight, it looks good!
  • How to Backup Plan

    Moved
    0 Votes
    7 Posts
    817 Views
    AndyRH
    I have ZFS on a gen 1 i3 with 8 GB RAM. When I switched I did not see any CPU or RAM difference.
  • FARM SIMULATOR 19 MULTIPLAYER PORT OPENING

    0 Votes
    15 Posts
    3k Views
    stephenw10
    DHCP Static Mapping is how pfSense refers to that. But we knew what you meant.
  • 0 Votes
    8 Posts
    3k Views
    JKnott
    @jgq85 It wouldn't be a WAN port. The WAN port connects to the Internet, though you could consider the port on the UDM as "WAN" as it's the one that's closest to the Internet. You can connect it to pfsense with either a separate LAN port on pfsense or VLAN.
  • Automated exfiltration advice

    0 Votes
    6 Posts
    1k Views
    bmeeks
    @gm192 said in Automated exfiltration advice: Thanks for all the advice. After reading the replies it looks like I'm going about things the wrong way. Using a firewall is set, but I get to choose the data exfiltration techniques and I've clearly tried the wrong one. I'll have a look at transferring large amounts of data and see if I have any success. I was thinking of trying DNS exfiltration, but I imagine I'd run into the same issues as before. Again, thanks for all the help and if you have any more advice it would be welcomed :) Here is a link to some Gartner data on Data Loss Prevention software (DLP): https://www.gartner.com/reviews/market/enterprise-data-loss-prevention. As I mentioned previously, this kind of software tends to start getting pretty expensive pretty fast. But it can be quite effective. The company I retired from ran a product on all user PCs, and also a few servers (might have been the Symantec one, now that I think about it). Any data copied from any network drive or local hard drive to portable media (i.e., CD/DVD-ROM or USB stick or hard drive) was logged. It recorded the logged-in user, the filenames copied, where they were copied from (source) and where they were copied to (destination). I believe remote alerts from this activity could also be generated. Even though I worked in network security, I was not directly responsible for managing the DLP product, so I don't know all of its features. It also goes without saying that having the proper permissions on file folders containing sensitive or proprietary data is paramount! You probably don't want to give the group Everyone read access...
  • How to manage 2 FTP servers behind pfSense using something like HAproxy?

    0 Votes
    2 Posts
    488 Views
    Does anyone have an idea about my issue? Thank you, Mauro
  • google LDAP connection failed

    0 Votes
    16 Posts
    3k Views
    Good morning, I have the same problem. This is the last row of the error report:
    69034 /diag_authentication.php: ERROR! Could not bind to LDAP server Google. Please check the bind credentials.
    Jul 20 18:51:20 stunnel 69347 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
    Jul 20 18:51:20 stunnel 69347 LOG3[0]: SSL_accept: /build/ce-crossbuild-252/sources/FreeBSD-src/crypto/openssl/ssl/record/rec_layer_s3.c:1544: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
    Jul 20 18:51:20 stunnel 69347 LOG6[0]: Peer certificate not required
    Jul 20 18:51:20 stunnel 69347 LOG5[0]: Service [Google] accepted connection from 127.0.0.1:50399
    Jul 20 18:50:45 stunnel 67696 LOG5[ui]: Switched to chroot directory: /var/tmp/stunnel
    Jul 20 18:50:45 stunnel 67696 LOG5[ui]: Configuration successful
    What can I try to test the LDAP functionality? Thanks, Alberto
  • How to configure mail server behind pfsense router

    0 Votes
    10 Posts
    5k Views
    Gertjan
    @nikla said in How to configure mail server behind pfsense router: I have been running my mail server on a server/NAS at home for 15 years. I do it to motivate myself to learn things. You might be correct when you advise me not to run a server exposed on the internet at home. I still believe that it is possible to run a server at home using a pfSense router in front of a NAS. I still fail to configure that so my question remains. I just wanted to warn you that using a 'mail server at home, behind an ISP type WAN IP' is cumbersome. It's excellent for the "how to do so" and "learn" practices, I agree. But as soon as you get the hang of it, you want an always-on solution, which means: no bad ISP land line problems, no DNS issues, no power issues, no drive-went-bad issues: you don't want to bother with all the hardware details. You want to be reachable (by mail) at all times, even when you go off to the beach for a couple of days. That's why I advise the "2$ / month solution". For me, my Synology devices are just used for what they are meant to be: backing up local devices. Btw: NATting port 25 TCP to an internal device is like NATting port 143 TCP to an internal device is like NATting port 110 TCP to an internal device is like NATting port 993 TCP to an internal device, etc. etc. Just that one number changes. About the certs (from Let's Encrypt): the pfSense package 'acme.sh' is handling the renewal. Every 60 days or so, when I get a mail that informs me that the cert "*.mydomain.tld" has been renewed, I export the two new 'cert' files and import them in my Synos. True, this is a manual operation and I have one month (after renewal) to do so. I actually do not really need 'known' certs on my Syno; self-signed or over-time certs will get flagged by my browser (if I didn't create an exception for my internal 'LAN-based' devices, as I do trust them anyway). You can probably also have the Syno ask for 'Let's Encrypt' certs.
  • How to block randomized MAC addresses?

    0 Votes
    20 Posts
    14k Views
    JKnott
    @jadejaws said in How to block randomized MAC addresses?: Mine does. DHCP Server service does anyway. That's not filtering. It's assigning an IP address to a MAC address. If it was filtering, you could create a rule to do that. I have worked with other firewalls that can filter on MACs.
  • Configuring pfsense to route traffic through DC pfSense

    0 Votes
    2 Posts
    297 Views
    Curious. Are you seeing Group Policy errors in some of your clients' Event Logs? If so, what are they? Wondering if you have a DNS issue, as AD relies heavily on DNS.
  • pfSense User VPN Super Slow

    0 Votes
    5 Posts
    1k Views
    @PerfectBake420, The issue you are having CANNOT be fixed without upgrading both the Server and Client side Internet to a minimum of 100 x 100. Your upload speed needs to be just as fast as your download speed at both locations. This is the nature of QuickBooks and not a problem with your VPN. Intuit has something called the QuickBooks Database Manager that runs on the Server hosting QuickBooks. However, don't confuse the "QuickBooks Database Manager" with something like SQL. The QuickBooks database may as well be a "flat" file. This means every time you access QuickBooks from a workstation it is taking all of the QuickBooks files on the Server and passing them over the network to the workstation. There are four QuickBooks files that are involved with one company file. They are the QBW, DSN, ND, and TLG files. Combine the total size of all those files and that is what has to pass across the VPN. Obviously, things probably work well within your LAN because you most likely have a Gigabit switch which is 1000 x 1000. There is NO WAY you can make this usable for an end user without very fast bandwidth, in both directions, at both sites. An alternative would be to set up another workstation at your office (a VM perhaps). Install QuickBooks on that workstation and have the user log in via Windows RDP to that workstation across the VPN. OR, if QuickBooks Online is a viable option you could migrate to it and pay the monthly fee. Unfortunately, I know a ton about setting up QuickBooks and it's something I'm not proud of. There is a saying in IT about QuickBooks. It goes: "I don't know why they call it QuickBooks, 'cause there is nothing quick about it"... at least from an IT standpoint.
  • GUI Failing to respond (Developer comment requested)

    0 Votes
    8 Posts
    1k Views
    @mccann25 I think we are having the same problem. I only have 1 DNS Resolver 127.0.0.1 -- I didn't get the Bad Gateway message, but I likely didn't wait long enough.
  • 2.5.2 Wan disconnects

    0 Votes
    4 Posts
    561 Views
    jimp
    It's possible the hardware problem started from the reboot during upgrade and not from anything in 2.5.2. You'd be surprised at how many hardware issues only start or get noticed after a reboot, and then seem to coincide with an upgrade as a result. But there isn't a lot to go on to say with any certainty what the cause might be. Are those logs in reverse order with the newest on top? It appears that way. Normally that kind of log message about a NIC only happens from a hardware event (e.g. cable is unplugged).
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.