• Identity NIC port

    0 Votes
    2 Posts
    539 Views
    stephenw10
    Are you sure that worked in 2.5.1? It looks like this was lost in the conversion to iflib, which was added in FreeBSD 12 and hence in all 2.5.X pfSense releases. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246885 Steve
  • Getting booted out and can't log back in.

    0 Votes
    2 Posts
    392 Views
    stephenw10
    Usually it's because, after completing the wizard, NTP kicks in after a few minutes; the session cookie then becomes invalid and the session expires. You should be able to just reconnect, but the CSRF check will complain. Steve
  • HELP!! Can not get my new pfsense install connected to my ISP and don't have internet!

    0 Votes
    3 Posts
    1k Views
    stephenw10
    @leumasstudios said in HELP!! Can not get my new pfsense install connected to my ISP and don't have internet!: "and made sure to set the MAC address in pfsense to 63:e3." That seems suspicious. You should not need to set the MAC address if it's using a dedicated NIC (pass-through). If you did, it implies something else is using that MAC, and spoofing it in pfSense will break layer 2. It sounds like you may have ended up with ESXi using that MAC. Steve
  • Strange LAN issue

    0 Votes
    3 Posts
    515 Views
    stephenw10
    Yeah, this is almost certainly an issue with the USB NIC or its driver. Do you see anything logged after restoring access, or at the console? Try swapping the NIC assignments: use the USB NIC as WAN. Does the WAN now fail? Using a real NIC there is the best solution. Using VLANs with just the on-board NIC would also be better than USB. Steve
  • Upgrade PFsense CE to PFsense Plus edition

    0 Votes
    2 Posts
    475 Views
    stephenw10
    Yes, it is still the plan. Unfortunately it has taken longer to get the required pieces in place and tested than originally expected. It's hard to guess a time scale with any accuracy at this point. It will happen! Steve
  • Pfsense installation on sophos xg 85 appliance

    Locked
    0 Votes
    2 Posts
    2k Views
    stephenw10
    This is a duplicate post. Continued here: https://forum.netgate.com/topic/166885/pfsense-installation-on-sophos-xg-85-appliance
  • pfSense fatal error allowed memory exhausted cause

    0 Votes
    6 Posts
    3k Views
    stephenw10
    @mikahe said in pfSense fatal error allowed memory exhausted cause: "PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 6992529389211575168 bytes) in /etc/inc/config.gui.inc on line 40" Mmm, that's like 7000 PB. An impossibly huge number! It can't be real. How big is your actual config file? What were you doing at that time? Steve
  • Setting up FreeRadius/OTP

    0 Votes
    8 Posts
    1k Views
    @nogbadthebad My only differences: for the first image, I am listening on 127.0.0.1 instead of *. Image 5: I did not have that. FreeRADIUS users: Password Encryption set to MD5-Password for me.
  • Facebook Time Card

    0 Votes
    1 Posts
    230 Views
    No one has replied
  • requirements for IPS/IDS & Wifi?

    0 Votes
    4 Posts
    759 Views
    To isolate devices on a Netgate router with switched ports, you can set the ports to act like separate ports. Each is its own network. Then devices connected via those ports are isolated unless you set firewall rules allowing them to talk to other networks. At 100 Mbit/s I'd fully expect the 2100 to be fine running IDS. At 2000 Mbit/s I'd expect it to have problems. Not quite sure where the middle ground is, but I'd guess around 300-500 Mbps. IDS (Snort/Suricata) is set up on an interface on the router, so it can be set up on one of the ports, generally LAN. Re: IDS with VLANs, see this thread. So if you run Snort on LAN it should function for any of the VLANs that are set up on any of the LAN ports as well.
  • External pfSense access, with NAT and CARP?

    0 Votes
    4 Posts
    687 Views
    MrPete
    @steveits And.... SOLVED it. Without the GUI, it's almost impossible to see real issues. WITH the GUI, the problem quickly became visible: long ago, I created a final FW rule on WAN allowing me to control logging of dropped packets. New Port Forward configs create FW pass rules on WAN... and place them at the end. Which means that, with the above block rule in place, none of the port forward pass rules do anything ;) Disabled my block, and all is well!
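    The ordering problem MrPete hit, as an added example in Python (not part of the post, and not pfSense code): pfSense evaluates interface rules top-down and the first match wins, so a catch-all block that sits ahead of the NAT-generated pass rules makes those pass rules unreachable. The same first-match model is why, in the switched-ports answer above, separated networks stay isolated until a pass rule is added. The rule fields, the sample WAN ruleset and the `shadowed_rules` audit are all constructed for illustration; the audit reports any rule that is fully covered by an earlier one, which is the check a practitioner would run before trusting a new port forward.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical minimal model of an interface ruleset. pfSense applies
# interface rules first-match ("quick"); this is an illustration, not
# pfSense's own code or config format.


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp" or "any"
    dst: str              # destination CIDR, or "any"
    dport: Optional[int]  # destination port, None = any port
    label: str            # free-text description, as in the GUI description field


def _net(cidr: str) -> IPv4Network:
    """Translate the 'any' keyword into the all-hosts network."""
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def matches(rule: Rule, proto: str, dst: str, dport: int) -> bool:
    """Does a packet with this proto/dst/dport hit the rule?"""
    return (
        rule.proto in ("any", proto)
        and ip_address(dst) in _net(rule.dst)
        and rule.dport in (None, dport)
    )


def evaluate(rules: List[Rule], proto: str, dst: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation; implicit default deny when nothing matches."""
    for r in rules:
        if matches(r, proto, dst, dport):
            return r.action, r.label
    return "block", "default deny"


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet that matches `later` also matches `earlier`."""
    return (
        earlier.proto in ("any", later.proto)
        and _net(later.dst).subnet_of(_net(earlier.dst))
        and (earlier.dport is None or earlier.dport == later.dport)
    )


def shadowed_rules(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Rules that can never match, each paired with the earlier rule hiding it."""
    found: List[Tuple[Rule, Rule]] = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                found.append((later, earlier))
                break
    return found


# Constructed WAN ruleset mirroring the post: a catch-all block that was
# meant to be last, followed by a pass rule the port forward appended later.
WAN_RULES = [
    Rule("pass", "tcp", "203.0.113.10/32", 443, "allow https to web host"),
    Rule("block", "any", "any", None, "log dropped packets (catch-all)"),
    Rule("pass", "tcp", "203.0.113.10/32", 1194, "NAT: OpenVPN port forward"),
]


def without_catchall(rules: List[Rule]) -> List[Rule]:
    """The fix from the post: disable the catch-all block rule."""
    return [r for r in rules if "catch-all" not in r.label]


if __name__ == "__main__":
    for later, earlier in shadowed_rules(WAN_RULES):
        print(f"unreachable: '{later.label}' is hidden by '{earlier.label}'")
    print("before:", evaluate(WAN_RULES, "tcp", "203.0.113.10", 1194))
    print("after: ", evaluate(without_catchall(WAN_RULES), "tcp", "203.0.113.10", 1194))
```

    Run stand-alone it reports the OpenVPN pass rule as unreachable and shows the same packet going from block to pass once the catch-all is removed. On a real pfSense box the equivalent check is simply reading Firewall > Rules for the interface from the top and confirming that no broad block precedes the rules you expect to pass traffic.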
  • Issues resetting states

    0 Votes
    15 Posts
    1k Views
    @jkalber You're welcome. Just help someone else someday. :)
  • Site is on Squid proxy server Whitelist, but it is blocked

    0 Votes
    3 Posts
    472 Views
    @mcury said in Site is on Squid proxy server Whitelist, but it is blocked: "Allowed SSL ports, in squid configuration, does it include port 444?" I did what you told me and it worked. I added the tip in the following fields: ACL SafePorts; ACL SSLPorts. Thanks
  • Passthru WAN from PFsense to Other Firewall/Router

    0 Votes
    2 Posts
    536 Views
    stephenw10
    You can just port forward the public IP to it for the required VPN ports. Or use 1:1 NAT for all ports. You could easily end up with some asymmetric routing though if the Firebox doesn't handle it correctly. Do you actually need a /16 on that LAN interface? Do you actually need those LAN side gateways defined in pfSense? They would only be required so that pfSense can access 192.168.0.0/24 for example. Steve
  • 0 Votes
    6 Posts
    787 Views
    stephenw10
    'Auto' allows the system to choose the default gateway based on what is up and in list order. If the DHCP WAN goes down and you have another gateway defined it will select that and, importantly, will not go back when the WAN comes back up. If you have internal gateways configured you should set the default to a specific gateway or group. Steve
  • pfsense 2.5.2 slowly leaking memory

    0 Votes
    44 Posts
    9k Views
    stephenw10
    If it doesn't show in the process list it's probably something in kernel like a driver. Are all the affected systems running on the same hardware? Steve
  • WiFi Subnet

    0 Votes
    8 Posts
    801 Views
    @johnpoz The isolation works as expected. When logged in to regular or Guest SSIDs I cannot ping or discover devices on the other network. That thread you referenced is a couple of years old. Apparently I bought my ORBI and satellites (last year) after the isolation issue was resolved, or it was resolved in an update prior to my using the Guest SSID. And thanks for your answer to my previous question about using a separate NIC interface for WiFi on pfSense. Doing so I'll be able to ensure control and isolation for my IoT devices and leave my Guest SSID just for... guests.
  • Managing Network Block Lists

    0 Votes
    8 Posts
    2k Views
    Thanks Steve, I'll do some more tests. I understand now I don't need DHCP, but using it ensures portable clients will get the pfSense DNS resolver and not their default network settings. When they get on another network they will get their IP address and DNS as normal. I think this has been my problem: knowing when a DNS lookup is coming from pfSense or from the VPN private DNS servers direct. My Windows setup is using my preset fixed IPs and specified DNS servers, which are Google or the ISP. Big mistake! I hadn't thought about DHCP with static lease mappings, but I'll research. I don't know if that will allocate the IP address I want unless pfSense can use client MAC addresses. When I do a DNS leak test, all my external IPs show as the VPN provider, along with their DNS addresses looking similar to their IP address. I don't see Google!

    Without using the wrong network speak, I'll explain what I and many others may want to achieve: small home networks using standard ISP-supplied routers can be compromised by the add-on 'Smart' clients that people are now just plugging in without considering DMZs or subnets. Some U.K. TV streaming (BBC & Netflix) and bank sites look for the public IP address and geolocation to allow access to their services. VPN providers using shared and rotated IP addresses are often blocked. In a family home network the ability to block websites or non-approved connected clients is important.

    My pfSense setup at the moment is: a local LAN for PCs using fixed IP addresses, where a small block of IP addresses is assigned to 2 firewall aliases, 'Pass to VPN' or 'Bypass VPN' to the WAN public IP; a DMZ interface with an IP address range for the Smart TV, media box and internet-connected hard disc recorder (the DMZ accesses my public IP, any packets to or from the LAN are blocked, and I regard the DMZ as low security); and a WiFi interface connected to the LAN on a fixed IP using VPN. This works for routing, blocking and allowing traffic, but I can't achieve DNS filtering.

    If I use DHCP fixed static mapping, wouldn't there be uncertainty that another client could get the wrong IP? I may be dumb, but it seemed to me that unless pfSense could get a client MAC address it can't reliably use the rules set for it? I think that's why I concluded each client would need a fixed IP address and the pfSense DNS server address. On a small home network that's easy to configure for each client, unless a wired laptop on a fixed IP moves elsewhere and won't connect wired to a DHCP router. WiFi connections aren't a problem because each connection on Windows defaults to DHCP. I'd like to use DHCP on pfSense, but I can't yet see how I can achieve selective routing?
  • NTP Peer Availability

    0 Votes
    15 Posts
    1k Views
    provels
    @stephenw10 Thanks for the link. Yeah, but I think there may be a DNS problem, since nothing showed for over 2 hours after boot. Will pursue.
  • Losing Wan Connection

    0 Votes
    7 Posts
    3k Views
    @ddave This is the post you want from BennTech. And yes, it does work. https://forum.netgate.com/topic/16217/howto-ping-hosts-and-reset-reboot-on-failure
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.