• 0 Votes
    6 Posts
    802 Views
    JKnottJ
    @jahonix: As long as both ends of a cable are configured the same way it doesn't matter. One manufacturer (r+m) made a comparison and found TIA568A to be capable of slightly faster transmission speeds than TIA568B. I cannot find the paper ATM though and can't explain why that should be. Just found on de.wikipedia that 568A is supposed to be the preferred standard in Europe and 568B is around in the US for historical reasons … oh well. The only difference between pairs is the twist rate. Each pair has a different twist rate, to minimize cross talk. However, with a 10 or 100 Mb cable, the same 2 pairs are used and only the signal direction reversed between A & B. With Gigabit, all 4 pairs are used. 568B goes back to what eventually became 10baseT, StarLAN. StarLAN was designed to share an existing 3 pair CAT3 cable with a telephone. The phone would be on the first pair (blue/white), with the 2nd (orange/white) and 3rd (green/white) used for the LAN. It also used a 6 position connector, as was common for phones. This also means that Ethernet was designed to share a cable with phones, but that's not recommended practice now. https://en.wikipedia.org/wiki/StarLAN
  • No access through interfaces

    4
    0 Votes
    4 Posts
    759 Views
    K
    @Grimson: @kcallis: This morning, in a moment of inspiration, I thought I would get tor working. So I configured polipo as well as tor and decided that it wasn't working for me. I removed the packages and find that I could no longer access the internet. Those aren't official packages, so whatever you did there probably messed with the pfSense install itself. Do a fresh install. I was hoping for a snazzy way to solve this problem, but the tried and true solution always wins! I was just burning my USB thumb drive when I saw your response! K.
  • Hdac0: Unexpected unsolicited response from address 0: 00000000

    2
    0 Votes
    2 Posts
    811 Views
    jimpJ
    The startup/shutdown beeps use the PC Speaker and not a sound card. Disable the sound card.
  • Is DMZ supported in pfSense firewall?

    5
    0 Votes
    5 Posts
    4k Views
    MikeV7896M
    If you want the servers in your DMZ to be accessible via IPv4, yes, you do.  If you have IPv6 available and you're happy with your DMZ devices being only accessible through IPv6 (assuming they support it), then there's no requirement that you create IPv4 port forwards.
  • [Solved] Pinging VLAN from LAN

    2
    0 Votes
    2 Posts
    331 Views
    J
    Disregard, got it working. Forgot to create a new virtual interface on my NIC on Mac OS X box.
  • 0 Votes
    9 Posts
    1k Views
    NogBadTheBadN
    Did you add the firewall rule? If you did, try changing it to an any any rule and does it then work? https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#Add_Firewall_Rules_for_IPsec TBH I just followed https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 and it worked, I then tweaked my settings to suit what I wanted after.
  • New, lost, hacked!

    18
    0 Votes
    18 Posts
    2k Views
    johnpozJ
    Dude I have been doing this for over 30 years, getting paid to do it for 25.. Before there were real computers and "networks" ;) Just not possible to "teach" you security in a few posts… I can answer your questions on how to block or allow something specific in firewall rules.. More than happy to help you understand how to read the headers in an email message, etc. But you have not given any actual evidence of being "hacked" more you have seen 1 too many movies or tv shows.. Did you just binge watch some episodes of Mr Robot? ;) Turning on pfsense is not going to fix your issue or really make you any more secure from being "hacked" than any off the shelf router.. When it comes down to it out of the box they do the same thing - they block unsolicited inbound and allow you out via a nat. It's not a magic box you turn on and it makes your network secure from being "hacked".. It's just a tool you use to secure your network.. But without the understanding of how to use the tool, it's not some magic thing you turn on.. Many new users hear oh I can turn on IPS and will be secure from hackers - sorry it doesn't work that way. If anything going to block the user from what they want to do when they want to do it.. And provide them with so much information it will just be overload of info they do not understand anyway.. For all we know you bought your phone off ebay and was jailbroken when you got it.. As to your bank account username and password being changed - sorry makes no sense.. Why would someone do that? And then not take any money? Come on did you maybe forget your password? And the username you norm use wouldn't work so it's different than the normal username you pick... Maybe you smoked a bit of the good stuff and got a bit paranoid after watching mr robot and thought someone changed your password - ie "hacked" you... Don't mean to make fun - You got some p0rn spam that said it was from you and you're getting hacked???
  • Traffic Graph with page : "graph.php"

    2
    0 Votes
    2 Posts
    495 Views
    GertjanG
    Hi, The page you mentioned does exist - but I guess it isn't really part of the GUI anymore. From what I make of your question, you are using a tool that parses the html of that page to feed your own stats. That's ok, but understand that pfSense can change format, data, etc all the time. It's up to you to change your parsing tools. I guess that after changing the kernel version, from 9 to 10 to 11 (FreeBSD) interface internal naming, numbering, details, data, whatever, changed, so these pages are useless right now. Consider them as leftovers from an old GUI version. They have to be updated first if you want to see any data. Because you wrote - or at least: set up - the parser, you might as well 'repair' the pages graph.php (and ifstats.php). It's PHP, not a hassle for an "IT" guy. Btw: never ever keep old version 2.4.0 have been replaced by two newer version already, when asking questions you should use the latest, because now you are asking a question about a version that no one uses anymore … (not a problem of course, but your question becomes non-answerable).
  • No Group RADIUS Authentication with Active Directory

    2
    0 Votes
    2 Posts
    634 Views
    jimpJ
    Take a packet capture of the RADIUS auth exchange. Load it up in Wireshark and inspect the reply from the AD server, see if it has the Class attribute and how it looks.
  • Allow user to choose gateway 'on the fly'

    12
    0 Votes
    12 Posts
    1k Views
    G
    Sorry for the delayed response… @johnpoz: "he wants to access the same site" That I think is still unclear.. I think it's more he wants to access site xyz wan 1, and then site abc via wan 2. But sure it could access site xyz 1 time with wan 1 and then next time with wan 2, etc.. This is exactly what I meant. Sorry for the broken English… Example: user 1 is a mobile user. He wants to connect to site "xyz.com" using wan 1. A few moments later, he wants to access this same site but using wan 2 without disconnecting from his actual LAN. As he does not have admin privileges he cannot access pfSense admin page to update his default gateway. @johnpoz: I think best way to do something like that would be with 2 proxies and then pointing your browser at specific proxy to use wan 1 or wan 2. This is a perfect workaround! I can set 2 proxies so users can choose which proxy to use. As each proxy is linked to a specific gateway the magic is done! Thanks a lot :-) kind regards
  • HOWTO: Automatic PPPOE connection reset in case of packet loss

    1
    0 Votes
    1 Posts
    533 Views
    No one has replied
  • Custom log rotation

    1
    0 Votes
    1 Posts
    313 Views
    No one has replied
  • 2.4.2 Connectivity Issues

    4
    0 Votes
    4 Posts
    912 Views
    X
    I believe my issues are related to the APU2 BIOS. I've rolled back all but one unit to BIOS V4.0.7. So far, no issues with those routers for the last few days. I haven't reinstalled any packages yet.
  • MOVED: Modifying URL via matching regex to rewrite url

    Locked
    1
    0 Votes
    1 Posts
    226 Views
    No one has replied
  • Supporting Let's Encrypt certificate generation and automated renewal

    6
    0 Votes
    6 Posts
    4k Views
    P
    I got it! Well, almost! From desec.io. But while fixing the shell script I wasted my 5 free attempts for this hour. You can add the proper TXT record with desec. I also had to install certbot, and its annoyingly long dependencies. After the temp ban is lifted (I think one hour) I let you know if I can really validate the service and install the cert. ---------------------- Worked! IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at:   /usr/local/etc/letsencrypt/live/xxxxxxx.dedyn.io/fullchain.pem   Your key file has been saved at:   /usr/local/etc/letsencrypt/live/xxxxxxx.dedyn.io/privkey.pem   Your cert will expire on 2018-04-16. To obtain a new or tweaked   version of this certificate in the future, simply run certbot   again. To non-interactively renew *all* of your certificates, run   "certbot renew"
  • Issue after restart

    6
    0 Votes
    6 Posts
    886 Views
    B
    Tks for that. I was scared someone would say that :( Will try the same setup on another computer with 2 nice and see how it goes. Will update. Tks
  • 3 Routers setup how TO ???

    13
    0 Votes
    13 Posts
    842 Views
    NogBadTheBadN
    What is the model of the linksys switch? What spec is the fiber?
  • 0 Votes
    2 Posts
    271 Views
    NogBadTheBadN
    They'll be under /var/log/snort :- [2.4.2-RELEASE][admin@pfsense]/var/log/snort: ls -alg total 100 drwxr-xr-x  9 root  wheel    512 Jan  5 20:52 . drwxr-xr-x  7 root  wheel  1024 Dec 19 20:59 .. -rw-rw----  1 root  wheel      0 Dec 22 12:17 alert drw-rw----  3 root  wheel  4096 Jan 15 11:15 snort_igb0.256577 drw-rw----  3 root  wheel    512 Jan 13 00:08 snort_igb0.343654 drw-rw----  3 root  wheel  2048 Jan 15 00:20 snort_igb0.427080 drw-rw----  3 root  wheel  3072 Jan 15 00:20 snort_igb0.516395 drw-rw----  3 root  wheel  2048 Jan 15 00:20 snort_igb0.658303 drw-rw----  3 root  wheel    512 Dec 19 21:10 snort_igb035478 drw-rw----  3 root  wheel  12288 Jan 15 09:05 snort_pppoe054518 -rw-rw----  1 root  wheel  56255 Jan 15 18:05 snort_rules_update.log [2.4.2-RELEASE][admin@pfsense]/var/log/snort: The entries in red are directories, the info is stored under here.
  • Intel CPUs Massive Security Flaw issue

    95
    0 Votes
    95 Posts
    27k Views
    w0wW
    Do not update microcode now, wait. @https://support.lenovo.com/ee/en/solutions/len-18282: Withdrawn Broadwell & Haswell CPU Microcode Update:  Intel provides the CPU microcode updates required to address Variant 2, which manufacturers like Lenovo then incorporate into their UEFI firmware. Intel has notified manufacturers of quality issues in the initial Broadwell and Haswell microcode updates with instructions to no longer distribute the affected microcode. As such, Lenovo has withdrawn previously issued UEFI firmware containing the affected Broadwell and Haswell CPU microcode. We will issue revised UEFI firmware updates as soon as possible following Intel’s release of revised Broadwell and Haswell CPU microcode. Servers affected by this issue are noted, below, as “Earlier update X withdrawn due to a microcode quality issue.” @robi: I'd love to see some general-purpose tool to edit BIOS files and update microcode inside them. Something that would know most BIOS formats, open the BIN file, advise which binary microcode file to choose, and compile a new image from it. Because most manufacturers won't care to release BIOS updates for motherboards older than 1-2 years. pfSense would also want to have a nice GUI somewhere to allow us to browse for a microcode pack we can download from Intel etc. and apply it at each boot at runtime. And write in the logs whether the runtime update was successful or not. It is not so simple. Every BIOS is copyrighted by AWARD, AMI and whoever else… Phoenix  ;D. So you just can't edit it without buying proper license and most manufacturers use also security checks, for example I just can not flash edited BIOS into Asus motherboard with standard methods — only BIOS flashback function or hardware tools, also there are some special BIOSes like HP uses for their enterprise grade hardware. Even not so universal tool for BIOS modding like UBU have had copyright problem with AMI.
  • Sometimes no internet connection/extremely high ping

    1
    0 Votes
    1 Posts
    209 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.