Yes, check the logs when this happens, what's actually being triggered?

I'd also recommend setting the default v4 gateway in System > Routing > Gateways to WAN_DHCP instead of 'automatic'.

Steve

@dragonfly said in pfSense on netgate 6100 stops passing traffic multiple times per day:

there was an external IP address that was mercilessly hitting the firewall

If it was hitting the firewall I assume I was being blocked? If so adding a different rule to block it wouldn't change anything. Unless the new rule is non-logging and hit rate was so high that the number of block logs was creating a significant load.

@jimp said in Change default SSH shell?:

While you can't change the default without affecting things like the menu, you can have ssh start whatever you want. There are not a lot of alternatives available, though. But there is bash which you can install via pkg install bash.

Then SSH in with:

$ ssh root@x.x.x.x -t bash

Be aware if you try to use bash -l it will end up going right into the menu if you use root or admin. As a regular non-root user that should be OK.

Alternately, consider either having it run your preferred shell at the end of the tcsh .tcshrc or even patching the menu file (/etc/rc.initial) to run it directly for option 8.

Thanks! Well, there were a few options, and I think loading it from .tcshrc sounds like the best option, least intrusive :) I'll give it a go!

@ferchu

Thoughts?

MS AD Server or VM with LDAP & Radius role

LDAP Server & Radius Server based on Linux or BSD

MikroTik RouterOS with user manager (RB1100AHx4 (ARM))

pfSense with captive portal and the only have allowed to enter the CP menue for managing.

Shoo, managed to get in using pfsenses' IP from a different vlan. Now time to change my shorts.

Well, today my laptop was able to get a proper route and is able to use the internet as would be expected. I have no idea what is different from today as compared to yesterday. "I changed nothing" except that I unplugged the power from both the Netgate 1100 and the Arris S33 router overnight. I powered them up this morning, first the S33 and let it power up completely. I then powered up the 1100 waiting until the Console Menu popped up and then plugged in the S33 to the WAN port of the 1100.

The final steps were to plug in my usb to ethernet adapter into the laptop, I then started Wireshark and started capturing packets. No packets were being captured, as expected as the there was not cable connected between the laptop and the 1100. The final step was plugging in the cable to the 1100 LAN port.

Wireshark started capturing packets and shortly I had an address and a "proper" looking route:

$ ip a show dev enp0s13f0u3 6: enp0s13f0u3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:05:1b:b0:6f:f0 brd ff:ff:ff:ff:ff:ff inet 192.168.1.105/24 brd 192.168.1.255 scope global dynamic noprefixroute enp0s13f0u3 valid_lft 6386sec preferred_lft 6386sec inet6 2601:647:cb00:470a::2000/128 scope global dynamic noprefixroute valid_lft 6388sec preferred_lft 3688sec inet6 2601:647:cb00:470a:37d:3b80:545c:c086/64 scope global dynamic noprefixroute valid_lft 86396sec preferred_lft 14396sec inet6 fe80::faff:5f36:799d:482d/64 scope link noprefixroute valid_lft forever preferred_lft forever $ ip r show dev enp0s13f0u3 default via 192.168.1.1 proto dhcp src 192.168.1.105 metric 100 192.168.1.0/24 proto kernel scope link src 192.168.1.105 metric 100

And I could ping ucsc.edu:

$ ping ucsc.edu PING ucsc.edu (128.114.119.88) 56(84) bytes of data. 64 bytes from resnet.ucsc.edu (128.114.119.88): icmp_seq=1 ttl=53 time=12.1 ms 64 bytes from resnet.ucsc.edu (128.114.119.88): icmp_seq=2 ttl=53 time=15.0 ms 64 bytes from webops-vip88.ucsc.edu (128.114.119.88): icmp_seq=3 ttl=53 time=11.9 ms 64 bytes from webops-vip88.ucsc.edu (128.114.119.88): icmp_seq=4 ttl=53 time=11.4 ms 64 bytes from resnet.ucsc.edu (128.114.119.88): icmp_seq=5 ttl=53 time=11.1 ms 64 bytes from webops-vip88.ucsc.edu (128.114.119.88): icmp_seq=6 ttl=53 time=11.1 ms ^C --- ucsc.edu ping statistics --- 6 packets transmitted, 6 received, 0% packet loss, time 5008ms rtt min/avg/max/mdev = 11.053/12.102/15.016/1.361 ms

Not sure what I learned, I suspect I did something wrong, but for now I'll chalk it up to "be patient" and "never give up" :)

Thanks @SteveITS

@rickybaker said in Multicast/IGMP, Bonjour and UPNP Full enable double check?:

irect need for any setting. And as far as I can tell, the LAN settings on the Unifi Controller software don't really affect anything without a Unifi Gateway (which I don't have, just the pfsense)

lol I found this, my own post, while troubleshooting this exact same issue after creating an IoT subnet VLAN (always document the solutions kids!). @eustachy did you have to enable anything specifically to enable Multicast, Avahi and upnp across vlans?

Routed IPsec VTI:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routed-vti.html

FRR package:
https://docs.netgate.com/pfsense/en/latest/packages/frr/index.html?highlight=frr#frr-package

Basically, you would have two tunnels running at the same time at each side and FRR package would run OSPF or BGP dynamic routing protocols.

OpenVPN AS is not the same as OpenVPN. OpenVPN AS is their commercial product, not the open source server/client that is found in pfSense software and others.

That is OpenVPN "community" and it does not support SAML as far as I'm aware.

@dobby_ thank you, I really appreciated the content of the link you provided. I'm a newbie and this kind of documentation is really important for me.

Yes, that file, like everything else, is generated from data in the main config. So after a restart manual changes there would be replaced.

Does it work as expected if you call between internal extensions?

In situations like this it's almost always because the PBX is sending it's internal IP address for external devices to connect to with RTP and that of course fails. However that doesn't prevent outgoing audio normally.

What states do you see to and from the base-station when the call is connected but no audio is passed?

Steve

No, there's no way to do that in the pfSense config.

@stephenw10 the path I'm pursuing is to experiment outside of my main network using a couple laptops.

Txs all the help and advice!

Sometimes. It depends how far it boots and what it was doing when it failed.
Usually it just fails to boot because it cannot create a file that's required and after freeing up space it will boot normally. Since that isn't happening it seems more damage occurred. If it's running ZFS you may be able to roll back to an earlier BE snapshot. Or just do that as a VM snap if you have any. If you have config backups I would just reinstall and restore it.

Steve

@josepham Open a ticket for this.

https://go.netgate.com/

@jimp said in [Solved] Duplicated admins group...?:

There is a commit on https://redmine.pfsense.org/issues/14363 which corrects the behavior.

You can install the System Patches package and then create an entry for a2a2e8a8bee55d5b0c393d2c2d311a2fc8903bce to apply the fix.

I have that, I'll check the patch out, thanks :)

@stephenw10 said in GUI Lockout?!:

Ah, I see this could be the result of the duplicate user groups issue you also hit. I would resolve that first before digging any further here.

Thanks, I just finished typing in everything manually and somehow got DNS working too.. I hope there will be a limited number of rabbit holes ahead, I need it to "just work" for a while now... :P

I will try adding the SSH key tomorrow, with all that has been, just a tiny bit worried it won't work... :/

@stephenw10

I have loaded up 197 driver and will see how that goes.

@stephenw10 Well..it works 😊

I created a VIP on the pfsense.
Created my backend pool
Created my tcp front end.
Created an ACL matching 0.0.0.0/0 and using the default pool for ldap

Works like a charm.

Obviously, for larger implementations, i wouldn't do this but if you are a small to midsize operation with a need for ldap, why not use pfsense with built in proxy to handle it.