General pfSense Questions

• S

  Very strange DNS / Routing Issues
  • Stewart  

  3
  0
  Votes
  3
  Posts
  68
  Views

  S

  @Gertjan I'm sorry. I'm not understanding what you wrote. Unbound has forwarding disabled so it should be doing it's own resolving. I'm not sure what else you would want me to detail. Network Interfaces: LAN+All VLANS Outgoing Network Interfaces: LAN + OPT1 DNSSEC: ON Forwarding: OFF DHCP Registration: ON Static DHCP: ON OpenVPN Clients: ON As for the version issue. Just refreshing changes whether it says I'm on the latest or if there is a new version available. If i keep refreshing it switches back and forth. I'm assuming that is because sometimes there is response on the WAN and sometimes on the OPT1, however, I would expect it to either be correct in showing 2.4.5 or just fail. Since I've disabled OPT1 it's been correct every time I refresh. I know there is some kind of DNS issue on the AT&T side. I'm facing 2 issues that I see: Why DNS queries are sent out of OPT1 when the routing is still going out of WAN. Why DNS is failing and returning the wrong info over the DSL where it shows google.com at 192.168.1.254 and the Arris modem is trying to pass off the certificates. I assume that is because that is what the modem is sending. My best guess at this moment is that the DSL modem has been reset and is intercepting all of the traffic because it's waiting for a user to log in and activate. That's the only thing I can think of that would cause it to behave in this way. (I HATE DSL). I suppose what I need to know, then, is how to limit DNS queries to go out the interface that is the current route. I don't want queries going out OPT1 when routing has the data going over the WAN.
• M

  How to detect ISP Throttling / Shaping?
  • mmurrell  

  1
  0
  Votes
  1
  Posts
  37
  Views

  No one has replied

• P

  IGMP proxy not working properly, 2.4.5
  • ProxyMoron  

  9
  0
  Votes
  9
  Posts
  382
  Views

  P

  @penguin-nut Brilliant mate - many thanks - thats the starter for 10 i needed. I'll give it a shot at some point.
• R

  Export the Local User Database and Certificates.
  • ramses.sevilla  

  4
  0
  Votes
  4
  Posts
  43
  Views

  R

  @viktor_g, the only solution is? pfSense-01: Export the Certificate and the Key. pfSense-02: Import the Certificate and the Key exported. Create a new User identical to the User in the pfSense-01. To edit the new User and select to use the Certificate imported. It's right? The problem is the password of the new User, isn't it? Regards, Ramsés
• N

  Bug reporting rant + RADIUS authentication server incorrectly processing "Accept" messages
  • ndragun  

  5
  0
  Votes
  5
  Posts
  132
  Views

  

  What is your RADIUS server? FreeRADIUS or AD? Any 2FA features (like DIGIPASS)? can you check it with simple shared secret and userpass (like '123')?
• W

  Bypass openVPN with static route
  • WisceBIat  

  1
  0
  Votes
  1
  Posts
  58
  Views

  No one has replied

• F

  Internet alias
  • fedesoundsystem  

  11
  0
  Votes
  11
  Posts
  88
  Views

  

  And what sort of rules would you put in this group... Keep in mind rules on a network.. Quite a few of them you would want to be specific to that network... Pinging the specific interface for example - so you clients can validate they can actually talk to the gateway.. Maybe use dns to that interface... Sure you could allow dns to this firewall sort of rule.. Or you could use this firewall alias if you don't care if client pings another IP on the firewall.. How best to do the rules would depend on your specific setup and your specific wants and needs for what is allowed and what is not allowed. Do you even know what these are as of now? If so spell them out, and we can go through how you can do what you want with the min amount of rules. But smallest amount of rules is not always the best case.. Its very handy to put the rules on each interface so you can easy check with simple glance at that interface what that network can do.. Example... Here is a common sort of lock down that you might do for a network. I can look at that, and in seconds understand exactly what this network can an can not do.. It can ping pfsense IP on that network, it can ask it for dns, it can talk to it for ntp.. Any other port it can not talk to the firewall on.. That would be any other vlan, or the wan.. It can not talk to any rfc1918 address - ie any other network at all.. Then anywhere else - Ie the internet, it can do anything it wants.. Those rules take all of like 1 minute to setup.. And are easy and clear and easy to understand. I don't have to check floating tab and look to see if a specific rule as interface X in it.. I don't have to check an interface group.. Here is a group rule... But what interfaces are in that? If I would just take the extra 15 seconds and put the rule directly on the interface - I can easy see on any network EXACTLY what the rules are for that network... I don't have to jump all over looking to see if floating rule applies or if group has interface X in it, etc.. So while these features are handy if you have 100's of interfaces.. If your managing a handful.. Its easier to just do the rules on the interfaces directly - even if you might have to duplicate a bit of work.. It will make your life easier going forward!!!
• 

  Why the extra NTP servers?
  • JKnott  

  9
  0
  Votes
  9
  Posts
  184
  Views

  

  @jimp said in Why the extra NTP servers?: Best practice is to use no less than three NTP servers, for accuracy and redundancy. With one, you have no assurance the server is accurate. With two, you can't tell which one is wrong if they don't agree. With three, you can at least have a good chance at excluding an outlier. Yep. I have 3 stratum 1 servers and the pool. I figure that should be good enough. Also, according to what I read about multiple servers is the average is used, which results in better precision. BTW, here's an interesting book about accurate time from the NIST: From Sundials To Atomic Clocks
• 

  Connecting external drive via USB ?
  • chudak  

  1
  0
  Votes
  1
  Posts
  22
  Views

  No one has replied

• A

  Supermicro firewall SFP+ port back Compatible with UniFi switch USW SFP port
  • avsion  

  2
  0
  Votes
  2
  Posts
  47
  Views

  N

  Your modules don't need to 'vendor match' on each end, but they'll need to negotiate a link speed between them. SFP+ modules are typically 10G, while SFP are 1G. You CAN plug an SFP into a SFP+ slot, but you can't do the reverse. You'll have to look at module specifics if you want a 10G fiber to negotiate down to 1G, I've never done it and I don't know how well it's supported. Since it's a Supermicro chassis, and not something proprietary like Cisco, you should be able to pretty much use any vendor module on that side; I can't speak to UniFi on what modules they accept. So in a nutshell, you should be fine getting two 1G SFP UniFi (Ubiquiti) modules. Personally, I wouldn't pay $15+ for a 1G fiber module.
• C

  Low bandwidth extremely low for local network to WAN however normal for pfsense box to WAN.
  • chidmas  

  2
  0
  Votes
  2
  Posts
  46
  Views

  N

  @chidmas said in Low bandwidth extremely low for local network to WAN however normal for pfsense box to WAN.: N3050 I'm wondering if your CPU is getting choked out, it's pretty low spec with only two threads. Have you tried, and can you provide, the following: Monitored the CPU load while doing the hard-wired speed test Provide the model of the Intel nic Do a direct connect speed test (remove all hardware, just pfsense + workstation) check your logs for any errors
• N

  No internet access with pfsense on my virtual machine (VirtualBox)
  • Nemesis32  

  6
  0
  Votes
  6
  Posts
  63
  Views

  N

  @Gertjan Oh god! I did change what you suggested and it fixed my issue! I am not sure myself why i did change it but i'm defininitely learning from my mistake. Thank you so much!
• R

  High Availability in pfSense 2.4.5. Incongruity and BUG?
  • ramses.sevilla  

  6
  0
  Votes
  6
  Posts
  91
  Views

  R

  @jimp, I'm sorry but I'm afraid that something is wrong because in "Firewall > NAT > Port Forward" works well, when I change the value of the Virtual IP (CARP) in "Firewall > Virtual IP" It updates dinamically in "Firewall > NAT > Port Forward" but not in "Firewall > NAT > Outbound". Example. Firewall > Virtual IP > VIP CARP DEDI_NIC_FO (Type: CARP) => 80.80.80.80 Firewall > NAT > Port Forward: In the NAT Port Forward Rule We select Destination: VIP CARP DEDI_NIC_FO In the Rule appears the correct value of VIP CARP DEDI_NIC_FO. Firewall > NAT > Outbound: In the NAT Outbound Rule We select Translation > Address: VIP CARP DEDI_NIC_FO. In the Rule appears the correct value of VIP CARP DEDI_NIC_FO. We Edit and Change Firewall > Virtual IP > VIP CARP DEDI_NIC_FO (Type: CARP) => 90.90.90.90 Firewall > NAT > Port Forward: In the Rule appears the correct value of VIP CARP DEDI_NIC_FO. It's changed dinamically. Firewall > NAT > Outbound: In the Rule appears the old value of VIP CARP DEDI_NIC_FO. It's not changed dinamically. I think that It's not correct. Is this the correct way of operating or should It change dinamically too? Regards, Ramsés
• K

  bulk alias export
  • karolwatcher  

  2
  0
  Votes
  2
  Posts
  29
  Views

  

  @karolwatcher Backup... and teh same way for import. If adding some special use the XML Editor of your choice brNP
• M

  Increasing quality graph resolution
  monitoring rrd quality logging resolution • • madengineer  

  2
  0
  Votes
  2
  Posts
  38
  Views

  

  RRD intentionally aggregates data into larger intervals as the data gets older. The monitoring graphs are intended to provide troubleshooting information, not be a high-resolution, historical archive. For that you can query the device using something like cacti or zabbix or a plethora of others. Setting 8 hours x 1 minute resolution is pretty comprehensive. Anything longer than 8 hours and the resolution will be reduced.
• L

  fails to get WAN IPv6 address ( was wrong date and time)
  • lifespeed  

  48
  0
  Votes
  48
  Posts
  264
  Views

  

  @lifespeed So, don't select that. I don't know what you've done, but sometimes it's best to start from scratch, in case you did something you shouldn't have. Perhaps there's someone else here, who can help you with Comcast. My experience is with Rogers, where IPv6 works well.
• M

  Auto Config Backup not uploading
  • mOrbo  

  11
  0
  Votes
  11
  Posts
  115
  Views

  M

  I don't know why, but it started again on Sunday: Tue, 03 Mar 2020 02:00:18 +0100 (system): Scheduled backup Wed, 04 Mar 2020 02:00:19 +0100 (system): Scheduled backup ------- Sun, 24 May 2020 02:00:38 +0200 (system): Scheduled backup Mon, 25 May 2020 02:00:37 +0200 (system): Scheduled backup I haven't changed anything (not even a reboot).
• R

  Intermittent pfSense partial outage
  • rrab  

  7
  0
  Votes
  7
  Posts
  58
  Views

  R

  I have no good reason for using 8.8.8.8; I did this as part of trying to diagnose this issue, as the behaviour I was observing was that the internet was unavailable, but the gateway was still reporting as up, my supposition was that the ISP was prone to upstream failures - but I can revert this. I don't follow the recommendation (my lack of knowledge). Are you saying that the gateway alarm is result in openvpn restarting, and (for some reason) - that this resulting in being me unable to make connections outbound from LAN to WAN?
• N

  Hosting websites on DMZ gives cert error from LAN
  • notarobot  

  10
  0
  Votes
  10
  Posts
  94
  Views

  L

  I have tried a few hosting services before I decided to go with dedicated servers. They all promise a lot of good things, but my website was not working properly the minute traffic on it grows. I was really annoyed by this and I decided to look for other solutions and that is how I have found Dedicated server hosting. I use hosting from GThost and I am really satisfied with it. They have cheap dedicated servers that do a great job. I have their cheapest plan and I have never had any problems with my website. After finding out about them I have been recommending them to everyone because I love working with them. They have really low latency and they are constantly improving which is good for my website.
• V

  dev.ix.0.fc not persistent
  • verizu  

  3
  0
  Votes
  3
  Posts
  44
  Views

  V

  Yes found that yesterday while fiddling with sysctl ;) Made a PR to update the doc : https://github.com/pfsense/docs/pull/125
• L

  PPPOE weird Issue
  • lcs  

  2
  0
  Votes
  2
  Posts
  44
  Views

  L

  So I created a script in /usr/local/etc/rc.d/ containing /sbin/ifconfig re0 promisc which solves the problem. But why all of a sudden pfsense started behaving like this?
• 

  Clear interface statistics
  • cmcqueen  

  5
  0
  Votes
  5
  Posts
  52
  Views

  

  AFAIK the Interface statistics are pulled from netstat counters and there is no way to reset them from the command line. The one and only way is to reboot. -Rico
• M

  pfSense Rewrites Source IP for ICMP Errors Breaking Traceroute
  nat traceroute icmp • • miki725  

  18
  0
  Votes
  18
  Posts
  249
  Views

  J

  This got me today. I can confirm the floating rule for ICMP solves the issue.
• B

  New second Lan has no internet
  • bilal_io  

  3
  0
  Votes
  3
  Posts
  80
  Views

  B

  @stephenw10 Thanks a lot for your response Steve. I have just given up and factory reset pfsense. But your comment will be useful when I setup PIA (Yeah abbreviations are hard lol) VPN in a later date.
• T

  Temperature tracking?
  rrd cooling snmp sensors coretemp • • tjcooks4829  

  3
  0
  Votes
  3
  Posts
  90
  Views

  V

  You can also achieve this with telegraf and the exec plugin (sysctl)
• B

  performance impact of clicking "apply changes"
  • binary_bandit  

  9
  0
  Votes
  9
  Posts
  117
  Views

  B

  Got it. I have no issues waiting for p1 to appear I'm just trying to look at this as a learning opportunity. Thanks for all your help @teamits.
• S

  No link and flood of arpresolve: can't allocate llinfo for x.y.z.w on ix0
  • SG-net  

  3
  0
  Votes
  3
  Posts
  57
  Views

  S

  Software update on Mikrotik from 6.44.1 to 6.46.6 solved the problem. Sounds like Pfsense is handling some things a little bit differently than client/consumer OSes and this was an issue for Mikrotik. Thanks for help.
• A

  WARNING: failed to start mysql
  • ahmetakkaya  

  7
  0
  Votes
  7
  Posts
  70
  Views

  A

  I installed in ZFS pfsense test environment I'm still trying, working for now, I continue sudden closings I will install on the real system when I get results
• C

  [SOLVED] Inconsistant pinging across OPT
  • coatmaker618  

  10
  0
  Votes
  10
  Posts
  100
  Views

  C

  Glad to report it's fixed. After several existential crises I found the problem. Ends up while I was doing 498758967456798430674551 different things, I swapped some ports around, and got some bad routes. For whatever reason, PFSense preferred the bad routes to the good one. So I just went to "Diagnostics --> States --> Reset States" and reset all (literally the only option). Anyway, after giving everything a minute or two....it all just worked. I have no idea why those routes didn't clear out, but it's CERTAINLY a tool I'll remember in the future!!!
• P

  Signature change
  • Panja  

  11
  0
  Votes
  11
  Posts
  73
  Views

  

  +1 there you go. ;-) -Rico
• T

  Setup remote syslog: Can't receive anylog from pfSense
  • tienpro113396  

  9
  0
  Votes
  9
  Posts
  46
  Views

  

  my rsyslog.conf under ubuntu rsyslogd 8.32.0 # provides UDP syslog reception module(load="imudp" timeRequery="8" batchSize="128" threads="2") # needs to be done just once input(type="imudp" port="514") if $programname == 'dhcpd' then /var/log/pfsense-dhcpd.log & stop cat /var/log/pfsense-dhcpd.log May 20 19:29:37 172.16.0.254 dhcpd: Internet Systems Consortium DHCP Server 4.4.1 May 20 19:29:37 172.16.0.254 dhcpd: Copyright 2004-2018 Internet Systems Consortium. May 20 19:29:37 172.16.0.254 dhcpd: All rights reserved. May 20 19:29:37 172.16.0.254 dhcpd: For info, please visit https://www.isc.org/software/dhcp/ May 20 19:29:37 172.16.0.254 dhcpd: Config file: /etc/dhcpdv6.conf May 20 19:29:37 172.16.0.254 dhcpd: Database file: /var/db/dhcpd6.leases May 20 19:29:37 172.16.0.254 dhcpd: PID file: /var/run/dhcpdv6.pid you also need to check centos firewall/selinux
• M

  RADIUS: EAP-TLS with LDAP Authorization?
  • millnet-maho  

  1
  0
  Votes
  1
  Posts
  15
  Views

  No one has replied

• B

  Setup issues 6p Protectli Firewall
  • bill1  

  13
  0
  Votes
  13
  Posts
  183
  Views

  

  The OpenVPN gateway IP may not respond to ping. Try setting some other external IP to monitor across it.
• 

  Disable nginx access log (to remote syslog server)
  • arrmo  

  3
  0
  Votes
  3
  Posts
  31
  Views

  

  @Gertjan said in Disable nginx access log (to remote syslog server): True, these "access logs" are not really needed and do pollute de remote log. @arrmo said in Disable nginx access log (to remote syslog server): /var/etc/syslog.d/pfSense.conf Noop. This is the one that controls syslogd : /etc/syslog.conf Yes, agree with you! I was thinking filtering at syslog, but I like your idea better It's build here 985 -> 1080 in /etc/inc/system.inc I tried to rebuild somewhat the last statement : Mine is : *.* @192.168.1.4 so it excludes logs from 'nginx' as a program, or "Local5" as the facility, but no access. OK, you lost me there, sorry. With *.* ... everything gets sent across, no? I may be missing your point. It's also possible to inform nginx to shut up. See line 1447 : access_log syslog:server=unix:/var/run/log,facility=local5 combined; in the same system.inc file. What somewhat seem to work without any pfSense file edits : Yes, agreed! I like this approach. I changed that line to , access_log off; And voila, after a webConfigurator restart (to regenerate the needed files) ... no "noise" from the access log. I think this is the best way to go, agreed? Another solution : On the remote site, filter out Local5.Info messages Right, but that still means all those messages going across => lots of bandwidth and horsepower chewed up (for no good reason ... agreed?) Thanks for the thoughts and pointers - much appreciated!
• A

  LDAP Authentication Servers with Peer Certificate Authority not working properly
  • abockhold  

  5
  0
  Votes
  5
  Posts
  51
  Views

  

  After you make any change to LDAP SSL settings, run 16 and 11 from the console menu (ssh or physical console). Then test things again. PHP gets weird sometimes when populating the environment variables needed for LDAP to work. Unfortunately the PHP settings to configure LDAP directly don't work. On 2.5.0 you could have both CAs added to the trust store for the OS which would also likely solve it.
• 

  Low bandwidth on Virtual IP address
  • emammadov  

  5
  0
  Votes
  5
  Posts
  156
  Views

  

  Use the dual-home backup server if that's what you need. Make sure it cannot route between them though. If routing between those subnets is restricting the throughput then look into where that is. pfSense maxing out the CPU? You should be using different interfaces for the subnets, VLANs at least but preferably two NICs so you are not seeing throughput killed by the ACK traffic. Steve
• J

  Fatal trap 12
  • jejelectro  

  9
  0
  Votes
  9
  Posts
  122
  Views

  J

  Tanks for your help. i have seen with an other pc and only the other pc on the network, that there is no problem for 56 hours and when i reconnect my first pc the error appears in 3 hours. i checked this idea and if it doesn't solve the problem i will see to RMA with the retailler of the pc where pfsense is installed. i will post the solutions of this test. many thanks for your help have nice day Jérémy
• C

  Issue with network and Gmail and other Google pages
  • codybadger  

  22
  0
  Votes
  22
  Posts
  142
  Views

  

  @JKnott said in Issue with network and Gmail and other Google pages: Well, I'm allergic to Apple gear LMAO!
• P

  Slow Upload Speed on Gigabit Connection
  • Pointed  

  12
  0
  Votes
  12
  Posts
  215
  Views

  D

  I thought of it as fine tuning: Path to file: /boot/loader.conf.local.......................... and these as well: System -> Advanced -> Miscellaneous -> Power Savings Check "Enable PowerD" and set to "Maximum" or Hiadaptive" for all power states.......................... Anyway, I'm glad you solved the problem. PS:Unfortunately, I can't open the link, so I don't know how good a description you found.
• Z

  [Solved][But bug still present] Available Packages empty
  • zippydan  

  12
  0
  Votes
  12
  Posts
  115
  Views

  Z

  @kiokoman said in [Solved][But bug still present] Available Packages empty: anyway his ipv6 is missing a route to netgate I wasn't missing a route. pfSense insists on trying IPv6 first, even if no IPv6 interfaces are defined. This is semi-understandable considering IPv6 is the standard of the present/future, but seems to me that pfSense could check to see if there is any IPv6 configuration defined before attempting to use that protocol. The real problem, though, is that it seems to be incapable of graceful fallback to IPv4. A secondary problem is that the webUI gives absolutely no useful feedback about what is going on. The Dashboard update indicator just spins endlessly. The Installed Packages page just spins endlessly. Available Packages just shows a blank list. That's a pretty obtuse and unhelpful way of communicating there is a problem. Some error messages like: Could not resolve SRV records for _https._tcp.pkg.pfsense.org or Could not resolve A/AAAA records for files01.netgate.com or Timeout attempting to contact files01.netgate.com at 2610:1c1:0:6::40 or Timeout attempting to contact files01.netgate.com at 162.208.119.41 Would be much more useful error messages, indicating problems with DNS, IPv6 connections, or IPv4 connections, respectively, and would have saved me hours of troubleshooting time.