General pfSense Questions

• W

  Pfsense, No internet when it is said "You are connected".
  • weiphyo

  13
  1
  Votes
  13
  Posts
  589
  Views

  F

  @olakara said in Pfsense, No internet when it is said "You are connected".: Hello, I have the same issue ( 2.4.4-RELEASE-p1) and many others reported. The only solution is, don''t make any changes in CP settings when the users are connected. After making any changes, you need to "disconnect all user" from status. We have to wait until the bug get fixed. @johnpoz said in Pfsense, No internet when it is said "You are connected".: This? https://redmine.pfsense.org/issues/8616 Hello, I made a fix for it : https://github.com/pfsense/pfsense/pull/4031 You can now install this fix using patch package. After installing the patch, please reboot pfSense completly, otherwise you might have SQL errors in your logs (the errors should be about sqlite complaining of "unknown columns bw_up/bw_down"). If you can't reboot (production server?) you can alternatively click on "Disconnect All" in captive portal status page (after applying the patch), or disable/re-enable your captive portal zone (also after applying the patch) Don't hesitate to report me issues or to thumb up this PR on Github ! @gertjan said in Pfsense, No internet when it is said "You are connected".: You can ! Come over and I pay you even a beer or two while doing so ! ;) May i also request a beer ? ;) Update : multiple users are reporting me that they can't apply the patch on pfsense 2.4.4-p1. The patch has indeed be made for pfsense:master (dev, future 2.4.5 version). I will set up a patch for 2.4.4-p1 later
• M

  Facebook videos not loading after blocking all web access except facebook
  • mudassar

  9
  0
  Votes
  9
  Posts
  302
  Views

  T

  He doesn't want to hear the facts nor listen to the guidance we are trying to put forward. He does not want an answer to a complex question. He wants an answer to a simple question. The answer to the latter is: https and 443.
• I

  pfSense Azure appliance not passing SMB traffic to Azure
  • insobox49

  5
  0
  Votes
  5
  Posts
  84
  Views

  I

  I just read that it actually needs MSS Clamping to be 1350 or MTU at 1400 and misread the line in the pfSense as being MTU and not MSS. I just realized my mistake it's been a long three days in troubleshooting this. I just stopped and started the IPSec service on the Azure appliance after making that change and it worked the first few tries (this has happened a few times). I'll go ahead and continue testing to see if the results stick.
• M

  Help with troubleshooting low interface throughput
  • mattzap

  4
  0
  Votes
  4
  Posts
  84
  Views

  

  @mattzap said in Help with troubleshooting low interface throughput: Ah-ha! Yes, I do have AT&T. Here's the relevant threads I just found: https://forum.netgate.com/topic/138604/sudden-drop-in-throughput-900-900-on-modem-vs-30-100-on-pfsense/14 https://forum.netgate.com/topic/112691/wan-throughput-capping-at-500mbps-att-gigapower/3 https://forums.att.com/t5/AT-T-Fiber-Equipment/DMZPlus-mode-in-my-Pace-5268AC-causing-browsing-to-not-work-but/td-p/5712305 I haven't read through all of this yet, but it all starts out matching my situation exactly. I'll report back when I get a chance to get up to speed on this and see if it turns out to be my issue. Thanks! Yep, those are some of the relevant threads. I think the user found a solution on the AT&T forums.
• A

  PfSense - Metadata GUID?
  • alfonso588

  2
  0
  Votes
  2
  Posts
  102
  Views

  

  Yes, if anywhere it would be using Snort or Suricata with custom rules files. Better to ask in the IDS/IPS section for help with that. Steve
• P

  Systemlogs are shown under to the wrong System log Tab
  • pete35

  8
  0
  Votes
  8
  Posts
  206
  Views

  

  Great. Thanks for the update. Steve
• J

  Everytime I create a block/reject rule with a specific port, it defaults to any port...
  • jlroberts

  12
  0
  Votes
  12
  Posts
  203
  Views

  J

  Gotcha! Thank you guys!
• E

  Which hardware for pfSense should I choose? continued
  • eiger3970

  7
  0
  Votes
  7
  Posts
  301
  Views

  B

  even after configuring the mini-box with the basic's the minnowboard to me is still the better buy . since you have a switch already the extra ports on the minobox will be a waste.. my minnowboard has proven stable no way i personally would buy a knock off
• K

  Rsync issues with 2.4.4-P1 on XG7100
  • kholmqvist

  2
  0
  Votes
  2
  Posts
  80
  Views

  K

  UPDATE: I have made a factory reset on the XG7100, created a VPN tunnel and now Rsync works without any issues.. So that points to something in my configuration.. I will try restore a backup I made before the reset and see how that goes.. I might otherwise have to do a step by step reconfiguration and see if I can find the issue
• I

  Configure 3 PFSense using VLANs
  • isdromar

  3
  0
  Votes
  3
  Posts
  128
  Views

  M

  I also curious as to why you need 3 virtualized instances of PFsense.
• E

  Which hardware for pfSense should I choose?
  • eiger3970 0

  5
  0
  Votes
  5
  Posts
  250
  Views

  E

  I have moved this post to my correct original account https://forum.netgate.com/topic/139236/which-hardware-for-pfsense-should-i-choose-continued. Please do not post here.
• G

  Simpliest network access by active directory group with native MS client?
  pfsense • • gek

  7
  0
  Votes
  7
  Posts
  209
  Views

  M

  @derelict I say that's a constant regardless of what you do :)
• G

  Packet Capture Causes GUI Error?
  • guardian

  6
  0
  Votes
  6
  Posts
  167
  Views

  G

  @stephenw10 said in Packet Capture Causes GUI Error?: I created a bug to track it: https://redmine.pfsense.org/issues/9239 Thanks for doing that-Great job of writing up! (Not sure if its worth suggesting, but another possible solution might be to cut the output at some predefined number rather than none. Might also be easier to code as it wouldn't be necessary to create a "None" option. If you think the idea has merit please add to you report.) Thanks again for creating the report!
• 

  Where to put shell commands to run at login?
  • ssbarnea

  10
  0
  Votes
  10
  Posts
  198
  Views

  G

  @ssbarnea said in Where to put shell commands to run at login?: I am not willing to ruin the uptime of the router by rebooting it for that, even if is my home-office one. There is nothing to be proud about a high uptime. A high uptime only showcases that you're late with updates.
• M

  Bug or not: IPSec and OpenVPN bind to wrong IP on WAN with virtual IPs (2.4.4-p1)
  • msi

  4
  0
  Votes
  4
  Posts
  151
  Views

  M

  Hi I wanted to ask about where to look at further. The workaround works and since then I have (for sole fun) tried to reproduce this on a fresh system with a main and a secondary virtual IP but have not been able to reproduce it. It has been reproducible though on this particular setup that has been update from 2.0.3 via 2.3.5 to latest 2.4.4-p1.
• B

  2 Newbie Questions on Network Architecture
  • Brain Damaged Pilot

  7
  0
  Votes
  7
  Posts
  178
  Views

  

  @johnpoz said in 2 Newbie Questions on Network Architecture: So when you do vlan X to Y on the same physical interface you have actually cut your bandwidth in half when devices on these different vlans are talking to each other. It's not quite that simple. While both VLANs are on the same wire, the portion of bandwidth will depend on the traffic patterns. For example, with a large file transfer, most of the bandwidth will be used in one direction, with only a small amount in the other. Bear in mind, with full duplex, what happens in one direction does not affect the other, so when doing that file transfer, one VLAN will have most of it's traffic in one direction and the other VLAN, in the other direction.
• O

  Basic Setup of Network + Firewall + Vlans + guiaccess on 1 NIC
  • oliviamatu2008

  1
  0
  Votes
  1
  Posts
  51
  Views

  No one has replied

• N

  Filebeat needed
  • netfoo

  6
  0
  Votes
  6
  Posts
  184
  Views

  N

  Filebeat now can take syslog udp input and transport over tcp tls. Use this install script i have made and just set pfsense to syslog to 127.0.0.1:9000 https://github.com/Noebas/pfsense-filebeat I can confirm filebeat is not compatible with clog, but running trough syslog works fine for me. Also the config includes snort and pfblockerng logging
• S

  Virtualize PfSense or old Laptop for Basic Home
  • skalyx

  16
  0
  Votes
  16
  Posts
  217
  Views

  S

  @stephenw10 Happy new year! Yes, the risks are negligeable. I won't lose a penny if the network fails and I can easily make it up and running. I don't expect it to fail often nor fail for a long time thanks to the USB failover, back up, hardware failover (cold backup with exact same laptop and same configuration), etc. In any case, I just easily can shut down my PFsense router or DHCP server and switch the VLANs to switch the DHCP server to the WAN1 or WAN2. It isn't difficult. Furthermore, my family all has 4G and can use it as hotspot... Android smartphones, moreover, switch to 4g automatically when the connection isn't stable. Thus that is not at all big deal. Thanks,
• H

  No internet access on LAN but VPN is up on pfsense
  • hbbs

  12
  0
  Votes
  12
  Posts
  249
  Views

  H

  I have redone all the setup configuration. This time, finally, I was able to reconnect to my VPN provider after a reboot. Let's hope it stays that way. I consider this thread to be solved. I appreciate all the inputs you guys have given me. I opened another ticket here asking for help about redirecting DNS queries.
• X

  WI-Fi extender without internet
  • xplozia

  19
  0
  Votes
  19
  Posts
  909
  Views

  

  Mmm, I thought that. Seems like it should still be one layer 2... But I'm seeing multiple references showing the opposite. As I'm reading it's setting static ARP that prevents them working correctly, hence mostly they just work. I guess more research needed... Steve
• 

  Assign specific names to local hosts in pfSense?
  • chudak

  11
  0
  Votes
  11
  Posts
  188
  Views

  N

  @marvosa the problem with using a SRV record is the client trying to use whatever service must use or ask for the SRV record or know to ask for it. Web browsers for example do not do this because of an old RFC.
• R

  upgrade to 2.4.4 hangs at booting...
  • rbrtpfsense

  31
  0
  Votes
  31
  Posts
  1784
  Views

  L

  @stephenw10 yep I was finally able to get it after interrupting the boot on both the install and initial boot.
• M

  Help troubleshooting looping crash
  • Matty-CT

  7
  0
  Votes
  7
  Posts
  146
  Views

  

  Be aware that using ZFS in a virtual environment may have some unexpected behavior. ZFS is copy-on-write so it doesn't play well with thin provisioned storage, eventually it will take up the entire space allocated to its disk(s).
• S

  Sonos Issues [Solved]
  • skalyx

  4
  0
  Votes
  4
  Posts
  134
  Views

  

  Done.
• B

  Trying to narrow down the culprit
  • bhjitsense

  11
  0
  Votes
  11
  Posts
  202
  Views

  B

  Still not sure. I'll be bringing the new switch online later this week.
• D

  Pfsense blocking Playstation network on my ps4 and 3 and other phone apps
  • DavidServerGuy2019

  98
  0
  Votes
  98
  Posts
  675
  Views

  

  Yet it didn't work at the default 1492. Interesting. Steve
• S

  Attachment in E-Mail-Report (syslog-ng)
  • schweidj

  2
  0
  Votes
  2
  Posts
  55
  Views

  

  You really don't want your firewall to be a host for syslog of other devices. Spin up a VM and use something else as your remote syslog.
• J

  Congestion Control Algorithms
  • justme2

  18
  0
  Votes
  18
  Posts
  460
  Views

  C

  I understand that, but lets put things in perspective, these are a few modules already part of the OS, the work to activate them is adding them to a build script, and the size of the modules? Average 14kB each. I have seen far bigger things taking much more effort implemented in pfSense. For reference modules are not loaded by default, they optional, so the risk of crashing on boot, simply by compiling them and distributing them is pretty much zero. If the end user has gone to the trouble of adding a module to their loader.conf.local then they can go to the trouble of removing it as well if it becomes a problem.
• M

  Questions about pps module.
  • mrco

  5
  0
  Votes
  5
  Posts
  118
  Views

  G

  RTFM https://www.netgate.com/docs/pfsense/book/services/ntpd.html https://www.netgate.com/docs/pfsense/book/services/ntpd-gps.html
• C

  Wordpress updates behind pfsense
  • crookiecookie

  2
  0
  Votes
  2
  Posts
  69
  Views

  

  Why have you added those host overrides? Resolving them directly seems like a much better plan, the single hosts you have chosen there could be down for example. Check the server logs though it should tell you what the error is. It seems unlikely to be anything to do with the firewall unless you;re using it for DNS and those overrides are breaking something. Steve
• A

  Upgrade from pfsense 2.4.2 to 2.4.4
  • ashima

  5
  0
  Votes
  5
  Posts
  113
  Views

  

  You keep your config.. You just want to make sure you have a backup in case the worse case scenario happens and you have to clean install. 99 out 100 you will be fine with just clicking go... But if its really production you have to make sure if the worst happens the down time is minimal.. Or you get yelled at, worse case could be a PSGE (pink slip generating event).. Any typical enterprise change control process would include backout plan, and recovery. I have had to fly out to locations for "risky" upgrades of hardware.. And then doing the work at after hours so that you have enough time to even get new hardware onside in the 4 hour support window and back up before production starts again, etc. The level of precautions needed to be taken depend on the level of production your talking about taking a risk with.. I click update on stuff all the time when there is no SLA for the service ;) I would say 999 out 1000 just hitting clickity clickity on the update will be fine.. But always plan for the worse ;) Let us know how it goes..
• N

  PFsense Blocking Some Traffic
  • noob

  33
  0
  Votes
  33
  Posts
  607
  Views

  

  time up will also be in the stats time.up=81609.360209 Which would be in seconds. And to be honest most everything on my network points to downstream pihole, so that reduces the number of queries unbound sees because pihole only asks unbound for stuff that has not been blocked, and also it caches.. So if say 3 things asked for xyz.com unbound would only see the 1 from pihole, then piehole would serve the answer up to the clients via its cache.
• V

  PPoE Question (strange results)
  • veldthui

  2
  0
  Votes
  2
  Posts
  68
  Views

  

  That looks like the expected result. The gateway IP is whatever is upstream from you at the ISP. The interface IP is your local address that external sites see to reply to. Steve
• M

  LDAP cuts out half the time with ssl
  • msudak

  7
  0
  Votes
  7
  Posts
  171
  Views

  M

  In the end i managed to figure it out. It seems that the certificate is case sensitive so once i fixed that it all works. the only thing im not sure about is why it worked sometimes before i fixed it. thank you for your help
• S

  Asymmetrical OpenVPN speeds on symmetrical Gigabit service
  • SpinningMyOwnWheels

  3
  0
  Votes
  3
  Posts
  111
  Views

  S

  That... uuuuuhhh... would actually make a lot of sense. I'll go ahead and ask them, thanks!
• J

  PPPoE on WAN link for Centurylink gigabit service
  • johns1

  38
  0
  Votes
  38
  Posts
  26403
  Views

  

  Nice result! Be aware that setting net.isr.dispatch=deferred will give you better PPPoE speeds but might cause problems with ALTQ if you need shaping. And, yeah, you need to have powerd (speedstep) enabled on those ADI SG series devices to see the full CPU speed. Steve
• A

  DHCP Retry on WAN Interface
  • acascianelli

  7
  0
  Votes
  7
  Posts
  206
  Views

  

  If you have any advanced DHCP options set the default settings are overridden but what is added should still be valid there. Were you able to check the values in the generated conf file? For example /var/etc/dhclient_wan.conf Steve
• S

  Crash report
  • Saiful Rezan

  2
  0
  Votes
  2
  Posts
  58
  Views

  

  Was this after an upgrade? During the upgrade? From what version? To 2.4.4p1? More details needed. That could be a filesystem error or it could be due to the php version change in 2.4.4. Steve
• W

  Reset OpenVPN Service
  • wes93

  5
  0
  Votes
  5
  Posts
  121
  Views

  W

  My VPN Provider is PrivateVPN. The Log of the VPN Dec 22 10:01:08 openvpn 5717 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Dec 22 10:01:37 openvpn 5717 RESOLVE: Cannot resolve host address: it-mil.privatevpn.com:1194 (hostname nor servname provided, or not known) Dec 22 10:02:07 openvpn 5717 RESOLVE: Cannot resolve host address: it-mil.privatevpn.com:1194 (hostname nor servname provided, or not known) Dec 22 10:02:07 openvpn 5717 Could not determine IPv4/IPv6 protocol Dec 22 10:02:07 openvpn 5717 SIGUSR1[soft,init_instance] received, process restarting Dec 22 10:02:07 openvpn 5717 Restart pause, 300 second(s) Dec 22 10:07:07 openvpn 5717 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Dec 22 10:07:37 openvpn 5717 RESOLVE: Cannot resolve host address: it-mil.privatevpn.com:1194 (hostname nor servname provided, or not known) Dec 22 10:08:06 openvpn 5717 RESOLVE: Cannot resolve host address: it-mil.privatevpn.com:1194 (hostname nor servname provided, or not known) Dec 22 10:08:06 openvpn 5717 Could not determine IPv4/IPv6 protocol Dec 22 10:08:06 openvpn 5717 SIGUSR1[soft,init_instance] received, process restarting Dec 22 10:08:06 openvpn 5717 Restart pause, 300 second(s) I will try with Watchdog option. Thanks a Lot Stefano