General pfSense Questions

• S

  IGMP Proxy vs PIMD package use case
  • supersquid  

  1
  0
  Votes
  1
  Posts
  37
  Views

  No one has replied

• J

  LDAPS Authentication with Active Directory and Intermediate CA failed
  • jphoude  

  6
  0
  Votes
  6
  Posts
  84
  Views

  Y

  LPADS has been working for me for some time, including a test. A few minutes after trying to log out and log in to pfsense, I can’t log in anymore and the SSL connection does not work, I see the error "Unknown CA (48)" in network traffic. What reliable actions need to be done?
• 9

  Adding a Trusted Root Certificate Authority Certificate
  • 999Vladislav999  

  9
  0
  Votes
  9
  Posts
  109
  Views

  

  Oh so pfsense can do its "own" traffic through the snooping upstream proxy... This would have zero to do with clients behind pfsense - those clients would need to trust this CA as well.. Because the upstream proxy is doing mitm.. What gov is this?
• 

  Renewal of Internal CA
  • provels  

  6
  0
  Votes
  6
  Posts
  94
  Views

  A

  @jimp said in Renewal of Internal CA: You could spin up a 2.5.0 VM, import your CA, renew it there, export, and then copy the contents back to your current setup. If it's that old, though, you'll probably also want to let the renewal process upgrade it to a stronger key/hash/etc. Thanks for the great feedback.
• D

  Unable to load dynamic Library
  • Druplex  

  4
  0
  Votes
  4
  Posts
  42
  Views

  

  @Druplex said in Unable to load dynamic Library: @Gertjan am on 2.4.4-p3, i had upgraded to 2.4.5 but gave me the same same error so i just reverted back and the error is still on. Ok. Packages were updated / upgraded to support 2.4.5 and PHP dependencies. You can't upgrade packages using and 'old' version of pfSense like 2.4.4-p3 if a 2.4.5 exists, as the package could actually need (example) PHP 7.2.b) while pfSense 2.4.4-p3 is using 7.2.a. There will be a PHP library version mismatch. That what you are seeing. Normally, when you upgrade pfSense, you don't stop there. The list with installed packages will also get updated, and show you if any packages should be upgraded. At that moment, these upgrade might not be optional, as they could use old (PHP) libraries, and pfSense just replaced them with more recent ones. This explains the error you saw. Just finish upgrading, and all will be fine. Downgrading pfSense will not help here. Golden rule : Do not install/upgrade (use ?) packages any more as soon as a new version of pfSense comes out and you decide to stay on the old version. That is : closely observe what sub packages, like PHP, get installed with it them. Some will work on neraly any version of pfSense, some use a lot of shared resources with the OS or other pfSense core files, and need to get upgraded - at least re installed. See Netgate release notes. Netgate's upgrade video and the huge quantity of forum posts about the subject. Keep in mind : most packages are created by people like you and me. Package maintainers should only have to support their package using the latest pfSense version. No one want to make a package installable on all kind of recent and ancient pfSense version (like Microsoft doesn't support his older versions neither, it's just to much of o job).
• S

  Auto config backup fails often
  • sebalbers  

  10
  0
  Votes
  10
  Posts
  89
  Views

  S

  I finally got to make the change and have been monitoring the last week with great success. We haven't had one error in the last 10 days which leads me to believe that changing the time has fixed the issue we were experiencing. Before we had it set to 00:00 CEST now it's set to 12.00 CEST.
• O

  Time to have push notification?
  • oddussiben-3161  

  7
  0
  Votes
  7
  Posts
  502
  Views

  O

  @viktor_g awesome, can't wait
• T

  Tip - I solved my WiFi Calling issues
  • tomk  

  6
  1
  Votes
  6
  Posts
  183
  Views

  

  @zaogrnutess FWIW, I am also on Rogers and haven't noticed any problems. However, I have only one Android phone.
• R

  libalias-bug in FreeBSD
  • Rhicinus  

  4
  0
  Votes
  4
  Posts
  32
  Views

  

  The firewalling and NAT are done in pf, not ipfw. If you enable the captive portal, it uses ipfw for the CP blocking functions. Perhaps you were thinking of ipfwSense.
• C

  pfSense updates an package installation very slow when using Deutsche Telekom
  • Crunk_Bass  

  4
  0
  Votes
  4
  Posts
  84
  Views

  

  Can confirm the creation of the route6 IRR record in ARIN database. root@andrew-NUC7i7BNH:/home/andrew# whois -h rr.arin.net 2607:ee80:10::/48 route6: 2607:ee80:10::/44 descr: Netgate descr: 4616 Howard Lane #900 descr: Austin, TX 78664 descr: US origin: AS11403 mnt-by: MNT-RC-218 changed: awaranowski@netgate.com 20200514 source: ARIN remarks: **************************** remarks: * THIS OBJECT CONTAINS PLACEHOLDER DATA remarks: * Please note that all data that is generally regarded as personal remarks: * data has been removed from this object. remarks: * To view the original object, please query the ARIN Database at: remarks: * http://www.arin.net/whois remarks: ****************************
• 

  Increase swap size
  • Raffi_  

  6
  0
  Votes
  6
  Posts
  89
  Views

  

  @JKnott said in Increase swap size: @Raffi_ I also wonder why you'd need more swap on a router. However, in the Linux world, it's possible to create a swap file, which serves the same function as a swap partition. Perhaps the same is possible with FreeBSD. Thanks, that's a good point. I will not spend any time looking into ways to do it even if it is possible. It was just something I was curious about more than something I needed. If for example it was a single command I could have run and it was fool proof, I would have gone for that. But being that in the case of pfsense it would be a partition adjustment. There is no way I'm doing that. Especially, for something that really isn't necessary as you point out.
• 

  Why cant i reach the other network while i have added the routes and firewall rules to allow traffic? (Pfsense/USG200)
  • CodeNinja  

  3
  0
  Votes
  3
  Posts
  94
  Views

  

  @stephenw10 First of all, thanks for your answer. I tried with Outbound NAT in automatic mode and in manual mode with the rules: WAN1 10.128.10.0/24 * * * WAN1 address * this is not a rule to the WAN 2 where the 192.168.104.0 network exists. Should i make a NAT rule to WAN2 ? Something like: WAN2 192.168.104.0/24 * * * WAN2 address * ? I also tried to enable the Bypass firewall rules for traffic on the same interface setting. Unfortunately i still not able to reach the 192.168.104.0 network from the 10.128.10.0 or visa versa. I thought adding a static route on each firewall and add the correct firewall rule (to allow traffic from the other network on the concerning interface) should do the trick? but how i understand from you i miss something (NAT?) ? Note that i can ping the Zyxel USG200 interface and devices of the 192.168.104.0 network from the Pfsense diagnostics ping tool but not from my computer.
• 

  Shared object "libarchive.so.7" not found, required by "pkg"
  • Qinn  

  12
  0
  Votes
  12
  Posts
  325
  Views

  M

  "First of all, try pkg bootstrap -f (or pkg install -f pkg). If it fails then try pkg-static bootstrap -f (or pkg-static install -f pkg) as it doesn't require any shared objects. If everything else doesn't work then you can install pkg from ports: cd /usr/ports/ports-mgmt/pkg make make reinstall clean You should be able to use pkg now." Source: https://unix.stackexchange.com/questions/369372/shared-object-libarchive-so-7-not-found-required-by-pkg I get the same error warning while trying to install virtualbox-ose-additions with "pkg install virtualbox-ose-additions" command in pfSense 2.4.5-Release. I have fixed it with "pkg bootstrap -f" command. pkg version is 1.12.0 now from pfSense repository.
• O

  Help Me understand
  • OpenWifi  

  3
  0
  Votes
  3
  Posts
  64
  Views

  O

  @stephenw10 , Thank You
• E

  Issue connecting to Cisco switch (long)
  • eri3  

  3
  0
  Votes
  3
  Posts
  44
  Views

  E

  Steve, thank you. I read through your post and went at it again after factory resetting the switch and basically putting the OPT interfaces back to how they were when I received the SG5100 from Netgate. OPT1 (ix0), OPT2 (ix1), OPT3 (ix2), OPT4 (ix3) = added but not enabled From there I went to Interfaces => VLANs Define VLAN tag 10 interface ix0 (opt1), VLAN tag 20 interface ix0 (opt1) Enabled VLAN 10 and VLAN 20. Assigned static IPv4. Defined DHCP for VLAN 10 set range but added a static IP address for the Cisco switch outside of the pool range. Defined DHCP for VLAN 20, set range. On another computer connected directly to the Cisco switch, I defined VLAN 10 and 20. Set port 1 as a trunk. Tagged VLAN 10 and 20. Set port 8 as access. Untagged for VLAN 20. Added an IPv4 interface for VLAN 10, DHCP. Usually this is where I get kicked off but this time after I connected port 1 from the switch to ix0, the switch was listed under DHCP and Online in pfSense. In addition, my other computer that is directly connected to the switch was still connected using the switches default IP address. I’m assuming it’s because VLAN 1 and VLAN 10 are both active on the switch and I have that computer plugged into a port that I didn’t mess around with. I plugged a device into port 8 and confirmed it got an IP address in the VLAN 20 range. One issue I found is that I cannot connect to the switch from my laptop that’s on the LAN connection. But I’m guessing that’s probably a firewall issue. I can still connect to the switch directly from my other computer so I can do switch configuration from there. I’m going to back up the settings on the switch and pfSense before I go any further. I guess for most people getting to where I am now seems trivial. After all, I don’t even know if the device works on port 8 since I just did a simple connectivity test, but after spending the last several weekends setting up, resetting, plugging in, and unplugging, I’m happy that I can finally move onto the next steps. Thank you very much for your help!
• M

  OpenDNS DDNS
  • mbrossar  

  9
  0
  Votes
  9
  Posts
  583
  Views

  L

  Just want to add to this in case someone else runs into it. There is in fact some sort of issue with passwords that have special symbols which work just fine in OpenDNS (and special symbols are required), but in pfsense, the login doesn't work. For example, changing my password to not include an "&" but to instead use a "$" fixed my issue. I'm guessing there is some bug in how the password is being encoded from the html form field or something. As others have mentioned, checking the verbose logging flag is encourage so you can go into the system logs after you force an update and see if it logged in successfully or not. Hope that helps someone!
• B

  New machine, Hardware question
  • bereby  

  12
  0
  Votes
  12
  Posts
  142
  Views

  D

  @bereby said in New machine, Hardware question: XG-7100 you're right: look at its original configuration, which has an i7 CPU and a 200W power supply ..... who is already looking at the XG-7100, wants serious hardware... (many just like to experiment or want a significant reserve in their system) only this "ugly" hardware originally outlined, should be conjured up a bit of a network appliance type 35 -50W power consuption / rack case / all-in-one face / Intel NIC / etc. (and for sure 10 Gig SFP+ WAN or other interface...) jahhh and don't think I'm against Netgate hardware, (since I've already said that) it's also perfect, but you only have a choice if you know what you can do and choose (Intel vs. AMD in network appliance theme)
• 

  Posisble bug or ?
  • chudak  

  9
  0
  Votes
  9
  Posts
  112
  Views

  

  Not in pfSense. At least not without changing your network configuration. That traffic goes from 192.168.90.3 to 192.168.90.5 directly at layer 3. It probably goes through at least 1 switch at layer 2. It never goes to pfSense at all so there's nothing it can do to see that. What you could do, for example, is configure a mirror port on the switch and then analyse the traffic on that to get flow data. You could bridge two ports in pfSense and make sure those systems were connected to different sides of the bridge. Then traffic would go through pfSense so you could see it and filter it. That is generally considered a bad idea unless you absolutely need it though. Steve
• P

  How to set up a 4G modem on pfSense?
  4g failover • • philled  

  15
  0
  Votes
  15
  Posts
  168
  Views

  

  Yup, those Ethernet connected Netgear LTE modems work well. You can use many USB LTE modems directly with pfSense though. What exactly is the device you have? Steve
• O

  Feel like giving up on pfsense
  • OpenWifi  

  22
  0
  Votes
  22
  Posts
  388
  Views

  D

  it’s not a problem, everyone starts somewhere in which slot (on MOBO) do you put the new NIC, what version of HP device do you have? HP Technical Reference Guide according to Google INTEL PRO PT 1000 Quad Port Network Adapter
• G

  DNS domain forwarder stopped working
  • gyahoo  

  6
  0
  Votes
  6
  Posts
  41
  Views

  

  @gyahoo said in DNS domain forwarder stopped working: I am at a loss as to how to proceed. Get on a current version of pfsense - the 2.3 line is DEAD, has been for over a year, shoot Oct will be 2 years... There were like 2 years of warning that 2.3 was going to be DEAD! Once you get on current.. Come back if your having issues. So 2.3.4 is from 2017... You honestly thought it was up to date, with zero updates in like 3 years - on security software? its not a notepad app you downloaded from some guy that wrote something he needed and shared it. How did you not check on that? Simple 2 minute visit to the website would of told you if your current or not, etc.
• F

  Randomly lost link on WAN interface
  • FrozenFiber  

  4
  0
  Votes
  4
  Posts
  85
  Views

  

  Your WAN interface is actually losing link: 5/15/2020 19:13 php-fpm 12911 /rc.linkup: DEVD Ethernet detached event for wan 5/15/2020 19:13 check_reload_status Linkup starting em0 5/15/2020 19:13 kernel em0: link state changed to DOWN Which now I check back was in your first post! It looks like you've swapped out enough things that should eliminate a bad NIC, cable or switch port. It sure looks likely to be one of those things though. It's linked at 100M? You could try setting to link speed to 100M-FD fixed if the switch will allow it. That might eliminate any link negotiation issues. It should normally always be set to auto-negotiate though. How far is it to the switch? Can you add another switch much closer as a test? Steve
• G

  10min to boot gui screen on J1900 - how can it be
  • gwaitsi  

  4
  0
  Votes
  4
  Posts
  85
  Views

  

  Hmm, well it could be any number of things then. I've seen some systems where a slow serial console at 9600 cause the initial RAM count to take forever. Steve
• L

  Purpose of tracker on pfsense config rules
  • ltctech  

  3
  0
  Votes
  3
  Posts
  1276
  Views

  J

  according to https://docs.netgate.com/pfsense/en/latest/monitoring/raw-filter-log-format.html#bnf-grammar the purpose of the tracker id is <tracker> ::= <integer> -- Unique ID per rule, tracker ID is stored with the rule in config.xml for user added rules, or check /tmp/rules.debug I've written this script to fix my rules and make the tracker id numbers unique import xml.etree.ElementTree as ET ONE_SECOND = 1 def main(): start_epoch = 1585650686 root_element = ET.fromstring(XML_DATA) rule_elements = root_element.findall('rule') for rule_index, rule_element in enumerate(rule_elements): rule_id = str(start_epoch + (rule_index * ONE_SECOND)) tracker_element = rule_element.find('tracker') tracker_element.text = rule_id created_time_element = rule_element.find('created').find('time') created_time_element.text = rule_id updated_time_element = rule_element.find('updated').find('time') updated_time_element.text = rule_id fixed_xml = ET.tostring(root_element, encoding='unicode') with open('fixed-firewall-rules.xml', 'w+') as f: f.write(fixed_xml) XML_DATA = ''' <filter> <rule> ... // copy and paste the exported rules here </filter> ''' if __name__ == '__main__': main()
• R

  When modify the IPsec config, I can't access vía webConfigurator and the OpenVPN connections hang.
  • ramses.sevilla  

  14
  0
  Votes
  14
  Posts
  124
  Views

  

  You will continue to have problems as long as you're on 2.3. That was only current for about 1 month waaay back in April 2016: https://docs.netgate.com/pfsense/en/latest/releases/versions-of-pfsense-and-freebsd.html#id7 You could try creating the file /boot/loader.conf.local (if it doesn't already exist) and adding to it the line: kern.smp.disabled=1 Then rebooting. Otherwise you might have to disable all but one CPU core manually which we did as a workaround at the time for a few systems. It was fixed for 2.3.1. Steve
• C

  Everything is messed up after a power outage
  • captain3xtreme  

  4
  0
  Votes
  4
  Posts
  111
  Views

  C

  So I wasn't able to figure out exactly what the problem is because I reinstalled pfsense completely and it did the same thing but I tried using a different old pc and switched my intel network card over and now it's working again, i guess it has something to do with the other pc, no idea what though.
• M

  Single Subnet Traffic through VPN
  vpn • • misanthropist  

  2
  0
  Votes
  2
  Posts
  42
  Views

  Z

  Use policy routing https://docs.netgate.com/pfsense/en/latest/routing/directing-traffic-with-policy-routing.html https://docs.netgate.com/pfsense/en/latest/book/multiwan/policy-routing-configuration.html
• N

  FreeRadius 3 authentication problem on pfsense 2.4.4
  • nfern  

  3
  0
  Votes
  3
  Posts
  28
  Views

  N

  Hi, I have upgraded to 2.4.5. please find screenshots requested below. still does not authenticate.
• N

  How does pfsense handle cloned mac address?
  • narmenia  

  5
  0
  Votes
  5
  Posts
  84
  Views

  

  There isn't any way for the firewall to tell two MACs apart. You'll need something more. If it's that bad, you need L2 auth (802.1x) in your APs, not firewall controls.
• G

  How to troubleshoot - lost packets.
  • geyser  

  24
  0
  Votes
  24
  Posts
  138
  Views

  1

  @JKnott I had a look but I have no firewall schedules defined. Im at risk of hijackingnthis thread so rather than take over from the OP's questions and answers i will start another thread - i just wanted to say I am also having very similar issues.
• M

  SNORT Enable Performance stats not working
  • markgca  

  3
  0
  Votes
  3
  Posts
  33
  Views

  

  @markgca said in SNORT Enable Performance stats not working: When i check the "enable performance stats' feature on Preproc page of services/snort/interface, the interface restarts but never quite gets there. Turn that feature off, and it works again i have several snort instances running on different vlans and they continue to work. Is this indicative that i need to allocate more space or change some option? i have 24gb of ram, and only about half of that is used. thanks for any thoughts Have you looked in the pfSense system log to see what, if anything, is being logged by Snort when attempting to start it? Are you running the performance stats on those other instances successfully? You will generally have better responses to IDS/IPS package questions when you post your inquiry in the IDS/IPS sub-forum under the PACKAGES section here on the board.
• D

  [Solved] PPPoE issue
  • dddave  

  2
  0
  Votes
  2
  Posts
  37
  Views

  D

  Hi all, Looks like the GPON gateway had locked on to the previous devices hardware address. After power-cycling it the latest version connected without issue. (Piece of junk unnamed cheap manufacturer). May be good to get some output added as to why the process is terminated, to assist others - if there is anything useful that can be logged - just an idea. Very happy now PPPoE is running as it should! :) Please mark as solved and close thanks.
• 

  Upgrade to 2.4.5 broke 802.1x RADIUS WiFi over VPN
  • DAVe3283  

  21
  0
  Votes
  21
  Posts
  212
  Views

  

  No the failover group should work exactly the same. You will have to restart the OpenVPN client once it's been assigned as an interface. The purpose of assigning it as an interface if that it is then treated differently by pf. You should make sure any pass rules are on the assigned interface only rather then the general openvpn tab so states are created there. Specifically pfscrub, which reassembles fragmented packets, seems to be applied differently. We have seen it fix exactly this sort situation. I don't know what might have changed in 2.4.5 to change the behaviour though. Steve
• K

  Dynamic DNS update interval
  • kermus  

  2
  0
  Votes
  2
  Posts
  37
  Views

  S

  Hello! Maybe some variation of : awk '{print "0.0.0.0|0" > FILENAME}' /cf/conf/dyndns* ...in a cron task? John
• D

  PHP Fatal Error: memory exhausted
  • dlaprade  

  11
  0
  Votes
  11
  Posts
  62
  Views

  

  @dlaprade said in PHP Fatal Error: memory exhausted: Thank you, I appreciate all the information everyone has given me. I am fairly new to pfsense / firewall configurations. I need to learn more about IDS/IPS setup and configuration. Nothing wrong with being new to IDS technology. All of us were in the same boat when we started. Google can be your research friend as you learn about IDS in general. For pfSense setup, here is a suggestion/recommendation I posted some time back for new-to-IDS users: https://forum.netgate.com/topic/141743/best-rules-to-best-protection-in-wan-and-lan-interface/2. It offers some helpful tips for initially getting started. There are some other useful tidbits of info in the other posts within that thread if you read the entire thread.
• R

  Doing homework before move to an AT&T Fiber service area
  • RonRN18  

  3
  0
  Votes
  3
  Posts
  116
  Views

  

  @jasonsansone I just acquired a sg-3100 and currently struggling to identify how to implement the hardware. Preferably I would rather replace the Pace hardware from AT&T with the 3100. Note: Currently, I have the Pace in use with a netgear router in bridge mode.
• T

  Proper way to run script on pfSense shutdown?
  • tomashk  

  2
  0
  Votes
  2
  Posts
  49
  Views

  T

  So it looks I have to learn how to build rc.d scripts :)
• R

  Match rule - pass or drop?
  • RadOD  

  2
  0
  Votes
  2
  Posts
  36
  Views

  

  Traffic is neither passed nor blocked. It is matched. You can do things like assign a queue or a tag or log it but it does not change the pass or drop status of the traffic. quick has no bearing on match rules. They always flow though and rule processing continues.
• C

  pfSense.localdomain - Arpwatch Notification
  • cburbs  

  1
  0
  Votes
  1
  Posts
  22
  Views

  No one has replied

• S

  Temporary Major Lag While Gaming
  • SickestGuy  

  19
  0
  Votes
  19
  Posts
  4266
  Views

  P

  have you checked the wan drivers ? Idk, I have never experienced anything like that. I am playing a lot of CS GO and everything is fine. I am sure that there is a software problem, maybe you should reinstall the drivers. By the way, when you will solve that problem, we could play together a couple of games. If you have a very low rank it's not a problem, you can always use a rank boosting service like eloboss.net. If you are interested, leave me a message! It's going to be really cool! I am waiting for your message, dude!