General pfSense Questions

• F

  Subnet problem?
  • Fratopolis

  23
  0
  Votes
  23
  Posts
  474
  Views

  F

  First off, let me just say thank you all, for just diving head first without me having any clue what you all needed from me. This network was setup before anyone that works in our dept was even there over 12-13 years ago. We have upgraded equip since then and went to 10Gb routers and switch stacks for furture enhancement but not sure if anything design wise has changed, I'd have to ask our net admin. We all wear many hats, I more than anyone only because I engage in everything I can get my dirty little hands on. Ok so after I learned how to draw, learned what transit meant, then learned how to semi properly map things out, the consensus seems to be that the network is not as bad as originally thought by everyone "so I hope". "creating aliases for allowing and/or denying internet access for certain subnets." this works with our current setup and as far as diagnosing problems, we or I should say our net admin has never had problems doing so so far. Updated map. (Yes I know that 10.31.0.0/19 wireless network is huge. Did it for a reason as it is our guest network. There are only ever about 150-300 people on it at once but my thought was give them an IP and they keep it for I think 2 years. Lets us easily track mischievousness) I will not be making major changes until after the holiday break seeing as I am not at work to see how those changes affect anything. I do have a remote AP at my house with a VM added to our domain so I will continue working/testing other things in pfSense until i get back.
• A

  Routing via VPN by "service" instead of host ip
  • alexktz

  5
  0
  Votes
  5
  Posts
  225
  Views

  P

  I'm an ex-Brit living in Canada - have the same issue. I spent a lot of time playing around with this. It was easier to run a VM machine at home dedicated to the UK and have PF Sense route all it's requests via the VPN to the UK. After much testing, it was the only reliable solution. Then run a remote desktop session on the machine connected to the TV when you want UK TV. By the way - the offline BBC iPlayer app can run on the UK dedicated VM and download material, but if you make sure it stores the material in a place that other machines can access, you can run the offline BBC iPlayer app on other machines looking to that location for material and it works fine. Regards Paul
• R

  Where are e-mail notification subject lines set?
  • rcfa

  1
  0
  Votes
  1
  Posts
  50
  Views

  No one has replied

• S

  No internet on third interface.
  • storms

  5
  0
  Votes
  5
  Posts
  94
  Views

  S

  ok, the arp reset didnt work, i changed the OPT netowork ip to 10.10.0.0/24 instead of 10.0.10.0/30 and it started working! so i think its because of the network range of my lan ( lol my bad) but now when i ping 8.8.8.8 i only get duplicate packages....
• G

  No WAN IP on new PfSense Box
  • gemrock

  12
  0
  Votes
  12
  Posts
  219
  Views

  

  What do you mean "no logs"??? Status - System Logs - DHCP. All DHCP client messages are logged there. You're saying there is nothing at all? Also, what do you mean by "I can't capture packets"??? Diagnostics - Packet Capture. The tools are there. Use them.
• G

  Network Access Problem
  • guardian

  8
  0
  Votes
  8
  Posts
  190
  Views

  G

  @marvosa said in Network Access Problem: You could also create a NAT rule to translate your IP to the camera subnet when accessing your cameras from another VLAN, which sounds more like the solution you're looking for. Thanks @marvosa - You are 100% right here - this is for home use, so I am looking to keep the amount of excess HW to an absolute minimum. Can someone give me a few hints - possibly what tab to use and/or references/good keyphrases to google etc. I understand NAT in principle, but I'm very sketchy on the details of how it works in pfSense.
• G

  Make boot use High Resolution VGA Console
  • guardian

  8
  0
  Votes
  8
  Posts
  199
  Views

  

  @guardian said in Make boot use High Resolution VGA Console: Thanks @jimp - I can't really see any difference. I assume the difference is 16 vs 32 colors. Does pfSense make use of anything over 16 colors? The only console thing that uses colors is the prompt, and that's only a few. Doesn't really matter AFAIK. Am I correct in assuming the difference is an extra 4 bits of video memory x the screen resolution ( 1280x1024x4/8=640K ) for 640K of memory? Probably, not sure it matters in the grand scheme of things, since that is probably minuscule by compared to typically available video memory on systems. Where does this get applied? Sorry I'm clueless about the BSD boot sequence. Does this statement get added to some config file, or is it just applicable after boot is complete? That takes effect only when run manually. You would need run the full command in a boot-time script every boot, you could make your own and drop it in /usr/local/etc/rc.d/ if you like what it does.
• N

  Odd behaviour!
  • noob

  21
  0
  Votes
  21
  Posts
  441
  Views

  N

  Bump
• E

  Gmail and VoIP problems
  • emin911

  4
  0
  Votes
  4
  Posts
  134
  Views

  

  There are not many VOIP providers anymore that require static port. Who is your VOIP carrier? Im curious if you have an MTU problem.. What kind of internet connection is this?
• N

  How to configure e-mail notificatons
  • no_jah

  3
  0
  Votes
  3
  Posts
  114
  Views

  N

  Ah, yes you're right, I've alson seen pfSense boot notifications. I think it's great to have the ability to get notification, but it doesn't do much good if you can't specify what events you want to get notified about. I know about the mailreport package, and it's great, but it only give you periodic reports, no instant alerts.
• S

  Internet traffic stops working for some traffic, a reboot of the firewall resolves the issue for several hours.
  • SteveBobMike

  6
  0
  Votes
  6
  Posts
  169
  Views

  M

  By chance were you running snort in Inline Mode? Nvm, I'm thinking of Suricata. Snort does not appear to have a district "Inline Mode".
• D

  Route FreeNAS Torrent downloads through VPN?
  • Dayve

  3
  0
  Votes
  3
  Posts
  131
  Views

  M

  We'd need more info to offer more targeted advice, but In general, you'll need to: Policy route the static IP's for QBittorrent and Couchpotato on your LAN tab, which it sounds like you have done. BTW, how are these apps using different IP's on FreeNAS? Are they VIP's that are bridged to the LAN adapter? I'd like to know how these apps are communicating on the network and if they truly are sourcing traffic from the IP's you've configured. Add an Outbound NAT entry for your static IP's that is configured to send matching traffic out your VPN interface Verify the rules on your OpenVPN tab are explicit so the traffic you want to be routed thru the VPN isn't matched on the wrong interface.
• S

  any remote (internet-server)ssh disconnect
  • scorpoin

  4
  0
  Votes
  4
  Posts
  89
  Views

  S

  it worked thanks Derelict. Regards
• P

  Complete loss of network; where to find info on what happened?
  • purduephotog

  9
  0
  Votes
  9
  Posts
  269
  Views

  P

  @babiz Thank you kindly. The /var/log was empty except for the reboot; there were no past logs. That bugged me and I wondered if they were somewhere else I hadn't thought to look for. I have wireshark, but honestly hadn't thought to try it while everything was flipping out. As far as I can tell it looks as if the WAPs attempted to take over when something happened to PFSense. There was a cable modem reboot in there, too, which once triggered some strange IP issues. But without the log (and I was desperately trying to get everything back up) I've got nothing to go back and look at. Thank you for taking the time to read and respond to my post, and point out ways I can in the future better analyze issues. That's a very welcoming approach you have there, and I'm quite thankful for it. ~J
• S

  Blocking domains via text file
  • sensori

  5
  0
  Votes
  5
  Posts
  126
  Views

  S

  @johnpoz : I had to deactivate pfblocker because it was blocking internet access and once freezed the whole system and I had to reboot. But I don't know for sure if it was pfblocker itself or the rules I have.
• D

  How can i fix fatal error: Call to undefined function gettext() in /etc/inc/certs.inc on line 44 ERROR
  • ddeshar

  2
  0
  Votes
  2
  Posts
  65
  Views

  

  There must be something wrong with the installation. The fastest way to recover it would be to reinstall, choosing the option to recover the configuration during the install process.
• E

  Stuck at booting...
  • emin911

  2
  0
  Votes
  2
  Posts
  70
  Views

  

  https://www.netgate.com/docs/pfsense/install/upgrade-guide.html#upgrading-from-versions-older-than-pfsense-2-4-4 Specifically see the part at the end of that section about putting kern.vty=sc into /boot/loader.conf.local.
• 

  gigabit internet with Zotac ci323 Speed bottleneck
  • chevywu

  11
  0
  Votes
  11
  Posts
  240
  Views

  

  Thanks for letting me know. I decided to upgrade on HW mainly because I want the box to do more. IDP, bandwidth monitoring and Traffic shaping...
• A

  IPTV returns 401 after latest update
  • anonymouse

  4
  0
  Votes
  4
  Posts
  128
  Views

  

  Ah, OK and the IPTV stream is being accessed over the VPN when pfSense is in play? Most likely the IPTV service has blacklisted the VPN providers IPs as the source of either hack attempts or users bypassing geo restrictions. Try disabling the VPN and testing through pfSense. Steve
• B

  minnowboard firmware update process?
  • bcruze

  11
  0
  Votes
  11
  Posts
  250
  Views

  B

  Its upgraded I’m not gonna mess with it again until I have too.. I still have my sg2220 has my backup I probably need to update it to 2.4.4 at some point!
• R

  Link-local address flooding logs
  • rsaanon

  33
  0
  Votes
  33
  Posts
  454
  Views

  

  I am not blocking the 169.254 - I block the multicast address. But sure you could block it via 169.254.x.x if you wanted too.. I don't want or need any of that multicast noise - and I sure don't want it going out to the wifi, which that vlan is where my roku sticks connect.. 169.254 is IPv4 link local and yes is used for APIPA... In a correctly configured network there should never be any need or use for it.. What you posted is clearly what I would call NOISE.. that should be able to be disabled on the device sending it.. But if you can not, then the best place to stop is before it even enters the switch ;) I had looked all over to how could disable the noise coming out of the directv box.. Could not find anyway.. So block at switch it is then ;) Which reminds me should look to thread I had on plex forums about the noise it was sending out.. Even when dlna and disabled - it was sending out SSDP nonsense.. I had to block that at the switch as well.. edit: F'ing Crickets over there https://forums.plex.tv/t/stop-pms-from-sending-ssdp-dlna-and-gdm-disabled/321779 Thing sends every freaking 10 seconds.. Wonder if any of the beta's after posted that fixed it? On 1.14 something now.. going to remove the acl on the switch and see ;) fingers crossed. edit: Arrggghhh still chatty kathy.. 13:22:57.575617 IP 192.168.9.10.42339 > 239.255.255.250.1900: UDP, length 101 13:22:57.575635 IP 192.168.9.11.45988 > 239.255.255.250.1900: UDP, length 101
• R

  Issues with RDP over IKEV2 VPN
  • RanmaKei

  3
  0
  Votes
  3
  Posts
  129
  Views

  

  I have seen similar behaviour to that with RDP where the connection MTU was restricted. Try setting MSS clamping in the IPSec advanced settings. Try setting it to 1300. Steve
• S

  Schedule a DNS forwarder restart
  • syeoma

  3
  0
  Votes
  3
  Posts
  75
  Views

  S

  @stephenw10 Thanks for the quick response.
• C

  Active Active Load Balancing
  • chriva

  2
  0
  Votes
  2
  Posts
  88
  Views

  

  I would expect that to be OK as long as the load balancers are acting as true proxies rather then forwarders. If all traffic to/from the servers goes via the load-balancer that is all the rules you will need. Steve
• P

  Inter-Network Blocking Question
  • Pete-Man

  19
  0
  Votes
  19
  Posts
  323
  Views

  

  The "this firewall" includes ALL ips on the firewall.. For example your WAN IP that is normally not a rfc1918 address. So this rule makes sure that NO IP on the firewall can be accessed.
• M

  No outbound traffic in transparant bridge mode
  • mgielissen

  13
  0
  Votes
  13
  Posts
  120
  Views

  M

  pfsense runs in a vm on proxmox, can that be a problem with the linux bridge proxmox uses? I did a second setup with pfsense in NAT mode and a local IP address on the LAN side, same problem with outbound connection. I can only ping. EDIT: Found the solution: disable "Hardware Checksum Offloading" for Proxmox VirtIO interface
• T

  Gigabit Throughput
  • TheQuank

  29
  0
  Votes
  29
  Posts
  855
  Views

  K

  This is my test : I run pfSense on Cisco UCS C210 M2 with 2x X5650 CPU and BroadCom QLogic dual port 10G NIC... Maximum load I registered was 11%... I am pretty sure this result is caused by a speed limitations between me and server instead of my pfSense box... After a few day I will have second 10G line from separate ISP and then I can test again... This machine was released in 2010 so almost 9 years old but works pretty well and I am happy with it ;)
• S

  Pfsense connect with DSL modem wifi router problem need help.
  • stardreamer77

  11
  0
  Votes
  11
  Posts
  188
  Views

  

  Yes, it looks to me like your Asus router has started handing out DHCP leases in conflict with pfSense. Make sure it is running the same settings it was previosuly. But, yes, it would be far better to use separate devices as the DSL modem and wifi access point. You're relying on PPPoE to separate WAN from LAN there. Steve
• N

  This topic is deleted!
  • Nthly

  7
  0
  Votes
  7
  Posts
  23
  Views
• D

  WAN Monitoring and Packet Loss
  • david_harrison

  7
  0
  Votes
  7
  Posts
  202
  Views

  

  Nice. Realtek NICs are better than they used to be but there's a reason they still have a bad rep. Steve
• 

  Monitoring: Should IPsec Be There if Not Set Up? [ANSWERED]
  • beremonavabi

  2
  0
  Votes
  2
  Posts
  106
  Views

  

  It's there because the interface is always there, and there isn't a good way to track that it was never enabled. If it's disabled now, there could still be some historical data there that someone might want to see if IPsec was recently or temporarily disabled.
• C

  LAN Interface makes WAN not receive address from ISP
  • carobell

  5
  0
  Votes
  5
  Posts
  93
  Views

  C

  @netblues Actually updated to 2.4.4_1 (or 2.4.4p1 as it says in your thread) and it took care of all of it. Thank you for that first reply you made my search 100% more successful :)
• R

  Problem with ISP connectivity
  • rm-rf

  2
  0
  Votes
  2
  Posts
  80
  Views

  R

  I think I know what it is- proxy ARP on another router causes this problem. Testing it now. I still don't understand why it affects only pfsense.
• N

  latency of connection monitoring
  • Nthly

  25
  0
  Votes
  25
  Posts
  260
  Views

  N

  @johnpoz said in latency of connection monitoring: Great then ping those - what is the latency.. sorry for the few hours hiatus. I did ping the above, however packets may be dropped as no ping back is received. I heard most game providers do that, probably to lessen the load on servers that i assume may be running at close to full capacity, and, in a conspiracy theory view.... to hide the fact that servers used may be in a different region or may not be as good as players expect them to be.. LOL. The first reason much more likely. On PC, the game seems to run better and faster, plus ping is readily available and can be added as an overlay on a corner of the screen, but this is a whole different world.
• N

  PPPoE settings for BT Infinity with Netgear DM200 VDSL Modem
  • neocleous

  13
  0
  Votes
  13
  Posts
  3030
  Views

  

  VLAN 101 is usually required, for residential connections at least. If you're using one of the Openreach modems they are configured to add that. If you're using some other modem such as in this case you need to add it either at the modem or in pfSense if the modem passes that. Steve
• S

  sonewconn: pcb Listen queue overflow
  • sloppymike

  4
  0
  Votes
  4
  Posts
  103
  Views

  

  It's probably connections coming in faster than HAProxy can service them. Once the queue values is exhausted it starts throwing that error. You can increase that value quite substantially without a problem but it may just delay the problem. Set a system tunable kern.ipc.soacceptqueue to something larger that the default 128. Try 512. See if that eliminates the error or simply delays it's appearance. Steve
• K

  [Resolved]"Service 19050-tcp: server exit with 0 running servers" = ??
  • Khampol

  7
  0
  Votes
  7
  Posts
  210
  Views

  

  NAT+Proxy sets up a service like that for each instance and it appears that one was having some issue. Perhaps the IP you have it running on has been removed or the interface was down. Running in Pure NAT mode is preferred as it doesn't require such a service. There are very few situation that actually require NAT+Proxy. Setting the NAT reflection type individually for each forward is the best way to avoid something like that though as you have done. Steve
• G

  Windows update broke wan connection
  • garryab12

  5
  0
  Votes
  5
  Posts
  112
  Views

  G

  I tried that in the beginning no change. I have noticed that under the interface status I do get the ip address but the gateway shows pending.
• N

  has anyone noticed
  • no_one

  7
  0
  Votes
  7
  Posts
  179
  Views

  N

  the usb keyboard does work on this computer but when i plug it into the other one it does characters. i plugged in my ps/2(yes i still have ps/2 kb and mouse) it does not show those characters, so you are right it was the keyboard. thank you for replying. i thought the keyboard was fine but I guess not.
• A

  SD-WAN Capabilities?
  • acoolov

  1
  0
  Votes
  1
  Posts
  126
  Views

  No one has replied