• SPAN port

    0 Votes
    4 Posts
    579 Views
    stephenw10

    The SPAN port will reflect all traffic on the bridge so you would have to add another port, set that as SPAN and then connect the tcpdump client to that.

    Steve

  • SSH connection stalls when going through pfSense

    0 Votes
    12 Posts
    2k Views
    johnpoz

    @pfuzr said in SSH connection stalls when going through pfSense:

    I see some CISCO switches run like a jet engine for several minutes at startup!

    In the smb line unless you're talking higher port density >28, they are normally all fanless
    https://www.cisco.com/c/en/us/products/collateral/switches/small-business-smart-switches/data-sheet-c78-737359.html

    So you don't have any fans until you hit the 28 port poe model in the sg350 line for example.

    As to those features, for example the $40 dgs-1100-08 has all of that other than the ACLs, and there is a poe model. And if you look at their firmware release history, they do update it..

    Just trying to point out that you don't have to drop $200 bucks to get a switch that can do what you want.. And that you can get instant gratification for a few bucks ;) vs dicking with workarounds. Especially if high port density is not a requirement currently. Keep in mind that lacp is not going to get you much with your nas unless you have lots of clients, and/or your devices that are going to be moving traffic to and from it also have multiple interfaces.. Or what you're worried about is failure mitigation on loss of port on your switch or nas.

    Since you stated 8 port would work, doesn't seem like you have enough clients to worry about setting up lacp ;)

  • Create Custom pfsense

    0 Votes
    3 Posts
    436 Views

    thanks for your reply.

  • "/usr/local/www/wpad.dat" failed

    0 Votes
    5 Posts
    1k Views

    @kiokoman Thanks!

  • Fatal error with php-fpm

    1 Vote
    3 Posts
    3k Views
    guiambros

    Sorry to re-open an old topic, but I'm facing the same problem, and was able to reproduce: Fatal Error Zend OPcache cannot allocate buffer for interned strings.

    For me it's happening after I changed the VM memory size (VMware Workstation v15). I'm using latest pfSense 2.4.4 Patch 3 out-of-the-box, just downloaded and installed with default options - ZFS, no disk encryption, no RAID.

    If I set the VM to 256MB, the system boots normally, I can use web configuration, etc.

    But if I power off and change the memory size to 2GB, it gives the error above, and the menus are all unusable. The only option that works is 8 - Shell. Going back to 256MB allows me to boot again.

    Screenshots here

    Interestingly, using 2.5.0-DEV branch (built Jul 24 21:30:13 EDT 2019) doesn't present the same problems. I can change the memory size back without any problems.

  • Would pfSense have any effect on my LAN traffic?

    0 Votes
    6 Posts
    559 Views
    KOM

    It's definitely not pfSense. Your devices talk directly to each other on the same network, as John already mentioned. pfSense doesn't even see the traffic unless it needs to be routed to a different network, e.g. the Internet, or a VLAN or another interface (OPT1, OPT2 etc). Your clients know their local network based on its subnet mask, and will send any traffic for outside their network to your gateway (pfSense), which forwards it out and returns the replies back to you.

  • Netgear 4G modem on WAN port - weird IP address and no internet

    0 Votes
    13 Posts
    4k Views

    I know this is an old post,
    I had this issue a few days ago when I registered my APN setting in the Netgear modem with "three.co.uk" and then when changing it to "3internet" this gave me a public IP.

    I just need to sort out what it will not renew when the lease is up seems to be sticky :)

    Hope this works for you if you're with Three, basically it seems like
    Phones >> three.co.uk
    Modem's / routers >> 3internet

    Cheers

    Rich

  • Need help please

    0 Votes
    3 Posts
    606 Views
    johnpoz

    Let's take a look at it another way... Why are you using ospf in such a setup? As just a learning experience?

    I find it unlikely you're adding all kinds of new networks behind this downstream router.. The only way pfsense can get to those downstream networks is to esw1 via whatever transit network you have setup between it and pfsense.

    So just create static route(s) to include the networks you have downstream.. No need of routing protocols unless you're trying to use it for dynamic path selection, or when downstream networks might pop up that fall outside normal space... But since I have to assume all the networks downstream of pfsense would fall in rfc1918 space - you could just route all of it to esw1.

  • Can access web server externally, but not from LANs.

    0 Votes
    28 Posts
    3k Views
    johnpoz

    @PITS_King said in Can access web server externally, but not from LANs.:

    Then, on to getting Snort and Suricata back up and running! :-)

    So you have your internal working... I sure wouldn't start playing with those until you do, and you sure and the F do not need both.

  • Static IP Block & CenturyLink Fiber w. PPPoE

    0 Votes
    6 Posts
    1k Views
    stephenw10

    Ha, you could send it to Netgate HQ but someone will probably have drunk it before I get there. 😉

    Glad you got it running.

    Steve

  • Block android apps (netflix, youtube, spotify)

    0 Votes
    4 Posts
    2k Views
    Gertjan

    @erdosain9 said in Block android apps (netflix, youtube, spotify):

    it does not block applications.

    This somewhat proves that "apps" do not use the web server of the same resource.
    Ports and IP addresses are probably different.

    Two solutions :
    Reverse-engineer the app to find the IP and port info.
    or
    "Wireshark" the traffic generated by the app. IP and port info will show up.

  • Ways to manage devices on network

    0 Votes
    30 Posts
    3k Views
    Derelict

    @cheapie408 said in Ways to manage devices on network:

    IE: All networking related stuff IE, Switches, Routers, AP etc... would be between 1 to 10, all IOT devices would be 11-40, IP Cameras would have its own range.

    Makes more sense to do that in CIDRs not decimal ranges.

  • One device not able to get online

    0 Votes
    2 Posts
    342 Views

    NVM discovered the issue was with Squid. 2nd time since the installation of Squid. I have to disable the services, make sure the device gets online then re-enable it and it seems to work thereafter.

  • Confused about ISP setup

    0 Votes
    11 Posts
    2k Views

    @Derelict said in Confused about ISP setup:

    You could also bind the OpenVPN server to localhost and forward the ip_address:1194 to 127.0.0.1:1194. In your situation that is probably what I would do.

    Doh! I don't know why I didn't think of this.. it sounds perfect! I'll give that a shot tomorrow....

  • Release of aarch64 images for espressobin v7 board

    0 Votes
    2 Posts
    911 Views

    @mveplus said in Release of aarch64 images for espressobin v7 board:

    First product equipped with Microchip® CryptoAuthentication Device which provides assurance your system is running authentic, unaltered pfSense software

    Does it mean that Netgate SG-1100 hardware based on Espressobin v7 has an additional built-in hardware signature chip?
    Quick skim of the V7 schematics does not reveal any Microchip authentication processor. Would that prevent installing ARM recovery image to a vanilla board?

    Best regards,
    Martin

    My testing says yes, that chip prevents all kinds of things from working. The recovery USB fails with "no valid serial" and "no Thoth module found". Upon getting pfSense to boot on my Espressobin via microSD going a different route, I have also found that it cannot check for updates which I also believe is based on having a working CryptoAuthentication device.

    Would be great to see a community edition but they sure put in a lot of effort to prevent vanilla Espressobin devices from working. I don't mind buying the devices from Netgate, I just hope they don't EOL as quickly as some of their previous ARM offerings. I would imagine the espressobin will still be for sale long after Netgate stops selling a product based on it. Maybe that's when we'll see a community version.

    EDIT: Yes, there really is an extra chip inside. My SG-1100 has a cool little board soldered to GPIO.

  • Intermittent Connection Issues

    0 Votes
    3 Posts
    473 Views
    stephenw10

    Check this: https://docs.netgate.com/pfsense/en/latest/routing/unable-to-access-some-websites.html

    But I would check MTU or bad subnet/mask first.

    Steve

  • 0 Votes
    6 Posts
    993 Views
    bthoven

    Thank you everyone.
    So both the fixed ip set on device and those set on pfsense must not be in the dhcp pool. I will have to change some of my fixed ips.

    I will definitely install pfBlockerNG.

  • How to make pfsense to work with AD users?

    0 Votes
    2 Posts
    302 Views
    stephenw10

    If you're using firewall rules based on url aliases and the firewall is using different DNS to the clients they may be resolving differently and therefore not applying.
    If those URLs resolve to many URLs such as, for example, google.com they will likely never be effective as the IPs change frequently.

    Steve

  • Beginner's Question coming from Mikrotik

    0 Votes
    2 Posts
    369 Views
    stephenw10

    You can lagg the two SFP ports and connect them to your switch. That will give you some redundancy but won't improve the speed since they are each 10Gb anyway.
    Using the SFP ports connected to an external switch does make it easier if you want to bring in a number of VLANs for example. You would have to tag those through the internal switch otherwise.

    You can use outbound NAT rules and port forwards for individual IPs in the DMZ if you wish. Or 1:1 NAT rules to achieve the same.
    If the /29 is routed to you via another IP you could just use it on the DMZ interface directly. You do lose an IP as the interface address though if you do that.

    Steve

  • Asymmetric Routing symptoms with only one WAN link

    0 Votes
    2 Posts
    259 Views
    stephenw10

    So what is the actual problem here? You are unable to browse the web from clients behind the firewall?

    That blocked TCP:SA traffic looks like a coincidence to me if it's always from the same remote IP. It's something in particular triggering that.

    Do you have outbound NAT set to automatic still?

    Check the routing table in Diag > Routes, do you have a default route?

    How are you getting a WAN IP? DHCP from your ISP? Is it pulling a valid IP and gateway? I would assume it is since you can ping out correctly.

    Check you can open TCP connections? Go to Diag > Port Test. Try to open port 443 to netgate.com.

    When you try to open a webpage from a client what actual error do you see?

    Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.