Thanks Rico !

/ br. Pete

That's what I was thinking. I wasn't sure if there was any kind of exotic configs that might work just as well. I now need a POE+ switch so I might be upgrading the 3750 at some point. I think Cisco changed their licensing model on the 3850s and the cat9k making it harder to deal with as a home user. I like Cisco but it is expensive for home use. I really do like L3 multicast though, so that helps justify it.

For the scenario of connecting directly to pfsense router instead of the switch, I think I will be able to figure this out based on this video: https://www.youtube.com/watch?time_continue=249&v=XdzfgapJYqw

Will do testing and report if any issues arise!

@jimp said in User Manager Access:

b9ed452dbba4689e6280efa7f503e30809a3d8e4

Updated mine to fix this issue, really appreciate that you posted this!!

Oh.. My bad, apologies. Thank you for such a quick reply!

Traffic from one PC to another with both in the same subnet does not hit your Firewall/Gateway, so there is no traffic to show for pfSense.

-Rico

I'm a bit confused though my original ip was a /24 and now my new Ip's are /30 I hope this doesn't pose an issue.

That's not really a pfSense issue, it's between you and your ISP.

You use the extra IPs to create virtual IPs for pfSense. Then you can create port forwards that route traffic from the virtual IP to the LAN host.

For example, I have a block of 14 usable addresses, and I have a VIP - IP Alias for each one. When creating you port forward, you select the VIP as the Destination.

Yup, for reference it's a known bug and has been fixed see this post:
https://forum.netgate.com/topic/143621/user-manager-access/2

https://redmine.pfsense.org/issues/9541

Steve

If there's no output at all on the serial port the hardware is dead. You should always see something from Coreboot even if there's no media present.

The only possible exception to that is if you've disabled the serial port in Coreboot. In which case you can reset the Coreboot values to default by powering up with the reset button pressed:
https://pcengines.ch/howto.htm#serialconsole

However it's much more likely your terminal setup not correct. Try 38400baud or 9600.

Steve

That is exactly the issue. It's funny you mentioned this as I was just in the process of opening up another browser and I saw this reply come in.

It worked. For anyone else that may experience this issue, do as @Rico mentioned. It works.

Cheers Rico.

Solved!!

The problem is in the script "check_proxy_wpad.sh". His must edit, like so:

#!/bin/sh status=$(/bin/ps -wx | /usr/bin/grep 'nginx-wpad.conf' | sed -e '/grep/d') if [ "$status" == "" ];then /usr/local/sbin/nginx -c /usr/local/etc/nginx/nginx-wpad.conf else exit 0 fi

You might run rehash after loading those so the command become available directly.

Steve

If you assign things in a different order to start with, then the labels on the system won't align properly. But again, that does not matter in the long run. Use your own names and it won't be an issue.

You haven't shown the full interface assignment list, so it's impossible to say what led to that situation.

Either way -- Ignore the OPTx names and set your own custom names. The labels only reflect what is assigned out of the box in a default configuration. They do not have to be set that way, and typically will not match once a customer starts customizing their system.

Also:
https://www.freebsd.org/cgi/man.cgi?query=rate&apropos=0&sektion=1&manpath=FreeBSD+11.2-RELEASE+and+Ports&arch=default&format=html

It could well be related to the Traffic Graphs page where it shows flow info for IPs on that interface also.
You might try using the traffic graphs widget instead which does not display that.

Steve

It's actually been stable for the last week. I'm glad you mentioned that mine is a Netgear switch too so if it happens again I'll take care on that.

Thanks all.

Hmm, Ok. So it sounds like the APs are in fact behind pfSense. Traffic from clients on wifi goes through pfSense and out on one of the new high speed WAN connections you have and not through the Cisco firewall.

If doesn't really matter what path the authentication takes the captive portal doesn't manage that it manages traffic from the clients to the internet. It should be on whatever internal interface the APs are connected to. You will have to add pass rules to allow the APs to reach the cloud controller though.

It also sounds like you don't want authentication on the APs at all. Clients have to login at the captive portal anyway.

It does look like the Meraki APs support radius accounting so you could probably do limited connection time per user there directly but if you need to set bandwidth limits per user or use total data limits I think you would need to use a captive portal.

This is not something that we often see though.

Steve

Second version of the monitoring script. Now all static routes from config.xml are pushed to an array for main gateway, no script editing is needed except you have to set correct main and backup gateway names before the first run.

gateway_monitor_v2.txt

What latency do clients see to the file stores?

smb is notoriously terrible over high latency links. What speeds do they see if they try pulling files in some other way? SCP for example?

I would still try enabling mss clamping in IPSec as a test.

Steve

d5cc103f-5982-42b6-adb5-eeb94b28c82c-image.png

That's the Forwarder.
As the image stated, it's deactivated.

The Resolver ?

@tman222 - My apologies...I should have mentioned that if I did use Verizon's router, I was going to administrate/login to it and disable DHCP, etc. I just wasn't going to plug it in cold to the pfSense interface I would configure for it.