General pfSense Questions

• 

  No log entries for external ping in 2.4.4-RELEASE-p1 ?
  • chudak

  7
  0
  Votes
  7
  Posts
  126
  Views

  

  @kom kill me!
• M

  Firewall + Summary view - i need help to understand the "cake"
  • MOdesty

  5
  0
  Votes
  5
  Posts
  115
  Views

  

  Windows boxes out of the box are going to be Noisy little bastards.. And even if your not using IPv6 are going to put a lot of NOISE on the network via ipv6 You have a few options Just ignore it and live with the log spam Set firewall not to log the noise Configure your client boxes to not send out so much ipv6 noise when your not using ipv6 - with windows easy way is to just disable it.. Take a look here for what option best suites your needs. https://support.microsoft.com/en-us/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users
• O

  LDAP on CLI Console
  • Ozy311

  2
  0
  Votes
  2
  Posts
  83
  Views

  O

  Yes, we do that here. There is some manual work to be done, but see https://github.com/opoplawski/ansible-pfsense/tree/master/roles/pfsense_setup for basically how we do it. I think I still need to figure out how to start nslcd automatically after reboot. /etc/rc.conf.local I thought used to do it, but perhaps not anymore with 2.4.4.
• M

  Connecting it to my already configured network
  dns dhcp captive portal • • mark7807

  1
  0
  Votes
  1
  Posts
  78
  Views

  No one has replied

• 

  auth and unauth squid proxy in parallel
  • adamw

  2
  0
  Votes
  2
  Posts
  56
  Views

  

  No Not ideally, maybe if you have an ACME/LE trusted cert but even then I would not recommend treating your firewall as a general purpose web server.
• C

  Failing cloudsense fragmented packets test
  • chrcoluk

  15
  0
  Votes
  15
  Posts
  122
  Views

  C

  Ok it is fixed on the DC instance now. I simply enabled scrub again and it works. How strange is that? Considering scrub messes with fragmented packets. So with scrub disabled the frag test fails, are you able to test that? Same fix works on LAN as well. Ok glad the cause is found, it is odd, but good nevertherless. thanks :)
• U

  Connect 2 wan 1 from 1 nic
  pfsense • • uzairali001

  5
  0
  Votes
  5
  Posts
  97
  Views

  U

  @grimson Thanks, I do read manual but in this case I don't know where to start so I asked question here and yes I only have 1 physical line (at-least for now), I will add quad gigabit ethernet nic to my PC next month.
• D

  DNS resolver: SRV record for _vlmcs._tcp
  • dcnieho

  6
  0
  Votes
  6
  Posts
  141
  Views

  

  @dcnieho said in DNS resolver: SRV record for _vlmcs._tcp: I tried adding the A record, but some reading told me i need an IP address on the right side, not a FQDN. OK, then you use a CNAME record instead of an A record. A CNAME is an alias to an existing FQDN. A records point to an IP address. I wonder what is the problem i really solved here? You need to ask the right server to get correct information. Can i instead configure the DNS resolver to rewrite _VLMCS._TCP.DigiClassroom in any query to _VLMCS._TCP.hiddenschooldomain? Bind might have some funky voodoo handler for something like this but I don't think Unbound does. You can add host overrides so that you can give a specific custom response to the lookup of a particular host. You can add a domain override so that any queries about *.hiddenschooldomain get forwarded to another DNS to respond to.
• S

  pfsense- rebranding
  • suneerkadooran

  4
  0
  Votes
  4
  Posts
  138
  Views

  S

  The only way is to download the source code, edit the references to pfSense and recompile. You may then use and support the product using the name of your choice.
• J

  PFSense Shell Command Line
  • jemu

  2
  0
  Votes
  2
  Posts
  220
  Views

  

  No. The pfSense shell : pfSense - Netgate Device ID: 20cc46dfabc85c78e087 *** Welcome to pfSense 2.4.4-RELEASE-p1 (amd64) on pfsense *** 0) Logout (SSH only) 9) pfTop 1) Assign Interfaces 10) Filter Logs 2) Set interface(s) IP address 11) Restart webConfigurator 3) Reset webConfigurator password 12) PHP shell + pfSense tools 4) Reset to factory defaults 13) Update from console 5) Reboot system 14) Disable Secure Shell (sshd) 6) Halt system 15) Restore recent configuration 7) Ping host 16) Restart PHP-FPM 8) Shell Option 8 - is a classic shell. Cisco uses IOS commands, pfSense has a GUI. With the Cisco GUI (if it has one) you couldn't do all the things you can do with the IOS commands. pfSense : the other way around. "Option 8" exists to see the OS file system and to interact with, start some basic or complex "FreeBSD" commands and yes, there are even some less known (and rarely used) made-by-pfSense scripts files. You cant' manage pfSense purely from the command line. See also threads like https://forum.netgate.com/topic/125603/cisco-vs-pfsense/9 (and Google can tell you more, as usual)
• K

  VIMAGE on pfsense
  • kraduk

  1
  0
  Votes
  1
  Posts
  46
  Views

  No one has replied

• F

  online LDAP server problem
  • fayRofa

  4
  0
  Votes
  4
  Posts
  81
  Views

  F

  @mr-newbie thanks for your reply i'm trying to setup user management/privilege in which our users can login with their LDAP credentiel(username and pasword),i want to know why on "system usermanager>settings>test " all are ok but via Diag>authentication,autnetication failed,please can you test "ldap.forumsys.com" or do you know any online ldap server for test on it?(you can see my ldap server config attached) thanks
• S

  Sheduled Reboot
  • snaker

  7
  0
  Votes
  7
  Posts
  4259
  Views

  

  /etc/rc.reboot like he said. Locking this ancient thread.
• Z

  Boot halts on #
  • zoqask

  7
  0
  Votes
  7
  Posts
  99
  Views

  

  fsck requires read-only mode because it operates on the filesystem metadata directly. A read-write filesystem could change in the middle of a fsck operation and break it worse.
• G

  How do I find this device?
  • gregeeh

  10
  0
  Votes
  10
  Posts
  222
  Views

  G

  @bmeeks said in How do I find this device?: @gregeeh if you do not want this traffic filling up your logs, create a rule near the top on your LAN interface that has any as the source, UDP as the protocol, ff02::1 as the destination address and 10001 as the destination port. Set the rule to drop but not log. Right now that traffic is hitting the firewall's default deny rule and that rule is logging the dropped packet. By inserting your own rule up higher in the chain, the packet is "handled" by your rules and thus never gets to the default deny rule (which is at the bottom of the rule chain). Most helpful. Thank you.
• S

  Share WAN connection
  • seb.r

  14
  0
  Votes
  14
  Posts
  278
  Views

  S

  @johnpoz said in Share WAN connection: You do understand the pfsense can be a sip proxy right.. Good point. I have installed siproxd, set outbound to WAN and inbound to LAN2. Everything else was left default. After reloading states FB6490 can register to the SIP registrar on FB6490(UM) BUT at the same time now FB7390 cannot register anymore to FB6490(UM). What does this mean? @chpalmer said in Share WAN connection: His cable company is his phone company from what Im getting.. You got it right. And because the device is the property of the provider and also configured by the provider I am very limited.
• K

  Traffic Graph does not show IP's...
  • Kartoff

  7
  0
  Votes
  7
  Posts
  125
  Views

  

  Hmmm, no idea. On my traffic graph, the grid lines pop in & out, and throb like they're dancing to the beat but nobody else has this problem except me.
• D

  SSO PFSENSE ?
  • dariendubiera

  1
  0
  Votes
  1
  Posts
  64
  Views

  No one has replied

• H

  Sudden drop in throughput (900/900 on modem vs 30/100 on pfSense)
  • HighMans

  15
  0
  Votes
  15
  Posts
  201
  Views

  X

  ATT offers 2 other shi, i mean amazing boxes, im on the phone with them now getting one sent out.
• K

  Solved: SNORT[#####] grock'd
  • kozokeith

  1
  0
  Votes
  1
  Posts
  58
  Views

  No one has replied

• 

  Posting to a forum issue
  • Pippin

  15
  0
  Votes
  15
  Posts
  281
  Views

  

  Made a capture on OPT1, if someone is willing to take a look at it. Thanks. 0_1544569894586_opt1withvpn.pcap
• L

  Security implications of installing netdata (or other monitoring tools)
  • lightningbit

  3
  0
  Votes
  3
  Posts
  92
  Views

  L

  As far as I can see, it seems to be self contained : https://docs.netdata.cloud/installer/#pfsense extract : Note first three packages are downloaded from the pfSense repository for maintaining compatibility with pfSense, Netdata is downloaded from the FreeBSD repository. pkg install pkgconf pkg install bash pkg install e2fsprogs-libuuid pkg add http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/netdata-1.11.0.txz the netdata package does not seem to add extra dependencies unless I'm looking wrong but something like netdata (also like ntopng) is designed to run 24/7 I'm running it on a test pfsense in an isolated network, for now the test setup seems to run
• R

  General Config Question
  • rollin1

  4
  0
  Votes
  4
  Posts
  87
  Views

  R

  Thanks for the help. I just added the LAN nic to the same local network to get things configured.
• S

  Problem loading netdata
  • SteveLambert

  3
  0
  Votes
  3
  Posts
  169
  Views

  L

  @stevelambert Try to change the binding in usr/local/etc/netdata/netdata.conf change bind to = 127.0.0.1 to bind to = * restart netdata : service netdata stop service netdata onestart
• S

  [SOLVED] Suddenly no internet connection for clients
  • sensori

  5
  0
  Votes
  5
  Posts
  130
  Views

  

  Ah, that can do it if there are unpopulated tables in the ruleset. pf cannot load and hence there is no NAT. Steve
• M

  kernel: arpresolve: can't allocate llinfo (on interface with BGP instance)
  • mohsh86

  4
  0
  Votes
  4
  Posts
  86
  Views

  

  Ok well if it comes back I'd check the other interfaces to see if it's ARPing there. It's not doing so there if you were pcapping on the actual interface in question. Also make sure you have all the hardware offloading options disabled. Steve
• R

  unable to install packages in pfsense
  • Riya_94

  3
  0
  Votes
  3
  Posts
  86
  Views

  

  Updating to latest : See forum "Installation and Upgrades" , you'll find examples how to proceed. If the GUI is ko, access the console. Option 13. See also https://www.netgate.com/blog/pfsense-2-4-4-release-p1-now-available.html and the very important https://www.netgate.com/blog/pfsense-2-4-4-release-now-available.html
• M

  Config BUG: Using Ramdiskconfig... make proxy config unskipable.
  • megs

  2
  0
  Votes
  2
  Posts
  42
  Views

  M

  partial resolving: reapply another time changes ( saving) to records modifications... it should work at the second time. It was a WebGui config interpreter bug. ( maybe because by defaut the first field active is the proxy support one, and may the active field is tested as changed by this way and need to be valid to be registered. And so all modifications on misc options recall us "the password of support proxy info do not match..."
• T

  Complex Routing Question
  • TheQuank

  10
  0
  Votes
  10
  Posts
  282
  Views

  

  Nice. I expected that to work but I could also easily imagine something unexpected getting in the way. Steve
• N

  Someone is trying to hack in my mail server what can I do?
  • nambi

  7
  0
  Votes
  7
  Posts
  286
  Views

  T

  I take it the "3 emails a day" are being sent by your mail server software to alert you? If it is from random senders I would consider those phishing emails. Any mail server with ports open to the Internet is going to see a lot of attack attempts. If you have a lockout after 5 incorrect passwords they will likely give up and move on. Suricata or Snort can try to block those attempts, yes. They can be set up so if an alert is triggered the IP is blocked for the desired amount of time. Generally for in-office mail servers, we set our clients up with our spam filtering service, and in pfSense only allow connections on port 25 from the filtering service IPs. So the world cannot just connect to the mail server.
• F

  Issues with High Latency on PPPOE Reconnect
  • Flole

  52
  0
  Votes
  52
  Posts
  1171
  Views

  F

  I somehow had something wrong with the Interfaces that caused it to crash, reconnecting WAN and PPPOE fixed it. I will try with the problematic onboard NIC later, the new NIC which is a em3@pci0:2:0:0: class=0x020000 card=0x10838086 chip=0x10b98086 rev=0x06 hdr=0x00 vendor = 'Intel Corporation' device = '82572EI Gigabit Ethernet Controller (Copper)' class = network subclass = ethernet works perfectly fine aswell.
• 

  2.4.4-p1 increased memory buffer
  • imcdona

  2
  0
  Votes
  2
  Posts
  171
  Views

  

  I'm aware of anything specifically that changed that would cause that but it could be any number of things. You might check the ps -aux output for a single process using that. Steve
• P

  No web configurator if wan unplugged
  • paoloest

  2
  0
  Votes
  2
  Posts
  92
  Views

  

  That should not happen but there can be significant delay opening the dashboard if there is no upstream connectivity. Check the system logs for errors at that point once you are able to get connected again. Steve
• T

  New latency every 30 seconds with 2.4.2 caused by radvd 2.17_3
  • tcsac

  17
  0
  Votes
  17
  Posts
  1060
  Views

  A

  sorry for the delay. LACP is not in use - its a rather simple one WAN, two LAN out configuration with a couple VLANs in play. Minimal changes have been made to the defaults.
• E

  Access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or direct
  • eco

  8
  0
  Votes
  8
  Posts
  1610
  Views

  

  This was definitely a problem in 2.4.4, I hit that on a few systems, no default gateway set or a bad default. But it should have been OK on 2.4.3 and should be fixed in 2.4.4p1. Steve
• E

  Kibana+Elasticsearch+Logstash [ELK] v6.3.0 pfSense v2.4.3p1 and Suricata using docker-compose | docker for windows
  • evaluationcopy

  6
  1
  Votes
  6
  Posts
  824
  Views

  K

  @evaluationcopy Hi - I have been trying for probably 10 or 12 hours to research and parse the pfsense sylog with snort data. I cannot get it to parse. Based on your sense, it sounds like you have already concluded that snort in particular this - snort[12345] is not parsable in logstash? If you know of a way, id really like to know! Thanks
• M

  FTP Helper on the LAN interface
  • mikee

  22
  0
  Votes
  22
  Posts
  281
  Views

  

  The bottom line is if you need Active FTP clients behind a firewall and the services provided by the FTP_Client_Proxy service are not a good fit, pfSense is not for you. The availability of certificates has nothing to do with the fact that when a client requests a file, it tells the server where to connect to and that reverse server-to-client connection has to be opened on the client side firewall. Or firewall(s) in your case. SSH has been around for 20+ years. SFTP for 15+. They still insist on using FTP.
• J

  Console access
  • joelt

  4
  0
  Votes
  4
  Posts
  123
  Views

  

  @joelt said in Console access: Cisco 2901 That's what you're using as a console server? That has USB ports does it recognise the 8860 console port? It also had usb console exactly like the 8860, though it probably uses a different usb/serial IC. Steve
• R

  pfSense API?
  • rsaanon

  2
  0
  Votes
  2
  Posts
  84
  Views

  

  Hi, The question is known . Check pfsense API. Not something for tomorrow, it's a huge job, and needs an entire GUI internal rewrite (like the GUI will be using also the API to handle ALL settings). HP code and passes in the arguments? A huge hassle I guess. A local scripts that read the concerned VPN section in the config file, changes, sets the Disable flag for one VPN server, and resets (removes) the same flag for another server. The write back your changes. Then a "reload_filters". Maybe you should stop the VPN server first - do what I said above, and start VPN.
• B

  Signing CSR's - valid Digest Algorithm Issue
  • bberry

  8
  0
  Votes
  8
  Posts
  147
  Views

  B

  Thanks @jimp for looking into this, I am happy to hear that there was actually an issue here and that you were able to resolve the issue so swiftly. I look forward to applying the fix when made available.