• Gateway monitoring

    0 Votes
    7 Posts
    1k Views
    K

    @stephenw10

    Thanks for the reply. That completely makes sense. I'll experiment on upload traffic shaping to see if this solves my issue.

  • Internal routing of Vlans

    0 Votes
    15 Posts
    2k Views
    G

    @ak-0 said in Internal routing of Vlans:

    @Derelict
    Vlans are created under physical Lan interface ig0 and parent interface for these Vlans is ig0.

    Actually what I want to achieve is if traffic from Vlans goes out first it should reach
    Vlan gateway>>Lan gateway>> Wan port and should not do Vlan>>Wan port.
    Tracert should be
    1.Vlan IP (192.168.100.1)
    2.Lan IP (192.168.10.1)
    3.Gateway IP (1.2.3.4)
    instead of
    1.Vlan IP (192.168.100.1)
    2.Gateway IP (1.2.3.4)
    I'm trying to double NAT for Vlans, first NAT should be internal and then gateway.

    @tim-mcmanus : If we simply capture the packet and on inspection it can show the source device and then the route the packet came from. So, someone with that much information and hacking knowledge can easily walk into your network. Also, can send packet with header upside down to hit the server behind pfsense firewall, located on VLAN.

    I've worked in environments that required double NATs, and I would suggest avoiding it at all costs. The only real reason to do this is IP overlap between networks. Security through obscurity is not something to rely on, and even if they knew your internal IP was 192.168.1.20, they can't do anything with it from the outside.

  • 0 Votes
    8 Posts
    906 Views
    stephenw10

    You are using a wireless router as an access point so this should still work if it is still routing (and NATing).

    But it would be much better to configure it as an access point only and put everything in the same subnet.

    https://docs.netgate.com/pfsense/en/latest/wireless/use-an-existing-wireless-router-with-pfsense.html

    Steve

  • Unable to Check For Updates

    Locked
    0 Votes
    84 Posts
    74k Views
    tittan

    Just go to console menu and "update from console" (option 13). After that wait for reboot and your system is updated and normal again.

  • L2TP VPN won't connect on new Windows 10

    0 Votes
    2 Posts
    2k Views
    Rico

    Can you show screenshots?
    Normally you just open the properties of your VPN connection, security tab and set 'Type of VPN' to L2TP.

    Also check
    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/l2tp-ipsec.html
    and
    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/l2tp-ipsec.html#troubleshooting

    -Rico

  • LOG

    0 Votes
    4 Posts
    488 Views
    S

    @grimson RDP is open just for 1 IP... this should be a way to monitor the blocked sessions.

  • Looking for information for college project.

    0 Votes
    10 Posts
    814 Views
    B

    I have installed three official Netgate pfSense boxes at three different small businesses (2 restaurants and manufacturing plant), including one at my home.

  • Web gui slow - rest of system doing OK

    0 Votes
    4 Posts
    490 Views
    T

    @averyfreeman said in Web gui slow - rest of system doing OK:

    DNS appears to be working fine...

    Pretty hard to monitor or adjust settings without web gui

    What about console access? What happens when you run top?

  • Installing VIM on pfSense ¿Should I?

    0 Votes
    17 Posts
    12k Views
    JKnott

    @mohammad-0 said in Installing VIM on pfSense ¿Should I?:

    Long story short, to install regular vim just do...

    Tnx.

    I've used vim for many years and much prefer it to the vi included with pfSense.

  • Amazon Echo no longer working

    0 Votes
    11 Posts
    4k Views
    Xentrk

    @gertjan

    I don't see any traffic from the Amazon Echo when using Wireshark (this is very strange) with one caveat. It was in a failure mode. I fired up Wireshark to start debugging. I first filtered on the source IP address (ip.src == 192.168.1.162). I saw some records from the Amazon Echo that it is using MDNS protocol. A web search led me to these resources:

    https://docs.netgate.com/pfsense/en/latest/packages/avahi-package.html
    https://www.lawrencesystems.com/pfsense-and-rules-for-iot-devices-with-mdns/

    Avahi is a system which facilitates service discovery on a local network. This means that a laptop or computer may be connected into a network and instantly be able to view other people to chat with, find printers to print to or find files being shared.

    I installed Avahi and placed the Echo back in the VPN tunnel. Later on in the day, it stopped working again about 12 hours later. The Echo only appears to work consistently when assigned to the WAN iface. This morning, I assigned the Amazon Echo back to the VPN iface and will monitor some more. Based on my last experiment, I expect it to fail sometime within the next 12 hours.

  • host that virtualbox vm pfsense is running on drops connections

    0 Votes
    1 Posts
    119 Views
    No one has replied
  • pfSense not responding to any ports

    0 Votes
    13 Posts
    1k Views
    T

    @kom said in pfSense not responding to any ports:

    I don't have the time to dig deep into this and I'm not really an IPSec guy, but my first random guess would be asynchronous routing.

    yeah I've had some trouble with packets going back and forth via different routes due to the complex routing config here... which is why I had to mess with some of the sloppy state firewall rules. However, those were all caught by the firewall and logged. The puzzler here is nothing is showing in the firewall logs this time.. so I don't even know where to start to try and fix it.

    The part I can't figure out is why there is no response caught by tcpdump. Even if the packet is lost in routing, shouldn't there still be an outbound packet? Also.. one-way connections work both ways which is also odd. Argh.. what a headscratcher.

  • Remote Syslog Not Able to be Parsed

    0 Votes
    1 Posts
    100 Views
    No one has replied
  • syncing disk, buffer remaining...

    0 Votes
    2 Posts
    502 Views
    jimp

    That is likely either a filesystem issue or an issue with the disk itself.

    First thing to do is boot it into single user mode and run fsck -y / a few times until it doesn't find any problems or fix any problems.

    If that is all clean and the problem persists, try running a SMART test on the disk to see if anything turns up.

  • Becoming a Public Pfsense mirror.

    0 Votes
    3 Posts
    344 Views
    jimp

    There are not currently any plans to take on mirrors from third parties.

  • LTSP - Pfsense - (clients LTSP UP but not connect Internet)

    0 Votes
    9 Posts
    1k Views
    doguibnu

    Hello Steve
    The Pfsense does not have DHCP server
    There are many PC navigate on the same subnet. All with static IP (10.1.1.x)
    So, I have one PC to be LTSP server inside the same subnet.
    The dnsmasq do it a DHCP server for LTSP clients. In this way that I have no ability to fix the communication through Ltsp server/client/PFsense to out internet or have ping answer.

    Thank you

    Douglas

    @stephenw10 said in LTSP - Pfsense - (clients LTSP UP but not connect Internet):

    You should be able to ping 8.8.8.8 without DNS.

    Check the routing table on the client run netstat -rn.

    The only other explanation is that the rules you have in pfSense are somehow passing only traffic from the server and not the clients. But the default allow rules on LAN would apply to all traffic from that subnet.

    Steve

  • Filter System Logs

    0 Votes
    10 Posts
    893 Views
    C

    Thanks for the insight Steve, this information you provided me saved me lots of time. Appreciate it, the previous guy had put a SYSlog server into place, but the license had expired so I lost out on that end as well lol. Still no word from the data center.

    Chris

  • (Automatic) generation of large numbers of certificates

    0 Votes
    4 Posts
    457 Views
    johnpoz

    This is a 2 year old thread, with no details when first asked.

    I would suggest you start your own thread with details of "exactly" what you're doing... Large number of certs means what 10, 100, 20,000? For example of a bad way to ask a question.

  • Troubleshooting pfSense as a NTP Server (Resolved)

    2 Votes
    1 Posts
    163 Views
    No one has replied
  • pfSense and https proxy. Root certificate need to be installed...

    0 Votes
    1 Posts
    179 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.