• Management Pfsense from centralized location.

    0 Votes
    4 Posts
    2k Views
    Grimson

    https://www.netgate.com/products/tnsr/

  • PFSense DHCP server not issuing IP on OPT interface

    0 Votes
    6 Posts
    2k Views
    C

    @stephenw10 Good to know! That has already been taken care of in this instance by accident, but it's good to know for the future! Much appreciated :)

  • enc0?

    0 Votes
    4 Posts
    3k Views
    K

    @jknott
    The PFsense kernel is compiled with option "device ENC", so you can see this interface even if you don't use IPSEC. In this case, it is in the state "down".

  • Issues setting up transparent firewall

    0 Votes
    2 Posts
    206 Views
    stephenw10

    Is the ERL also routing and NAT'ing?

    If the AT&T routing has a 192.168.2.X subnet on its LAN then it is not in bridge/modem mode. The subnet between the AT&T LAN and the ERL WAN and everything on it, including pfSense, will be 192.168.2.X.

    So probably you need to set the bridge interface to the .2.X subnet. Then you will be able to add the AT&T router as a gateway.

    A diagram might help a lot here.

    Steve

  • TINC

    0 Votes
    6 Posts
    875 Views
    H

    @coreybrett said in TINC:

    Unfortunately I can't find any documentation for the package. I've played with it a bit, but haven't had much luck.

    Yes, THAT is the "problem"

    and there are a few "quirks" that are not "true" to the way tinc actually operates, like the forcing of an address in the host configuration, even though it's a host that is not going to be connected to and would be a dynamic IP host.

  • Time Incorrect

    0 Votes
    4 Posts
    565 Views
    nfld_republic

    Okay... Corrected itself. (smacks forehead...)

  • Download previous versions

    0 Votes
    5 Posts
    3k Views
    johnpoz

    Because netgate/pfsense no longer provide unsupported versions for download for security reasons.
    https://forum.netgate.com/post/788629

    There would be zero reasons to run those OLD unsupported versions that do not have current security issues corrected, etc.

  • Crash when removing IPv6 over IPv4 Tunneling

    0 Votes
    9 Posts
    531 Views
    H

    Thanks for the help, Steve.

    I can't get this working properly. Tried with this NAT rule:
    0_1550324449733_Capture.PNG

    The secondary gateway (IP 10.10.10.1) doesn't seem to be able to communicate through the GIF tunnel.

    Also tried with the option discussed above (with patches), no more luck. No byte is going through the tunnel.

    0_1550324584001_Capture2.PNG

    Any idea of what's going on ?

  • monitoring graph for multiple IP WAN

    0 Votes
    4 Posts
    310 Views
    stephenw10

    If you want to use Netflows to view that then you need a netflow collector to export the data to.

    If you only need an instantaneous reading you could use something like wireshark that can graph traffic from a packet capture.

    https://docs.netgate.com/pfsense/en/latest/monitoring/monitoring-bandwidth-usage.html

    Steve

  • How to access internal network using my own domain? (Please read)

    0 Votes
    5 Posts
    532 Views
    johnpoz

    You don't need proxy+nat if you're using host override. You don't need any nat reflection!

  • 0 Votes
    4 Posts
    358 Views
    stephenw10

    Yes, it was added in the change set referenced there.

  • How to hide ipv6 entries in firewall logs?

    0 Votes
    33 Posts
    7k Views
    Rango

    @stephenw10 Now I get it. I just enabled ipv6 in networking and logging in firewall settings and created rules to block ipv6 totally without any logging. Now logs look much better. Those logs are a great learning tool. Thank you kindly ALL for clarification.

  • 0 Votes
    1 Posts
    151 Views
    No one has replied
  • pfsense not responding to pings over IKEv2 Tunnel when doing tracert.

    0 Votes
    2 Posts
    166 Views
    stephenw10

    Are you tracerouting from Windows (ICMP) or Linux/FreeBSD/OSX (udp by default)?

    If you traceroute to something through the VPN that's not the firewall does that succeed?

    Steve

  • Pfsense Multiple Layers

    0 Votes
    3 Posts
    740 Views
    stephenw10

    That should not apply in this situation as 172.16.0.1 is the internal IP of the outer firewall so, presumably, does not have a gateway and hence also wouldn't have those rules.
    It doesn't apply to the inner firewall as that is outbound traffic from a device on the 192.168.9.X subnet which is always allowed.

    I assume you are NATing the outbound traffic in the inner firewall, the default configuration?

    I would run a packet capture first on the WAN interface of the inner firewall. Filter by host IP 172.16.0.1 and try to access the outer firewall from a client on the 192.168.9.X subnet.

    If you see traffic there try the same thing on the outer firewall LAN interface.

    Either the outer firewall is blocking that traffic deliberately or it has some routing problem that means it cannot reply. For example perhaps that traffic is not being NAT'd for some reason so it has no route back to 192.168.9.X. The packet cap should show what's happening.

    Steve

  • Questions about using pfsense to restrict internet content for my kids

    0 Votes
    27 Posts
    5k Views
    A

    @steve973 said in Questions about using pfsense to restrict internet content for my kids:

    @akuma1x The family shield servers.

    Ok, since it's the family shield servers, you can set the kids VLAN to use a DHCP server, and then use the Family Shield DNS servers as the main DNS for that subnet/network. That will lock it up pretty good. That's how I set it at my house, with the kid network.

    Jeff

  • PFSENSE randomly blocking ports....

    0 Votes
    23 Posts
    2k Views
    stephenw10

    Mmm, it's OpenVPN it should just route between the ends like any other subnet.

    The only possible way I could see that doing anything is if you have NAT reflection enabled (on that rule or globally) and the printer is trying to hit port 587 on the public WAN IP.
    In that situation it would be reflected back to the mail server over the tunnel. But that would be a misconfiguration on the printer.

    Steve

  • Issues with RDP over IKEV2 VPN

    0 Votes
    5 Posts
    858 Views
    R

    Well, I have some interesting things happening with my routing that I can't explain. I will have to come up with a diagram to show the design and routes to explain the issue.

  • XG-7100 1U - questions about pfSense functionality and set up

    0 Votes
    9 Posts
    649 Views
    stephenw10

    You can see what can be done in that video hangout at this point:
    https://youtu.be/xm_wEezrWf4?t=935

    If you were set to splice whitelist and bump everything else I would expect any https not in the whitelist to fail unless you have installed the Squid CA on all the clients.

    Steve

  • Traffic Graph does not show IP's...

    0 Votes
    9 Posts
    1k Views
    KOM

    @kartoff Sure, if you can reproduce the problem.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.