• OUI Lookup / Display

    0 Votes
    6 Posts
    2k Views
    arrmo
    OK, I got it working! Here is what I did. Found the needed script, it's at https://svn.nmap.org/!svn/bc/3320/nmap/scripts/make-mac-prefixes.pl. Downloaded the latest file from the IEEE, at http://standards-oui.ieee.org/oui.txt. Ran said script ... :-). It's perl make-mac-prefixes.pl oui.txt nmap-mac-prefixes. And it works - thanks for the help! Would it make sense to include this latest file in pfSense somehow?
  • Publish a CRL

    certificate
    0 Votes
    6 Posts
    1k Views
    C
    I want to set up multiple OpenVPN servers using a common CA, with the ability to revoke users from a central location.
  • Interface mismatch with LTE modem

    0 Votes
    5 Posts
    702 Views
    stephenw10
    An Ethernet connected modem is by far the best way to do this. If the delay is simply in the USB modem booting you can set a longer boot delay in pfSense to allow for that. Maybe use: https://www.netgate.com/docs/pfsense/hardware/boot-troubleshooting.html?highlight=kern%20cam%20boot_delay#booting-from-usb You can also add 'ue' to the list of interfaces to ignore in the mismatch check but that's an ugly workaround. Steve
  • This topic is deleted!

    0 Votes
    3 Posts
    14 Views
  • GUI accessible from public IP

    0 Votes
    3 Posts
    263 Views
    JKnott
    Are you elsewhere when you do that? If you do that from your local LAN, it's normal.
  • I can't do a backup

    0 Votes
    2 Posts
    333 Views
    S
    @swmcl_pf -- I powered off by momentarily pressing the power button and then re-powered. The system says it is doing a backup or re-install in the background. This is the same as before. The process finished and I confirmed the message as read. I then did a backup. I'm not entirely convinced that it was doing anything in the background at the time of my post but I am happy that the backup has been completed. Case closed?
  • SG-1000 throughput slow down

    0 Votes
    35 Posts
    3k Views
    johnpoz
    in the interface options section just change the snaplen to something only a few bytes vs the default of the whole thing.. We really just need to see the headers we don't need all the data to troubleshoot what is going on.
  • How to assign Domain Controller to VLAN Systems

    0 Votes
    61 Posts
    12k Views
    slkamath
    @johnpoz Thank you so much. I will do the changes by monday and let you know. Once again thanks for your time. Lokesh Kamath
  • Wifi MAC authentication

    0 Votes
    10 Posts
    1k Views
    JKnott
    @hiranuk said in Wifi MAC authentication: behind another router. As I said, if there are any routers in between the access points and pfSense, you will never see the original MACs. MAC addresses are only valid on the local link. The Ethernet frames, which carry the IP packet, have the MAC addresses. When those frames reach a router, the IP packet is un-encapsulated and forwarded via a new Ethernet frame and the original frame is discarded. All you'll see at pfSense is the MAC address of the last router the packet passed through.
  • Firewall can't reach internet over second WAN

    0 Votes
    3 Posts
    407 Views
    S
    It was already in Hybrid mode. I duplicated the NAT for WAN to WAN2 but it didn't help.[image: 1539361353333-wan2nat-resized.png] Edit: Clarification
  • Crash Report Explained

    0 Votes
    3 Posts
    551 Views
    T
    Ahh, Thanks for the reply. I'll open it up and see what's going on and probably end up swapping the CPU. Thanks again for the input!
  • Why swap memory is higher than real entered number?

    0 Votes
    13 Posts
    1k Views
    emammadov
    Thank you very much.
  • IPv4 Bogon list not updated since September 24?

    1 Votes
    3 Posts
    317 Views
    R
    Thanks very much. It's looking good now.
  • Push Web Message to users

    0 Votes
    3 Posts
    353 Views
    jimp
    The only way to do what you want is Captive Portal. And that would only be at the start of their login session, not a random time in the middle. Though I suppose you could keep CP off, then enable it to show a message to everyone. Kinda ugly though. Otherwise you get into things like squid and intercepting HTTP/HTTPS and doing MITM on TLS, which is a mess.
  • NST or SecurityOnion for log analysis?

    0 Votes
    10 Posts
    1k Views
    T
    @bxueye4 said in NST or SecurityOnion for log analysis?: @tim-mcmanus said in NST or SecurityOnion for log analysis?: I have used SecurityOnion for excellent results. I set it up as an ESXi VM and then mirrored the traffic from two different WAN ports to it as well as two different physical LANs. Very helpful with pcaps and analysis in near-real time, which is what I was mostly using it for. Easy to download, setup, and start working with. I will use it again if the occasion arises, I still have the VM floating around somewhere... glad to hear it worked well. i plan on mirroring too. the VM installed on its own SSD easy enough and seems ready to go. that's as far as i've gotten, will drill down into it soon. thx Remember to set the VM NIC to promiscuous so you actually see traffic.
  • NAT Configuration doubt!

    0 Votes
    6 Posts
    616 Views
    P
    Hey @Derelict thanks for the video explaining how to configure the HA. The manual that I was looking at is a bit outdated, that is why I was having so many doubts. Now things are way more clear.
  • 0 Votes
    33 Posts
    4k Views
    M
    Just wanted to post an update - while it's only been 4 days since I got the new modem, so far I have not had any more lockups/dropouts even pushing 200GB per day transfer (I've been trying to run frequent speed tests, several pings, plus normal traffic). Also while I have some channels with "corrected" frames on the modem it's only 10 or so at most and 0 uncorrectable (down from many thousands). On pfSense Status > Monitoring reports only 0.21% maximum packet loss and 0% average and my ping has stayed below 50mS even under load and immediately returns to <10mS when load lets up. The dmesg output shows no unexpected messages, no flapping, no "watchdog" errors and no "llinfo" errors. It seems stable once again. Hopefully I didn't just jinx it. EDIT: 7 days now going strong.
  • My OpenVPN is hacked?

    0 Votes
    4 Posts
    698 Views
    KOM
    @emammadov said in My OpenVPN is hacked?: TCP:PA TCP Push Ack. Google it. http://packetlife.net/blog/2011/mar/2/tcp-flags-psh-and-urg/ Default deny rule IPv4 Default firewall rule to deny all IP4 traffic Block all IPv6 Block all IP6 traffic
  • High rate of errors - is this normal?

    0 Votes
    6 Posts
    957 Views
    Z
    Hardware is System Netgate SG-2440 I've checked cables etc., I see no packet loss even under heavy load, and throughput through the router (from LAN -> router -> WAN) is normal (~700Mbps, which is likely a limitation on the Xfinity side and not the router).
  • Cant ping my netgate remotely or webgui into firewall.

    0 Votes
    31 Posts
    3k Views
    stephenw10
    Yes, the easyrule won't cover that. Easy to overlook LANnet as source in the rules. Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.