  • Not sure what to do, looking for some help and guidance

    14
    0 Votes
    14 Posts
    1k Views
    bepo

    Thank you all for answering me. You're completely right. I forgot there is an any any rule per default. What I meant was if there is NO rule anything is blocked. Sorry for the misunderstanding.

  • [solved]Restore 2.3.5 backup on 2.4.3 install

    2
    0 Votes
    2 Posts
    964 Views
    _neok_

    @_neok Yes, old backup works.
    ;)

  • Problem pinpointing network issues

    2
    0 Votes
    2 Posts
    1k Views
    senseivita

    Solved it, it wasn't the network. It was pfSense itself. I tried another box and everything got back to normal. I guess some code was misbehaving within pfSense itself.

    I was this close *makingfingersabouttotouchhandgesture* to dust off my license for Mikrotik's CHR to see if with its complicated management at least it got some insights to match. Glad I didn't, I needed to sleep already! :)

  • Simplest way to LOG all URL that users browse to

    11
    0 Votes
    11 Posts
    8k Views
    M

    @cmdias said in Simplest way to LOG all URL that users browse to:

    I was actually just downloading untangle last night ... can you give me more information about the "bridge mode" between PF and Untangle ?

    Back in the days I was using SONIC WALL + WEBSENSE and it was super simple to set up..... miss those days! lol

    Take a look at step 3 here -> https://www.untangle.com/untangle-ng-firewall/resources/how-to-deploy/

    Here's some info on a bridge mode deployment:

    In Bridge mode, NG Firewall is set between your existing firewall and main switch. When in Bridge mode NG Firewall is transparent, meaning you won’t need to change the default gateway of the computers on your network or the routes on your firewall – just put NG Firewall between your firewall and main switch and… that’s it! You’ll need to give NG Firewall’s External interface an IP in the subnet of the firewall, set the Internal interface to bridge and bridge it to External.

    To get a better idea of what you'll have access to, check out their live demo here -> http://demo.untangle.com

  • Putty SSH Pfsense

    9
    0 Votes
    9 Posts
    2k Views
    jimp

    In this case it's the key exchange protocol PuTTY can't use, not the keys themselves.

  • Why do some outbound connections suddenly fail?

    1
    0 Votes
    1 Posts
    197 Views
    No one has replied
  • Slow Download speed behind pfSense

    6
    0 Votes
    6 Posts
    4k Views
    mtarbox

    @tdcockers said in Slow Download speed behind pfSense:

    If you are running pfSense virtualised (I'm using xcp-ng) then you may need to disable tcp offloading on the VM. Fixed my problems when I had slow downloads and some inaccessible websites, while uploads appeared to be fine. If CPU usage appears high for the amount of traffic you are moving, that's probably your culprit.

    @tdcockers I'm thinking of using xcp-ng here shortly once my employer's main server is decommissioned and they donate it to me. Anything I should know ahead of time? I have never worked with any virtualization, just something to try in my homelab.

  • Removing "Netgate Coreboot Upgrade" menu entry?

    3
    0 Votes
    3 Posts
    626 Views
    M

    Hello,

    thank you, and yes, this was the only workaround I found: export the current config, remove the menu entry and reload the config. But since this leads to a re-installation of all installed packages, I was hoping for a more direct approach to simply correct the running system.

    So long,
    Marc

  • Active Directory Authentication

    8
    0 Votes
    8 Posts
    1k Views
    A

    stephenw10 - I was just saying the same thing about SSL and STARTTLS then realized you had already clarified that!

    In that example I gave above about the "test1" and "test2" groups they were sitting side by side in the root domain which is why I don't at all understand why one works and one doesn't when my authentication container is the root domain itself. If it sees one OU it should see both right? Unless there's a way to make pfSense do a more detailed query when someone tries to log in I've about decided that this won't work.

    One thing I have not tried yet because it seems kind of messy to deal with later on down the road is listing each individual OU in the authentication container field. This would be easy to do since it lets you select OUs with checkboxes but if for some reason I ran into a scenario where pfSense couldn't talk to AD and I couldn't pull up that list of checkboxes it would be hell to sift through all that data in that tiny field if an OU got deleted or something screwing the whole thing up. Hopefully that makes sense....

    Thanks for the responses everyone!

  • 0 Votes
    3 Posts
    388 Views
    superweasel

    Per Netgate Support, downgrading to 2.4.3_p1 until fixed.

  • Problem with Static ARP entry for VLAN/Virtual Interface

    4
    0 Votes
    4 Posts
    625 Views
    J

    @marvosa said in Problem with Static ARP entry for VLAN/Virtual Interface:

    @joelones said in Problem with Static ARP entry for VLAN/Virtual Interface:

    the switch port of my Mac OSX is trunked to VLAN10

    Please clarify... cause none of this sounds right

    What I meant to say was that the port of the netgear switch on which my Mac OS X box is connected allows untagged as well as VLAN 10 traffic to pass.

    But I suspect the Mac OS X update did something to affect this behaviour, as it was working fine before the update and pfSense saw the VM's MAC address; now it does not.

  • CRON Reset to default?

    7
    0 Votes
    7 Posts
    1k Views
    fireodo

    # /etc/crontab - root's crontab for FreeBSD
    # $FreeBSD$

    SHELL=/bin/sh
    PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin

    #minute hour mday month wday who command

    #*/5 * * * * root /usr/libexec/atrun

    # Save some entropy so that /dev/random can re-seed on boot.

    #*/11 * * * * operator /usr/libexec/save-entropy

    # Rotate log files every hour, if necessary.

    #0 * * * * root newsyslog

    # Perform daily/weekly/monthly maintenance.

    #1 3 * * * root periodic daily
    #15 4 * * 6 root periodic weekly
    #30 5 1 * * root periodic monthly

    # Adjust the time zone if the CMOS clock keeps local time, as opposed to UTC time. See adjkerntz(8) for details.

    #1,31 0-5 * * * root adjkerntz -a

    # pfSense specific crontab entries
    # Created: July 24, 2018, 8:39 pm

    1,31 0-5 * * * root /usr/bin/nice -n20 adjkerntz -a
    1 3 1 * * root /usr/bin/nice -n20 /etc/rc.update_bogons.sh
    */60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
    */60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 webConfiguratorlockout
    1 1 * * * root /usr/bin/nice -n20 /etc/rc.dyndns.update
    */60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
    30 12 * * * root /usr/bin/nice -n20 /etc/rc.update_urltables
    1 0 * * * root /usr/bin/nice -n20 /etc/rc.update_pkg_metadata
    */5 * * * * root /usr/local/bin/vnstat -u
    1 0 * * * root /bin/pkill -HUP -F /var/run/bandwidthd.pid

    # If possible do not add items to this file manually.
    # If done so, this file must be terminated with a blank line (e.g. new line)

    Hope it helps you!

  • Crash autoconfig help

    4
    0 Votes
    4 Posts
    528 Views
    stephenw10

    Ah, so that's an older version of the development package for ACB2.
    That is now merged into the base in 2.4.4 so I don't think it's available as a package. At least 2.11 was though so it's likely that bug is fixed.
    At this point I would either remove it and go back to the v1 ACB package or go to 2.4.4 snapshot if you're able to. The usual warnings apply though, don't run it in production etc...

    Steve

  • pfsense work and after few days , it doesn't work

    7
    0 Votes
    7 Posts
    705 Views
    Gertjan

    Still waiting for :

    ipconfig /all

    Consider :

    @bisssane said in pfsense work and after few days , it doesn't work:

    for the DNS, it is not activated on Pfsense, I use the DNS server of the company

    This can work, but is probably not setup correctly.

    So, is this "DNS company server" on the same LAN as other devices ?
    Do devices on LAN(s) obtain the correct IP address from pfSense as "the DNS server" ? (the ipconfig /all test)
    If the DNS server is on a separate LAN, firewall rules permit traffic to reach the DNS server ?
    Etc etc etc.

    Detail your setup, and you'll have an answer right away.

    ( Btw : know that pfSense can handle DNS just fine and all that with zero config needed ^^)

  • Firewall Maximum Table Entries

    2
    0 Votes
    2 Posts
    261 Views
    jimp

    It is the total number of entries allowed in firewall tables. This includes aliases as well as lists of hosts from features like URL table aliases, bogons, packages that make lists like pfBlocker, and anything else hooked into the aliases/tables function of pf.

  • SSH encountered an unknown error during the connection”

    2
    0 Votes
    2 Posts
    667 Views
    stephenw10

    You probably need to use the root user there.

    Steve

  • Certificates missing for new users after upgrading to 2.4.3-RELEASE-p1

    13
    0 Votes
    13 Posts
    1k Views
    R

    Yes, related to the (reverse NAT?) issue with upgrading the standby; the first attempt at upgrading did not complete before timing out. I believe I got an "upgrade already in progress" when I ran a subsequent upgrade from shell and then wound up rebooting...

  • 0 Votes
    2 Posts
    755 Views
    stephenw10

    You can set up pfSense bridged so it doesn't route anything.
    https://www.netgate.com/docs/pfsense/interfaces/interface-bridges.html

    If you don't use pfSense to route the traffic, and the USG is NATing, then you won't have any internal visibility from Snort. No way to see which internal IP is sending bad traffic if you get malware for example.

    Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.