  • how to remove a lagg

    6
    0 Votes
    6 Posts
    3k Views
    R

    @stephenw10 said in how to remove a lagg:

    Just got to doing this, these instructions were perfect.
    Thank you,

  • Accessing Modem while on LAN brings up pfSense login?

    3
    0 Votes
    3 Posts
    382 Views
    C

    I found the problem, I had my VPN set up at 10.0.0.0/24

  • openvpn provider with portforwarding

    2
    0 Votes
    2 Posts
    478 Views
    stephenw10

    This guy used AirVPN for that reason.
    https://forum.netgate.com/topic/130820/pfsense-unraid-bittorrent-airvpn-confusing
    I have never used them so can't comment on them.

    Steve

  • pfSense doesn't detect when internet is back up

    6
    0 Votes
    6 Posts
    897 Views
    SammyWoo

    @selstam2 Seen this prob posted somewhere else. My first thought was, how come pfSense, promoted as High-Availability capable, has this prob... then it occurred to me this may happen only under some circumstances... It happens in my case because I notice my pfSense box boots faster and becomes ready BEFORE my Arris modem (issues DHCP req when modem not ready to respond), which leads me to think a script or a pfSense delay boot... hasn't bothered me much for me to take any action 'cuz my UPS spoils me :)

  • LDAP AD Extended Query with 2 groups

    3
    0 Votes
    3 Posts
    683 Views
    B

    @stephenw10 said in LDAP AD Extended Query with 2 groups:

    clear both those queries work individually but you want to authenticate only users who are members of both groups?

    Sorry, I wasn't being clear in previous post. I found this post to be similar to my issue:
    https://forum.netgate.com/topic/103988/ldap-extended-query-with-multiple-groups

    The solutions in there did not work for me. Is there a way to make this work? My pfSense version is 2.4.2.

    Thank you,

  • Corrupt pfSense 2.4.3-RELEASE-p1

    1
    0 Votes
    1 Posts
    278 Views
    No one has replied
  • My Box hacked from cryptocurrency miner

    Locked
    12
    0 Votes
    12 Posts
    2k Views
    chrismacmahon

    We looked over the config and there were some design issues that allowed the attacker to gain access and install minerd. We have made some suggestions on a redesign.

    This was NOT a flaw in our software, but human error.

  • pfSense and Netflix M7111-1331-5059 proxy error

    1
    0 Votes
    1 Posts
    465 Views
    No one has replied
  • Filterlog field extractions for log analytics products

    2
    3 Votes
    2 Posts
    1k Views
    P

    Thank you @azzir
    This was very helpful. I was trying to compile a similar query for Splunk.
    After spending some time, I could come up with the following.

    host="pfSense.HOME.COM" filterlog
    | rex "(?P<Month>\w+)\s\s(?<Day>\d{1,2})\s(?<Hour>\d{1,2}):(?<Minutes>\d{1,2}):(?<Seconds>\d{1,2})\s(?<RouterName>[^\.]+)\.(?<Suffix>[\S]+)\s\w+\s\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}\s(?P<LogType>\w+):\s(?<RuleNumber>\d+),,,(?<Tracker>\d+),(?P<RealInterface>\w+),(?P<ReasonForLogEntry>\w+),(?P<Action>\w+),(?P<Direction>\w+),(?P<IPVersion>\w+),(?<tos>[^,]*),(?<ecn>[^,]*),(?<ttl>\d+),(?<id>\d+),(?<offset>\d+),(?<flags>\w+),(?<ProtocolId>\d+),(?<Protocol>[^,]+)"
    | rex "^6,(?<class>\w+),(?<flowLabel>[^,]*),(?<hopLimit>\d+),(?<protocolText>[^,]+),(?<protocolId>\d+)"
    | rex "tcp,(?:\d+,)?(?<Length>\d+),(?<SourceAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<DestinationAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<SourcePort>\d+),(?<DestinationPort>\d+),(?<DataLength>\d+),(?<TCPFlags>\w+),(?<SequenceNumber>[\d:]*),(?<AckNumber>\d*),(?<TCPWindow>\d*),(?<urg>[^,]*),(?<TCPOptions>.*)"
    | rex "udp,(?:\d+,)?(?<Length>\d+),(?<SourceAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<DestinationAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<SourcePort>\d+),(?<DestinationPort>\d+),(?<DataLength>\d+)"
    | rex "icmp,(?:\d+,)?(?<Length>\d+),(?<SourceAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<DestinationAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<ICMPData>.*)"
    | rex "(?<icmpType>request|reply),(?<EchoId>\d+),(?<EchoSequence>\d+)"
    | rex "(?<icmpType>unreach|timexceed|paramprob|redirect|maskreply),(?<icmpDescription>.*)"
    | rex "(?<icmpType>unreachproto),(?<icmpDestinationIpAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<unreachableProtocolId>.*)"
    | rex "(?<icmpType>unreachport),(?<icmpDestinationIpAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<unreachableProtocolId>[^,]+),(?<unreachablePortNumber>\d+)"
    | rex "(?<icmpType>needfrag),(?<icmpDestinationIpAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<icmpMTU>\d+)"
    | rex "(?<icmpType>tstamp),(?<icmpId>[^,]*),(?<icmpSequence>[^,]*)"
    | rex "(?<icmpType>tstampreply),(?<icmpId>[^,]*),(?<icmpSequence>[^,]*),(?<icmpOTime>\d*),(?<icmpRTime>\d*),(?<icmpTtime>\d*)"
    | table Month,Day,Hour,Minutes,Seconds,RouterName,Suffix,LogType,RuleNumber,Tracker,RealInterface,ReasonForLogEntry,Action,Direction,IPVersion,tos,ecn,ttl,id,offset,flags,ProtocolId,Protocol,class,flowLabel,hopLimit,protocolText,protocolId,Length,SourceAddress,DestinationAddress,SourcePort,DestinationPort,DataLength,TCPFlags,SequenceNumber,AckNumber,TCPWindow,urg,TCPOptions,ICMPData,icmpType,EchoId,EchoSequence,icmpDescription,icmpDestinationIpAddress,unreachableProtocolId,unreachablePortNumber,icmpMTU,icmpId,icmpSequence,icmpOTime,icmpRTime,icmpTtime

    Tools used:
    To validate regex against data: https://regex101.com/
    Official Documentation About Log: https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2

  • PPPoE connection timeout after 9 seconds

    1
    0 Votes
    1 Posts
    420 Views
    No one has replied
  • PfSense Box cant ping LAN

    15
    0 Votes
    15 Posts
    1k Views
    JeGr

    @johnpoz said in PfSense Box cant ping LAN:

    @jahonix

    That https://textik.com is slick as shit! Added to my toolbelt links. Thanks!!!

    That will make for some really nice ascii art network diagrams.

    edit: here is another one like that http://asciiflow.com/

    I had ASCIIflow in that German support topic as well, but after trying both, it certainly lacks a few functions compared to textik. Textik handles links/lines between boxes and they stay linked/sticky whereas asciiflow doesn't have some sort of linking functionality :)

  • Help Logging into Dashboard using Domain

    6
    0 Votes
    6 Posts
    670 Views
    johnpoz

    Did you have client pointing to multiple nameservers?

    Having your client say with

    192.168.1.1 (pfsense - local dns)
    8.8.8.8 (googledns - public dns)

    This is a common mistake made... I see it ALL the time!!! Users do not seem to grasp that a client doesn't ask both, or move to the next one when NX returned, etc.

    While you might list your ns in order on your client. You really can not be sure which nameserver a client might ask for any given query. Sure if one does not answer within a specific time period for a query, the client will ask the other listed ns. And once a client gets answers from 1 it sticks to that one.

    So if you ask google for pfsense.localdomain.tld you're going to get back NX.. Once a client gets back NX it will not go ask other ns for that since it was told - hey doesn't exist. Doesn't make any sense to bug the other NS for something that clearly does not exist. It will not ask again until the neg ttl expires on that NX.

    While you can point your clients to multiple NS.. They all need to be able to resolve the same stuff! So if you want to point to google and opendns and 1.1.1.1 ok sure - they should all be able to resolve www.publicdomain.com

    But using even different public that provide different blocking features can get you in trouble. While opendns might block xyz, maybe googledns allows it, etc. Which one is your client going to be asking? You can not be sure.

    Listing internal and external dns is going to cause you grief for sure. All your nameservers listed on your client should be able to resolve the same stuff. So sure you can run multiple internal NS that can all resolve any internal stuff, and then forward/resolve to get the public stuff. If 1 is down - no answer at all (ie timeout) then yes client will ask other one. You're fine here since no matter what NS you ask you are sure you will get the same answer.

  • Nslookup command not working on second LAN

    17
    0 Votes
    17 Posts
    3k Views
    emammadov

    Thank you very much for your help.

  • Bug Report - pfSense 2.3.3-1

    5
    1 Votes
    5 Posts
    1k Views
    F

    Bumping this topic for No-IP group support... Would be a fantastic security enhancement for our sites.

    I'm happy to provide a paid/Enhanced group for testing.

  • OpenVpn dialer auto restart via schedule script

    1
    0 Votes
    1 Posts
    241 Views
    No one has replied
  • 'pfr_update_stats: assertion failed' after removal of bridge.

    4
    0 Votes
    4 Posts
    713 Views
    D

    Good news. I think it has been resolved. Some background: I loaded my config into VM environment, no errors. But no real traffic for a good test. I reset to factory on physical box. Did basic setup. No errors. Restored original config, on reboot errors came back. So I started disabling firewall rules 1 by 1. When I finally got to the NAT rules, I found the culprit. Once this rule was disabled error stopped. Best and worst part is I re-enabled the rule and pfr_update_stats: assertion failed did not come back.

    The offending rule was nothing special. WAN IP to LAN3 IP UDP port 70. No advanced options changed.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.