Hello forum,

I need some help. I am not a networking expert. I am a noob to pfSense.

I have my set up functional as this:

Internet –> Cable Modem --> pfSense (Qotom) --> Dlink Switch (DGS1100 - 8 port easy smart) ---> Ubiquity AC Pro AP.

The way configured now is simple. No Vlans defined. That is the part I need help on.

What I want to accomplish is to have an SSID defined which will always route traffic via openVPN client (PIA). I have not defined the client yet - but I will be doing so once I am able to define vlans.

Should I define Vlans on pfSense and also on Dlink Switch? If yes how do I instruct the Vlan defined on pfsense to use a specific port of the switch?

The dlink Switch is only accessible on its own default IP. Should I connect to it and change it to an static IP of my choice so that I can access the web GUI of the switch?

The Unifi AC Pro AP also has capability to identify the vlan for wireless traffic. So I must probably identify the tag for specific vlans for a particular SSID. Am I right?

Appreciate the time spent on responding to my questions.

Regards

Guru

@jahonix:

As long as both ends of a cable are configured the same way it doesn't matter.
One manufacturer (r+m) made a comparison and found TIA568A to be capable of slightly faster transmission speeds than TIA568B. I cannot find the paper ATM though and can't explain why that should be.

Just found on de.wikipedia that 568A is supposed to be the preferred standard in Europe and 568B is around in the US for historical reasons … oh well.

The only difference between pairs is the twist rate.  Each pair has a different twist rate, to minimize cross talk.  However, with a 10 or 100 Mb cable,the same 2 pairs are used and only the signal direction reversed between A & B.  With Gigabit, all 4 pairs are used.  568B goes back to what eventually became 10baseT, StarLAN.  StarLAN was designed to share an existing 3 pair CAT3 cable with a telephone.  The phone would be on the first pair (blue/white), with the 2nd (orange/white) and 3rd (green/white) used for the LAN.  It also used a 6 position connector, as was common for phones.  This also means that Ethernet was designed to share a cable with phones, but that's not recommended practice now.

https://en.wikipedia.org/wiki/StarLAN

@Grimson:

@kcallis:

This morning, in a moment of inspiration, I thought I would get tor working. So I configured polipo as well as tor and decided that it wasn't working for me. I removed the packages and find that I could no longer access the internet.

Those aren't official packages, so whatever you did there probably messed with the pfSense install itself. Do a fresh install.

I was hoping for a snazzy way to solve this problem, but the tried and true solution always win! I was just burning my USB thumb drive when I saw your response!

K.

The startup/shutdown beeps use the PC Speaker and not a sound card. Disable the sound card.

If you want the servers in your DMZ to be accessible via IPv4, yes, you do.  If you have IPv6 available and you're happy with your DMZ devices being only accessible through IPv6 (assuming they support it), then there's no requirement that you create IPv4 port forwards.

Disregard, got it working. Forgot to create a new virtual interface on my NIC on Mac OS X box.

Did you add the firewall rule ?

If you did try changing it to an any any rule and does it then work?

https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#Add_Firewall_Rules_for_IPsec

TBH I just followed https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 and it worked, I then tweaked my settings to suit what I wanted after.

Dude I have been doing this for over 30 years, getting paid to do it for 25.. Before there were real computers and "networks" ;)

Just not possible to "teach" you security in a few posts… I can answer your questions on how to block or allow something specific in firewall rules.. More than happy to help you understand how to read the headers in an email message, etc.

But you have not given any actual evidence of being "hacked"  more you have seen 1 too many movies or tv shows.. Did you just binge watch some episodes of Mr Robot? ;)

Turning on pfsense is not going to fix your issue or really make you any more secure from being "hacked" than any off the shelf router.. When it comes down to it out of the box they do the same thing - they block unsolicited inbound and allow you out via a nat.  Its not a magic box you turn on and it makes your network secure from being "hacked"..

It just a tool you use to secure your network.. But without the understanding of how to use the tool, its not some magic thing you turn on..  Many new users hear oh I can turn on IPS and will be secure from hackers - sorry it doesn't work that way.  If anything going to block the user from what they want to do when they want to do it.. And provide them with so much information it will just be overload of info they do not understand anyway..

For all we know you bought your phone off ebay and was jailbroken when you got it.. As to your bank account username and password being changed - sorry makes no sense.. Why would someone do that? And then not take any money?  Come on did you maybe forget your password?  And the username you norm use wouldn't work so its different than the normal username you pick... Maybe you smoked a bit of thee good stuff and got a bit paranoid after watching mr robot and thought someone changed your password - ie "hacked" you...

Don't mean to make fun - You got some p0rn spam that said it was from you and your getting hacked? ??

Hi,

The page you mentioned does exist - but I guess it isn't really part of the GUI anymore.

From what I make of your question, you are using a tool that parses the html of that page to feed your own stats.
That's ok, but understand that pfSense can change format, data, etc all the time.

It's up to you to change your parsing tools.

I guess that after changing the kernel version, from 9 to 10 to 11 (FreeBSD) interface internal naming, numbering, details, data, whatever, changed, so these pages are useless right now. Consider them as left overs from an old GUI version.  They have to be updated first if you want to see any data. Because you wrote - or at least: set up - de parser, you might as well 'repair' the pages graph.php (and ifstats.php). It's PHP, not a hassle for a "IT" guy.

Btw : never ever keep old version 2.4.0 have been replaced by two newer version already, when asking questions you should use the latest, because now you are asking a question about a version that no one uses anymore … (not a problem of course, but your question becomes non-answerable).

Take a packet capture of the RADIUS auth exchange. Load it up in Wireshark and inspect the reply from the AD server, see if it has the Class attribute and how it looks.

Sorry for the delayed reponse…

@johnpoz:

"he wants to access the same site"

That I think is still unclear.. I think its more he wants to access site xyz wan 1, and then site abc via wan 2.  But sure it could access site xyz 1 time with wan 1 and then next time with wan 2, etc..

This is exactly what I meant. Sorry for the broken English…

Example: user 1 is a mobile user. He wants to connect to site "xyz.com" using wan 1. A few moments later, he wants to access this same site but using wan 2 without disconnecting from his actual LAN.

As he does not have admin privileges he cannot access pfSense admin page to update his default gateway.

@johnpoz:

I think best way to do something like that would be with 2 proxies and then pointing your browser at specific proxy to use wan 1 or wan 2.

This is a perfect workaround! I can set 2 proxies so users can choose which proxy to use. As each proxy is linked to a specific gateway the magic is done! Thanks a lot :-)

kind regards

I beleive my issues are related to the APU2 BIOS. I've rolled back all but one unit to BIOS V4.0.7. So far, no issues with those routers for the last few days. I haven't reinstalled any packages yet.

I got it! Well, almost!

From desec.io. But while fixing the shell script I wasted my 5 free attempts for this hour. You can add the proper TXT record with desec.

I also had to install certbot, and its annoyingly long dependancies.

After the temp ban is lifted (i think one hour) I let you know if I can really validate the service and install the cert.

–---------------------

Worked!

IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at:   /usr/local/etc/letsencrypt/live/xxxxxxx.dedyn.io/fullchain.pem   Your key file has been saved at:   /usr/local/etc/letsencrypt/live/xxxxxxx.dedyn.io/privkey.pem   Your cert will expire on 2018-04-16\. To obtain a new or tweaked   version of this certificate in the future, simply run certbot   again. To non-interactively renew *all* of your certificates, run   "certbot renew"

Tks for that. I was scared someone would say that :(

Will try the same setup on another computer with 2 nice and see how it goes. Will update.

Tks

What is the model of the linksys switch ?

What spec is the fiber ?

They'll be under /var/log/snort :-

[2.4.2-RELEASE][admin@pfsense]/var/log/snort: ls -alg
total 100
drwxr-xr-x  9 root  wheel    512 Jan  5 20:52 .
drwxr-xr-x  7 root  wheel  1024 Dec 19 20:59 ..
-rw-rw–--  1 root  wheel      0 Dec 22 12:17 alert
drw-rw–--  3 root  wheel  4096 Jan 15 11:15 snort_igb0.256577
drw-rw----  3 root  wheel    512 Jan 13 00:08 snort_igb0.343654
drw-rw----  3 root  wheel  2048 Jan 15 00:20 snort_igb0.427080
drw-rw----  3 root  wheel  3072 Jan 15 00:20 snort_igb0.516395
drw-rw----  3 root  wheel  2048 Jan 15 00:20 snort_igb0.658303
drw-rw----  3 root  wheel    512 Dec 19 21:10 snort_igb035478
drw-rw----  3 root  wheel  12288 Jan 15 09:05 snort_pppoe054518
-rw-rw–--  1 root  wheel  56255 Jan 15 18:05 snort_rules_update.log
[2.4.2-RELEASE][admin@pfsense]/var/log/snort:

The entries in red are directories, the info is stored under here.