The startup/shutdown beeps use the PC Speaker and not a sound card. Disable the sound card.

If you want the servers in your DMZ to be accessible via IPv4, yes, you do.  If you have IPv6 available and you're happy with your DMZ devices being only accessible through IPv6 (assuming they support it), then there's no requirement that you create IPv4 port forwards.

Disregard, got it working. Forgot to create a new virtual interface on my NIC on Mac OS X box.

Did you add the firewall rule ?

If you did try changing it to an any any rule and does it then work?

https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#Add_Firewall_Rules_for_IPsec

TBH I just followed https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 and it worked, I then tweaked my settings to suit what I wanted after.

Dude I have been doing this for over 30 years, getting paid to do it for 25.. Before there were real computers and "networks" ;)

Just not possible to "teach" you security in a few posts… I can answer your questions on how to block or allow something specific in firewall rules.. More than happy to help you understand how to read the headers in an email message, etc.

But you have not given any actual evidence of being "hacked"  more you have seen 1 too many movies or tv shows.. Did you just binge watch some episodes of Mr Robot? ;)

Turning on pfsense is not going to fix your issue or really make you any more secure from being "hacked" than any off the shelf router.. When it comes down to it out of the box they do the same thing - they block unsolicited inbound and allow you out via a nat.  Its not a magic box you turn on and it makes your network secure from being "hacked"..

It just a tool you use to secure your network.. But without the understanding of how to use the tool, its not some magic thing you turn on..  Many new users hear oh I can turn on IPS and will be secure from hackers - sorry it doesn't work that way.  If anything going to block the user from what they want to do when they want to do it.. And provide them with so much information it will just be overload of info they do not understand anyway..

For all we know you bought your phone off ebay and was jailbroken when you got it.. As to your bank account username and password being changed - sorry makes no sense.. Why would someone do that? And then not take any money?  Come on did you maybe forget your password?  And the username you norm use wouldn't work so its different than the normal username you pick... Maybe you smoked a bit of thee good stuff and got a bit paranoid after watching mr robot and thought someone changed your password - ie "hacked" you...

Don't mean to make fun - You got some p0rn spam that said it was from you and your getting hacked? ??

Hi,

The page you mentioned does exist - but I guess it isn't really part of the GUI anymore.

From what I make of your question, you are using a tool that parses the html of that page to feed your own stats.
That's ok, but understand that pfSense can change format, data, etc all the time.

It's up to you to change your parsing tools.

I guess that after changing the kernel version, from 9 to 10 to 11 (FreeBSD) interface internal naming, numbering, details, data, whatever, changed, so these pages are useless right now. Consider them as left overs from an old GUI version.  They have to be updated first if you want to see any data. Because you wrote - or at least: set up - de parser, you might as well 'repair' the pages graph.php (and ifstats.php). It's PHP, not a hassle for a "IT" guy.

Btw : never ever keep old version 2.4.0 have been replaced by two newer version already, when asking questions you should use the latest, because now you are asking a question about a version that no one uses anymore … (not a problem of course, but your question becomes non-answerable).

Take a packet capture of the RADIUS auth exchange. Load it up in Wireshark and inspect the reply from the AD server, see if it has the Class attribute and how it looks.

Sorry for the delayed reponse…

@johnpoz:

"he wants to access the same site"

That I think is still unclear.. I think its more he wants to access site xyz wan 1, and then site abc via wan 2.  But sure it could access site xyz 1 time with wan 1 and then next time with wan 2, etc..

This is exactly what I meant. Sorry for the broken English…

Example: user 1 is a mobile user. He wants to connect to site "xyz.com" using wan 1. A few moments later, he wants to access this same site but using wan 2 without disconnecting from his actual LAN.

As he does not have admin privileges he cannot access pfSense admin page to update his default gateway.

@johnpoz:

I think best way to do something like that would be with 2 proxies and then pointing your browser at specific proxy to use wan 1 or wan 2.

This is a perfect workaround! I can set 2 proxies so users can choose which proxy to use. As each proxy is linked to a specific gateway the magic is done! Thanks a lot :-)

kind regards

I beleive my issues are related to the APU2 BIOS. I've rolled back all but one unit to BIOS V4.0.7. So far, no issues with those routers for the last few days. I haven't reinstalled any packages yet.

I got it! Well, almost!

From desec.io. But while fixing the shell script I wasted my 5 free attempts for this hour. You can add the proper TXT record with desec.

I also had to install certbot, and its annoyingly long dependancies.

After the temp ban is lifted (i think one hour) I let you know if I can really validate the service and install the cert.

–---------------------

Worked!

IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at:   /usr/local/etc/letsencrypt/live/xxxxxxx.dedyn.io/fullchain.pem   Your key file has been saved at:   /usr/local/etc/letsencrypt/live/xxxxxxx.dedyn.io/privkey.pem   Your cert will expire on 2018-04-16\. To obtain a new or tweaked   version of this certificate in the future, simply run certbot   again. To non-interactively renew *all* of your certificates, run   "certbot renew"

Tks for that. I was scared someone would say that :(

Will try the same setup on another computer with 2 nice and see how it goes. Will update.

Tks

What is the model of the linksys switch ?

What spec is the fiber ?

They'll be under /var/log/snort :-

[2.4.2-RELEASE][admin@pfsense]/var/log/snort: ls -alg
total 100
drwxr-xr-x  9 root  wheel    512 Jan  5 20:52 .
drwxr-xr-x  7 root  wheel  1024 Dec 19 20:59 ..
-rw-rw–--  1 root  wheel      0 Dec 22 12:17 alert
drw-rw–--  3 root  wheel  4096 Jan 15 11:15 snort_igb0.256577
drw-rw----  3 root  wheel    512 Jan 13 00:08 snort_igb0.343654
drw-rw----  3 root  wheel  2048 Jan 15 00:20 snort_igb0.427080
drw-rw----  3 root  wheel  3072 Jan 15 00:20 snort_igb0.516395
drw-rw----  3 root  wheel  2048 Jan 15 00:20 snort_igb0.658303
drw-rw----  3 root  wheel    512 Dec 19 21:10 snort_igb035478
drw-rw----  3 root  wheel  12288 Jan 15 09:05 snort_pppoe054518
-rw-rw–--  1 root  wheel  56255 Jan 15 18:05 snort_rules_update.log
[2.4.2-RELEASE][admin@pfsense]/var/log/snort:

The entries in red are directories, the info is stored under here.

Do not update microcode now, wait.
@https://support.lenovo.com/ee/en/solutions/len-18282:

Withdrawn Broadwell & Haswell CPU Microcode Update:  Intel provides the CPU microcode updates required to address Variant 2, which manufacturers like Lenovo then incorporate into their UEFI firmware. Intel has notified manufacturers of quality issues in the initial Broadwell and Haswell microcode updates with instructions to no longer distribute the affected microcode. As such, Lenovo has withdrawn previously issued UEFI firmware containing the affected Broadwell and Haswell CPU microcode. We will issue revised UEFI firmware updates as soon as possible following Intel’s release of revised Broadwell and Haswell CPU microcode. Servers affected by this issue are noted, below, as “Earlier update X withdrawn due to a microcode quality issue.”

@robi:

I'd love to see some general-purpose tool to edit BIOS files and update microcode inside them. Something that would know most BIOS formats, open the BIN file, advise which binary microcode file to choose, and compile a new image from it.
Because most manufacturers won't care to release BIOS updates for motherboards older than 1-2 years.

pfSense would also want to have a nice GUI somewhere to allow us to browse for a microcode pack we can download from Intel etc. and apply it at each boot at runtime. And write in the logs whether the runtime update was successful or not.

It is not so simple. Every BIOS is copyrighted by AWARD, AMI and whoever else… Phoenix  ;D. So you just can't edit it without buying proper license and most manufacturers use also security checks, for example I just can not flash edited BIOS into Asus motherboard with standard methods — only BIOS flashback function or hardware tools, also there are some special BIOSes like HP uses for their enterprise grade hardware.
Even not so universal tool for BIOS modding like UBU have had copyright problem with AMI.

No, pfSense is still not able to use a user/pass for WAN 802.1x

I would to like access my clients to the 3 virtual machines depending on the client.

If by "depending on the client" you mean that you can identify your client by specific IP ranges/addresses, then it isn't that much of a problem. You can create Port Forwards with specific source addresses coming to the WAN IP to specific internal hosts. So for example:

Src | Dst | NAT

1.2.3.4/24 | <wan ip="">| 10.0.0.11 (Host 1 in DMZ)
2.3.4.5/32 | <wan ip="">| 10.0.0.12 (Host 2 in DMZ)
3.4.5.6/28 | <wan ip="">| 10.0.0.13 (Host 3 in DMZ)

That is completely possible. Only if you want to allow access from ANY (whole internet) or you want to address the same host twice with a source already configured (e.g. 1.2.3.4/24 shall also access 10.0.0.12) that would only be possible with proxies of any kind.

Otherwise just use different Forwardings for different clients :)</wan></wan></wan>