@dridhas Block from North America to that IP address as the destination.

@dridhas said in Wireless with VLAN not allowing traffic:

TPLink

The name for "quality" network gear! Yeah, right! 😉

So where are you actually stuck here? I don't see a question. 😉

It sounds like you are going to setups pfSense as 'router on a stick', a single NIC with VLAN interfaces. So you are going to havbe to configured the DDWRT device to handle those VLANs to separate switch ports. Or use some other managed switch for that purpose.

Steve

@tac57 said in pfSense -> Ubiquiti EdgeRouter X VLAN Help?:

Any Ubiquiti EdgeRouter ER-X experts out there?

I am very much not that! But it looks like you're trying to use the same subnet on two ports of a router which would normally not work. They would have to be configured as a bridge or as switch ports.

Steve

Mmm, I wouldn't expect to see an issue with any of that.

Do you see anything using a lot of CPU in System Activity when this happens?

How are you testing? 941Mbps is the limit of what I expect to see there so if you are seeing 950 there is probably some averaging errors happening.

It could be some hardware off-loading issues. I would disable all hardware off-loading at least as a test.

If you compiled your own driver to get i219V support I assume the i350s are using that too?
Have you tried the in kernel driver in setup 2, without the i219V?

Steve

Are you running 2.5.2?

Do clients connect but just can't pass traffic?

Are you routing traffic just to local resources or all traffic?

Do you see ant thing blocked in the firewall logs?

Steve

Not easily. That is usually accomplished by having staff and student VLANs where you can apply different firewall rules to the traffic. So if it's wifi for example you can have a separate ssid with 802.1x authentication that only staff can connect to.

Steve

@jegr said in Solved: Can't update bogons on a 2.4.5-p1 (cert expired):

@bingo600 said in Solved: Can't update bogons on a 2.4.5-p1 (cert expired):

And a ... I'm not giving up kinda moment.
I haven't even bothered implementing that "trick" on the Job ones ....

I appreciate it! I have some 2.4.5 systems in the wild myself that customers aren't able to update right now and those had rising numbers of dead/zombie processes (dying bogon procs) that we were able to fix that way - so thumbs up from me for the fact finding mission 😄

Glad to be able to give a little back 😊

And ...
Now i know that to tomorrow on the job for 7 firewalls 😕
Done ....

And home fwall 😊
Fresh install w. ZFS , and config restoren only one minor "quirk"
iftop didn't install , but the pkgmgr. was informing about that 👍

0cae61d6-e22b-46aa-b42e-6eaa8ab59577-image.png
/Bingo

@dialsoft Did you get this figured out?

@johnpoz https://redmine.pfsense.org/issues/12480 thank you ;)

@macwarrior said in Dual Port WAN (6100 is not available) HELP!:

Hello all,

I built an ASUS ProArt B550-Creator with 2x2.5G ethernet ports to use for pfSense (I know, probably overkill but Netgate 6100 is not available right now) and I added a SolorFlare 4-port SFP card. Can I turn 1-port of the SolorFlare SFP card into 1 WAN and a 2.5G ethernet port into a WAN (to = 2 WAN's) and the other 3 SolorFlare SFP ports into LAN's?

Thank you in advance,

MacWarrior

Yes, you can turn all but one ports into WAN if you wish. PfSense allows you to use/define ports as you see fit.
Only requirement is that the NIC’s are supported and has a driver in the pfSense distribution (Which may be an issue with that SFP card).

@stephenw10 Re-saving the ACB settings fixed the inconsistent schedule on both boxes.

@jc1976 said in Driver Update:

I've gone through all the documentation and whatnot, and it's all just very odd to me.

My nic is a genuine intel.. it's not an intel by HP or Dell.. straight intel.. and i would've thought by now the drivers would've been updated. the I340 is a fairly old card, and considering that intel has cards that are running at 10Gb+, what happens to those who are running pfsense on connections such as that at the enterprise level?

what about the latest 800 series cards? Will the iflib work with them?

Agree that it can be very confusing, especially with Intel, because for a while (and it may still be true) the version numbering scheme used by Intel on their web site for various NIC drivers differed from the scheme used for the same Intel drivers in FreeBSD. That makes it hard to determine which is actually the most "current" version.

But for the most part, FreeBSD depends on Intel contributors to provide updates for Intel NIC drivers in FreeBSD.

The 21.09 release has been postponed. There are a few reasons for this such as some issues found in late-stage testing. We want to make sure the next release will be a quality release. There is a high focus on 22.01. We are confident it will be worth the wait.

@patch You can create whatever rule you want be it allow or block or reject - and set it not to log.. But unless you were using something like avahi to pass on the mdns query - pfsense really has no use for such traffic, and wouldn't be doing anything with it. If you allowed it.

Pfsense is clearly blocking it already, what interface your seeing the traffic on would be the interface you create the rule on to block it and "not" log it.

@stephenw10
Thanks

@zatco said in Unable to Reach CloudFlare IP address via DNS/IP:

Is it possible ISP could be blocking the IP?

anything is possible - but that shouldn't create a ping permission denied.. Do a sniff on your wan - do you see the ping go out? I would assume no if your getting permission denied on the send to.. But if see it go out - maybe your getting a specific reject back?

Or maybe that IP specifically is blocking your IP.. But again that really shouldn't create that error, unless there is a specific reject that comes back..

Sniff on your wan will show for sure be it your sending it out the wire..

Traceroute via linux normally defaults to UDP, and is not a icmp message other than ttl expired that comes back.

@gertjan So this time I tried in putty:

And it did work. Then I tried cron, also does work!

So the key is to use .255 at the end.

I still wonder why the web-GUI-thingy works with the MAC only, but on the other hand, when I first added the host to the Wake-on-LAN Devices list, it had an IP-address, so it might have saved it there.

Thank you @Gertjan !!

@albgen said in high CPU usage bzip:

@viktor_g

thanks.

can i disable at all PC/SC and if yes how?
i have experienced another bug on this feature which i'm not using..

It will be disabled after the patch is applied.

@pzanga said in looking for advice on implementing site to site VPN:

@stephenw10
Thanks again. The test worked. So now I'll update the individual PCs as needed.

And thanks for the reading material. I really appreciate it.

If your Windows devices are part of an Active Directory Domain, you can easily manage the Windows Firewall policies via Group Policy. Here's a link to some Microsoft documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security. What you will want to do is add "allow" rules for traffic inbound from your remote site networks.

@atreides

I wholeheartedly agree, there should be a 'discard changes' option.

Thanks for your suggestion. Pity it has not been implemented to-date!

@bingo600

Cool thing!

Adding aliases is not that big deal even if there are >100

Adding and merging FW rules is a whole other ball game at least for me.... Burned my fingers a couple of times...

@stephenw10 @johnpoz

So, that rule I sent was the only rule I had set up on the OPT1 interface. I also failed to mention that I modeled the OPT1 interface after what I had the WAN interface configured to- which was to NOT block private or bogon networks.

But I just found out with more testing that my comcast router cannot actually ping any of my devices...So, not worried about that. My devices (including Pfsense) can ping the CC router and that's fine.

My only worry now is why the WAN interface didnt work with all the same settings configured as OPT1. Everything is the same between the two, but I'll take that up with Protectli if my own troubleshooting doesnt do anything.

Thank you both for the help! I'm hoping to become more proficient with Pfsense and incorporate it into my career, so it's been great to have good support just starting out. Appreciate ya'll

Overriding: all depends on how you do it.
If you force a speed/duplex on one end, leave the other end at autoneg, it typically gets the speed correct, but mucks up duplex.

If instead of forcing you leave autoneg but specifically advertise a speed and duplex, if the other side is autoneg it works correctly.

So a 1G NIC can do 10/100/1000 for speed, and full/half for duplex. If you force "1000/full" leaving other side autoneg, you'll wind up with 1000/half.
If you advertise "I only do 1000/full" the autoneg works.

Indeed, it won't hurt anything.

In my case I imported the OpenVPN configuration which defined an interface. I had previously defined and deleted a physical interface which I had configured DHCP. The 2 aligned to the same name, OPT3. This may be an uncommon result.

Does it link if you connect it to the LAN port?

Try spoofing the MAC address on the WAN.

@guardian said in [SOLVED] How to access cable modem login [Rogers Hitron 192.168.100.1]:

I do agree with you that 80/443 is the most likely and more or less impossible to close from a practical point of view.

Its impossible to really block those ports at firewall, if you want the internet to work ;)

Stopping C&C would be a list of bad IPs/Networks - there are many of these lists available. To those you can block all ports, not just 80/443

@johnpoz so, after a hiccup, somehow i forgot to assign static dhcp address to the server and the access to docker server stopped working.
Once the DHCP static ip was set, everything went back to normal.. 😃

@stephenw10 Thank you. I was able to get in. I needed to set the local LAN to a different subnet.

If you renew the certificate in the GUI it keeps most of the attributes the same (DN info, key, etc) but updates the certificate.

If you use the CLI command mentioned above it creates and activates a completely new certificate for the GUI.

The renewal method is usually less of a pain in the long run, but the other method works as well if the GUI method isn't viable.

@natbart just want to say thanks for figuring this out, it’s working great for me so far. just recently upgraded Fibe and my HH3000 would literally just freeze when maxing the connection out. Ecstatic that I can finally drop kick that POS and just have my pfsense box. Glad you didn’t give up and managed to figure it out. Great work.

I couldn't update bogons on my 2.4.5-p1 , due to fetch using the expired certificate.

I spend quite some time to solve it here , due to my FreeBSD inexperience.
https://forum.netgate.com/topic/167276/solved-can-t-update-bogons-on-a-2-4-5-p1-cert-expired

Success in the end.

/Bingo

@stephenw10 Thank you steve for your answer.

@xavier8854 said in Cannot ping WAN gateway:

? (192.168.1.254) at (incomplete) on mvneta0.4090 expired [vlan]

As already mentioned if you can not arp it, you can not ping it - and no nothing is going to work if that your gateway to the internet.

You need to figure out why you can not arp for that.. Even if dupe you should see answer to arp..

You should test in 2.5.2. However it looks like this known issue: https://redmine.pfsense.org/issues/9889

Also see: https://redmine.pfsense.org/issues/12327

Steve

OK, using syslog-ng is fun and opens up a lot of options but.... it shouldn't be necessary!

I opened a bug for this and created a patch to log as Level NOTICE:
https://redmine.pfsense.org/issues/12464

You can apply that diff against 2.5.2 using the System Patches package.

Steve

@pontiac
In either Dashboard widget or Status/Traffic Graph, select the wrench icon and change the setting, and save.
e31a8ccf-7682-4962-9933-e39166307762-image.png

@stephenw10
I was going to get the port forwarding working through a double NAT, but worried about leaving open ports to hackers. I decided to go with adding to my unraid server a docker container for Nginx, cloudflare with free argo tunnel, bought a domain .com from Go Daddy for $20, and used three youtube videos from IBRACORP for setting up ngix with cloudflare and free argo tunnel.

Cloudflare CDN: How to Setup + Purchase Domain + NGINX Proxy Manager on Unraid (2021) (sets up SSL full encrypt)
Cloudflare: How to Set up Cloudflare Argo Tunnel FREE on Unraid - Bypass CGNAT (sets up argo tunnel (IP obfuscation))
NGINX Proxy Manager: How to Install and Setup Reverse Proxy on Unraid (2021) (sets up nginx)