unfortunately there is currently no api to automate stuff

Havn't heard of that happening.. might be gateway is detecting some up/down event on the gateway and resetting states? But i would expect that to happen only for gateway/route related changes being applied..

Is it checked?: System/Advanced/Miscellaneous "State Killing on Gateway Failure"

Any workaround for this?  I realize this thread is a couple months old, but I am experiencing the EXACT same issues, and I REALLY don't want to upgrade firmware.

On 2.2.6 here…

Only noticed it because I have the need to install a package, and it won't retrieve the list.  My pfsense box has been up over a year otherwise...

Thanks,

-Alan

I expect an alias would work, but I haven't tried using one.

@Fons:

Hi,

every time clients behind the pfsense-firewall are having a conversation using the ip-telephone on their desk the conversation is broken after 15 minutes.

the firewall is on the latest version. we have our own voip-central wich handles all calls. the voip-central connects to a sip-trunk thru the firewall.

neither me, our supplier or the manufacturer can find any setting on the telephones, the voip-central or on the providers end that could cause the sip-connection to break after 15 minutes (or any amount of time)

so I have two questions regarding the firewall:

could it be that some rule or setting could cause this connection break? and how to find this? is it possible that states are broken after a certain amount of time and not been being build up again in time? and how to set this?

(well actually four questions)

I hope someone can help us out on this.

regards, Fons

SIP has a reinvite interval of 15 minutes.  It's likely that the reinvite is being NATted and the port is being changed.  Do a capture on the LAN side of the router, wait the 15 mintues until the call drops, and view it in Wireshark.  When you inspect the call you'll see the ports next to the RTP in the chart.  See if they change after the 15 minute mark.  Then do the same thing on the WAN side and look for the same thing.  If the ports change on the LAN side but not the WAN then the router is doing something.  I've never seen a router do it, though, of any make.

Hegar and Johnpoz, thanks for your replies. I will try that today. I get why you ask why there is PFSense over PFSense but this is just a section of the network I am working on so it probably makes no sense to see an additional PFSense for no reason. I'll post what I find tomorrow.

Heh, I was hoping to get a hint without having to break out Wireshark.  But having done it, that traffic seems to be DHCP-related.  There is a ton of discovery, requests, offers and NAKs that never end.

cap1.png
cap1.png_thumb

If you set a 2.3.x box to see the 2.4.x repos then it won't see packages because the package repos it's aimed at are for 2.4

Understandable. :)

The list doesn't show local packages because of a different bug (fixed on 2.4.2).

Ah! Thank you!

As said above, im curious as why one system of a CARP cluster "automagically" has pfSense-2.3.5 (Meta package) installed while the other still has 2.3.4 (which is correct). Both are still on 2.3.4-p1 as we have to schedule downtimes first with customers. So I don't know where the Meta package change comes from (1) and why the systems (not only this two but 3 others, too) have started changing their update path back to current after 2.3.5 has been released. That's a bit of a mystery ATM as a simple pkg-static update shouldn't change a thing with the selected pkg repo.

Strange…

Thanks a lot for clarifying those other points!

Jens

Actually I've just upgraded a couple test systems here and the xdebug package is removed automatically, so there isn't anything to do manually, just upgrade when it's available.

"However I am unsure as to the level of security it is providing"

In what aspect?  Are you trying to control you users outbound access?  Are you wanting to look for bad traffic either inbound (that you have opened with a port forward) or your clients talking outbound to something or on your own network between vlans?  Like a infected client?

Out of the box all unsolicited inbound traffic would be blocked.  To be honest if you feel that deployment of pfsense was an uphill battle.. Advanced security features IPS/IDS is going more than likely just cause you grief other than any added security.. There is a large learning curve on such systems.

"intnet as the internal network for those vms"

This is gibberish…  intnet?  Not a term...

"but no other machines on the lan"

Pfsense would have ZERO to do with lan devices talking to each other.. Pfsense is a router/firewall - not a switch... Devices all on the same network 192.168.1/24 traffic would not go through pfsense unless it was setup as a bridge..

"but then I fired up another machine on the intnet"

Again not sure where you are getting this term "intnet" it is not a networking term.. Do you mean internal network?  internet?  What does intnet mean in your context?

Pfsense can for sure just route.. But why would you not firewall as well.. If you want to firewall/route between 2 networks and not NAT (network address translation)… Those would be how pfsense would do it between 2 lan networks.. It would really really help if you drew up your network as you want it to be so we could understand what your trying to accomplish vs using some nonsense term.. Been in the biz 30 some years and I not sure what you mean by intnet.. I would guess either internal network or internet.. But can not be sure from your context, etc.

Oh interesting. In my understanding if there was only one user this attack would not be possible and possibly if the user logging in already has the maximum escalated privileges this attack becomes much less useful. I understand that these are likely small enough use cases they would not warrant mitigation for the login page token expiry.

Thanks for the explanation!

i dont know if freebsd supports my controller card yet but i put a 30gb msata in and i have pfsence running now

That config means advertise a default route and the correct syntax is

network 0.0.0.0 mask 0.0.0.0
So you were missing the mask and also the entry for the default route.

i_p route 0.0.0.0 0.0.0.0 "IP Address of Default Gateway"_