• WebP Codec's heap buffer overflow vulnerability (CVE-2023-4863)

    stephenw10

    Yes, that's a vulnerability in Chrome and other Chrome-based browsers. Completely unrelated to pfSense.

    Unless you've somehow installed Chrome in pfSense but I can't begin to imagine what that would require. Or why you would do it! 😉

    Steve

  • Incoming connections failing

    @Rich-W If I may make a suggestion--

    If so, could you try a different gateway server to test your ISP and pfSense?

    Do you have a spare system that has two Ethernet ports?

    Do you have access to some free gateway server software?

    If you do, with the temp gateway server, set its ISP (WAN) side to get the IP address from your ISP, unless that is to be hard-coded by you; then do that.

    If this fails, the ISP is having some kind of routing problems.

    Now with this gateway server, have it use Class B private for DHCP to the "LAN". This is so there will not be some weird routing issue by double NATing on Class C private.

    Use a switch between the gateway LAN and the pfSense WAN ports (so you don't have to make up a special cross-over cable).

    pfSense should show the correct WAN address and it should be a Class B private address.

    Now if you fail on the ISP side of the temp gateway system, that would indicate to me they are having a routing problem. If you fail on the WAN port of pfSense, pfSense appears to be having a problem.

    I've had to do all this once or twice to figure out what the problem was I was having. And I had a setup like this so that I could test a new gateway server's DHCP for the "LAN" to know I could swap the boxes. I was testing some network appliances I was building several years ago.

    Regards,
    Wylbur

  •

    @stephenw10

    I am assuming this from the preboot memory test for the Dell server, which booted without stopping, and since I had 3 sites to get back up... onward, Christian soldiers?

    I'll have to deal with this now. Shit, never a dull moment...

    Many thanks and regards, Stephen
    Oh, by the way... nice name!

  • WAN2 not backing up after being offline for while

    stephenw10

    What monitoring IP are you using on WAN2?

    Check the routing table after it comes back up. Do you have the expected IP and subnet shown on WAN2? Is the static route to the monitoring IP re-added?

    Steve

  • How to monitor wan to trouble shoot issues?

    stephenw10

    You can also see WAN quality graphed in Status > Monitoring.

    But, yes, that data is really only useful if you're monitoring something beyond your ISP, like 1.1.1.1 or 8.8.8.8.

    Steve

  • Web down after power failure

    @stephenw10 Good idea on the boot delay. I used 60 sec (did not try 30) and it seemed to work. Thank you!

  • Crash Report PF2.7.0

    stephenw10

    It's the last thing in the message buffer before the kernel trap:

    VMware memory control driver initialized
    [fib_algo] inet.0 (bsearch4#32) rebuild_fd_flm: switching algo to radix4_lockless
    aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS>
    kernel trap 12 with interrupts disabled
    Fatal trap 12: page fault while in kernel mode

    And it's unusual to see the aesni device loaded at that point. It would normally be loaded during bootup if it was already enabled.

  • Virtual IP subnet cannot connect to internet

    @johnpoz said in Virtual IP subnet cannot connect to internet:

    @BlueSun said in Virtual IP subnet cannot connect to internet:

    There's an Automatic NAT Rule, which I don't see

    You said your outbound rules were auto and it was added; I was just adding that screen for completeness.

    Well, I set the outbound NAT rules to Automatic, but for some odd reason it didn't create the rules you have in your screenshot, so I had to add them manually.

  • Monitoring Quality date wrong

    stephenw10

    Hmm, I'm not sure anything can disable that other than manually. Can you see a change in the config history that disabled it?

  • Firewall Rules, VLAN, Bridges etc.

    stephenw10

    You can use igb1, you just can't add igb1 to a bridge. Though I always prefer not to see tagged and untagged traffic on a NIC if possible, because it avoids config errors causing problems.

    Yes, you can still bridge the VLAN interfaces.

  • Streaming services discover using vpn

    JonathanLee

    @johnpoz It had sandbox folders in it, like snapshots of something. I never deleted that. It was really weird. Both V-100 spotlight folders and .trashes had that. I don't expose the NAS; it's protected behind the firewall. Could have been a timebomb bug and it never got implemented because I blocked it. I thought maybe someone else has that bug and they don't know what is making the IP show as high risk. I don't even think OS X uses sandbox; Microsoft does. Someone has to have seen this weird HDD resource consumption issue too. One can say it's the perfect place to hide. Some hidden folders that no one really looks at on any USB drive that is plugged into an Apple OS. An invasive actor might use it for a container to do proxy chains with, or an exit node. The normal users would not think to look at it; they just use the NAS and the NAS uses their Internet without them knowing. That could cause a bad IP reputation without them knowing. I was flat out confused, thinking why are the folders all of a sudden so massive in size. Just a weird situation. It's like a scary Halloween pumpkin bug. Hey, that reminds me of the Metasploit pumpkin I saw during a lab in October.

  • Upgraded mobo lost internet connectivity

    johnpoz

    @THEVIKING said in Upgraded mobo lost internet connectivity:

    I have pfSense router setup to send all traffic thru VPN to 192.168.20.100 (my PC)

    This doesn't make a lot of sense - so your PC is hosting a VPN server? That outside clients connect to? Or you're routing your traffic out through a VPN on pfSense (client to some VPN service)?

    You have some VPN on pfSense and you're doing a port forward through the VPN?

    None of these scenarios have anything to do with you changing the motherboard in your PC and pfSense. Not one of those scenarios has anything to do with pfSense and you changing your PC motherboard.

    The only thing that could change on your PC that might affect something you have set up on pfSense is the IP address of your PC. If it's still 192.168.20.100, pfSense doesn't give 2 shits what motherboard or OS or anything - it only cares about the IP address.

  • frustrating installation issue

    stephenw10

    A D2250 should work; it would just be bandwidth-limiting for PPPoE. But something like that will already be old; better to start with something newer anyway. 👍

  • Confusion in understanding one of the "Deny unknown clients" setting

    johnpoz

    @SteveITS said in Confusion in understanding one of the "Deny unknown clients" setting:

    We used to have tenants

    While that seems like a very valid use case... Thanks for a great example... But that kind of puts you a bit above your typical home/SMB sort of use, don't you think ;)

  • Captive portal doesn't work with iPhone and Android

    stephenw10

    Mmm, in fact it generally works better with mobile devices in my experience. Any recent version of Android or iOS can detect the redirection and prompt the user before they've even opened a browser.

  • Netgate 2100 & NUT or apcusbd w/ BX1000M

    lol yeah, @dennypage with just that it still works.

  • No backups could be located for this device.

    No one has replied
  • Problem with traffic or limited traffic

    stephenw10

    So was it passing full speed until recently?

  • Port forwarding not working properly

    stephenw10

    That's what I would expect because the system routing table should be correct. Incoming traffic should always come from that route unless you have some route asymmetry somehow.

    It's the port forwards (NAT) that allow traffic from a single source IP to arrive via any gateway.

  •

    stephenw10

    Is the OpenVPN server configured to listen on 'any' interface?

    If you can put a switch between igb2 and that PC, that would solve this.

    However if you set OPT1 to track interface for IPv6 it will probably stop this happening. Even if you have no IPv6 on the WAN.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.