• UPS & NUT strategy

    15
    0 Votes
    15 Posts
    2k Views
    dennypageD

    @zkab said in UPS & NUT strategy:

    @dennypage OK ... I disabled SNMP in pfSense
    In APC UPS I don't have public community - have entered my own community string (read-only)
    Running SNMP v1

    Go back and make the ro community “public”. You can use a different community later, but for now stay with public.

    Edit: And please confirm functionality with snmpwalk before attempting anything else:

    snmpwalk -v 1 -c public 192.168.1.12
  • ping 127.0.0.1 error sendto: can't assign requested address

    5
    0 Votes
    5 Posts
    2k Views
    stephenw10S

    Hmm, what if you set a source IP like:

    [22.05-RELEASE][admin@3100.stevew.lan]/root: ping -S 192.168.18.1 localhost
    PING localhost (127.0.0.1) from 192.168.18.1: 56 data bytes
    64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.278 ms
    64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.089 ms
    64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.085 ms
    ^C
    --- localhost ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.085/0.150/0.278/0.090 ms
  • pkg update / audit reports vulnerable

    Moved
    2
    0 Votes
    2 Posts
    471 Views
    GertjanG

    @jpgpi250

    You don't need to.
    If pfSense was a file server, or web server, then these packages could expose services exposed to the Internet. This would mean that a known bug could be important for you.
    Or, pfSense is a firewall, so most if not all vulnerabilities are not accessible.
    You can make the system even more safe by limiting the admin access on the LANs side to a known interface like LAN, and use other interfaces for all your other local devices, or make the admin interface only accessible to the device you use to admin pfSense.

    Take one example : the openvpn plugin issue : these plugins are not installed on pfSense.
    You are most probably not using dnsmasq, as unbound, the resolver is the default.

    Most, if not all of these vulnerabilities are always known to the pfSense Netgate dev team, as they are also the ones that contribute to FreeBSD. If a patch is available, they will rebuild the package and update it in the repository.

    You can run once in a while option 13, as this will update pfSense FreeBSD packages maintained by Netgate.
    I've automated the scan for available system packages for pfSense with a script. If a package is up-datable, I'll receive a mail.

    edit : Btw : I'm just another pfSense user. If needed, 'they' will give more info.

  • My Mellanox ConnectX-3 shows 10gbe then 1000BaseT

    9
    0 Votes
    9 Posts
    2k Views
    stephenw10S

    SFP modules and fibre usually work more consistently in my experience and present more options in the NIC.

    That allows you to get modules tested to be compatible at each end. It's possible to get custom DAC cables where each end is programmed for the device it's connected to but waaaay more expensive!

    Steve

  • pfSense Kernel panic even on new hardware

    28
    3 Votes
    28 Posts
    4k Views
    stephenw10S

    Ah, well that's a good catch! Hmm, interesting. Nothing there really indicates lagg or lacp directly so I guess enabling that is somehow touching some other code... 🤔

  • Unable to get PPPOE WAN to Router WAN working

    2
    0 Votes
    2 Posts
    435 Views
    M

    Update:

    It's not PPPOE - it's IPOE that my Sky provider uses (my bad :))

    Also,

    I have now got this working to some degree in that I can see the WAN public IP on PFSense WAN port.

    Just in case anyone else has this issue, this is how I have resolved it..

    Put the VR600 into bridge mode, make sure DHCP, IGMP, Wireless and Firewall are all turned off. Then under Advanced, networking, remove any other connection, then add a new connection, set as VDSL, and specify a VLANID of 101. Below is a link to show this in more detail.

    https://community.tp-link.com/en/home/forum/topic/266902

    In your PFSense setup..
    Under interfaces, WAN..
    Make sure you set as follows
    IPV4 - DHCP
    IPV6 - DHCPV6
    Next select the DHCP Advanced configuration, then look for Send Options.

    Under Send Options you specify this below:

    dhcp-client-identifier "abcdefgh@skydsl|1234567890abcdef",dhcp-class-identifier "7.16a4N_UNI|PCBAFAST2504Nv1.0"

    Next under DHCP6 Client Configuration
    Use IPv4 connectivity as parent interface = true
    Do not allow PD/Address release = true

    Next reboot the VR600 router, you will notice that at first it presents with a local IP, but after about 20 seconds the public IP will appear.

    Note that the VR600 router would usually display a satellite indicator icon to show that it is connected to the ISP. This is not the case when you are bridging to it from PFSense, this light will not display even when it is connected. I thought it is worth mentioning this.

    I hope this helps someone :)

  • Configure VPN on only LAN interface?

    2
    0 Votes
    2 Posts
    385 Views
    V

    @nguser6947
    Yes, that's doable with pfSense for sure.

    pfSense provides multiple ways to route traffic to specific gateways:

    default route
    static route
    policy routing (can be configured in firewall rules)

    In your case, as I got it, you want to route any traffic over the VPN except that one from devices connected to the specific OPT interface.
    So you can use the default route and point it to the VPN server, which might be already done, I guess. (Normally the VPN provider pushes the default route to the client.)

    For the OPT interface use policy routing to bypass the VPN and direct traffic to the WAN gateway.
    Read the Policy Routing Configuration chapter in the pfSense book for details.

    Also obey the Bypassing Policy Routing section with the RFC1918 alias if you need to access local destinations from the OPT interface as well, e.g. DNS access to the pfSense Resolver.
    Remember that a policy routing rule directs any traffic it's matching to the stated gateway. I.e. if the rule matches you cannot reach local destinations. Therefore you have to add an additional rule for local destinations.

  • NTP unreachable/pending (RESOLVED)

    6
    0 Votes
    6 Posts
    871 Views
    M

    @johnpoz Ok then, thanks once again johnpoz

  • When to expect 2.7.0 to follow pfSense+ 22.05

    Moved
    4
    0 Votes
    4 Posts
    691 Views
    N

    No they are not forked. (at least up to now)
    The plus version has more often updates, incorporates fixes to core product and as the blog says might also have some additional features
    Eg Implementation of captive portal is one important change.
    IMHO, freebsd 13 is the next big thing,

    It's the same base product with different customisations and different release trains. Or at least this is how I understand it is. I might be wrong :)

  • ZFS on QOTOM type Boxes

    16
    0 Votes
    16 Posts
    2k Views
    H

    @stephenw10 Thanks, I'll give this another go and post the logs.

  • Source interface for RADIUS auth traffic

    22
    0 Votes
    22 Posts
    4k Views
    T

    @stephenw10
    The AWS side will likely propagate whatever you advertise to it, because I manage both ends and that's just how the virtual private gateway works in AWS.
    I guess there might be a slight risk here, but hopefully AWS won't make a change that rejects these routes.

    Of course, ideally I hope that pfSense will allow the source to be configured in a future release of the OS. As far as I know, other firewall vendors are able to do so.

    /Thomas

  • Zuorat Vulnerability

    3
    0 Votes
    3 Posts
    589 Views
    stephenw10S

    That ^. Looks like it targets Linux on MIPS so almost certainly not.

    Steve

  • Linksys OpenWRT vs Netgate SG 3100 pfSense 22.05

    2
    0 Votes
    2 Posts
    533 Views
    stephenw10S

    Hmm, I would not expect a 3100 to throttle at 650Mbps with a default config.

    You may have something else in the link throttling that somehow. Or some connection issue to/from the 3100. Though that usually produces a far lower result.

    Steve

  • sshguard exiting every minute

    7
    0 Votes
    7 Posts
    4k Views
    T

    @stephenw10
    Done! Thanks!

  • Boot Environments ready?

    3
    0 Votes
    3 Posts
    498 Views
    chudakC

    @jimp said in Boot Environments ready?:

    If your system uses ZFS, yes.

    If you use that menu entry it should tell you if your system is capable or not. If you get a list of boot environments and options, then you're good.

    If you get an error, then it's not supported as-is (for example, perhaps you are using UFS, not ZFS)

    I did do a clean update to ZFS before.

    Thx

  • hardware recommendation

    8
    0 Votes
    8 Posts
    776 Views
    C

    @stephenw10

    Yes sorry 100Mbs Down and 100Mbs UP dedicated line

  • pfsense plus reinstall

    5
    0 Votes
    5 Posts
    1k Views
    stephenw10S

    Right now you do but that's only until we finish testing the direct upgrade and switch the repo branch.

    Steve

  • Block google drive App desktop

    10
    0 Votes
    10 Posts
    1k Views
    N

    @steveits
    Thanks a lot :)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.