• Ethernet detached event for wan after OpenVPN P2P client enabled

    0 Votes
    2 Posts
    409 Views
    stephenw10

    Pretty much the only thing that can cause a link event like that, other than it actually losing link, is if you are running Snort or Suricata in inline mode and it restarts. Is that possible?
    A gateway event on the OpenVPN tunnel could be triggering that restart. Do you have the OpenVPN tunnel interface assigned?

    Steve

  • pfSense Captive Portal on VLAN with Unifi WiFi APs... ...oh my!

    0 Votes
    5 Posts
    2k Views
    NogBadTheBad

    @bogusexception said in pfSense Captive Portal on VLAN with Unifi WiFi APs... ...oh my!:

    @stephenw10 Sorry I wasn't clearer. Most like brevity and complain when there are details. The following use case is strictly for the VLAN operation desired:

    Employees see the AP's SSID, "Team" for example. They enter the known password, known by all team peeps. They are presented with the CP (captive portal) challenge for user & pw from pfSense. They have their own user & password on pfSense, and use it to get past the challenge. Once successful, they are on their own, with traffic restricted at pfSense using VLAN firewall rules, like the other VLANs.

    Now for each of your questions:

    Do you mean simply entering the wifi pass key (WAP2/3)?
    Yes. Steps 1 & 2 above.

    Or are you using the Unifi captive portal for that?
    I was/am not aware that is an option, that is, only entering their unique creds when connecting to the AP. I'm fine with that!

    If it's the latter then serial captive portals could be a problem.
    I see what you mean, like cascading them. No, none of the incomplete/outdated examples I found do that.

    Really, as long as each user can log onto the network (VLAN 20) via WiFi, it is a win. I just picked the closest examples I could find, and none are working as the OPs say they do.

    P.S. Not that it should matter, but there is no addressable switch in this scenario: just a pfSense box with 2 physical interfaces, and a few APs. They just have user access group restrictions more involved than most.

    I hear you can't use the LAN interface if there are VLANs on it by some, but at the moment I can't get the CP credential challenge page to come up once they log into the AP's SSID that matches traffic for VLAN 20.

    Seems overly complex. Thought about using WPA2-Enterprise & FreeRADIUS?

  • Jumbo Frame on i211/igb adapters not working

    0 Votes
    17 Posts
    1k Views
    JKnott

    @rmac1813

    I just gave that as an example. I also mentioned Internet2 as another. Many people have yet to move on from 1500 byte MTU and even struggle with frame expansion, to allow VLANs etc., which happened years ago.

    My first work experience with IP was on token ring, which supported much larger MTU.

    With even home Internet connections over 1 Gb (my ISP recently announced plans for 8 Gb) I wonder how long before ISPs start allowing larger MTU. A few years ago, I first came across a 10 Gb connection in my work. It was for a major bank's data centre.

  • pfSense+ registration key usage

    Moved
    0 Votes
    5 Posts
    709 Views
    stephenw10

    Mmm, I'm not aware of any issues with multiple keys registered by the same user (email address).

    You can choose multiple subscriptions in the store. I believe we did add a limit there since some people immediately tried to get 1000 keys!

    Steve

  • Some websites don't load, but all get through the ISP router

    0 Votes
    10 Posts
    1k Views
    N

    @johnpoz

    Yup, that was it. I at least have most things acting normally now. I'll find out as I keep going if anything else pops up, but I'm thinking that was probably it. Now I just need to migrate my whole network to new VLANs... 😅

  • Hardening guidance for pfSense (PCI DSS)

    0 Votes
    5 Posts
    4k Views
    H

    @robh-0 Hi Rob, requirement 2.2 in PCI DSS v3.2.1 is to create configuration standards for all in-scope system components. Here is the requirement text:

    2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to:

    • Center for Internet Security (CIS)
    • International Organization for Standardization (ISO)
    • SysAdmin Audit Network Security (SANS) Institute
    • National Institute of Standards Technology (NIST).

    As an update, I've now been advised that I can use the firewall STIG to create my configuration standard (Firewall SRG - Ver 2, Rel 2 https://public.cyber.mil/stigs/downloads). It's not pfSense specific so it will be a case of going through and applying the recommendations to pfSense where applicable.

    So for me this is sorted out - thanks for your responses.

  • pfSense on vm for remote access using vpn

    0 Votes
    6 Posts
    839 Views
    stephenw10

    Yup, can be a VLAN. pfSense treats a VLAN the same as any other interface.
    It can even be something obscure like PPPoE. Though I would not recommend that unless you have no other choice. 😉

    Steve

  • iperf3 on pfsense server (slower) different to client (faster) - Why?

    0 Votes
    4 Posts
    627 Views
    johnpoz

    @rwillett said in iperf3 on pfsense server (slower) different to client (faster) - Why?:

    Interestingly I didn't get much better throughput on the Macbook client with 5 threads.

    Well, this is pretty maxed out for a gig connection already.

    [ 7] 4.00-5.00 sec 111 MBytes 935 Mbits/sec
    [ 7] 5.00-6.00 sec 112 MBytes 935 Mbits/sec

    So no you prob wouldn't see much better than that ;)

  • IGMP Proxy for IP-TV

    0 Votes
    4 Posts
    859 Views
    stephenw10

    Those firewall logs are all blocked ACK traffic to connections that have already closed. Not a problem:
    https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html#troubleshooting-blocked-log-entries-for-legitimate-connection-packets

    So did you have pfSense in place when you were using the USG-Pro?

    Either way I'm not really sure how you can pass multicast through the UXG-Pro with or without pfSense.

    Steve

  • 0 Votes
    5 Posts
    807 Views
    S

    @stephenw10 log compression off and higher log size seems to have stabilized it.

    There's about 12 computers in that closet. There is cooling and venting into the closet and the alarm never went off, but the case was pretty hot to the touch. Will keep an eye on it. Thank you.

  • pfSense as initial network filter

    0 Votes
    17 Posts
    3k Views
    NollipfSense

    @johnpoz said in pfSense as initial network filter:

    https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html

    Thank you John for sharing.

  • pfsense stops at boot prompt need to press enter

    0 Votes
    16 Posts
    3k Views
    stephenw10

    Huh, that is good to know. And also truly bizarre!

    Thanks for the update.

    Steve

  • System Crash Report

    0 Votes
    8 Posts
    1k Views
    M

    Thanks all for the help. Manually clearing the logs and then restarting suricata seems to have helped; I now see the logs rotating as they should.

  • Kernel Error

    0 Votes
    7 Posts
    1k Views
    V

    @jimp My CPU is soldered on a mini ITX MB but the heat sink may be removable. However, I have never seen CPU temp above 40 deg C so I don't think it's an issue.

    I read somewhere in these forums that there was a BIOS setting that fixed a user's errors. I found a "Turbo Mode" in BIOS that I disabled, so maybe that will help. I haven't seen any more errors since my first post.

  • Cannot access DMZ server from LAN

    0 Votes
    11 Posts
    1k Views
    johnpoz

    @natanaelmm29 said in Cannot access DMZ server from LAN:

    specific file and put 255.255.0.0 mask instead of /24

    Yup that would do it ;)

    Glad you got it sorted.

  • pfSense crash...help needed.

    0 Votes
    6 Posts
    732 Views
    the other

    Hello again and again, thanx for your reply!
    I am with you at the points of failure of new hardware... :)

    So far, I am glad (and thankful) for you looking at the reports. Glad, because there seems to be no "obvious" config problem.

    I guess I will sit it out, since I am playing with the thought of purchasing a new device to run pfs on. I am bugged by this ever since upgrading, but so far (luck?) nothing "happened" with the system (aka break down, not working, nuclear explosions). So I will save my money, not buying yet another mSSD but saving it for the new device (either 4100 or 6100).

    Maybe someone has another idea about it (but since a pro like you cannot come up with the ONE solution or explanation, I doubt it; no offense, guys and girls)...

  • Users in Group admin via SSH and Console Options

    0 Votes
    4 Posts
    647 Views
    jimp

    Be aware that most of those functions won't work for non-root users even if they are in the admin group.

    You should install the sudo package, grant access to the admin group users to run things as root, and then run the menu with sudo /etc/rc.initial.

    They will be prompted to input their password again unless you configure sudo to allow access without a password.

  • How do I disable RAM drive for /var /tmp?

    0 Votes
    3 Posts
    1k Views
    M

    @jimp Thank you so much, it's very helpful

  • Can I rebuild the pkg database without installing updated packages?

    0 Votes
    8 Posts
    2k Views
    MrPete

    @stephenw10 AWESOME. Worked great

    SO:

    Bug: zfs + ram disk for tmp and var
    Result: wipes /var/db/pkg and replaces with links (and /root/var/db/pkg, and /var/db/cache)

    Easy workaround for now:

    Do a full backup including extra info. It will contain all of your packages AND settings.
    Delete the link folders.
    Recreate a base pkg database:
    # mkdir -p /var/db/pkg /root/var/db/pkg /root/var/cache
    # pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade
    # pkg-static upgrade -f
    (from https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html#forced-pkg-reinstall )
    Edit the backup XML file as @stephenw10 described. One line to delete: <use_mfs_tmpvar></use_mfs_tmpvar>
    Restore the backup. All packages will be restored including their configuration.

  • Access Jellyfin server on different subnet

    0 Votes
    39 Posts
    10k Views
    S

    @johnpoz @stephenw10

    I see. pfBlocker is on my list to learn next. Will start looking into it and explore. Will come back to you guys and the forum if there're questions in the future 😁

    thanks for the input 👍

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.