• No internet/wan on a opt interface.

    0 Votes
    6 Posts
    684 Views

    @stephenw10 ahhh you got it, I need to set up VLANs in Proxmox & pfSense... Been stuck on this for days, thank you. You saved my home lab!

  • Setting up new device on LAN

    0 Votes
    49 Posts
    8k Views

    @johnpoz
    My bad, I reinstalled pfSense.

  • Performance on third party hardware, not official Netgate

    Moved
    0 Votes
    17 Posts
    2k Views

    I reflashed the device and now it works fine. No more timeouts/delays and no more weird networking issues we were battling with in another thread.

  • NTP

    Moved
    0 Votes
    4 Posts
    603 Views

    @nd-t

    I would have never thought to run pfSense in AWS. How are your clients connecting to the internet to get to their pfSense instance?

  • captive portal /file manager

    0 Votes
    2 Posts
    264 Views
    stephenw10

    They are base64 encoded and stored in the config file. So backing up the config includes that.

    See: https://docs.netgate.com/pfsense/en/latest/captiveportal/file-manager.html#managing-files

    Steve

  • Bandwidth issue behind PfSense

    0 Votes
    5 Posts
    683 Views
    stephenw10

    Speeds that low look like a link speed/duplex mismatch somewhere if you have removed the shaping. So look for something failing at layer1.

  • Pfsense 1:1 NAT with site-to-site ipsec

    0 Votes
    4 Posts
    2k Views
    stephenw10

    So the P2 will effectively end up being (in my example) 10.200.10.0/24 to 10.100.10.0/24.
    Each side 'hides' its local 10.10.10.0/24 subnet behind another, same-sized subnet. You could use any unused subnet for that; I just chose 10.100.10.0 and 10.200.10.0.

    So on each side that would be the Binat address.

    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/phase-2-nat.html

    However, if you do not need access between the two subnets directly but only from the pfSense_1 OpenVPN subnet, this becomes easier. You only need to BiNAT on the pfSense_2 side like:

    Screenshot from 2022-05-12 14-02-05.png

    On the pfSense_1 side the P2 would just be 172.10.10.0/24 to 10.100.10.0/24.

    To access the remote side, VPN clients would need to use the equivalent NAT address.

    Steve

  • Monitoring my network bandwidth remotely?

    0 Votes
    16 Posts
    1k Views
    johnpoz

    @josephchrzempiec said in Monitoring my network bandwidth remotely?:

    The laziness in me just wants to see traffic nothing else

    that is all that page is - have you even looked at it?

    It's a graph showing you your traffic of the interface you pick, that is it!

    traffic.jpg

    If you're really anal about it - you could just hide all the other stuff on the page with your fav web tool that allows that - say ad blocker..

    newgraph.jpg

    Just set the graph how you want it - and remove all the other elements on the page.. No need for scripts no need for programming - just point and click.. There you go.

  • The firewall has encountered an error

    0 Votes
    3 Posts
    511 Views

    @stephenw10 said in The firewall has encountered an error:

    There's no time stamp so we can't say if that's related but it certainly shouldn't do that.
    Check the System and Snort logs.

    Okay thanks, I also notified Snort via email....

  • SG3100 WAN IP different to my IP?

    Moved
    0 Votes
    6 Posts
    673 Views
    stephenw10

    The gateway is what your ISP passes to pfSense to use as the next hop for routing. It's a router at their end of the WAN connection.

    See: https://docs.netgate.com/pfsense/en/latest/network/subnets.html#ip-address-subnet-and-gateway-configuration

    Steve

  • Realtime email alerts for specific events?

    0 Votes
    6 Posts
    833 Views
    stephenw10

    It's possible but you would need to carefully select the signatures you enable. I would not recommend it.

    But it won't alert you in real-time anyway.

    I agree with the above; use something running on the Mac to monitor those connections.

    Steve

  • Bandwidth saturation and pfsense

    0 Votes
    7 Posts
    1k Views
    stephenw10

    800MB in one hour is not that much by modern standards. A single Mac running iCloud backup will burn through that easily.

    At 1Mbps on your ADSL WAN it's not possible to upload 800MB in one hour. So that must include upload and download.

    I would find out what their actual cut-off limit is and add your own limiter to prevent hitting it. Though in my opinion if you're paying for 10/1Mbps you should be able to use it.

    Steve

  • How to find who is generalizing traffic

    0 Votes
    5 Posts
    642 Views
    keyser

    @whitetiger-it said in How to find who is generalizing traffic:

    I know only traffic totals (and only a little); I don't remember if stats is for single PC.
    I do not know the other tools and therefore I ask you for advice.
    However, I need to find the PC that is generalizing traffic in INTERNET UPLOAD.
    The traffic over PC’s ethernet card is also for other reasons, for example to NAS, server or printers.

    Yeah, think you are right about Traffic_Totals - that’s only for combined traffic. BandwidthD or Darkstat is what you are looking for. They will summarize traffic for individual IPs.
    But if you route traffic to your servers, printers and what not (through pfSense to another interface), that will be included by default too. But there is likely an “internal network” type definition you can set up to have them exclude traffic to other local IP scopes.

  • official repository?

    Moved
    0 Votes
    2 Posts
    397 Views

    @danielr It's a Netgate domain, you can run md5 checks against the files if you wish, but the software itself is not only unsupported now but also may not allow installation of packages properly as the maintainers may not be maintaining those old versions anymore.

    v2.3.5 was released nearly 5 years ago and many CVEs have been discovered, patched and replaced in the last 1500 days.

  • Pfsense Admin Portal Protocol

    0 Votes
    13 Posts
    1k Views

    @stephenw10 said in Pfsense Admin Portal Protocol:

    Ok, so you could do something like this:

    Disable the anti-lockout rule on LAN.

    Add a floating rule:
    Pass, IN, all interfaces, TCP, source: <the_IP_to_allow>, destination: This firewall, port 443.

    Add a floating rule below that:
    Block, IN, all interfaces, TCP, source: any, destination: This firewall, port 443.

    Make sure you have console access so you can roll back that change if you get locked out!

    Steve

    Dear Steve, Thanks a lot for your explanation.

  • How to set SPD's/traffic selectors in IPsec?

    0 Votes
    14 Posts
    2k Views
    stephenw10

    Yes, you can add those two sets of subnets as P2s in a policy based config and it will work. The BGP session will use the APIPA addresses and the routed traffic will be carried by the other P2. It will of course fail if BGP passes other routes since they are not carried.

    To allow traffic to/from those APIPA addresses, which are blocked by default, be sure to enable it:
    https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#allow-apipa

    Steve

  • Help error "boot mount waiting for : CAM"

    0 Votes
    3 Posts
    2k Views
    stephenw10

    It could be configured to use the wrong primary console. Those are the last messages you see on both consoles before it switches to primary only.

    https://docs.netgate.com/pfsense/en/latest/troubleshooting/boot-issues.html?#booting-with-an-alternate-console

    Steve

  • Jumbo frames?

    0 Votes
    10 Posts
    1k Views
    JKnott

    @stephenw10

    Or more precisely, don't send a frame that exceeds the recipient's maximum size. There's nothing in an Ethernet frame that says what the MTU is.

  • Back up

    Moved
    0 Votes
    2 Posts
    273 Views

    @danielr That's covered in the docs here:
    https://docs.netgate.com/pfsense/en/latest/backup/restore.html#restoring-from-the-config-history

    However you cannot restore to an external backup file easily.

  • Enforce NTLMv2 on pfSense

    1 Votes
    1 Posts
    355 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.