• Is PFSense SRv6 aware?

    1
    0 Votes
    1 Posts
    251 Views
    No one has replied
  • PPPoE connection problem

    9
    0 Votes
    9 Posts
    959 Views
    M

    @stephenw10 this was the best application for the mobo, CPU, and some memory I had lying around. Plus, I got sick and tired of all the limitations of the stock gateway from Centurylink. pfSense is so much better now that it is running as expected.

    Being able to set things up the way I want them to be and control cross VLAN traffic is precisely what I wanted. And I did not feel like spending money on some hardware FW appliance with all the issues they usually run into.

  • What's the latest state of pfsense and LTE modems?

    5
    0 Votes
    5 Posts
    904 Views
    stephenw10S

    Unfortunately there isn't (yet) an MBIM or QMI driver for FreeBSD and hence pfSense.

    I would expect the current Sierra devices to work if they present a known USB PID and u3g recognises it. But limited to AT connection interface.

    Steve

  • Sourcing default firewall blocks

    3
    0 Votes
    3 Posts
    419 Views
    P

    @stephenw10 said in Sourcing default firewall blocks:

    TCP ack packets

    Makes sense. Thank you very much.

  • Running NTP Server on pfSense

    3
    0 Votes
    3 Posts
    401 Views
    N

    In addition to that, there have been amplification attacks based on ntp. So using an external service increases your attack surface in any future possible breach attempts.

    Best security practice dictates using as few external services as possible.
    Same goes for dns and forwarders.

    (and the beauty of running a stratum 0 ntp server, over pps, remains with the few who have attempted the task.
    Now, I wish datacenters had glass roofs so gps could work on top of racks.. :)

  • When to transition to TNSR?

    1
    0 Votes
    1 Posts
    129 Views
    No one has replied
  • My internet randomly stops

    3
    0 Votes
    3 Posts
    406 Views
    S

    Internet is back.

    Aug 1 10:15:24 dpinger WAN_DHCP XXX.YYY.128.1: sendto error: 65
    Aug 1 10:15:27 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr XXX.YYY.128.1 bind_addr XXX.YYY.144.93 identifier "WAN_DHCP "
    Aug 1 10:15:32 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr XXX.YYY.128.1 bind_addr XXX.YYY.144.93 identifier "WAN_DHCP "
    Aug 1 10:24:53 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr XXX.YYY.128.1 bind_addr XXX.YYY.144.93 identifier "WAN_DHCP "
    Aug 1 10:24:53 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr XXX.YYY.128.1 bind_addr XXX.YYY.144.93 identifier "WAN_DHCP "
  • PFSense notification settings

    4
    0 Votes
    4 Posts
    1k Views
  • pfSense for Load Balancing

    4
    0 Votes
    4 Posts
    599 Views
    A

    @justice41 Yeah, you'll most likely have to search for FreeBSD support on that card, like you said. Maybe one of the pros here can comment. I don't have any 10Gb networking gear, so I can't say for sure on that one.

    Here's an old post from the forum:
    https://forum.netgate.com/topic/128108/new-firewall-with-10gbit-asus-xg-c100c-help-needed

    Jeff

  • no packages in package manager

    11
    0 Votes
    11 Posts
    870 Views
    ?

    @Gertjan

    you are right, actually WAN GW is 10.125.190.254

    as per your advice I changed settings to no interface (wildcard) and relaunched NTP service and everything works fine now, even package manager. All packages are in the place available for downloading.

    Thank you

  • Redirect traffic to a link using Proxy.

    2
    0 Votes
    2 Posts
    255 Views
    DaddyGoD

    @ivanildogalvao said in Redirect traffic to a link using Proxy.:

    However, from the moment I start using Squid and SquidGuard this does not work, not even with NAT Outbound, Squid always throws http and https traffic to the standard link (WAN1).

    Hi,

    Please note this:

    https://docs.netgate.com/pfsense/en/latest/routing/multi-wan.html

    Under the LOCAL SERVICE

    "By default, traffic using a proxy such as Squid will bypass policy routing and use the default route for traffic at all times. It also bypasses expected outbound NAT and leaves via the WAN IP address directly."

  • Unable to change Serial GPS baud rate

    12
    0 Votes
    12 Posts
    1k Views
    S

    Also worth noting is that you were correct - before I reverted my config because all routing was broken and I had no connectivity except on my fallback OPT1 HW interface, I did check the GPS settings and was able to change to 9600. On 2.5x with the baud rate able to be changed, the GPS immediately started working and had a lock, with PPS working and all was well.

  • How to automatically load a new configuration in every boot

    15
    0 Votes
    15 Posts
    2k Views
    U

    Let's not mount that extra drive at boot then but well after the ECL does its thing. Where's a proper place to put the mount command? Would also need to remember to manually save (backup) any changes to the config to the extra drive or perhaps modify another script?

  • pfSense and Global Cache iTach Flex

    5
    0 Votes
    5 Posts
    841 Views
    E

    @DaddyGo Thank you very much for the offer. I am going to try on my own first, before tapping into your expertise. Elliott

  • can not access pfsense via lan

    4
    0 Votes
    4 Posts
    2k Views
    GertjanG

    @genfoch01 said in can not access pfsense via lan:

    but it was not connected as i wanted to configure pfsense before i connected it to the wan

    Hummm. Not really needed - except if you hooked up devices on its LAN that you do not trust at all.
    And worse: it can happen that you access the GUI with big delays (2 minutes) if the WAN is down.

    Why skipping 192.168.2.1 ?

    You did set up the DHCP server on LAN, right ?

    remove switch from LAN, hook up your PC directly.
    Set the device using manual IP settings like :
    IP = 192.168.1. mask 255.255.225.0 or /243
    Now you can - should be able - to ping 192.168.1.2 - and connect to the GUI on 192.168.1.2

    or, if you're sure the pfSense DHCP server on LAN is set up correctly, connect your PC to pfsense and it will obtain an IP in the 192.168.1.x-y range - the range is the pool of the DHCP server.

  • arp: packet with unknown hardware format 0x00

    7
    0 Votes
    7 Posts
    3k Views
    JKnottJ

    @Rapboy2019

    After using Packet Capture, as described above, you can download the capture and view it with Wireshark to find the MAC address of the offending device.

  • BUG? Internal certificates tagged as External

    4
    0 Votes
    4 Posts
    468 Views
    N

    Hello @jimp,

    Sorry for my late reply. Lots to do and this issue was put on hold.

    Your 1st option was the good one.
    In the <cert> part for each certificate issued by the CA, the <caref> values were missing.

    I added the correct caref value on each certificate and re-imported the backup file into pfSense. After a reboot, everything was fine.

    Thanks for your answer.

    Kind Regards

  • watchdog timeout on Pfsense 2.4.5p1

    9
    0 Votes
    9 Posts
    1k Views
    C

    @Gertjan

    Thank you for your suggestion. I will change it and check. Because RTT is in the 10ms - 120ms range, I feel too high.

  • Help deciphering Crash Report: Panic String page fault

    2
    0 Votes
    2 Posts
    1k Views
    stephenw10S

    Important bit:

    db:0:kdb.enter.default> bt
    Tracing pid 369 tid 100130 td 0xfffff80016c02620
    kdb_enter() at kdb_enter+0x3b/frame 0xfffffe0467e9a160
    vpanic() at vpanic+0x19b/frame 0xfffffe0467e9a1c0
    panic() at panic+0x43/frame 0xfffffe0467e9a220
    trap_pfault() at trap_pfault/frame 0xfffffe0467e9a270
    trap_pfault() at trap_pfault+0x49/frame 0xfffffe0467e9a2d0
    trap() at trap+0x29d/frame 0xfffffe0467e9a3e0
    calltrap() at calltrap+0x8/frame 0xfffffe0467e9a3e0
    --- trap 0xc, rip = 0xffffffff80dadc55, rsp = 0xfffffe0467e9a4b0, rbp = 0xfffffe0467e9a4b0 ---
    strlcpy() at strlcpy+0x25/frame 0xfffffe0467e9a4b0
    hn_vf_rss_fixup() at hn_vf_rss_fixup+0x73/frame 0xfffffe0467e9a5b0
    hn_rxvf_change() at hn_rxvf_change+0x28b/frame 0xfffffe0467e9a630
    in6_update_ifa() at in6_update_ifa+0x111b/frame 0xfffffe0467e9a700
    in6_ifattach() at in6_ifattach+0x487/frame 0xfffffe0467e9a840
    if_up() at if_up+0x6a/frame 0xfffffe0467e9a880
    ifhwioctl() at ifhwioctl+0xaf5/frame 0xfffffe0467e9a8e0
    ifioctl() at ifioctl+0x475/frame 0xfffffe0467e9a980
    kern_ioctl() at kern_ioctl+0x267/frame 0xfffffe0467e9a9f0
    sys_ioctl() at sys_ioctl+0x15b/frame 0xfffffe0467e9aac0
    amd64_syscall() at amd64_syscall+0xa86/frame 0xfffffe0467e9abf0
    fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe0467e9abf0
    --- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x802234fca, rsp = 0x7fffffffd188, rbp = 0x7fffffffd200 ---
    db:0:kdb.enter.default> ps
    <118>Configuring IPsec VTI interfaces...done.
    <118>Configuring WAN interface...
    Fatal trap 12: page fault while in kernel mode
    cpuid = 3; apic id = 03
    fault virtual address = 0x60
    fault code = supervisor read data, page not present
    instruction pointer = 0x20:0xffffffff80dadc55
    stack pointer = 0x28:0xfffffe0467e594b0
    frame pointer = 0x28:0xfffffe0467e594b0
    code segment = base 0x0, limit 0xfffff, type 0x1b
    = DPL 0, pres 1, long 1, def32 0, gran 1
    processor eflags = interrupt enabled, resume, IOPL = 0
    current process = 370 (php-cgi)
    trap number = 12
    panic: page fault
    cpuid = 3
    KDB: enter: panic

    So some issue in the hn driver when it's trying to bring up WAN.

    Is your WAN configured in some unusual way?

    You should first try disabling all hardware off-loading if you haven't done that yet.

    Steve

  • 0 Votes
    6 Posts
    924 Views
    NollipfSenseN

    @sylvain613 So, you're using the bxe1 for WAN and igb0 LAN1 and igb1 LAN2? Also, could you post Status > System logs > General ... look for things that produced an error. Also, what interface are you using for IDS/IPS ... LAN1 and LAN2? Provide as much info on your setup.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.