@feedyourtv Most probably a hardware issue. The fault will propagate sooner or later.
Usually is due to faulty decoupling capacitors on the motherboard.
To say that ashrock boards are problematic is as invalid as by saying that windows never blue screen.

If it was a software issue, this board would be full of complaints, rest assured.
Have fun, as long as it works out for you this way :)

@jim82 said in WAN looses connection randomly with 24-36 hours - tried everything:

14 days after and my connection is rock solid. Thanks for your help.

👍

@netblues
One other thing, that current IP changes daily when SLAAC and privacy addresses are used. I agree firewalls should be used, but there are some things in IPv6 that make it safer than IPv4. Also, IIRC, pfSense and just about every other firewall defaults to deny all, so unless the OP actually did something to leave it wide open, he should be OK.

Ive been running a clean install (i.e not an upgrade of 2.4.4p3) of 2.4.5p1 with a minimal restore of config (too many rules to recreate from total scratch) for a few days now and gradually things have worsened. The culprit is pfctl which can be seen consuming 100% of CPU in System Activity.
I have pfBlocker installed but have it set to run cron once per day at 3am and it doesnt appear to cause the load.
I did notice on day 1 of running a clean install that the increase in latency occurred at exactly the precise time /usr/bin/nice -n20 /etc/rc.update_urltables was scheduled to run.
Rebooting seems to reset things to some degree but at this point I suspect I have to roll back to 2.4.4p3 as this latency is making video conferencing virtually impossible.

overview.png

states.png

notraffic.png

memory.png

cpuload.png

Hi,

Please don' t bother it , I have managed to fixed it :)

thing seems just simpler than I thought , no need to bridge anything , just plugin my router into the LAN port ,reset my router , that's it.

Thanks again

Best regards,

@klausneil said in PROXY NOT WORKING:

I put the proxy data in the browser

http traffic basically appears in the squid access table (in transparent mode)
(if not, there is a configuration issue and the request does not reach Squid)

https content becomes visible (table) only by inserting the Squid intermediate certificate into browsers
(will appear in this form in the table - domain.xyz:443)

or you can use WPAD and / or PAC solutions, yet

thanks @netblues and @JKnott for your feedback. I focused on the vm host (XCP-NG) network config and found resources for enabling vlan interfaces in xen..I can now see vlan capable interfaces when creating vlans in PFsense.

Enable Vlan interfaces:
http://think-brick.blogspot.com/2016/02/pfsense-on-xenserver-enable-vlan.html

XCP Trunking:
https://xcp-ng.org/docs/guides.html#vlan-trunking-in-a-vm

now time to get this vlan routing setup..

Yeah you need to enable powerd to see the Speedstep freqs used.

Though in reality modern CPUs don't save much by using P-states. The savings from C-states are much larger in my experience. It all helps though. 😉

Steve

No.
Adding the CA cert to Mikrotik would allow connection from the Mikrotik itself but would not do anything for connections from phones (or other hosts) behind it. It would onyl help if the clients are already using the Mikrotik to proxy traffic.

Steve

@raviktiwari said in Sending and Recieving emails...:

As soon as I open the ports, scammers get excited and they start hitting my server and because the port is opened pfSense ...

That's totally normal. If you have a to serve port Xx, you'll be needing an server type application that you should (totally) trust, it should be set up to 'listen' to that port, and that port should be reachable by the public that could have to use that port Xx. This actually means that anybody on planet earth can connect to 'your' server.
( people tend to use firewalls on server type devices to lock down non-served ports. Think about this for a minute or so.
If your laughing right now , then ok, perfect. You got it. A firewall on a server is ... quiet useless - There is no reasons to 'close' non served ports, because they are black holes by nature.
This reasoning is valid if the admin admins his server. That is : that he controls what executes,a nd when, on his server - and how it is executed. When the looses control, well, the first thing that would fall is the firewall - so start with not using a firewall on a server => one thing less to 'admin ;) and one thing less to mess up l.

Like Apache2, nginx will be listening to port 80 and or 443. postfix will be listing to 25 TCP and probably also 465 TCP and 587 TCP (now out phasing)

postfix will show / produce huge logs daily ****, filled up connection attempt from 'other' devices on the Internet connecting to your IP:port to try to 'dump' their rubbish. That normal, and you should consider it as simple back ground noise.

Important to know : postfix, as worlds most used mail server, is pretty darn good to take care of the rela mails 'for you' and discarding the rest.
But : postfx is as good as the admin maintaining it.

The setup of a postfix server is ..... huge.
And, IMHO, its totally impossible to encapsulate the settings with some sort of GUI like VirtualMin or others. You have to master - with your head - the master.cf and main.cf files. This is my opinion of course, as I needed a multi domain, multi IPv4, multi IPv6 with added IMAP/POP mailbox support. It should work with Outlook Express (back then) - all Thunderbird version, as up to the latest "Office 365".

For me, it all started here (I guess) : http://www.postfix.org/SMTPD_ACCESS_README.html
This is gold : http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt is still actual as of today !!

A firewall can't help you here "with some rules". *** What really helps to get out the 'door knockers' is a tools like fail2ban.
It parses the postfix logs, searches for known - non accepted by postfix - incoming connections, and if they repeat themselves, or come back to often, the firewall gets loaded with a block rule for that IP.

Se it here in action.
fail2ban parses also ssh logs, web server logs, teamspeak logs, etc, and acts if it finds something suspect.

*** most traffic, even mail traffic, is SSL encoded, so a firewall hasn't even access to the payload, it would see the source IP, and that's it.

**** you'll meet up with logrotate for log file management.

edit : sorry for losing the subject.

edit 2 : I'm not running postfix on or after pfSEnse postfix of course (@work) . ISP lines are mostly big mega f*ck to host mail servers, as they are listed as such.
It's a typical VPS usage, or what I use : a pair of https://www.ovh.com/ca/en/dedicated-servers/ which includes all the IP's needed, and, hopefully I never need it : a huge DOSS protection - on a naked (no GUI) Debian 9/10 install.

When you start to run postfix yourself, bind (named) wiill follow as a master DNS server for your domains, and a web server will follow. Some Squirrel (old ... I know)/Roundcube instances, a MariaDB (ex. MySQL) for housekeeping etc etc.

Btw : the "rock science" used by the big ones has nothing to do with what I / you do. They will not tell how they do it for - logical - security issues. But English/German/Belguim/French/Spanish biggest ISP did this : they took a copy of postfix, as it is 'free ware' (somewhat), and adapted it to it scales up on a pure maddens level.
They ware using qmail back then .... they all paid the price. And no, no 'Exchange' for them.

In Linux (mint) is set both IP4 and IP6 to nothing for WAN
Now Linux doesn't get any WAN traffic

It goes to pfsense first and comes back to LAN
This works but I think I'm creating a mess

With policy based IPSec you will need phase 2 policies carry the traffic he is sending and you probably don't right now.

For example if his subnet is 10.130.100.0/24 he probably has a P2 on his tunnel that is:
10.130.100.0/24 to 10.128.0.0/16

That will grab any traffic coming from hos local subnet destined for you office networks and send it over the tunnel.

But if he tries to access another remote site, say 10.130.200.0/24, that traffic will be ignored as it's not covered by the policy.

To connect between spokes in a hub and spoke design like that you need P2 policies on each tunnel to carry it. So for that example the remote worker would need a P2 on his tunnel:
10.130.100.0/24 to 10.130.200.0/24

And the remote site he'd connecting to would need:
10.130.200.0/24 to 10.130.100.0/24

That escalates quickly if you need to connect between a lot of sites.

It's much easier if you have route a based VPN like OpenVPN or VTI (route based IPSec). But that would require changing all the tunnels.

You could proxy the traffic on your office network somehow so his traffic appears to be coming from there.

You could setup an OpenVPN server for this one worker (or more remote support staff). If you choose a tunnel subnet that is inside 10.128.0.0/16 then the existing IPSec tunnels will already carry that traffic.

Steve

@redfox

let's go step by step 😉
read this thread, here I describe exactly how to create the environment for game play:

https://forum.netgate.com/topic/153514/nat-issues-when-playing-games-on-two-computers

once you have interpreted and have a problem, write and I will help

++++edit:
@redfox "How would your suggestion work in my situation?"

playing can be dangerous behind a firewall as ports need to be opened
but with a good setup this shouldn't be a problem

With AEAD ciphers the "hash" function gets used as a Pseudo-Random Function (PRF) instead. It's still necessary, but not necessarily used for hashing. strongSwan is smart enough to do the right thing there.

2.5.0 allows choosing PRF explicitly as well https://redmine.pfsense.org/issues/9309

it actually looks normal to me. i can post it later, but ill have to do extensive redacts.

interestingly, the upgrade pre-2.4.5 one has this entry in its backup xml:

<opt3> <descr><![CDATA[LAGG0]]></descr> <if>lagg0</if> <enable></enable> <spoofmac></spoofmac> <mtu>9000</mtu> </opt3>

and the new fresh install of 2.4.5 does not, but it does have all sub-interfaces for all the vlans, like this:

<opt1> <descr><![CDATA[VLAN_130]]></descr> <if>lagg0.130</if> <enable></enable> <spoofmac></spoofmac> <ipaddr>redacted</ipaddr> <subnet>24</subnet> </opt1>

You can't find 2.4.4 info, because that version doesn't exist anymore (snmp bug).

The actual version works just fine :

root@DiskStation2:~# snmpwalk -v1 -c public 192.168.1.1 | grep 'pfSense' SNMPv2-MIB::sysDescr.0 = STRING: pfSense pfsense.brit-hotel-fumel.net 2.4.5-RELEASE-p1 pfSense FreeBSD 11.3-STABLE amd64 SNMPv2-MIB::sysLocation.0 = STRING: pfSense HOST-RESOURCES-MIB::hrSWRunParameters.426 = STRING: "-q -f /etc/pfSense-devd.conf"

Btw : for "regex" reason, this

snmpwalk -v1 -c public 192.168.1.1 | grep '2.2.5'

will not work. "2.4.5" isn't a literal search string !

@barakath said in Email Alert for CPU Temperature:

Diagnostics--> Edit file.

Look at it, then never look or even use that option again.

To see / load / upload to any device - not just pfSense, but any device around you (Phones, VCR, Access Points, wall clock, coffee machine, you name it), use a SFTP (example : WINSCP, or the far superior SmartFP) to access you pfSense over port 22.
Also : activate the SSH access.
While you're at it, test also the console access, which show the same info / same access.

Also, install Putty (windows SSH client - MAC users have a SSH client build in).

Ones you have access, install a descend text editor like 'nano' (or use the good old build in editor 'vi'):

pkg install nano

Copy the file using select in the Github windows and Ctrl-C - from here https://gist.githubusercontent.com/JMac87/1303f78c56a54165447568318eeca3b3/raw/8eaf407f0aa90d0134be12b51c0996bf9337da70/cpu_temp_alert.sh (the 'raw' view).

Then, on pfSense, - login menu option 8 - open non exiting filer with nano like :

nano /root/temp.sh

and then paste ( Ctrl-V) the script.
Ctrl-O to write the file, Ctrl-X to exit nano.
'chmod' the file (see above).
etc etc.