• Issue with network and Gmail and other Google pages

    22
    0 Votes
    22 Posts
    3k Views
    NollipfSenseN

    @JKnott said in Issue with network and Gmail and other Google pages:

    Well, I'm allergic to Apple gear

    LMAO!

  • Slow Upload Speed on Gigabit Connection

    12
    0 Votes
    12 Posts
    3k Views
    DaddyGoD

    I thought of it as fine tuning: Path to file: /boot/loader.conf.local..........................

    and these as well: System -> Advanced -> Miscellaneous -> Power Savings
    Check "Enable PowerD" and set to "Maximum" or "Hiadaptive" for all power states..........................

    Anyway, I'm glad you solved the problem.

    PS: Unfortunately, I can't open the link, so I don't know how good a description you found.

  • IGMP Proxy vs PIMD package use case

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • LDAPS Authentication with Active Directory and Intermediate CA failed

    6
    0 Votes
    6 Posts
    747 Views
    Y

    LDAPS has been working for me for some time, including a test. A few minutes after trying to log out and log in to pfsense, I can’t log in anymore and the SSL connection does not work, I see the error "Unknown CA (48)" in network traffic. What reliable actions need to be done?

  • Adding a Trusted Root Certificate Authority Certificate

    Moved
    9
    0 Votes
    9 Posts
    2k Views
    johnpozJ

    Oh so pfsense can do its "own" traffic through the snooping upstream proxy... This would have zero to do with clients behind pfsense - those clients would need to trust this CA as well.. Because the upstream proxy is doing mitm..

    What gov is this?

  • Renewal of Internal CA

    6
    0 Votes
    6 Posts
    726 Views
    A

    @jimp said in Renewal of Internal CA:

    You could spin up a 2.5.0 VM, import your CA, renew it there, export, and then copy the contents back to your current setup.

    If it's that old, though, you'll probably also want to let the renewal process upgrade it to a stronger key/hash/etc.

    Thanks for the great feedback.

  • Unable to load dynamic Library

    4
    0 Votes
    4 Posts
    989 Views
    GertjanG

    @Druplex said in Unable to load dynamic Library:

    @Gertjan am on 2.4.4-p3, i had upgraded to 2.4.5 but gave me the same error so i just reverted back and the error is still on.

    Ok.
    Packages were updated / upgraded to support 2.4.5 and PHP dependencies.
    You can't upgrade packages using an 'old' version of pfSense like 2.4.4-p3 if a 2.4.5 exists, as the package could actually need (example) PHP 7.2.b while pfSense 2.4.4-p3 is using 7.2.a.
    There will be a PHP library version mismatch. That's what you are seeing.

    Normally, when you upgrade pfSense, you don't stop there.
    The list with installed packages will also get updated, and show you if any packages should be upgraded. At that moment, these upgrades might not be optional, as they could use old (PHP) libraries, and pfSense just replaced them with more recent ones. This explains the error you saw.
    Just finish upgrading, and all will be fine.

    Downgrading pfSense will not help here.

    Golden rule : Do not install/upgrade (use ?) packages any more as soon as a new version of pfSense comes out and you decide to stay on the old version.
    That is : closely observe what sub packages, like PHP, get installed with them. Some will work on nearly any version of pfSense, some use a lot of shared resources with the OS or other pfSense core files, and need to get upgraded - at least reinstalled.

    See Netgate release notes. Netgate's upgrade video and the huge quantity of forum posts about the subject.

    Keep in mind : most packages are created by people like you and me. Package maintainers should only have to support their package using the latest pfSense version. No one wants to make a package installable on all kinds of recent and ancient pfSense versions (like Microsoft doesn't support its older versions either, it's just too much of a job).

  • Auto config backup fails often

    10
    1 Votes
    10 Posts
    3k Views
    S

    I finally got to make the change and have been monitoring the last week with great success. We haven't had one error in the last 10 days which leads me to believe that changing the time has fixed the issue we were experiencing.
    Before we had it set to 00:00 CEST now it's set to 12.00 CEST.

  • libalias-bug in FreeBSD

    4
    0 Votes
    4 Posts
    639 Views
    dotdashD

    The firewalling and NAT are done in pf, not ipfw. If you enable the captive portal, it uses ipfw for the CP blocking functions. Perhaps you were thinking of ipfwSense.

  • Increase swap size

    6
    0 Votes
    6 Posts
    8k Views
    Raffi_R

    @JKnott said in Increase swap size:

    @Raffi_

    I also wonder why you'd need more swap on a router. However, in the Linux world, it's possible to create a swap file, which serves the same function as a swap partition. Perhaps the same is possible with FreeBSD.

    Thanks, that's a good point. I will not spend any time looking into ways to do it even if it is possible. It was just something I was curious about more than something I needed. If for example it was a single command I could have run and it was foolproof, I would have gone for that. But being that in the case of pfsense it would be a partition adjustment, there is no way I'm doing that. Especially for something that really isn't necessary as you point out.

  • 0 Votes
    3 Posts
    388 Views
    CodeNinjaC

    @stephenw10 First of all, thanks for your answer.

    I tried with Outbound NAT in automatic mode and in manual mode with the rules:
    WAN1 10.128.10.0/24 * * * WAN1 address * this is not a rule to the WAN 2 where the 192.168.104.0 network exists.
    Should I make a NAT rule to WAN2?
    Something like:
    WAN2 192.168.104.0/24 * * * WAN2 address * ?

    I also tried to enable the Bypass firewall rules for traffic on the same interface setting. Unfortunately I am still not able to reach the 192.168.104.0 network from the 10.128.10.0 or vice versa.

    I thought adding a static route on each firewall and adding the correct firewall rule (to allow traffic from the other network on the concerning interface) should do the trick? But as I understand from you, I am missing something (NAT?)?

    Note that I can ping the Zyxel USG200 interface and devices of the 192.168.104.0 network from the pfSense diagnostics ping tool but not from my computer.

  • Help Me understand

    3
    0 Votes
    3 Posts
    276 Views
    O

    @stephenw10 , Thank You

  • Issue connecting to Cisco switch (long)

    3
    0 Votes
    3 Posts
    543 Views
    E

    Steve, thank you.
    I read through your post and went at it again after factory resetting the switch and basically putting the OPT interfaces back to how they were when I received the SG5100 from Netgate.

    OPT1 (ix0), OPT2 (ix1), OPT3 (ix2), OPT4 (ix3) = added but not enabled
    From there I went to Interfaces => VLANs
    Define VLAN tag 10 interface ix0 (opt1), VLAN tag 20 interface ix0 (opt1)
    Enabled VLAN 10 and VLAN 20. Assigned static IPv4.
    Defined DHCP for VLAN 10 set range but added a static IP address for the Cisco switch outside of the pool range. Defined DHCP for VLAN 20, set range.

    On another computer connected directly to the Cisco switch, I defined VLAN 10 and 20.
    Set port 1 as a trunk. Tagged VLAN 10 and 20.
    Set port 8 as access. Untagged for VLAN 20.
    Added an IPv4 interface for VLAN 10, DHCP.

    Usually this is where I get kicked off but this time after I connected port 1 from the switch to ix0, the switch was listed under DHCP and Online in pfSense. In addition, my other computer that is directly connected to the switch was still connected using the switch's default IP address. I’m assuming it’s because VLAN 1 and VLAN 10 are both active on the switch and I have that computer plugged into a port that I didn’t mess around with.
    I plugged a device into port 8 and confirmed it got an IP address in the VLAN 20 range.

    One issue I found is that I cannot connect to the switch from my laptop that’s on the LAN connection. But I’m guessing that’s probably a firewall issue. I can still connect to the switch directly from my other computer so I can do switch configuration from there.

    I’m going to back up the settings on the switch and pfSense before I go any further. I guess for most people getting to where I am now seems trivial. After all, I don’t even know if the device works on port 8 since I just did a simple connectivity test, but after spending the last several weekends setting up, resetting, plugging in, and unplugging, I’m happy that I can finally move onto the next steps.

    Thank you very much for your help!

  • OpenDNS DDNS

    9
    0 Votes
    9 Posts
    3k Views
    L

    Just want to add to this in case someone else runs into it. There is in fact some sort of issue with passwords that have special symbols which work just fine in OpenDNS (and special symbols are required), but in pfsense, the login doesn't work. For example, changing my password to not include an "&" but to instead use a "$" fixed my issue. I'm guessing there is some bug in how the password is being encoded from the html form field or something.

    As others have mentioned, checking the verbose logging flag is encouraged so you can go into the system logs after you force an update and see if it logged in successfully or not. Hope that helps someone!

  • New machine, Hardware question

    12
    0 Votes
    12 Posts
    1k Views
    DaddyGoD

    @bereby said in New machine, Hardware question:

    XG-7100

    you're right:
    look at its original configuration, which has an i7 CPU and a 200W power supply .....

    who is already looking at the XG-7100, wants serious hardware...
    (many just like to experiment or want a significant reserve in their system)

    only this "ugly" hardware originally outlined, should be conjured up a bit of a network appliance type

    35-50W power consumption / rack case / all-in-one face / Intel NIC / etc.

    (and for sure 10 Gig SFP+ WAN or other interface...)

    ☺ jahhh and don't think I'm against Netgate hardware, (since I've already said that) it's also perfect, but you only have a choice if you know what you can do and choose
    (Intel vs. AMD in network appliance theme)

  • Possible bug or ?

    9
    0 Votes
    9 Posts
    1k Views
    stephenw10S

    Not in pfSense. At least not without changing your network configuration.

    That traffic goes from 192.168.90.3 to 192.168.90.5 directly at layer 3. It probably goes through at least 1 switch at layer 2.

    It never goes to pfSense at all so there's nothing it can do to see that.

    What you could do, for example, is configure a mirror port on the switch and then analyse the traffic on that to get flow data.

    You could bridge two ports in pfSense and make sure those systems were connected to different sides of the bridge. Then traffic would go through pfSense so you could see it and filter it. That is generally considered a bad idea unless you absolutely need it though.

    Steve

  • How to set up a 4G modem on pfSense?

    15
    0 Votes
    15 Posts
    4k Views
    stephenw10S

    Yup, those Ethernet connected Netgear LTE modems work well.

    You can use many USB LTE modems directly with pfSense though. What exactly is the device you have?

    Steve

  • Feel like giving up on pfsense

    22
    0 Votes
    22 Posts
    2k Views
    DaddyGoD

    it’s not a problem, everyone starts somewhere ☺

    in which slot (on MOBO) do you put the new NIC, what version of HP device do you have?

    HP Technical Reference Guide according to Google

    INTEL PRO PT 1000 Quad Port Network Adapter

  • DNS domain forwarder stopped working

    6
    0 Votes
    6 Posts
    670 Views
    johnpozJ

    @gyahoo said in DNS domain forwarder stopped working:

    I am at a loss as to how to proceed.

    Get on a current version of pfsense - the 2.3 line is DEAD, has been for over a year, shoot Oct will be 2 years... There were like 2 years of warning that 2.3 was going to be DEAD!

    Once you get on current.. Come back if you're having issues.

    So 2.3.4 is from 2017... You honestly thought it was up to date, with zero updates in like 3 years - on security software? It's not a notepad app you downloaded from some guy that wrote something he needed and shared it. How did you not check on that? Simple 2 minute visit to the website would have told you if you're current or not, etc.

  • Purpose of tracker on pfsense config rules

    3
    0 Votes
    3 Posts
    3k Views
    J

    according to https://docs.netgate.com/pfsense/en/latest/monitoring/raw-filter-log-format.html#bnf-grammar

    the purpose of the tracker id is

    <tracker> ::= <integer> -- Unique ID per rule, tracker ID is stored with the rule in config.xml for user added rules, or check /tmp/rules.debug

    I've written this script to fix my rules and make the tracker id numbers unique

    import xml.etree.ElementTree as ET

    ONE_SECOND = 1


    def main():
        start_epoch = 1585650686
        root_element = ET.fromstring(XML_DATA)
        rule_elements = root_element.findall('rule')
        for rule_index, rule_element in enumerate(rule_elements):
            # Space the IDs one second apart so every rule gets a unique value
            rule_id = str(start_epoch + (rule_index * ONE_SECOND))
            tracker_element = rule_element.find('tracker')
            tracker_element.text = rule_id
            # The created/updated timestamps are set to the same value
            created_time_element = rule_element.find('created').find('time')
            created_time_element.text = rule_id
            updated_time_element = rule_element.find('updated').find('time')
            updated_time_element.text = rule_id
        fixed_xml = ET.tostring(root_element, encoding='unicode')
        with open('fixed-firewall-rules.xml', 'w+') as f:
            f.write(fixed_xml)


    XML_DATA = '''
    <filter>
    <rule>
    ... // copy and paste the exported rules here
    </filter>
    '''

    if __name__ == '__main__':
        main()
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.