• LAN Output working after 2.4.5-RELEASE (amd64) update.

    2
    0 Votes
    2 Posts
    194 Views
    stephenw10S

    First check: https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html

    Can you connect to the pfSense webgui? Can it connect out? Do you see available packages for example?

    Steve

  • New user... Whats your opinions of how i have my network setup?

    9
    0 Votes
    9 Posts
    742 Views
    M

    The only thing I would change is where the Netgear router is patched. I would patch it into one of your switches instead of the modem. As pictured, your wireless has no access to your LAN. If that was your goal, then you're fine... otherwise I'd enable AP mode and plug it into a switch.

    You could go for a more intricate and arguably cleaner design by consolidating down to one switch, running extra cable to each room, possibly setting up VLANs, etc, but that involves time and money. Your current setup is completely functional, so if it's meeting your needs, there's nothing wrong with it.

  • Very slow internet speed

    5
    0 Votes
    5 Posts
    615 Views
    B

    Unsure. That server is a twin server. On the left side ESXi is installed and the right side was not in use, so got pfSense there as needed several NICs for this setup. I think it could be CPU temps getting too high, as every time I saw pfSense showing them in yellow my network was slow. Interesting is that the other motherboard with the same pair of xeons and 24GB running ESXi 24/7, never had a problem.
    I can't run tests with that configuration anymore and I didn't get any other suggestions here or on the other two forums I've posted, so replaced the entire box with a spare i5 desktop and it is running very well.

  • PPoE down - LCP: authorization failed

    9
    0 Votes
    9 Posts
    2k Views
    P

    I can confirm that by cloning the MAC address everything is working!!!! Thanks for the support @stephenw10, it's much appreciated. Let the fun begin now!

  • 0 Votes
    8 Posts
    1k Views
    ccgllcC

    @JohnKap said in (2) Firewalls, (2) different networks, both mostly work, 1 can't get to a specific IP:

    @ccgllc said in (2) Firewalls, (2) different networks, both mostly work, 1 can't get to a specific IP:

    Routing table: Works all the way to the last-to-next node, so don't think so - but do you have something specific I can check?

    I would compare the routing tables on the two devices, the fact that they're on the same subnet they should be pretty much the same. I'm thinking maybe there is an entry there that is confusing which interface to use when going to those affected IP addresses.

    Routing tables are as expected:

    127.0.0.1
    The LAN port & network
    The WAN port & network

    No other entries.

    e.g. There are no "tables" I'm aware of that the firewall would build to direct traffic to a specific IP address that is not part of either its WAN or LAN group - all of those go out the default route on the WAN and passed to the next node to handle (in this case, my ISP).

  • Not getting WAN IP

    3
    0 Votes
    3 Posts
    387 Views
    DaddyGoD

    Maybe that can help: https://forum.netgate.com/topic/151929/pfsense-wan-interface-wont-get-ip-address
    and check the DHCP log file for what it shows (Status / System / Logs / DHCP)

  • OpenVPN connected-disconnected users log

    9
    0 Votes
    9 Posts
    2k Views
    M

    @noplan said in OpenVPN connected-disconnected users log:

    done but with email ...

    #!/usr/local/bin/php -q
    <?php
    // Sends a pfSense notification when an OpenVPN client connects or disconnects.
    require_once("/etc/inc/notices.inc");

    // Connection details are read from the environment variables set by OpenVPN.
    $local_connect_value = " \n user_name: " . getenv('common_name')
        . " \n vpn_client_ip: " . getenv('ifconfig_pool_remote_ip')
        . " connected from " . getenv('trusted_ip')
        . " on " . date('F j, Y, g:i a');

    // strrchr() uses only the first character of its needle, so strpos() is
    // used to match the whole word 'disconnect' in this script's file name.
    if (strpos(__FILE__, 'disconnect') !== false) {
        $local_connect_value .= ", \n duration : " . round(((getenv('time_duration'))/3600),2) . " hours, or "
            . round(((getenv('time_duration'))/60),2) . " minutes, or "
            . getenv('time_duration') . " seconds,\n upload from vpn-client (received) : "
            . round(((getenv('bytes_received'))/1048576),2) . " MB, \n download to vpn-client (send) : "
            . round(((getenv('bytes_sent'))/1048576),2) . " MB. \n DISCONNECTED.";
    }

    notify_all_remote($local_connect_value);
    ?>

    The script is called in the OpenVPN server
    31811e2a-0a24-4db3-a156-363932eeac30-grafik.png

    output
    c91d2ac8-e261-45ad-8bd2-c9bf34d82754-grafik.png

    see also here
    https://forum.netgate.com/topic/151351/email-notification-openvpn-client-connect-common-name/26

    Works very well!

  • Is anyone using virtual IPs with PPPoE successfully?

    4
    0 Votes
    4 Posts
    971 Views
    K

    Hi!

    Sorrrrry for the delayed reply, the last few days have been hectic to say the least...

    Funnily, set up as it was initially (virtual IPs on WAN connection), it actually failed at boot too... I am at a loss as to why it worked anyway after.

    In the thread I had posted in the virtual IP related forum I was actually asking if my problem of servers using virtual IPs misbehaving could be caused by those errors, I assume they did but cannot say for sure.

    At boot it actually fails twice by the way... One time before the interface gets its IP and after it did.

    Both times it looks something like this

    Mar 31 15:58:04 check_reload_status rc.newwanip starting pppoe0
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanipv6: rc.newwanipv6: Info: starting on pppoe0.
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanipv6: rc.newwanipv6: No IPv6 address found for interface WAN [wan].
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: rc.newwanip: Info: starting on pppoe0.
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: rc.newwanip: on (IP address: ddd.eee.fff.ggg) (interface: WAN[wan]) (real interface: pppoe0).
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.200'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.201'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet ' aaa.bbb.ccc.202'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.203'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.204'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.205'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.206'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
    Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.207'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
    Mar 31 15:58:06 php-fpm 30436 /rc.newwanip: Default gateway setting Interface WAN_PPPOE Gateway as default.
    Mar 31 15:58:06 php-fpm 30436 /rc.newwanip: Gateway, none 'available' for inet6, use the first one configured. ''
    Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: Ignoring IPsec reload since there are no tunnels on interface wan
    Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
    Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: RRD create failed exited with 1, the error is: ERROR: you must define at least one Data Source
    Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: RRD create failed exited with 1, the error is: ERROR: you must define at least one Data Source
    Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: Creating rrd update script
    Mar 31 15:58:23 php-fpm 30436 /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - ddd.eee.fff.ggg -> ddd.eee.fff.ggg - Restarting packages.

    (this is after getting the IP...)

    The fact that it fails before the interface gets its IP suggests this would fail for both PPPoE and DHCP too... Should this script be run before the interface has an IP?

    I put the virtual IPs on Localhost and it seems to work but I won't be able to test how it behaves when the connection is reestablished for a few days because of the current situation.

    I have a question though. Wouldn't it be preferable that the script does as if Localhost had been chosen for the virtual IPs when it "sees" that the WAN interface is actually a PPPoE connection?

    I absolutely love having this workaround if it turns out it fixes my problem but I am sure others will make the same "mistake" I did...

    Thank you very much for your help and have a nice day!

    Nick

  • best practice for modem access

    3
    0 Votes
    3 Posts
    410 Views
    chpalmerC

    Yes that is normal.

    Yes you can build a firewall block rule to block your LAN clients if you wish.

    Rules are parsed from top to bottom.
    so-
    pass rule for your computer
    block rule for rest of LAN
    pass rule allowing all (default allow all rule.)

    pfsense will indeed pass any traffic outside its own LAN subnet(s) out the WAN.

    My biggest question here is why would you be on the same LAN as those you don't trust with your cable modem? What model modem is it anyways? Should not be much they can do other than to factory reset it and reboot it. Which would both be only temporary outages until it got its config file from the ISP.

  • Compatibility between aes-cbc-256 and aes-gcm-256 encryption.

    5
    0 Votes
    5 Posts
    4k Views
    R

    Thanks so much.

    Ramses

  • 0 Votes
    4 Posts
    506 Views
    GertjanG

    Ah !
    Was trying to give some info, as you seem to need it.

    What are your questions ? Possible to give some details ?

  • rename admin still workin ?

    7
    0 Votes
    7 Posts
    704 Views
    noplanN

    damn that didn't cross my mind
    i was looking goin for sudo ?

  • 0 Votes
    5 Posts
    860 Views
    GertjanG

    Diagnostics > Backup & Restore and backup the Interfaces selection.

    e34ac8d8-4b5f-4497-9545-9814aaf88f09-image.png

    Use your favorite XML editor (notepad++ will do just fine) and swap and order as you like.
    Save the file.

    Select "Interfaces" only, and import.

    To be sure : reboot - but I guess it isn't needed.

    Result :

    dffd6e70-4828-4cdb-8092-89ff1dd420c3-image.png

  • UPnP not working

    Moved
    26
    0 Votes
    26 Posts
    5k Views
    viktor_gV

    @kiokoman said in UPnP not working:

    Session Traversal Utilities for NAT (STUN) is a protocol that serves
    as a tool for other protocols in dealing with Network Address
    Translator (NAT) traversal. It can be used by an endpoint to
    determine the IP address and port allocated to it by a NAT

    maybe we can add this option to miniupnp webgui if it's missing and it's needed, idk

    You can create a feature request on redmine.pfsense.org for this.
    It's easy to add to WebGUI, and it may be useful for some ISP issues.

    but https://redmine.pfsense.org/issues/10398 needs to be resolved first

  • Is this possible? A web filter triggering some other stuff

    14
    0 Votes
    14 Posts
    1k Views
    stephenw10S

    Yeah this is not a road I would ever choose to go down!

  • Configure pfSense VM with Multi-Port NIC

    1
    0 Votes
    1 Posts
    226 Views
    No one has replied
  • Suggestions for buying a router for home use.

    8
    0 Votes
    8 Posts
    1k Views
    S

    Hello!

    For my customers I prefer to have something that is more in line with a typical home/small office router form factor and look/feel. I have been replacing sonicwall TZs with sg-1100's and sg-3100's, and have been very happy with them.

    I have lots of older computers lying around that make great pfsense routers, and I have put a few together to play with, but for personal production systems I prefer to have something that is not home rolled and that I won't have to futz with. Once again, the netgate devices have fit the bill.

    I have also played with some protectli devices, but the end cost of those once you add in parts and time is close to that of netgate devices. The support for netgate devices is also head and shoulders above other support, which can be priceless.

    I am not trying to be a netgate fanboy. At the end of the day it is in my own business & personal, selfish, best interests, that netgate continue to produce and support pfsense, and I feel that one of the best ways to help that happen is to buy their devices. Their hardware appears to be well spec'ed, engineered, packaged, and supported, so I don't feel like I am compromising anything by purchasing it over other options. For my time and money, I come out ahead with netgate hardware. YMMV.

    John

  • How to debug unstable WAN

    6
    0 Votes
    6 Posts
    1k Views
    stephenw10S

    The timestamps on those ppp logs appear strangely out of order. Do other logs on the firewall also appear like that?

    The system time could be being updated if there is some issue with the system clock.

    That would usually throw a bunch of other errors though.

    Ignoring that, though, the log appears to show it successfully connect, then the remote side stops responding to LCP, causing it to disconnect and start over. Then it successfully connects again.

    Steve

  • pfSense 2.4.5 WAN (VLAN > PPPoE DHCP)

    1
    0 Votes
    1 Posts
    312 Views
    No one has replied
  • VPN Bridged with TAP is no longer working correctly...Help please.

    1
    0 Votes
    1 Posts
    157 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.