• Configure pfSense VM with Multi-Port NIC

    1
    0 Votes
    1 Posts
    226 Views
    No one has replied
  • Suggestions for buying a router for home use.

    8
    0 Votes
    8 Posts
    1k Views

    Hello!

    For my customers I prefer to have something that is more in line with a typical home/small office router form factor and look/feel. I have been replacing sonicwall TZs with sg-1100's and sg-3100's, and have been very happy with them.

    I have lots of older computers lying around that make great pfsense routers, and I have put a few together to play with, but for personal production systems I prefer to have something that is not home rolled and that I won't have to futz with. Once again, the netgate devices have fit the bill.

    I have also played with some protectli devices, but the end cost of those once you add in parts and time is close to that of netgate devices. The support for netgate devices is also head and shoulders above other support, which can be priceless.

    I am not trying to be a netgate fanboy. At the end of the day it is in my own business & personal, selfish, best interests, that netgate continue to produce and support pfsense, and I feel that one of the best ways to help that happen is to buy their devices. Their hardware appears to be well spec'ed, engineered, packaged, and supported, so I don't feel like I am compromising anything by purchasing it over other options. For my time and money, I come out ahead with netgate hardware. YMMV.

    John

  • How to debug unstable WAN

    6
    0 Votes
    6 Posts
    1k Views
    stephenw10

    The timestamps on those ppp logs appear strangely out of order. Do other logs on the firewall also appear like that?

    The system time could be being updated if there is some issue with the system clock.

    That would usually throw a bunch of other errors though.

    Ignoring that though, the log appears to show it successfully connect, then the remote side stops responding to LCP, causing it to disconnect and start over. Then it successfully connects again.

    Steve

  • pfSense 2.4.5 WAN (VLAN > PPPoE DHCP)

    1
    0 Votes
    1 Posts
    314 Views
    No one has replied
  • VPN Bridged with TAP is no longer working correctly...Help please.

    1
    0 Votes
    1 Posts
    158 Views
    No one has replied
  • iso images not matching hash

    5
    0 Votes
    5 Posts
    725 Views

    @provels well then plz close this issue due to user issue. lol
    redown loads and hides in corner lol

  • Captive portal not working

    4
    0 Votes
    4 Posts
    568 Views
    Gertjan

    @Muhammad-Ibrahim said in Captive portal not working:

    users are already authenticated

    What do you see ? What do users see ?

    Again https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html
    and share (like putting it in a forum post so we can see it) the info you get when typing the suggested commands mentioned on that page.

    This part :

    c46a820e-7493-4f44-a386-5358f6f1901d-image.png

    should be compared with this screen in the GUI : Status > Captive Portal

    If the list differ : go 876bb6f7-870d-470f-abf0-f6a0b847ebcf-image.png

    Take note : portal settings should not be changed while users are logged in. If you have to, use the red button.

    Or : next best solution : did you install the "mentioned a thousand times in the captive portal forum" patch ?

  • Why MAC Address are all the same for WAN/LAN/OPT1 interfaces

    2
    0 Votes
    2 Posts
    219 Views
    johnpoz

    If they are just vlans on the same physical interface then sure that would be fine.

    example
    samemac.jpg

  • No Internet after upgrading Comcast Business Gateway/modem

    27
    0 Votes
    27 Posts
    6k Views
    chpalmer

    @pendragonsound said in No Internet after upgrading Comcast Business Gateway/modem:

    Disclaimer: We don't use pfSense, but this forum was one of the most informed places I found with useful information on the SecurityEdge problem, so I thought I would contribute back what I've learned.

    Much appreciated!

  • Client Isolation by Default

    18
    0 Votes
    18 Posts
    2k Views
    noplan

    Hey thanks for the hint
    We got here some dgs-1100-08 hanging around in their dusty boxes :)

    Let's go testin!!!

  • Download speed varies by OS after setting up pfSense router with 2.4.5.

    25
    0 Votes
    25 Posts
    2k Views

    @teamits It's only a couple of years old, so I don't expect that it's a legacy issue. I've installed Win10 a few times on it since then anyhow.

  • NowTV Hub 2 to Pfsense

    7
    0 Votes
    7 Posts
    2k Views

    O thanks, steve you're helping out a rusty old man here lol
    PfSense I can do but this router NOWTV hub 2 is made so you can not do much with it.
    I have heard you can use Wireshark to sniff the admin password and so on as I googled it but it would be easy just to do it as you said.

    It was the workaround I needed to learn so I could get back to my Pfsense router and you pretty much said it.

    Many thanks, I'll give it a try and see how I get on but so far Steve thank you for your help and hope you're well ;)

  • 0 Votes
    6 Posts
    707 Views
    Phizix

    @Gertjan

    Thank you for all the input!

    As mentioned previously this is not a true bridge mode. It is what they are calling "DMZ+". You can force the pfSense router to "not accept offers" from the modem, but then you will never get an IP.

    They are playing games with DHCP in the modem. If the modem would honor the renew request every time, it would be fine, but it does not. Instead it forces a rediscovery every other time which kicks off the rc.newwanip process. AND every time the rc.newwanip occurs it causes a VPN hiccup.

    Therefore I think I will stick with the solution I came up with. It seems to be working fine, passing through a modem lease renewal from its gateway somewhere in the last 36 hours without causing a hiccup.

    I have notifications turned on and set to notify me by email over the other WAN if this one goes down. Then I can check (via the modem's WiFi directly) and set the new IP address for the modem's Public IP and its Gateway IP.

    I was able to regain access to the Modem management interface from within my LAN by setting the upstream gateway shown in the modem interface for that WAN gateway.

    This solution is working very well indeed!!

    Phizix

  • 0 Votes
    2 Posts
    440 Views
    jimp

    That's right, though you do have to watch that the rules on your tunnel interface have reply-to in the ruleset. For GIF/GRE, they should have it by default, but double check that to be certain. You need that because otherwise the reply packets would take your default route outbound no matter what you have set on the rules.

    Also make sure you don't have any outbound NAT active on the tunnel interface.

    One last note, I strongly suggest you put devices using those public addresses on their own segment like a DMZ interface. It's a bad practice to mix public and private subnet traffic on an interface for a variety of reasons. So unless LAN is dedicated to using only the public addresses, you should make another interface.

  • stop pfsense logon redirect to dashboard

    3
    0 Votes
    3 Posts
    296 Views

    Ok thanks for the response, and all you do for the project.

  • 'Pentest' proofing / WAN / IPSEC

    10
    0 Votes
    10 Posts
    1k Views
    bmeeks

    @timboau-0 said in 'Pentest' proofing / WAN / IPSEC:

    @bmeeks

    ummm both pfsense and the Virtual machine are on the same host (in a DC)

    Does HyperV still have issues with promiscuous mode on vm's - think I might have run into problems with that previously..

    (LOL after I switch the 2.4.5 back to 2.4.4 today so I can run more than one virtual processor!)

    Not sure about that. ESXi was what I used when I was active. Only experimented with Hyper-V once just for kicks.

  • WAN - States Details

    5
    0 Votes
    5 Posts
    652 Views

    @jimp said in WAN - States Details:

    Any time the filter reloads the stats will reset to 0. So any kind of interface event, timed filter reload (for things like schedules), or many other reasons.

    The stats are not meant to be long term. Only a brief visual indication that a rule has been used.

    OK,
    I believe a disconnect is happening when this is being reset. I'll wait to see if it happens.

    Thank you for your assistance.
    Have a good Day

  • OpenVPN Status from Console.

    3
    0 Votes
    3 Posts
    758 Views

    @Derelict, thanks so much for your answer.

    I have seen the information at the link and I don't see it clearly. I am not an expert programmer.

    I only want to show by Console, or via SSH, in text mode, the same information that appears in the OpenVPN Status GUI page and be able to capture the output text.

    Do you know where I can find examples to do something similar to this?

    Regards,

    Ramsés

  • 32-bit support

    18
    0 Votes
    18 Posts
    5k Views
    stephenw10

    @Gero said in 32-bit support:

    I'm currently in the repair task of a vintage Tektronix oscilloscope

    Nice! Have fun. 👍

  • PFSense Lan no Wan

    6
    0 Votes
    6 Posts
    1k Views
    johnpoz

    Yeah that is normally where you install your edge router - at the edge ;) If you also want to use it as internal or core router that is fine too, etc. You can have more than 1 router in a network...

    Unless you're really worried about complicated firewall rules between your locations/networks, routing of traffic can just be done on your L3 switches..

    If you're looking to replace hardware in your setup - this is the perfect time to evaluate that overall design, and does it make sense... Maybe it made sense when it was done, or maybe shortcuts were taken at the time... Or maybe the guy doing it at the time didn't have a freaking clue... But trying to maintain some setup, just because that is the way it was set up before you is not a good plan..

    Look at the details of the network, what talks to what, how much bandwidth is available and or used, etc. What hardware you have to work with.. Or what budget you have to replace, uplift aging hardware, etc.

    What I can see from just your original drawing - it does not seem optimal at all.. Now maybe you drew it wrong, maybe you left out details and it works different than it looks? But my gut reaction to that drawing is it's borked..

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.