Found the problem: the WAN interface kept restarting if 'Speed and Duplex' was set to 'autoselect'. Changed to 'Default', and the problem is resolved.

@luisenrique said in squid + ad auth lookuot ad account:

Due to some unknown reason the account used to authenticate squid users in AD is blocked after several unsuccessful attempts to authenticate the account is blocked by AD policies, I have rectified the key in both systems and the same thing happens , I am sure that It is squid, because I change to another account and the same thing happens to me or I establish an account that does not exist and stops, so the users are being able to authenticate themselves to navigate.

as aditional information i see in logs
basic_ldap_auth: WARNING, could not bind to binddn 'Invalid credentials'
i set the password inboth system but it continues see error

Figured it out. I created an IP alias that contained the Student IPs I wanted to connect to, and a Port Alias with the different ports that NS uses, then created a NAT rule with those aliases and now things are working perfectly in the Tutor console from the Admin side. Feeling kind of silly that this didn't occur to me earlier lol. The Tech console still presents some weird behavior but I think that's due to the console's settings, so I'll take a look at that.

@ilbicio Well done!
I have total clients connected now!
Weeehooo!!
Thank you very much.

P.S. I hope one day I will learn how to collect OpenVPNusers connection history in Zabbixю

It will be difficult to recommend hardware given your budget, which doesn't include shipping unless you have eBay or Amazon in Africa.

That was an important detail missing from the original post and I agree, it's going to be extremely difficult to make any recommendations based on your budget and consider shipping.

2 weeks ago i installed a "Dual SSID" UBI AP AC Pro.
I installed the Unifi Controller on a VM DEB10 server , and configured it for the two "Tagged Vlans"

Then i connected to a switch port (not directly to pfSense) , but the recipe is the same.

You need to keep in mind that the "Controller & AP" talks untagged , so whetever Vlan you make untagged on the port , has to be able to talk to the UBI Controller

AP Switch port
AP Native : Controller Lan communication Vlan , untagged.
SSID-1 : Tagged
SSID-2 : Tagged

/Bingo

i hope it's okay to reopen this problem, but with the newest pfsense release, 2.4.5, this stopped working.
I noticed there is now a GUI Option for $config['system']['no_apipa_block'] but disabling and enabling it won't make it work again.

At first the Traffic was blocked in the FW but after adding a rule to allow every traffic from LAN, the log looks better but still strange:
bf4ccb2d-96e8-4179-abf5-4e94d0088165-image.png

It's only sending TCP-SYN?

I'm pleased to see atime is off already on a 2.4.4 ZFS file system install.

Yah!

[2.4.4-RELEASE][admin@...]/root: zfs get atime zroot NAME PROPERTY VALUE SOURCE zroot atime off local

Version 2.4.5

561b8465-7df9-4bfb-8f10-b70e9ca01726-image.png

Well I found this thread: https://forum.netgate.com/topic/135850/official-realtek-driver-binary-1-95-for-2-4-4-release/15
seems to match what I have going on. Thanks for pointing me in the right direction. I have applied the driver and confirmed it is loaded.. Lets see what happens!

Thanks

...

On review I notice its the same thread you linked to... I like to do things the hard way and found it on my own to ;-)

@casperse
Is it a public bridge in the vm or has is something to do with docker?
Anyway, I would start another thread here or in Routing.

Well, things get a little more difficult to fathom.
I have installed a fresh SD Card into the "faulty" APU2 and now have no errors.
For the record, I did originally reboot the APU2, firstly via software, then hardware and the error was still present.
Obviously the fault is now intermittent. Anyone had a similar error?
or does anyone know what the error actually refers to?

"nginx: 2020/03/24 12:06:33 [alert] 52803#100257: send() failed (55: No buffer space available)"

@cobrahead Awesome! Got it, I added one more above that one to allow access from OPT2 to one address on the LAN, for the printer, and it works like a charm! I appreciate your help.

How much more involved are vlans to configure?

Is Snort showing any alerts/blocks?

@viragomann said in [SOLVED] RDP to PC that is connected to external VPN...:

Yes, open up the firewall on the host is the preferred solution, but as I understood the VPN connection is only for your own purposes. In this case, the NAT is a proper workaround.

Well like I said before, the VM I connect to does not have a firewall running.

The drawback of this is, that each connection from the VPN seems to come from pfSense on the destination device. So you're not capable to identify the real source.

That's ok. I have the VPN configured where I am the only user who connects to it, to the source would be me.

Incorrect gateway (changed during upgrade)? https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html#upgrading-from-versions-older-than-pfsense-2-4-4

Hi,

No need to go to http//whatever.on.the.internet.tld
Like Mercedes knows all about Mercedes cars, Netgate/pfSense knows all about pfSense : https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html

I would open my tool box, that is : clicking on " Diagnostics > Packet Capture" and set up for a capture on port 1194 and UDP (?) and start it.
Then, try to connect using your remote App.
Stop the capture.
Look at the result : something came actually into on your WAN (?) NIC on this 1194 port ?
If not : the problem is up stream : traffic didn't make it to pfSense.

Read the entire check list on the trouble shooting page : execute every step, and if you do not understand : ask.

"before using Pfsense I open NAT-DMZ on the router from WAN to local IP. " pfSEnse is not any different from any other router on planet Earth.
You have to create a NAT rule, using incoming port, outgoing (destination) port, a 'LAN' (DMZ) IP address and that's it.
But if 1) applies, and nothing comes in ... well yeah .... 1 explains 2.

"I have a program that does not work in the domain environmen" : I don't understand.
That's a typical user that describes an error.
Your are the network admin ? Start detailing what actually happens. We, from here, know nothing about your network / needs / setup.
Give details and we figure it out.