@teamits It's only a couple of years old, so I don't expect that it's a legacy issue. I've installed Win10 a few times on it since then anyhow.

O thanks, steve you're helping out a rusty old man here lol PfSense I can do but this router NOWTV hub 2 is made so you can not do much with it. I have heard you can use Wireshark to sniff. the admin password and so on as I googled it but it would be easy just to do it as you said. It was the workaround I needed to learn so I could get back to my Pfsense router and you pretty much said it. Many thanks, ill give it a try and see how I get on but so far Steve thank you for your help and hope you're well ;)

@Gertjan Thank you for all the input! As mentioned previously this is not a true bridge mode. It is what they are calling "DMZ+". You can force the pfSense router to "not accept offers" from the modem, but then you will never get an IP. They are playing games with DCHP in the modem. If the modem would honor the renew request every time, it would be fine, but it does not. Instead it forces a rediscovery every other time which kicks off the rc.newwanip process. AND every time the rc.newwanip occurs it causes a VPN hiccup. Therefore I think I will stick with the solution I came up with. It seems to be working fine, passing through a modem lease renewal from it's gateway somewhere in the last 36 hours without causing a hiccup. I have notifications turned on and set to notify me by email over the other WAN if this one goes down. Then I can check (via the modem's WiFi directly) and set the new IP address for the modem's Public IP and it's Gateway IP. I was able to regain access to the Modem management interface from within my LAN by setting the upstream gateway shown in the modem interface for that WAN gateway. This solution is working very well indeed!! Phizix

That's right, though you do have to watch that the rules on your tunnel interface have reply-to in the ruleset. For GIF/GRE, they should have it by default, but double check that to be certain. You need that because otherwise the reply packets would take your default route outbound no matter what you have set on the rules. Also make sure you don't have any outbound NAT active on the tunnel interface. One last note, I strongly suggest you put devices using those public addresses on their own segment like a DMZ interface. It's a bad practice to mix public and private subnet traffic on an interface for a variety of reasons. So unless LAN is dedicated to using only the public addresses, you should make another interface.

Ok thanks for the response, and all you do for the project.

@timboau-0 said in 'Pentest' proofing / WAN / IPSEC: @bmeeks ummm both pfsense and the Virtual machine are on the same host (in a DC) Does HyperV still have issues with promiscuous mode on vm's - think I might have run into problems with that previously.. (LOL after I switch the 2.4.5 back to 2.4.4 today so I can run more than one virtual processor!) Not sure about that. ESXi was what I used when I was active. Only experimented with Hyper-V once just for kicks.

@jimp said in WAN - States Details: Any time the filter reloads the stats will reset to 0. So any kind of interface event, timed filter reload (for things like schedules), or many other reasons. The stats are not meant to be long term. Only a brief visual indication that a rule has been used. OK, I believe a disconnect is happening when this is being reset. I'll wait to see if it happens. Thank you for your assistance. Have a good Day

@Derelict, thanks so much by your answer. I have saw the information of link and I don't see it clearly. I am not a expert programmer. I only want show by Console, or via SSH, in text mode, the same information thar appears in the OpenVPN Status GUI page and be able to capture the output text. Do you know where can I found examples to do something similar to this? Regards, Ramsés

@Gero said in 32-bit support: I'm currently in the repair task of an vintage Tektronix oscilloscope Nice! Have fun.

Yeah that is normally where you install your edge router - at the edge ;) If you also want to use it as internal or core router that is fine too, etc. You can have more than 1 router in a network... Unless your really worried about complicated firewall rules between your locations/networks routing of traffic can just be done on your L3 switches.. If your looking to replace hardware in your setup - this is perfect time to evaluated that overall design, and does it make sense... Maybe it made sense when it was done, or maybe shortcuts were taken at the time... Or maybe the guy doing it at the time didn't have a freaking clue... But trying to maintain some setup, just because that is the way it was setup before you is not a good plan.. Look at the details of the network, what talks to what, how much bandwidth is available and or used, etc. What hardware you have to work with.. Or what budget you have to replace, uplift aging hardware, etc. What I can see from just your original drawing - is does not seem optimal at all.. Now maybe you drew it wrong, maybe you left out details and works different than it looks? But my gut reaction to that drawing is its borked..

Awesome folks!!!! Yeahhh! Thx!

Nice, enjoy!

@NollipfSense thanks for the reply,, Base on the link,does it mean that we use the pfsense as our isp router for PPPOE? from: ISP modem/router(PPPOE w/ own public IP) >> Pfsense(WAN) >> LAN. #as far as I know, they just provide a local IP generated from the ISP router for pfsense to use,if im not mistaken. to : ISP(physical Lan) >> Pfsense "configured with PPOE"(WAN) >> LAN. #bypassing the ISP modem/router( with PPPOE config) and configure it directly to pfsense

@Gertjan Fantastic sir. Looks a lot better, I have my second circuit being installed tomorrow and might put a Velo for a 3rd WAN link to be safe.

@Gertjan yeah, I think the issue was the ping_check.sh script. I was having issues a while ago with my WAN interface not renewing my IP. Someone suggested this script to address that. I have removed that cron job. As for 192.168.1.148, this is my iPhone. What will typically happen is we will be watching our Roku and the video will pause. I will then use my phone or tablet to login to pfSense to see what is happening. Sometimes I can login and then pfSense becomes unresponsive (because it is rebooting), other times it is already in the reboot process and I need to wait 1-2 minutes for it to come back. Anyways, I will see what happens after removing the ping_check.sh script.

So just to update what I settled on, I have gone with a pair of OpenWRT virtual machines running in a high availability setup with Keepalived and VRRP. Keepalived works fine without any special settings on the Hypervisor switch/VM - some connections will drop when you power off the active instance, but they come back within five seconds or so - I did a test where I RDP'd from outside the routers to a device on the inside, loaded up a live TV stream on the machine inside the routers, powered off the active router and neither the RDP stream nor the live tv stream were interrupted. Shame that this isn't available within FreeBSD/PFSense (I understand keepalived on freebsd hasn't been updated since 2011) - or that CARP has the option of running without changing MAC addresses. Have to say OpenWRT also boots up quicker (in about 10 seconds) and routing performance was better - was getting nearly 5 gigabits in my Iperf3 tests where PFSense under identical conditions would do a smidge over 2 gigabits.

We can't speculate as to what you were doing then -- only you or other admins on that firewall would know. A guess would be that you've used an accented or other international character in a client-specific override description or common name.

Many thanks for your continued help on this, much appreciated and glad we got to the bottom of it! It's been running fine for the last few days, which is great news! They're both running the latest firmware, but, I'm going to provide the feedback to the manufacturer to get their feedback as to why it's happening in the first place. Many thanks once again!

a self signed cert on a imap 143 port ? imap 143 is the 'clear text' version. If you want to use TLS for IMAP you would be suing 993. pop and TLS : 995 Mail clients that send mail should use 587 (TLS possible but now needed) or even better : 465. Port 25 : should be used only for inter mail server communication. This port was never intend to be used by mail clients. It's so wrong to do so. Very soon, ports like 80, 110,143 (21) etc will be out of business for good. Remember : you have a web site on port 80 ? Google won't index you any more. Btw : Modern 'fat' mail clients like Outlook don't even accept self signed certs any more. Maybe, if you imported the CA ans stamped it as 'trusted' you might get away with it.