If you have any IPv6 connectivity at all but not full connectivity that can really bork stuff.

I have seen sites appear to fail because clients think they can connect ober v6 but cannot. Triple check that!

Steve

@bealefay said in View all connected devices:

Good afternoon.
Tell me how I can see in pfsense a list of all connected devices.

You can't, short of writing a script to ping all devices. The arp cache will show devices that have recently sent packets to or through pfSense.

How to reserve an IP address for a device in DHCP LEaser?

On the DHCP server page, you can map IP addresses to MAC addresses.

The system writes that the IP must not match what the DHCP server issued.

PfSense will not let you assign an IP address that's within the DHCP pool.

I would also like to know where you can see the interface speed of the connected device.

Take look at the "Dashboard" page.

thanks a lot ;)

My bill is in the mail. 😉

@NollipfSense said in WAN Interfacce Traffic Graph with LAN Host Name / IP.:

@ramses-sevilla said in WAN Interfacce Traffic Graph with LAN Host Name / IP.:

If I see Traffic Graph and select Interface: WAN1 and Filter: Local, all traffic destined / originated to/from my LAN appears destined / originated by the WAN IP and not appear the Internal Hosts that really originated the traffic.

Natted or NAT!

@NollipfSense, thanks so much by your answer.

I know that is because the NAT applied in the WAN Interface but I ask if there is any way to see the Bandwidth consumed between the LAN Interface and each WAN Interface "pre-natted".

Best regards,

Ramsés

Dear Andrew!

Could You be so please to describe hardware logical scheme when all traffic (in/out) from mine gate are captured for further forensics analyses by other IDS/IPS software like Snort, Surucata, WireShark, Splunk...

This is something close to port mirroring and send mirrored traffic to capturing applience with pfSense, am I right?

Thank You for efforts!

@JKnott said in pfSense router cannot ping or perform nslookups:

Can you ping something that's in your half of the Internet, such as 8.8.8.8?

It pings just fine

Also, try plugging an ordinary computer, running Windows, into it, see what you get, and give them a call if you're still getting the /1.

I'll give it a try.

It depends what you want to Limit. You can filter sites by group membership.

No.

Yes, as long as you can match the required groups in firewall rules. If it's only by AD group member ship that may not be possible. You might be able to have Squid use a different source IP/WAN directly, I'm not sure I've ever seen that tried.

Steve

As stated those are almost always blocked by ISP or even at the cable modem (docsis)...

As stated sniff on your wan while your sending traffic to that port - does it get there?

Also sending rejects on wan (that is connected to public internet) is almost always going to be a BAD idea!!!

example - I just checked 445 to my public on can you see me, and nothing seen at my wan via packet capture.

WooHoo!!!

I have got it to work!!

I added to the Nextcloud config.php file

'overwriteprotocol' => 'https',

I think it has something to do with HAProxy handling ssl.

Anyway its SOLVED!

There is no shaping or limiting of any kind on the firewall. We don't actual use/generate that much traffic, but there are a lot of opening/closing of tcp sockets. There are lots of small packets.

The only package installed on the firewall is openvpn-export-client.

On and off pfctl will bounces around 100% and then disappear maybe 20-30 seconds on and then 20-30 seconds off.

Thanks for the responses, this is giving me stuff to look at!

Works fine through an SG-3100 here. Though it resolves to 128.59.105.24 as the main IP for me.

Steve

Mmm, I'm not aware of any way to do that in pfSense.

One thing you can do is setup a bandwidth sharing scheme. That uses dynamic pipes to share whatever bandwidth is available equally between connected clients so that one client cannot use it all.

Steve

Not personally but there may be others who can.

You should be able to get it working in OVH though.

Steve

@jimp Working I just changed admin@192.168.40.1 to root@192.168.40.1 , removed sudo and it worked.

Thanks,

@stephenw10 Thanks, I will try that!

That's annoying. I was hoping to add an OID for code signing.

thanks.

Those look more like ram errors. They are completely different the earlier crash.

I know it's been a while, but I just wanted to provide an update. I recently connected my iMac to ethernet and turned off the wireless. Since I've done this, the changes don't seem to freeze up pfSense in the browser anymore. It's weird. I've tested it by making several changes within DHCP Server > LAN this morning and then clicking the Apply Changes button. It finished up in about 1.5 seconds and it never froze. I then reversed the changes I made while testing and clicked Apply Changes again and same thing...finished in about 1.5 seconds and never froze. I'm not sure why the problem seems to have gone away since it's been connected over ethernet, but I'll take it! Thanks to everyone who chimed in on this.

@stephenw10 Thanks. That confirms to me that a single pfSense router (even better in a HA dual setup) would be a much cleaner setup for the following reasons:

A shared LAN would require hundreds of static routes One pfSense box allows me to have multiple WANs in failover mode, with time-based bandwitdh restrictions, etc., etc. Option of a HA setup just by getting a few extra ethernet ports With an AMD FX 6xxxx and 16 GB o memory I only see 10% load. If needed, functions like firewalling, DPI, antivirus and proxy could always be run in separate boxes. I should able to route non-critical traffic between VLANs inside my HP1920 switches (like network projectors, public printers, media servers) to alleviate my main router. I have only found 1 example of a shared LAN after days and days of searching. There's plenty of examples of HA or transit/transport link between pfSense boxes

Thanks for the insight. Tomorrow (monday) I'll start redoing everything. I have exactly one month to get everything running until school starts... with one machine for now, and HA as soon as I can get the second unit setup with extra eth ports.