Yes choose option 1 at the console menu and re-assign the interfaces as required onto the new NIC.

You will have to recreate the VLANs there though so they are also assignable if you have those interfaces in place already.

Steve

Ok, you don't have a gateway set on the LAN rules so you are not policy routing.

In which case you should be able to connect to those IPs directly as long as they are in the same subnet as your WAN. Are they?

Can you ping them from pfSense in Diag > Ping?

You have filtering disabled on both the bridge members and the bridge itself. That's not normally how it would be configured, most people want to filter the traffic to the hosts in the DMZ.

Steve

@stephenw10 Hi Stephen, yeah I figured it out in the end... Now just have to get the Mac's working ! :-)

@manjotsc Worked after changing to from this https://www.youtube.com/watch?v=Qz68aZ6Yf5g&t=279s
"plink -no-antispoof -P 8934 -i C:\Users\admin.ssh\id_rsa_putty.ppk root@192.168.40.1 tcpdump -i igb2 -U -w - not tcp port 22 | "C:\Program Files\Wireshark\Wireshark.exe" -i -k"

to

"C:\Program Files\PuTTY\plink.exe" -no-antispoof -P 8934 -i C:\Users\admin.ssh\id_rsa_putty.ppk root@192.168.40.1 tcpdump -i igb2 -U -w - not tcp port 22 | "C:\Program Files\Wireshark\Wireshark.exe" -i - -k

@jsparla - The ideal situation there is that the company selling home automation solutions might work with us to find the best way to integrate tested, supported hardware appliances running pfSense software from Netgate. Many other companies use our appliances as a piece of the overall solution they offer. The SG-1100 and SG-3100 come to mind as highly flexible, supported, affordable solutions for larger projects.

We have a partner program that might fit right in with the business model you reference.

Feel free to contact sales@netgate.com and have a chat to see how we can help.

Thanks!

Something there is different. DNS maybe?

Can the Windows device resolve outlook.com? What error do you get when you try to load it?

You have any packages running on pfSense?

Steve

@demoso said in WIFI calling hiccup over bridge:

allowing an untagged LAN on the wireless AP has fixed this issue

Normally, when you use VLANs with an AP, it's to use multiple SSIDs. While you could send VLAN frames over WiFi, I really don't see the need to, in that you're unlikely to have something like a phone and computer share the same cable with different subnets.

Usually it's because it can't add that route for some reason. Since there doesn't appear to be a conflicting route there, a permissions error maybe?

Steve

If you have any IPv6 connectivity at all but not full connectivity that can really bork stuff.

I have seen sites appear to fail because clients think they can connect ober v6 but cannot. Triple check that!

Steve

@bealefay said in View all connected devices:

Good afternoon.
Tell me how I can see in pfsense a list of all connected devices.

You can't, short of writing a script to ping all devices. The arp cache will show devices that have recently sent packets to or through pfSense.

How to reserve an IP address for a device in DHCP LEaser?

On the DHCP server page, you can map IP addresses to MAC addresses.

The system writes that the IP must not match what the DHCP server issued.

PfSense will not let you assign an IP address that's within the DHCP pool.

I would also like to know where you can see the interface speed of the connected device.

Take look at the "Dashboard" page.

thanks a lot ;)

My bill is in the mail. 😉

@NollipfSense said in WAN Interfacce Traffic Graph with LAN Host Name / IP.:

@ramses-sevilla said in WAN Interfacce Traffic Graph with LAN Host Name / IP.:

If I see Traffic Graph and select Interface: WAN1 and Filter: Local, all traffic destined / originated to/from my LAN appears destined / originated by the WAN IP and not appear the Internal Hosts that really originated the traffic.

Natted or NAT!

@NollipfSense, thanks so much by your answer.

I know that is because the NAT applied in the WAN Interface but I ask if there is any way to see the Bandwidth consumed between the LAN Interface and each WAN Interface "pre-natted".

Best regards,

Ramsés

Dear Andrew!

Could You be so please to describe hardware logical scheme when all traffic (in/out) from mine gate are captured for further forensics analyses by other IDS/IPS software like Snort, Surucata, WireShark, Splunk...

This is something close to port mirroring and send mirrored traffic to capturing applience with pfSense, am I right?

Thank You for efforts!

@JKnott said in pfSense router cannot ping or perform nslookups:

Can you ping something that's in your half of the Internet, such as 8.8.8.8?

It pings just fine

Also, try plugging an ordinary computer, running Windows, into it, see what you get, and give them a call if you're still getting the /1.

I'll give it a try.

It depends what you want to Limit. You can filter sites by group membership.

No.

Yes, as long as you can match the required groups in firewall rules. If it's only by AD group member ship that may not be possible. You might be able to have Squid use a different source IP/WAN directly, I'm not sure I've ever seen that tried.

Steve

As stated those are almost always blocked by ISP or even at the cable modem (docsis)...

As stated sniff on your wan while your sending traffic to that port - does it get there?

Also sending rejects on wan (that is connected to public internet) is almost always going to be a BAD idea!!!

example - I just checked 445 to my public on can you see me, and nothing seen at my wan via packet capture.

WooHoo!!!

I have got it to work!!

I added to the Nextcloud config.php file

'overwriteprotocol' => 'https',

I think it has something to do with HAProxy handling ssl.

Anyway its SOLVED!

There is no shaping or limiting of any kind on the firewall. We don't actual use/generate that much traffic, but there are a lot of opening/closing of tcp sockets. There are lots of small packets.

The only package installed on the firewall is openvpn-export-client.

On and off pfctl will bounces around 100% and then disappear maybe 20-30 seconds on and then 20-30 seconds off.

Thanks for the responses, this is giving me stuff to look at!

Works fine through an SG-3100 here. Though it resolves to 128.59.105.24 as the main IP for me.

Steve