• Migrating from OPNsense to pfSense

    Moved
    7
    0 Votes
    7 Posts
    2k Views
    T

    We set the LTE as bridge mode but not too happy with it. Looking at getting the MikroTik LHG 4G/LTE to replace it

  • DNS Forwards or Zones? Or how do I setup a backup + forward.

    3
    0 Votes
    3 Posts
    324 Views
    johnpozJ

    So in this scenario both your DCs are down? Because AD can for sure share their dns info.

    If both your DCs are down - you have bigger problems than a copy of your dns records running on pfsense ;)

    But sure running bind on pfsense would allow for zone xfers from your AD dns..

  • High WAN Usage

    3
    0 Votes
    3 Posts
    312 Views
    manjotscM

    @freska99 I'll keep an eye out for the next time it happens. I am pretty sure it is going to happen again, because it had happened to me a couple of times.

    Thanks.

  • Active Directory/LDAP and WebGUI

    9
    0 Votes
    9 Posts
    11k Views
    J

    @dreamslacker Bingo, that was the piece I forgot, thanks!

  • PFSense 2.4.4 User Authentication Using Zentyal 6.1

    1
    0 Votes
    1 Posts
    335 Views
    No one has replied
  • Proxy, Whitelist

    1
    0 Votes
    1 Posts
    263 Views
    No one has replied
  • apcupsd- Back UPS 650VA

    15
    0 Votes
    15 Posts
    2k Views
    M

    @jimp LOL! I have been thinking this very thing and will probably do it. If I do, I’ll report back.

  • LDAP authentication works in Diag:Auth but not for login

    1
    0 Votes
    1 Posts
    105 Views
    No one has replied
  • how to block bad guys who is sharing internet by laptop

    Moved
    18
    0 Votes
    18 Posts
    2k Views
    JKnottJ

    @marvosa said in how to block bad guys who is sharing internet by laptop:

    We even have a few clinics that are sharing a single T1...

    A real T1? These days, those are generally emulated over Ethernet. I first did that over 10 years ago. They have also been run over SHDSL for many years. I was working with that stuff back in the early '90s.

    I suppose there are still some parts of the world that rely on 2 cans and a string. 😉

  • Pfsense 2.5.0 pppoe Limit on Radius

    Moved
    6
    0 Votes
    6 Posts
    724 Views
    stephenw10S

    Possible solution here: https://forum.netgate.com/topic/141034/rate-limit-on-radius-reply-attributes-for-pppoe-connections-not-working/3
    Pretty hacky though.... 😬

    Steve

  • 0 Votes
    3 Posts
    422 Views
    R

    @jimp said in [2.4.4p3] Reboots with ctrl-alt-del on console even though hw.syscons.kbd_reboot = 0:

    kern.vt.kbd_reboot

    That was a quick fix, that indeed works. I wonder if that could be in the default tunables table, or maybe even a GUI option somewhere, I mustn't be the only one who rebooted their box unintentionally by pressing this often-used MS combination...

    Thanks!

  • Is pfSense affected from CVE-2019-19521: Authentication bypass?

    2
    0 Votes
    2 Posts
    400 Views
    T

    Just crosslinking the other thread, basically asking the same question.
    https://forum.netgate.com/topic/148666/cve-2019-19521-and-pfsense

    To date: no "official" statement there either, but same assumptions about FreeBSD != OpenBSD, plus pfSense not using anything of the mentioned auth mechanisms except for SSH, which would fail anyways.

  • pfsense backup

    2
    0 Votes
    2 Posts
    166 Views
    M

    Diagnostics > Backup & Restore > Download configuration as XML

  • 0 Votes
    21 Posts
    3k Views
    stephenw10S

    It looks like you have something configured using 192.168/16 somewhere that is conflicting. It's not in the routing table though.
    I would open your config file and search it for 192.168 and see what pops out at this point. There will be a lot of entries since you're using that for LAN.

    Steve

  • User account - need permission to run scripts via SSH

    15
    0 Votes
    15 Posts
    2k Views
    JKnottJ

    @tkohhh said in User account - need permission to run scripts via SSH:

    why is logging on as root considered insecure?

    Root has absolute power and can do a lot of damage. Mere mortals cannot damage anything out of their own area. If you only have local access and no one else can log in with the root ID, then you're okay. One common practice is to require those with root access to log in with their own ID, then su to root. This creates a log entry to show who assumed root access. Of course, never allow root login via anywhere beyond the local LAN. If I want to connect remotely, then I have to first connect to my main system and then connect to my firewall from there. You can also enable passwordless connections, which use a public/private key pair, to ensure connections only from that one computer.

  • Eventual TFTP failure - "couldn't forward tftp packet: Permission denied"

    8
    0 Votes
    8 Posts
    1k Views
    T

    @stephenw10 Good call - I'll start here next time pfsense is in this state and see if those requests are making it out of the firewall. I ended up rebooting pfsense last night and everything came back up fully functional. I have no doubt this situation will happen again, and I usually have a chunk of time to mess around with it.

    If this indeed only happens during a power outage or loss of provider, I can at least know to reboot the system when the automated alerts tell me things have come back up - that alone is a big win. I can't confirm as I didn't think to check the uptime in the past, but it seems as good a theory as any right now.

    I'll keep an eye on this post for any new comments, and I truly appreciate everyone's time and assistance in helping me resolve this issue.

  • Diagnosing can't ping out

    6
    0 Votes
    6 Posts
    527 Views
    DerelictD

    What happened? How could I have diagnosed further before resorting to a reboot?

    Probably packet captures to see what was actually going out WAN.

    Evaluating the routing table to see what the state of the network was at the time.

  • WAN1<>LAN1, WAN2<>LAN2, no cross traffic allowed

    3
    0 Votes
    3 Posts
    427 Views
    stephenw10S

    Yes, this should be two IPs. Two interfaces in the same subnet is not valid.

    If you really want them completely separate and it's running in ESXi then you could just use two pfSense VMs.

    Though I notice you have the firewall labelled as "pfSense LB", is it running as a load-balancer?

    Steve

  • Plex issue with having 2 Wans

    2
    0 Votes
    2 Posts
    246 Views
    stephenw10S

    Yes, you can just set a pass firewall rule for the Plex device as source above the load-balancing rule and specify a single gateway.

    You should not have to though. The port forward coming in is independent of the load-balancing of outbound connections. It might be affected if the Plex detects the external IP and advertises that somewhere.

    Steve

  • Possible to modify rule based on a schedule?

    2
    0 Votes
    2 Posts
    268 Views
    stephenw10S

    You can put a schedule on a firewall rule:
    https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-schedules.html

    But that would require scheduling it enabled too and it doesn't sound like that would fit your usage.

    You might be able to just set the rule as disabled using a php shell command/script. Then call that from a cronjob.
    https://docs.netgate.com/pfsense/en/latest/development/using-the-php-pfsense-shell.html

    Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.