• how to deploy pfsense in the current network?

    6
    0 Votes
    6 Posts
    902 Views
    M

    Another vote for replacing the USG with PFsense. I haven't seen anything in your diagrams that would warrant having two firewalls in your environment.

  • NAT - Source Hash netblock - assigning GW & Broadcast

    4
    0 Votes
    4 Posts
    418 Views
    stephenw10

    There's no other way I'm aware of I'm afraid. If you need to use source hash you need to use a subnet as the translation so you need to use a set of smaller translation rules.

    Steve

  • PfSense as PXE boot server

    14
    0 Votes
    14 Posts
    27k Views
    F

    nice! I'm working on a similar project. when I circle back to pxe boot from pfSense I'll expand on this.

  • Problems with flaky internet and pfSense

    38
    0 Votes
    38 Posts
    4k Views
    stephenw10

    I would check for a missing or bad default route when this happens. Diag > Routes

    If there is no default route client traffic will not be able to get out. pfSense itself would not be able to ping out to arbitrary sites.

    However the gateway monitoring will show online because that has a static route via the WAN gateway.

    Do you have more than one gateway in System > Routing > Gateways?

    If the default IPv4 gateway is set to automatic setting it to the WAN dhcp gateway instead should get you back a default route if that is what you're hitting.

    Steve

  • Has anyone used type transparent in DNS resolver?

    1
    0 Votes
    1 Posts
    170 Views
    No one has replied
  • Need hardware for PfSense gateway!

    4
    0 Votes
    4 Posts
    550 Views
    stephenw10

    Hmm Ok, well I know you can order from Voleatech: https://www.voleatech.de/de/produkt/sg-5100/

    They are probably closest to you and have stock of most of our devices.

    Steve

  • 0 Votes
    2 Posts
    113 Views
    C

    As is always the case, I was able to resolve this immediately after posting.

    The comments in https://www.ceos3c.com/cloud/aws-with-pfsense-part-2-route53-dyndns-with-pfsense/ suggest that there is some uncertainty around prefixing the zone id with "us-east-1" which may have changed around 2.4.0. My old VM had been through many upgrades so perhaps it was still working with the old value while my fresh install on the sg-3100 was not.

    I deleted the dynamic DNS entry entirely and recreated it from scratch with just the hosted zone ID sans the us-east-1 prefix, and it worked immediately.

    Hopefully this proves useful to someone in the future.

  • PfSense and Disabled Interfaces

    7
    0 Votes
    7 Posts
    2k Views
    L

    @stephenw10 said in PfSense and Disabled Interfaces:

    You're right. Yes really network cards were messed up (by FreeBSD itself). re0 became re1, and vice versa. Defined it as you advised on MAC addresses.
    Changed their places in the slots. re0 became re0, re1 became re1.

    kernel ae0: phy read timeout: 17.
    kernel arpresolve: can't allocate llinfo for on ae0
    In the interface properties, remove auto-negotiation and set the exact connection speed, for example 100 FD.

  • my client cannot connect to the internet from LAN interface

    3
    0 Votes
    3 Posts
    161 Views
    A

    Hi Sir Steve,

    Just to give you an update, my client is now able to ping external IPs, I just changed the Default gateway from None to Automatic under System>Routing>Gateways. Kindly see image below:
    DFG.png

    My problem right now is, still my client was not able to access the internet or even ping 8.8.8.8 or google.com. Can you help me troubleshoot with this? I can't see any problem with our set-up. Below are some of my configs:

    WAN INTERFACE.png

    ROUTES.png

    GATEWAYS.png

    YOUR HELP IS GREATLY APPRECIATED, SIR STEVE! :) GOD BLESS!

  • Alias table for FQDN is not updating.

    7
    0 Votes
    7 Posts
    813 Views
    KOM

    @jimp Leonardo Acropolis thinks you are a genius.

  • PHP Error - Timezone

    7
    0 Votes
    7 Posts
    687 Views
    mike69

    @guilherme_egb

    Thanks.

  • Setup specific traffic through VPN

    4
    0 Votes
    4 Posts
    3k Views
    ?

    That's great. Thank you very much. I'll give that a try and let you know how it goes.

    Many thanks

  • lets encrypt cert from pf sense to pydio

    2
    0 Votes
    2 Posts
    124 Views
    KOM

    how can I make the pydio work with the certificate?

    You don't. Install certbot on your pydio box and then let it get its own certificate.

  • Bootstrap XSS

    5
    0 Votes
    5 Posts
    547 Views
    jimp

    The file could be stock and still not affected, it depends on the bug and how the library is used. I haven't looked deeply at that particular issue, but in similar cases in the past we've seen instances where we happened to not use a particular affected component so even though the vendor library was flawed, pfSense was not vulnerable. So it does take a bit deeper analysis than just inspecting version numbers.

    Still, it is very out of date, so we are certainly looking at what the impact of updating it will be.

  • pfSense Service or DL Package for SIP-ALG?

    Moved
    13
    0 Votes
    13 Posts
    2k Views
    V

    @racecarr

    Hello,

    So our company decided to revert back to ring central after using dialpad for about a month.

    Our experience with their product and services was low-grade - in terms of voip quality and end-user app usability (stability and lack of admin accessibility).

    They rely to some extent on google data centers for some of their data operations which can be an advantage but also a dependency that is not fault tolerant. We experienced this when some database servers experienced disruption and our users were unable to access the app to get into their accounts to make calls.

    I do not recommend dialpad. It appeared to me their systems are underdeveloped when it comes to non-Ai and non-sync features, meaning the primary usage of voip with them was inconsistent and low-quality as they seemed to have emphasized other feature enhancements over the main functionality, being voice-over-ip call quality and connection stabilization.

  • Squid / ClamAV Experience

    11
    0 Votes
    11 Posts
    995 Views
    jimp

    Squid probably isn't tracking that accurately anyhow. You'd be better off with a setup more like netflow but that would require an off-box collector to keep the data and make graphs. ntopng may help locally.

  • Arpwatch not able send email notification

    7
    0 Votes
    7 Posts
    1k Views
    Gertjan

    Just installed arpwatch package.

    Settings used :
    6a2513ff-1864-4fd3-9651-57e24d546982-image.png

    Had to stop it an hour later : my (self hosted) mail box received hundreds of mails from arpwatch.

    This means :
    My Sys > Adv > Notifications has been set up correctly ;)
    "arpwatch" sends mail using the pfSense mail notification system .... and it does as advertised.

    Btw : take note of the warning :

    43769840-23e6-4917-b4ec-e65cbf94cfe7-image.png

    I know what 'gmail' might do when you bombard it with pretty identical mails (from the same IP). It will do what it should do : it will discard and block them ....
    Upfront, you should white list (make the sender mail a contact, etc).
    gmail is nice to be used as a things-go-bad-notifier, but do not spam them.

  • routing Issue

    2
    0 Votes
    2 Posts
    278 Views
    JKnott

    @fluctuationit

    Is the VM network adapter bridged or NAT? If NAT, you have the same subnet on both sides of it, which will not work.

  • High CPU user util

    15
    0 Votes
    15 Posts
    2k Views
    B

    Fixed by disabling dhcpv6 which I didn't even need because router advertising is enough to get ipv6 working. Still don't know why dhcpv6 was causing the cpu spikes though.

  • Sync server firewalls with pfsense?

    7
    0 Votes
    7 Posts
    885 Views
    L

    Great input, I'll look into each of these and learn about them.

    Thanks very much again.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.