@gordon Well done👍

I agree it seems like odd behaviour.

It would be interesting to test with the bridge unassigned if you're able. That could be inconvenient to setup though.

Steve

@stephenw10 True dat. Thanks!

Thanks @stephenw10,

Typically it hasn't broken on me today but I'll check. My suspicion is that it will show as being up. I think if it was on the hypervisor side the disable / enable would not work which is why I think it's in pfSense.

Next time it dies I'll check and report back.

You can set the requested prefix in the dhcp6 settings if that's what you're asking.

Your second attachment didn't upload correctly.

There's no need to put log files in a docx attachment. Doing that just means far fewer people will read it. You can attach .txt file which will open directly in the browser or just put the logs in code tags:

Aug 9 11:14:20 dhcp6c 11264 got an expected reply, sleeping. Aug 9 11:14:20 dhcp6c 11264 removing server (ID: 00:03:00:01:dc:xx:xx:xx:xx:b7) Aug 9 11:14:20 dhcp6c 11264 removing an event on igb0, state=REQUEST Aug 9 11:14:20 dhcp6c 11264 script "/var/etc/dhcp6c_wan_script.sh" terminated Aug 9 11:14:20 dhcp6c dhcp6c REQUEST on igb0 - running rc.newwanipv6 Aug 9 11:14:18 dhcp6c 11264 executes /var/etc/dhcp6c_wan_script.sh Aug 9 11:14:18 dhcp6c 11264 failed to update an address 2a02:xxxx:xxxx:0:xxx:xxxx:xxxx:6938 Aug 9 11:14:18 dhcp6c 11264 failed to add an address on igb0: Invalid argument Aug 9 11:14:18 dhcp6c 11264 create an address 2a02:xxxx:xxxx:0:xxx:xxxx:fe31:6938 pltime=3600, vltime=3915999254614645792 Aug 9 11:14:18 dhcp6c 11264 make an IA: NA-0 Aug 9 11:14:18 dhcp6c 11264 invalid prefix length 57 + 8 + 64 Aug 9 11:14:18 dhcp6c 11264 create a prefix 2a02:xxxx:xxxx:80::/57 pltime=3600, vltime=7200 Aug 9 11:14:18 dhcp6c 11264 make an IA: PD-0 Aug 9 11:14:18 dhcp6c 11264 nameserver[0] fd00::xxxx:xxxx:xxxx:3ab7 Aug 9 11:14:18 dhcp6c 11264 dhcp6c Received REQUEST Aug 9 11:14:18 dhcp6c 11264 IA_PD prefix: 2a02:xxxx:xxxx:80::/57 pltime=3600 vltime=7200 Aug 9 11:14:18 dhcp6c 11264 get DHCP option IA_PD prefix, len 25 Aug 9 11:14:18 dhcp6c 11264 IA_PD: ID=0, T1=1800, T2=2880 Aug 9 11:14:18 dhcp6c 11264 get DHCP option IA_PD, len 41 Aug 9 11:14:18 dhcp6c 11264 IA_NA address: 2a02:xxxx:xxxx:0:xxx:xxxx:xxxx:6938 pltime=3600 vltime=7200 Aug 9 11:14:18 dhcp6c 11264 get DHCP option IA address, len 24 Aug 9 11:14:18 dhcp6c 11264 IA_NA: ID=0, T1=1800, T2=2880 Aug 9 11:14:18 dhcp6c 11264 get DHCP option identity association, len 40 Aug 9 11:14:18 dhcp6c 11264 unknown or unexpected DHCP6 option opt_86, len 16 Aug 9 11:14:18 dhcp6c 11264 get DHCP option opt_86, len 16 Aug 9 11:14:18 dhcp6c 11264 get DHCP option DNS, len 16 Aug 9 11:14:18 dhcp6c 11264 preference: 10 Aug 9 11:14:18 dhcp6c 11264 get DHCP option preference, len 1 Aug 9 11:14:18 dhcp6c 11264 DUID: 00:03:00:01:dc:xx:xx:xx:xx:b7 Aug 9 11:14:18 dhcp6c 11264 get DHCP option server ID, len 10 Aug 9 11:14:18 dhcp6c 11264 DUID: 00:01:00:01:24:de:xx:13:xx:xx:xx:x:xx:38 Aug 9 11:14:18 dhcp6c 11264 get DHCP option client ID, len 14 Aug 9 11:14:18 dhcp6c 11264 receive reply from fe80::xxxx:xxxx:xxxx:3ab7%igb0 on igb0 Aug 9 11:14:18 dhcp6c 11264 reset a timer on igb0, state=REQUEST, timeo=0, retrans=909 Aug 9 11:14:18 dhcp6c 11264 send request to ff02::1:2%igb0 Aug 9 11:14:18 dhcp6c 11264 set IA_PD Aug 9 11:14:18 dhcp6c 11264 set IA_PD prefix Aug 9 11:14:18 dhcp6c 11264 set option request (len 4) Aug 9 11:14:18 dhcp6c 11264 set elapsed time (len 2) Aug 9 11:14:18 dhcp6c 11264 set identity association Aug 9 11:14:18 dhcp6c 11264 set IA address Aug 9 11:14:18 dhcp6c 11264 set server ID (len 10) Aug 9 11:14:18 dhcp6c 11264 set client ID (len 14) Aug 9 11:14:18 dhcp6c 11264 a new XID (b29d1b) is generated Aug 9 11:14:18 dhcp6c 11264 Sending Request Aug 9 11:14:18 dhcp6c 11264 picked a server (ID: 00:03:00:01:dc:xx:xx:xx:xx:b7) Aug 9 11:14:17 dhcp6c 11264 reset timer for igb0 to 0.998159 Aug 9 11:14:17 dhcp6c 11264 server ID: 00:03:00:01:dc:xx:xx:xx:xx:b7, pref=10 Aug 9 11:14:17 dhcp6c 11264 IA_PD prefix: 2a02:xxxx:xxxx:80::/57 pltime=3600 vltime=7200 Aug 9 11:14:17 dhcp6c 11264 get DHCP option IA_PD prefix, len 25 Aug 9 11:14:17 dhcp6c 11264 IA_PD: ID=0, T1=1800, T2=2880 Aug 9 11:14:17 dhcp6c 11264 get DHCP option IA_PD, len 41 Aug 9 11:14:17 dhcp6c 11264 IA_NA address: 2a02:xxxx:xxxx:0:xxx:xxxx:xxxx:6938 pltime=3600 vltime=7200 Aug 9 11:14:17 dhcp6c 11264 get DHCP option IA address, len 24 Aug 9 11:14:17 dhcp6c 11264 IA_NA: ID=0, T1=1800, T2=2880 Aug 9 11:14:17 dhcp6c 11264 get DHCP option identity association, len 40 Aug 9 11:14:17 dhcp6c 11264 unknown or unexpected DHCP6 option opt_86, len 16 Aug 9 11:14:17 dhcp6c 11264 get DHCP option opt_86, len 16 Aug 9 11:14:17 dhcp6c 11264 get DHCP option DNS, len 16 Aug 9 11:14:17 dhcp6c 11264 preference: 10 Aug 9 11:14:17 dhcp6c 11264 get DHCP option preference, len 1 Aug 9 11:14:17 dhcp6c 11264 DUID: 00:03:00:01:dc:xx:xx:xx:xx:b7 Aug 9 11:14:17 dhcp6c 11264 get DHCP option server ID, len 10 Aug 9 11:14:17 dhcp6c 11264 DUID: 00:01:00:01:24:de:xx:13:xx:xx:xx:x:xx:38 Aug 9 11:14:17 dhcp6c 11264 get DHCP option client ID, len 14 Aug 9 11:14:17 dhcp6c 11264 receive advertise from fe80::xxxx:xxxx:xxxx:3ab7%igb0 on igb0 Aug 9 11:14:17 dhcp6c 11264 reset a timer on igb0, state=SOLICIT, timeo=0, retrans=1091 Aug 9 11:14:17 dhcp6c 11264 send solicit to ff02::1:2%igb0 Aug 9 11:14:17 dhcp6c 11264 set IA_PD Aug 9 11:14:17 dhcp6c 11264 set IA_PD prefix Aug 9 11:14:17 dhcp6c 11264 set option request (len 4) Aug 9 11:14:17 dhcp6c 11264 set elapsed time (len 2) Aug 9 11:14:17 dhcp6c 11264 set identity association Aug 9 11:14:17 dhcp6c 11264 set client ID (len 14) Aug 9 11:14:17 dhcp6c 11264 a new XID (322b29) is generated Aug 9 11:14:17 dhcp6c 11264 Sending Solicit Aug 9 11:14:16 dhcp6c 11264 reset a timer on igb0, state=INIT, timeo=0, retrans=891 Aug 9 11:14:16 dhcp6c 10971 called Aug 9 11:14:16 dhcp6c 10971 called Aug 9 11:14:16 dhcp6c 10971 <3>end of sentence [;] (1) Aug 9 11:14:16 dhcp6c 10971 <3>end of closure [}] (1) Aug 9 11:14:16 dhcp6c 10971 <3>end of sentence [;] (1) Aug 9 11:14:16 dhcp6c 10971 <3>end of closure [}] (1) Aug 9 11:14:16 dhcp6c 10971 <3>end of sentence [;] (1) Aug 9 11:14:16 dhcp6c 10971 <3>[8] (1) Aug 9 11:14:16 dhcp6c 10971 <3>[sla-len] (7) Aug 9 11:14:16 dhcp6c 10971 <3>end of sentence [;] (1) Aug 9 11:14:16 dhcp6c 10971 <3>[1] (1) Aug 9 11:14:16 dhcp6c 10971 <3>[sla-id] (6) Aug 9 11:14:16 dhcp6c 10971 <3>begin of closure [{] (1) Aug 9 11:14:16 dhcp6c 10971 <5>[igb1.1] (6) Aug 9 11:14:16 dhcp6c 10971 <3>[prefix-interface] (16) Aug 9 11:14:16 dhcp6c 10971 <3>end of sentence [;] (1) Aug 9 11:14:16 dhcp6c 10971 <3>[infinity] (8) Aug 9 11:14:16 dhcp6c 10971 <3>[56] (2) Aug 9 11:14:16 dhcp6c 10971 <3>[/] (1) Aug 9 11:14:16 dhcp6c 10971 <3>[::] (2) Aug 9 11:14:16 dhcp6c 10971 <3>[prefix] (6) Aug 9 11:14:16 dhcp6c 10971 <13>begin of closure [{] (1) Aug 9 11:14:16 dhcp6c 10971 <13>[0] (1) Aug 9 11:14:16 dhcp6c 10971 <13>[pd] (2) Aug 9 11:14:16 dhcp6c 10971 <3>[id-assoc] (8) Aug 9 11:14:16 dhcp6c 10971 <3>end of sentence [;] (1) Aug 9 11:14:16 dhcp6c 10971 <3>end of closure [}] (1) Aug 9 11:14:16 dhcp6c 10971 <13>begin of closure [{] (1) Aug 9 11:14:16 dhcp6c 10971 <13>[0] (1) Aug 9 11:14:16 dhcp6c 10971 <13>[na] (2) Aug 9 11:14:16 dhcp6c 10971 <3>[id-assoc] (8) Aug 9 11:14:16 dhcp6c 10971 <3>end of sentence [;] (1) Aug 9 11:14:16 dhcp6c 10971 <3>end of closure [}] (1) Aug 9 11:14:16 dhcp6c 10971 <3>comment [# we'd like some nameservers please] (35) Aug 9 11:14:16 dhcp6c 10971 <3>end of sentence [;] (1) Aug 9 11:14:16 dhcp6c 10971 <3>["/var/etc/dhcp6c_wan_script.sh"] (31) Aug 9 11:14:16 dhcp6c 10971 <3>[script] (6) Aug 9 11:14:16 dhcp6c 10971 <3>end of sentence [;] (1) Aug 9 11:14:16 dhcp6c 10971 <3>[domain-name] (11) Aug 9 11:14:16 dhcp6c 10971 <3>[request] (7) Aug 9 11:14:16 dhcp6c 10971 <3>end of sentence [;] (1) Aug 9 11:14:16 dhcp6c 10971 <3>[domain-name-servers] (19) Aug 9 11:14:16 dhcp6c 10971 <3>[request] (7) Aug 9 11:14:16 dhcp6c 10971 <3>comment [# request prefix delegation] (27) Aug 9 11:14:16 dhcp6c 10971 <3>end of sentence [;] (1) Aug 9 11:14:16 dhcp6c 10971 <3>[0] (1) Aug 9 11:14:16 dhcp6c 10971 <3>[ia-pd] (5) Aug 9 11:14:16 dhcp6c 10971 <3>[send] (4) Aug 9 11:14:16 dhcp6c 10971 <3>comment [# request stateful address] (26) Aug 9 11:14:16 dhcp6c 10971 <3>end of sentence [;] (1) Aug 9 11:14:16 dhcp6c 10971 <3>[0] (1) Aug 9 11:14:16 dhcp6c 10971 <3>[ia-na] (5) Aug 9 11:14:16 dhcp6c 10971 <3>[send] (4) Aug 9 11:14:16 dhcp6c 10971 <3>begin of closure [{] (1) Aug 9 11:14:16 dhcp6c 10971 <5>[igb0] (4) Aug 9 11:14:16 dhcp6c 10971 <3>[interface] (9) Aug 9 11:14:16 dhcp6c 10971 skip opening control port Aug 9 11:14:16 dhcp6c 10971 failed initialize control message authentication Aug 9 11:14:16 dhcp6c 10971 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory Aug 9 11:14:16 dhcp6c 10971 extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:24:de:xx:13:xx:xx:xx:x:xx:38 Aug 9 11:14:11 dhcp6c 60699 exiting Aug 9 11:14:11 dhcp6c 60699 script "/var/etc/dhcp6c_wan_script.sh" terminated Aug 9 11:14:11 dhcp6c 60699 executes /var/etc/dhcp6c_wan_script.sh Aug 9 11:14:11 dhcp6c 60699 removing an event on igb0, state=RELEASE Aug 9 11:14:11 dhcp6c 60699 script "/var/etc/dhcp6c_wan_script.sh" terminated Aug 9 11:14:11 dhcp6c dhcp6c EXIT or RELEASE on igb0 running rc.newwanipv6 Aug 9 11:14:11 dhcp6c 60699 executes /var/etc/dhcp6c_wan_script.sh Aug 9 11:14:11 dhcp6c 60699 status code: success Aug 9 11:14:11 dhcp6c 60699 dhcp6c Received RELEASE Aug 9 11:14:11 dhcp6c 60699 status code: success Aug 9 11:14:11 dhcp6c 60699 get DHCP option status code, len 2 Aug 9 11:14:11 dhcp6c 60699 DUID: 00:03:00:01:dc:xx:xx:xx:xx:b7 Aug 9 11:14:11 dhcp6c 60699 get DHCP option server ID, len 10 Aug 9 11:14:11 dhcp6c 60699 DUID: 00:01:00:01:24:de:xx:13:xx:xx:xx:x:xx:38 Aug 9 11:14:11 dhcp6c 60699 get DHCP option client ID, len 14 Aug 9 11:14:11 dhcp6c 60699 receive reply from fe80::xxxx:xxxx:xxxx:3ab7%igb0 on igb0 Aug 9 11:14:11 dhcp6c 60699 got an expected reply, sleeping. Aug 9 11:14:11 dhcp6c 60699 removing an event on igb0, state=RELEASE Aug 9 11:14:11 dhcp6c 60699 script "/var/etc/dhcp6c_wan_script.sh" terminated Aug 9 11:14:11 dhcp6c dhcp6c EXIT or RELEASE on igb0 running rc.newwanipv6 Aug 9 11:14:11 dhcp6c 60699 executes /var/etc/dhcp6c_wan_script.sh Aug 9 11:14:11 dhcp6c 60699 status code: success Aug 9 11:14:11 dhcp6c 60699 dhcp6c Received RELEASE Aug 9 11:14:11 dhcp6c 60699 status code: success Aug 9 11:14:11 dhcp6c 60699 get DHCP option status code, len 2 Aug 9 11:14:11 dhcp6c 60699 DUID: 00:03:00:01:dc:xx:xx:xx:xx:b7 Aug 9 11:14:11 dhcp6c 60699 get DHCP option server ID, len 10 Aug 9 11:14:11 dhcp6c 60699 DUID: 00:01:00:01:24:de:xx:13:xx:xx:xx:x:xx:38 Aug 9 11:14:11 dhcp6c 60699 get DHCP option client ID, len 14 Aug 9 11:14:11 dhcp6c 60699 receive reply from fe80::xxxx:xxxx:xxxx:3ab7%igb0 on igb0 Aug 9 11:14:11 dhcp6c 60699 removing an event on igb0, state=INIT Aug 9 11:14:11 dhcp6c 60699 removing an event on igb0, state=INIT Aug 9 11:14:11 dhcp6c 60699 reset a timer on igb0, state=INIT, timeo=0, retrans=60 Aug 9 11:14:11 dhcp6c 60699 remove a site prefix 2a02:xxxx:xxxx:80::/57 Aug 9 11:14:11 dhcp6c 60699 remove an IA: PD-0 Aug 9 11:14:11 dhcp6c 60699 send release to ff02::1:2%igb0 Aug 9 11:14:11 dhcp6c 60699 set IA_PD Aug 9 11:14:11 dhcp6c 60699 set IA_PD prefix Aug 9 11:14:11 dhcp6c 60699 set elapsed time (len 2) Aug 9 11:14:11 dhcp6c 60699 set server ID (len 10) Aug 9 11:14:11 dhcp6c 60699 set client ID (len 14) Aug 9 11:14:11 dhcp6c 60699 a new XID (923af0) is generated Aug 9 11:14:11 dhcp6c 60699 Sending Release Aug 9 11:14:11 dhcp6c 60699 reset a timer on igb0, state=RELEASE, timeo=0, retrans=925 Aug 9 11:14:11 dhcp6c 60699 release an IA: PD-0 Aug 9 11:14:11 dhcp6c 60699 Start address release Aug 9 11:14:11 dhcp6c 60699 reset a timer on igb0, state=INIT, timeo=0, retrans=278 Aug 9 11:14:11 dhcp6c 60699 remove an address 2a02:xxxx:xxxx:0:xxx:xxxx:xxxx:6938/128 on igb0 Aug 9 11:14:11 dhcp6c 60699 remove an address 2a02:xxxx:xxxx:0:xxx:xxxx:xxxx:6938 Aug 9 11:14:11 dhcp6c 60699 remove an IA: NA-0 Aug 9 11:14:11 dhcp6c 60699 send release to ff02::1:2%igb0 Aug 9 11:14:11 dhcp6c 60699 set elapsed time (len 2) Aug 9 11:14:11 dhcp6c 60699 set identity association Aug 9 11:14:11 dhcp6c 60699 set IA address Aug 9 11:14:11 dhcp6c 60699 set server ID (len 10) Aug 9 11:14:11 dhcp6c 60699 set client ID (len 14) Aug 9 11:14:11 dhcp6c 60699 a new XID (287b01) is generated Aug 9 11:14:11 dhcp6c 60699 Sending Release Aug 9 11:14:11 dhcp6c 60699 reset a timer on igb0, state=RELEASE, timeo=0, retrans=938 Aug 9 11:14:11 dhcp6c 60699 release an IA: NA-0

Steve

@cpjet64 said in Commercial Use:

So I just had quite the eyeopening call with Bob and I honestly had no idea how pfSense was setup. I would highly recommend anyone who is looking to switch to pfSense for customers or work to call him. He will tell you how it is and if you're like me then you will most likely end up buying an actual appliance from them. I still have to do a bit of research on TNSR for this application but I have a strong feeling the SG-1100 will fit my customers much better and make my life easier as well. Thanks for the comments!

You're welcome. And buying actual Netgate hardware is the best way to support the project. pfSense itself is free, and they make their living selling hardware and support.

I did it and aswered a couple of questions I had so I'm leaving it here.

yes backup/restoring config.xml backups CA and all certificates, noticeably tho if you use the passwd command from shell at anytime be weary the user password you just changed will be reverted back to the one in config.xml at every reboot, you need to change a user password from the webgui to make it stick

yes it is obviously possible to restore a confix.xml just after the install process before reboot, the installer asks you at the end if you want a shell before rebooting and you should say yes, then dhclient your network device (I'm using a vps with only one network device vtnet0) and then use fetch/scp to get the config.xml on the box, put it into /cf/conf/confix.xml and reboot, that's basically it.

Noticeably the fetch available in this environment cannot open https links without installing root certificates, which I didn't wanted to do because I don't know if it's a security risk (I believe so), so I opted to scp the file from another server I have, scp did not add the ssh key and would fail miserably, you need to ssh into the box to add the key to your know hosts (or add it manually) and then you can scp files from it.

So I've created the basic setup (one WAN device on vtnet0 with DHCP and one LAN device on ovpns0) on a VM on my laptop, issued all the certificates and set-up the main admin user and created a firewall rule to allow the OpenVPN port (UDP 1194) from WAN Net to This Firewall, got the ovpn config file from the box and then I exported the config.xml.
that's the config.xml I restored to the box just after install having access to it via VNC.

device name and assignation during first boot, which was my main question here. the device name is gonna be checked against what's in the config.xml BEFORE starting OpenVPN and creating ovpns device, that introduces a complication here if the device name do not coincide.

if the WAN network device name is the same (vtnet0, em0, etc.) in your VM/config.xml file and on your VPS it's all good, the box just starts without complaining, OpenVPN starts it's ovpns device assigned on LAN and you can connect to it just by changing the server IP address on you ovpn file and you got the GUI on the vpn address and at no time the default login has been exposed to the internet.

if the device name is not the same it's a bit tricky, because during boot up it's gonna ask you to assign devices BEFORE the Openvpn device (ovpns0) has been started, so you can reassign your WAN but you're gonna loose your assigned LAN because of this.
you can obviously fix this via shell (probably haven't looked into it, I'm just learning my way around pfsense) but the easiest way is to just use the same device name in your VM as you're gonna find on your VPS, in my case on my VPS the device name is vtnet0 and you can get that same device on virtualbox using the paravirt driver for your virtual NIC.

I believe you can also just change the device name in the config.xml file but I haven't tried it.

that's all folks, I hope this can help somebody in need of understanding how to do this.

Building a VPN aggregator this way on pfsense gives yo, bandwidth control for each VPN, firewall, IDS, etc.

Missed that page in my searches, thank you. Will give that a shot this weekend.

@lewis said in Allow LAN to LAN, not routing:

I said many times, I've never done this before, it's a live network that I cannot mess up.

My point exactly.

It isn't possible for you to block YouTube for all your users but allow it when it's linked from somewhere else.

I don't really have anything else to add other than that you can upload images here directly without having to link to some hosting site like Imgur. Just use the Upload Image button in the Edit bar when you're making a comment.

Hmm, then I would be testing against an external iperf server next if you can.

Steve

to be honest any sort of nat "reflection" is just an abomination if you ask me.. Why not just have your local stuff resolve the local IP vs any sort of reflection off your public IP.. Simple host override is all it takes.

Only reason I can think of doing a reflection would be to work around the horrible coding of some app that uses a IP vs a fqdn as destination.

Most of the ET Policy ones are related to my IOT network, I should really tighten up $home_net now I'm running Snort on the parent interface.

The SIP stuff is related to a VOIP phone sat on my network.

The rest was just normal day to day traffic.

Thx for the quick exact info!!

Thanks a lot i now understand it probably thru the console
I also discovered in the link https://community.adamnet.works/hc/en-us/articles/115002725594-Running-on-a-Transparent-pfSense-Bridge
It uses the mac address of both the WAN and LAN interface rather than ip address when assigning the LAN and WAN interface to the BRidge
This has to be tested before knowing if it works