• Complex Routing Question

    0 Votes
    10 Posts
    1k Views
    stephenw10S

    Nice. I expected that to work but I could also easily imagine something unexpected getting in the way.

    Steve

  • Someone is trying to hack in my mail server what can I do?

    0 Votes
    7 Posts
    1k Views
    S

    I take it the "3 emails a day" are being sent by your mail server software to alert you? If it is from random senders I would consider those phishing emails.

    Any mail server with ports open to the Internet is going to see a lot of attack attempts. If you have a lockout after 5 incorrect passwords they will likely give up and move on.

    Suricata or Snort can try to block those attempts, yes. They can be set up so if an alert is triggered the IP is blocked for the desired amount of time.

    Generally for in-office mail servers, we set our clients up with our spam filtering service, and in pfSense only allow connections on port 25 from the filtering service IPs. So the world cannot just connect to the mail server.

  • Issues with High Latency on PPPOE Reconnect

    0 Votes
    52 Posts
    9k Views
    F

    I somehow had something wrong with the Interfaces that caused it to crash, reconnecting WAN and PPPOE fixed it.

    I will try with the problematic onboard NIC later, the new NIC which is a

    em3@pci0:2:0:0: class=0x020000 card=0x10838086 chip=0x10b98086 rev=0x06 hdr=0x00 vendor = 'Intel Corporation' device = '82572EI Gigabit Ethernet Controller (Copper)' class = network subclass = ethernet

    works perfectly fine as well.

  • 2.4.4-p1 increased memory buffer

    0 Votes
    2 Posts
    402 Views
    stephenw10S

    I'm aware of anything specifically that changed that would cause that but it could be any number of things. You might check the ps -aux output for a single process using that.

    Steve

  • No web configurator if wan unplugged

    0 Votes
    2 Posts
    387 Views
    stephenw10S

    That should not happen but there can be significant delay opening the dashboard if there is no upstream connectivity.

    Check the system logs for errors at that point once you are able to get connected again.

    Steve

  • 1 Votes
    6 Posts
    4k Views
    K

    @evaluationcopy
    Hi - I have been trying for probably 10 or 12 hours to research and parse the pfSense syslog with Snort data. I cannot get it to parse. Based on your sense, it sounds like you have already concluded that Snort in particular, this - snort[12345] - is not parsable in Logstash? If you know of a way, I'd really like to know!
    Thanks

  • FTP Helper on the LAN interface

    0 Votes
    22 Posts
    2k Views
    DerelictD

    The bottom line is if you need Active FTP clients behind a firewall and the services provided by the FTP_Client_Proxy service are not a good fit, pfSense is not for you.

    The availability of certificates has nothing to do with the fact that when a client requests a file, it tells the server where to connect to and that reverse server-to-client connection has to be opened on the client side firewall. Or firewall(s) in your case. SSH has been around for 20+ years. SFTP for 15+. They still insist on using FTP.

  • Console access

    0 Votes
    4 Posts
    667 Views
    stephenw10S

    @joelt said in Console access:

    Cisco 2901

    That's what you're using as a console server?
    That has USB ports; does it recognise the 8860 console port?
    It also had a USB console exactly like the 8860, though it probably uses a different USB/serial IC.

    Steve

  • pfSense API?

    0 Votes
    2 Posts
    2k Views
    GertjanG

    Hi,

    The question is known. Check pfSense API.
    Not something for tomorrow; it's a huge job, and needs an entire GUI internal rewrite (like the GUI will also be using the API to handle ALL settings).

    HP code and passes in the arguments? A huge hassle, I guess.
    A local script that reads the concerned VPN section in the config file, changes it, sets the Disable flag for one VPN server, and resets (removes) the same flag for another server. Then write back your changes. Then a "reload_filters".
    Maybe you should stop the VPN server first - do what I said above, and start the VPN.

  • Signing CSR's - valid Digest Algorithm Issue

    0 Votes
    8 Posts
    1k Views
    B

    Thanks @jimp for looking into this, I am happy to hear that there was actually an issue here and that you were able to resolve the issue so swiftly. I look forward to applying the fix when made available.

  • WAN_DHCP6 2001:4860:4860::8844: sendto error: 13

    0 Votes
    3 Posts
    477 Views
    wgstarksW

    Thanks for the reply. I actually realized what it was a couple of hours after I posted when I saw the same error message for DHCP4. My ISP seems to be having issues lately.🤨

  • ARP slow to load

    0 Votes
    2 Posts
    472 Views
    jimpJ

    The ARP table page attempts to correlate entries with DHCP leases and reverse DNS resolution for hostnames. Either one of those could account for a delay.

  • Mystery Root user

    0 Votes
    4 Posts
    791 Views
    GertjanG

    👍

    Your next question will be: my UPS doesn't shut down pfSense anymore....
    (or: what was the usage of this cable?)

  • Issue smtp directly from gateway

    0 Votes
    6 Posts
    681 Views
    S

    Let me check and I will get back to you.

    Thanks

  • Web Interface Not Loading

    1 Votes
    6 Posts
    1k Views
    B

    I have this same issue and am using 2.4.4p1. I was just installing a couple of pfSense routers yesterday and ran into this.

  • Cannot get public static IP to work on WAN

    0 Votes
    4 Posts
    277 Views
    KOMK

    Glad to hear you got it going.

  • pfSense DMZ Home Network Lab

    0 Votes
    5 Posts
    574 Views
    T

    You could also do this with three NICs and two switches.

    NIC 1 -> WAN
    NIC 2 -> LAN
    NIC 3 -> DMZ

    Set up your FW rules so that connections can go into the DMZ, but nothing can initiate a connection out of it. Then you're done. You'll have the physical segmentation you're looking for, and it's relatively inexpensive and fairly simple to do this.

  • Odd Craigslist Issue

    0 Votes
    42 Posts
    11k Views
    S

    @stewart I too would like to get to the bottom of why this is occurring. It's my nature to understand all that I can. Currently I have a couple of projects going so for the moment I will leave this be for the next couple weeks as the issue is not a high priority right now.

  • UDP fragmented packet loss / IPv6 / VoIP / pfSense version inconsistency

    0 Votes
    13 Posts
    3k Views
    L

    Looks like https://redmine.pfsense.org/issues/8165 was closed too early. We still see problems with IPv6 fragments, in our case with locally created ones which simply disappear. Depending on the certificates and key sizes used, strongSwan will use "oversized" UDP packets in the IKEv2 connection establishment. If the remote side does not support IKEv2 Fragmentation (Windows older than Version 10/1803), the packet never leaves the pfSense box if IPv6 is used. A capture done at the WAN interface shows that this packet is simply missing and therefore the handshake never completes. This is still the case on the latest 2.4.4-RELEASE-p1.

  • Auto Config backup.

    1 Votes
    12 Posts
    2k Views
    vallumV

    @tim-mcmanus said in Auto Config backup.:

    So your compliance needs are for data to be encrypted while in transit and at rest? What are the additional compliance requirements for data at rest? Sounds a lot like HIPAA or SEC/OCC compliance.

    Yes, at rest as well as in transit. Also the methodology used to achieve the backup.

    You could simply get an Amazon CentOS server and put it on S3 storage to pass audits. S3 is encrypted at rest, but the data file itself would not be. Depends on your auditor and their mood.

    If Netgate had regular audits and could produce/maintain an ISO 27001 document demonstrating compliance, with additional assurances of data encryption at rest, that should also comply with your audit requirements. This is something you will get from any data center provider if they are hosting your stuff.

    But without knowing what your data at rest compliance requirements are, getting you an exact solution to your compliance needs may be elusive.

    Well, I already have an external server in place which uses git-crypt to store the config and generates an email for every change done in the firewall, with source IP and username.
    It took around 2 months to design this solution using dozens of open source modules. The only problem is that keyless SSH is used, which is not safe when a firewall is in the picture.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.