Today. :-)

https://www.netgate.com/blog/pfsense-2-4-4-release-now-available.html

Mmm, not sure why you would do that. Just leave it disabled for an always-on connection. That how to is for a much older version.
The setting is still useful for cellular connections where you are using expensive data just being connected for example.

Steve

@stephenw10 Thanks for your response. I do have the package installed.

@rico I had a similar issue. Thanks for your advice!!

@viragomann said in Bridging two networks:

So I assume you have a setup with LAN configured and accessing the web configurator via LAN.
As far as I know a restart was necessary after that to get it work.

I tried both - accessing from this "LAN" interface and from other interface. I also tried assigning bridge to "OPT2" instead of "LAN" as you suggest and did reboot pfSense, but that didn't help.

@derelict said in Bridging two networks:

Did you then move your management device to OPT1? That would be the only port on "LAN" at that point.

Yes, it supposed to be accessible via 192.168.1.x, but I can't access nor ping it.

Could problem be that one of these two LAN networks is at virtual port (between pfSense VM and host machine)? I also tried adding only 1 physical port to this bridge, but still can't access it.

To expand on @heper: Yes, pfSense will do this.

What version of pfsense are you using?

So after further digging, I found that my Unifi system in its previous update automatically turned on "Wireless Meshing" between 2 of my 50 WAPs. Both are hardwired, so there is no need for meshing, so no problems occurred the first 3 weeks after the update (therefore I never suspected it), but if one WAP gets overloaded with traffic and misses its heartbeat, it creates a temporary wireless bridge to reconnect and then creates a network loop. For some reason the switches RSTP setting isn't picking up the loop and its making its way all the way up the food chain to the pfSense box since the wireless bridge resides on a VLAN and needs routing through to the LAN. Since I took off the Wireless Meshing setting, everything has cleared up. I'm hopeful that this was the root of the problem and the peacefulness continues. I'll keep you guys informed and I appreciate all the help!

finally after 30 minutes in shell mode he was able to do the update and went up normally and now I can access the dashboard ... thanks everyone!

Yup. And if you find anyone bypassing your GPO somehow, grab a wrench and go pay them a visit.

Hi Steve.

Thanks for your reply. To be honest, I might need some help with this one as I didn't get the redirect settings in SquidGuard to work.

I am able to get SquidGuard to block unwanted sites (e.g. ad sites, porn sites, etc.); but, for some reason, the "Use SafeSearch engine" checkbox never worked for me - I had to add a couple of entries in DNS Resolver to force safe search for Google and Bing. When I remove those DNS Resolver entries, uncheck the "Use SafeSearch engine" box and try to create my own "Safe Search" rewrite, it doesn't work.

E.g.:

Rewrite Rules:

Target URL: google.com
Replace to URL: forcesafesearch.google.com
Opt: Redirect

For some reason, this causes the URL to become forcesafesearch.google.com to be forcesafesearch.forcesafesearch.google.com. If I try using the IP address, the system comes back with www.<ip address>.

To say I'm doing something wrong would be an understatement. I apologize for my lack of knowledge, but I'm still learning and any suggestions you can provide would be greatly appreciated.

Thank you.

@mascot said in How to set TTL?:

In this case my only option to have same TTL with "pf scrub" is to set it to maximum value of 255? (Side question: are there any downsides of having TTL=255?)
Also, shouldn't there be possible some workaround to avoid looping? Like router somehow recognizing and ignoring packets if they are in a loop?
Also, maybe for FreeBSD there is something like "iptables mangle" for Linux?

Well, as I mentioned, on IPv6 255 indicates a packet that's intended for the local LAN only. Will a router pass it? Also, recognizing packets it's seen before, that would require saving the packets it already sent and then comparing them with any new packets. That might keep a router a bit busy. Also, if a router sees a packet with 255, the assumption can only be that the previous router decremented from 0 and sent it on, violating the rule that says packets with or decremented to 0 must be discarded. You're trying to defeat the entire purpose of MTU, which is to prevent a packet from being sent forever around a loop.

If can do if you run the Squid web proxy. Squid can send it's logs to a syslog server.

Steve

Great info. That alone is helpful. I'm going to grab a packet capture on the syslog server and go from there. Thanks!

Thank you John.

So do you see the GPS in the Dashboard?

Checking here now only see the GPS in ntpq where as before pps, gps and internet NTP servers...

/root: ntpq ntpq> pe remote refid st t when poll reach delay offset jitter ============================================================================== oGPS_NMEA(0) .GPS. 0 l - 16 377 0.000 0.003 0.026 ntpq>

Maybe I should switch it back?

Switched it back..thinking it takes a bit for PPS to come up (was seeing it before)

ntpq> pe remote refid st t when poll reach delay offset jitter ============================================================================== *GPS_NMEA(0) .GPS. 0 l 12 16 1 0.000 0.028 0.000 0.pfsense.pool. .POOL. 16 p - 64 0 0.000 0.000 0.000 23.134.96.254 252.74.143.178 2 u 1 64 1 41.763 0.186 1.522 eterna.binary.n 204.9.54.119 2 u - 64 1 28.596 3.498 2.029 ntp2.wiktel.com 212.215.1.157 2 u 1 64 1 29.253 9.657 1.283 45.32.75.249 (4 142.66.101.13 2 u - 64 1 65.164 2.326 1.400 ntpq>

Thank you very much.