  • Splitting one network into two with Pfsense VM?

    0 Votes
    4 Posts
    583 Views

    whoa, just noticed I never responded... what did you end up doing?

    To answer your question:

    Should we give the new subnet a different Vlan than the current (Server subnet)?

    In general, yes, it's a good idea to have your workstations on a different VLAN than your servers. There are many reasons... one example would be... let's say one of your workstations gets infected and it's trying to infect other devices via broadcast discovery... well... the infection won't spread to your servers because they're in a different broadcast domain.

    Personally, I use different VLANs for everything... workstations, servers, printers, wireless, management, etc. It makes auditing easier and can help you with deployment, etc. if you start implementing things like SCCM. Although, this may also be overkill depending on your environment and what your objectives are.

    My performance vs security comment had to do with where to terminate your VLANs (switch vs firewall).

  • Basic questions regarding certificates

    0 Votes
    2 Posts
    484 Views
    stephenw10

    I don't think so.

    To do that you would need to proxy the LDAP traffic and pfSense is not capable of that. Via the GUI at least.

    However you could probably do it via something else that you could port forward to and change the certificates without bothering Windows.

    Steve

  • Please help with hardware selection

    0 Votes
    7 Posts
    1k Views

    @msf2000 Okay I have no idea what “OPT1” means as I’m a business owner not a network expert. What’s the benefit of doing this? I do not care that much about security, I need performance. If OPT1 is just some security thing I will likely not use it.

    I’m not building a Pfsense to be a firewall, although I know it has one built in which is nice, I’m building it to be a more stable platform than DD-WRT, something that can support 1gbps speeds, 30k connections without crashing every few hours.

    Also the Amazon link is a significantly better CPU than the SG-3100. I’d much prefer having an Intel processor than ARM. There’s also no mention of the type of NICs in the Netgate product. The Amazon one has all Intel NICs, which I greatly prefer to Realtek.

  • Filtering Kids Content With UniFi AP's and pfSense?

    0 Votes
    2 Posts
    627 Views

    Are these all on the same subnet?

    Pretty sure under the DHCP settings you can define the DNS for that subnet. You would run your regular DNS for your other computers, then anything going to the Kids network could run the OpenDNS servers.

  • Accessing LAN from OPT1

    0 Votes
    10 Posts
    2k Views

    That was it! I had not entered the gateway on the switch! Thanks for the help! It seems that I have a lot to learn, I was sure I had something configured wrong with pfSense ☺

  • ifconfig vs ip

    0 Votes
    2 Posts
    394 Views
    jimp

    Not that I'm aware of

  • Var out of space, or is it?

    0 Votes
    3 Posts
    432 Views
    bmeeks

    @signalz said in Var out of space, or is it?:

    I'm having a problem with /var supposedly running out of space. It's configured for 60MB, on the dashboard it shows 108% CPU usage, but du -mhs /var says it's only using 30MB. The DNS service crashes constantly and watchdog can't always restart it. I stopped snort as a temporary fix. I've had it set up for a while so I don't think that's causing the problem. My most recent changes on this box were a change to an alias used by snort's passlist and adding services to watchdog to monitor. Why is /var out of space but really not?

    Snort can use quite a bit of space in /var for its logs, especially on a busy network and if you have lots of Snort rules enabled and firing.

    What kind of hardware are you running on? Why is /var so restricted? That is where all of the logging happens.

  • Is there a guide or how to for installing pfSense through PXEBoot

    0 Votes
    1 Posts
    188 Views
    No one has replied
  • Add Second Hard Drive (Solved)

    0 Votes
    17 Posts
    6k Views

    So I came across this and I know it is a little stale, but thanks for the tips.

    I'm quite comfortable with VI, so that was no issue.

    I was just wondering why you didn't create a symbolic link? I think that would actually be simpler. I'm not clear if that will go away after a reboot, or a firmware/OS update. I wanted to offload my pfBlocker data. I set it up yesterday and within a few hours it has filled up my /var partition.

  • Unwanted State reset after applying new Rules

    0 Votes
    5 Posts
    605 Views
    stephenw10

    No problem. Let us know if that doesn't help.

    Steve

  • Customer <-IPSEC-> Site1 <-IPSEC-> Site2

    0 Votes
    2 Posts
    215 Views
    JKnott

    You'll need to configure a route to pass the customer to site 2 and also the reverse.

  • Extremely bizarre pfsense behavior of slow internet

    0 Votes
    4 Posts
    1k Views

    That's great to hear!

    As far as the YouTube content... Hmmm that's a tricky one! Might be a little bit beyond my pay grade! Ruling out a coincidence, I'd be thinking it's something to do with the port that they use or a connection (firewall state) being kept open, but I'd only be guessing.

  • VPN advice

    0 Votes
    2 Posts
    449 Views

    I don't use this service, but a quick look at those instructions and it seems to me you'd want to do the following:

    At step 10, make a copy of the rule you created, edit it and change the gateway back to the default gateway. Make sure this rule is the last one in the list. Save the changes.

    When you want to route everything thru the vpn, leave things as is. When you want to route everything thru your ISP, disable the vpn gateway rule by clicking on its check mark and saving the changes.

  • Proxy UDP broadcast packets across subnets

    0 Votes
    1 Posts
    188 Views
    No one has replied
  • 0 Votes
    2 Posts
    433 Views
    KOM

    Well, first off pfSense blocks everything coming in to WAN by default, so unless you add a NAT rule to pass through those ICMP packets, nothing will happen. Plus, the Block Private Networks setting will prevent WAN from responding to any private IP traffic unless you remove that restriction.

  • When internet fails local LAN fails

    0 Votes
    2 Posts
    208 Views
    JKnott

    Why do you think the local LAN fails? The local LAN does not pass through pfSense. What happens if you try to ping another device?

  • Keep config after a "hardware" change?

    0 Votes
    4 Posts
    672 Views
    bmeeks

    @recklessop said in Keep config after a "hardware" change?:

    @bmeeks sorry... yes creating from a template... so new MACs, UUIDs, etc.

    A template and a clone are sort of two radically different things. A template usually starts with a "fresh" un-configured version of the VM's OS such as Windows, or in this case, pfSense. A clone is a simple copy of an existing VM byte-for-byte. Sounds like you need to re-create your template by configuring a firewall to be just like you want it, and then using that VM to create your template. What's happening is the config.xml file in your template is in an out-of-the-box state instead of having your custom configuration stored within it.

  • SSSD as Authentication Servers

    0 Votes
    1 Posts
    406 Views
    No one has replied
  • OpenSSH User Enumeration

    0 Votes
    5 Posts
    1k Views
    chpalmer

    @jimp said in OpenSSH User Enumeration:

    We pulled in patches for that to 2.4.4 a few days ago ( See https://www.netgate.com/docs/pfsense/releases/2-4-4-new-features-and-changes.html#security )
    But your port 22 shouldn't be open to the world anyhow, especially not with

    Yep, just for the naysayers out there.. I opened 22 on my test firewall this morning before I left for the field. As I sit here having lunch I checked in with it.
    Did an update (daily on this box) to the latest snap. Within seconds of it being back up IPs started connecting to port 22 trying to guess user/pass combos. 16 different IPs in five minutes.

    I can't imagine what that would be like if it had been open for days..

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.