• OpenVPN on IOS

    0 Votes
    2 Posts
    489 Views
    jimp

    Firewall > Rules, WAN tab. Edit the OpenVPN rule. Change the protocol to UDP. Save. Apply.

    Then update to 2.4.3-p1.

  • Crashing every couple of days

    0 Votes
    5 Posts
    620 Views

    Thanks for the suggestions.

    It turns out that it was the physical network adapter. I swapped it out and it has been stable for 5 days now.

  • How to encrypt hard drive pfsense (all of files in hard)

    0 Votes
    2 Posts
    726 Views
    johnpoz

    You do understand that now your firewall will need human intervention on power cycle. Is your firewall not in a secure location?

    What is exactly on there that might be of concern other than the CA, and private key for the web gui? Move the CA off..

    This topic has been gone over a few times over the years - it just doesn't have a valid use case on a firewall..

    Do any of the major players provide for FDE for their routers/firewalls? Cisco, Palo, Juniper, Fortinet?

    You're still open to evil maid attack as well. So what does it buy you? Not like you can lose your firewall, forget it on the subway, someone break the window on your car and take it while you're parked for lunch, etc.

    edit: For ref, this is the last time I recall this topic coming up
    https://forum.netgate.com/topic/114030/installation-with-whole-disk-encryption

    Use ZFS if you want to do it - just pointless IMHO and IMPO both personal and professional.

  • WAN interface bounce caused pfSense GUI to hang

    0 Votes
    3 Posts
    537 Views
    asv345h

    I've rebooted the ISP modem and pulled the ethernet cable out many times as well, and, like you said, no problem. I thought dns at first also but tried to access the gui via ip and it also hung. DNS was also affected though as I could not do an nslookup. Weird?!

  • 0 Votes
    1 Posts
    769 Views
    No one has replied
  • Thinwire to UTP

    0 Votes
    16 Posts
    2k Views

    @Derelict @JKnott Thanks guys for setting me on the straight and narrow. I'll now hunt down a hub with a BNC port instead of BNC NIC, and I still get to use pfsense :)

  • Hard Drive Usage Worries?

    0 Votes
    3 Posts
    732 Views

    Thanks for that. I sort of had a gut feeling it would be Suricata.

    I thought the settings allowed for the logs to be regularly emptied but that seems to be not working or either I did not set them up correctly. I will take a look and see what I can find out.

    Yes I did have Snort installed at one stage but removed it. So I guess I will have to learn how to delete that data that remains.

    Much appreciated your reply.

  • PPPoE and daloRADIUS

    0 Votes
    2 Posts
    689 Views
    stephenw10

    If it can authenticate against Freeradius on localhost it should be able to validate against an external radius server.

    Can you authenticate against it from Diag > Auth?

    Check for valid states being created.

    Run a packet capture to make sure it really is trying.

    Check the daloradius logs for evidence it's trying to authenticate or any errors.

    Steve

  • Large amount of data usage

    0 Votes
    24 Posts
    3k Views

    It seems like many business branded comps (Dell, Lenovo, etc) have security issues on onboard ethernet (exposing either IPMI or AMT). On my router machine, I'm only using the onboard ethernet for a 'management lan' that gets no internet access at all. IPMI and switch management interfaces shouldn't need to access the internet anyway. WAN and LANs served by an intel 4-port card. I just don't trust those manufacturers to patch management bugs fast enough.

    For all those who ran into this data usage issue, I'd urge you to reset your IPMI or AMT interface to factory defaults before locking it down. It's an annoyingly nontrivial task in some cases. If it's got gigs of data usage, I'd be concerned that a bad actor somewhere has pwned your management interface.

  • Headaches with cuaU ports

    0 Votes
    1 Posts
    954 Views
    No one has replied
  • General Questions from a Noob

    0 Votes
    20 Posts
    2k Views
    JKnott

    @waqar-uk said in General Questions from a Noob:

    @johnpoz said in General Questions from a Noob:

    @waqar-uk

    Yeah they are fine for dumb - but why would you have purchased a smart if all you wanted/needed was dumb. Was your future plan to use them as vlans? If so the v2 version has not gotten a firmware update while the v3 models seem to have a firmware update out that is supposed to fix their mishandling of vlans.

    I just bought a TP link 8 port switch to use as a way to pass my Pfsense LAN to many of my devices, be they a wireless AP, power line networking and my main desktop direct Ethernet connection.

    They're OK as a regular switch or even for port mirroring. However, you can forget about using them for VLANs.

  • How to add my WiFi router at home to my pfSense+FreeRadius on AWS

    0 Votes
    2 Posts
    269 Views
    stephenw10

    I would suggest running a VPN between the AWS instance and your home router (which I assume is pfSense, if not why not! 😉 ) so that the NAS IP is always the same private IP.
    The VPN itself can just use a dyndns entry or if you use OpenVPN it doesn't matter if the IP changes.

    Steve

  • PFsense Disable reply TTL

    0 Votes
    3 Posts
    555 Views

    Yes, you are right. Looping is occurring between the router and pfsense.

    Router ip Pfsense ip Router ip Pfsense ip
    ....

    Thx

  • pfSense as VPN+Firewall on hosted server

    0 Votes
    3 Posts
    573 Views

    @jegr said in pfSense as VPN+Firewall on hosted server:

    @mkaltoft As I suppose your datacenter ISP that hands out the public IPs hasn't allocated you a public IP subnet/space that could be routed, just let him point all public IPs to IP of the pfSense in VM1. Then use 1:1 NAT or port forwardings to map .171 public to .171 private.

    That makes a lot of sense - thank you so much.

  • how to remove a lagg

    0 Votes
    6 Posts
    3k Views

    @stephenw10 said in how to remove a lagg:

    Just got to doing this, these instructions were perfect.
    Thank you,

  • Accessing Modem while on LAN brings up pfSense login?

    0 Votes
    3 Posts
    382 Views

    I found the problem, I had my VPN set up at 10.0.0.0/24

  • openvpn provider with portforwarding

    0 Votes
    2 Posts
    478 Views
    stephenw10

    This guy used AirVPN for that reason.
    https://forum.netgate.com/topic/130820/pfsense-unraid-bittorrent-airvpn-confusing
    I have never used them so can't comment on them.

    Steve

  • pfSense doesn't detect when internet is back up

    0 Votes
    6 Posts
    896 Views
    SammyWoo

    @selstam2 Seen this prob posted somewhere else. My first thought was, how come Pfsense, promoted as High-Availability capable, has this prob... then it occurred to me this may happen only under some circumstances... It happens in my case because I notice my Pfsense box boots faster and becomes ready BEFORE my Arris modem (issues DHCP req when modem not ready to respond), which leads me to think a script or a Pfsense delay boot... hasn't bothered me much for me to take any action 'cuz my UPS spoils me :)

  • LDAP AD Extended Query with 2 groups

    0 Votes
    3 Posts
    682 Views

    @stephenw10 said in LDAP AD Extended Query with 2 groups:

    clear both those queries work individually but you want to authenticate only users who are members of both groups?

    Sorry, I wasn't being clear in previous post. I found this post to be similar to my issue:
    https://forum.netgate.com/topic/103988/ldap-extended-query-with-multiple-groups

    The solutions in there did not work for me. Is there a way to make this work? My pfSense version is 2.4.2.

    Thank you,

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.