• PfSense with Wanos for wan acceleration on VM Is it possible?

    1
    0 Votes
    1 Posts
    615 Views
    No one has replied
  • SG-1000 High CPU Usage with Netstat Command?

    9
    0 Votes
    9 Posts
    2k Views
    ivorI

    You will be able to download the image once it's ready.

  • Help first pfSense build (Modem,ESXi,Wireless router)

    3
    0 Votes
    3 Posts
    483 Views
    P

    Hi,

    I managed to create multiple SSIDs with my Asus wireless router in AP mode, with one VLAN bridged to the VAP. The two LAN devices attached to the WLAN router have static IPs, in my case 10.0.10.20 and 10.0.10.30, but I still cannot connect to the internet somehow. So is it better to invest in a smart router and put it in between?

  • VPN Setup

    4
    0 Votes
    4 Posts
    864 Views
    D

    Yes after looking into it some more, I can see it is obvious that OpenVPN is the right way to go.

    Thanks for the replies.

  • Bandwidthd and darkstat not working

    3
    0 Votes
    3 Posts
    827 Views
    M

    Makes sense now that you have told me :) Thanks, Bud.

  • Using PFsense 2.4.0 in a commercial environment

    7
    0 Votes
    7 Posts
    10k Views
    johnpozJ

    "We want to sell to our customers appliances with pfsense installed on them"

    Why would you not just partner with pfSense/Netgate then?  https://www.netgate.com/partners/

    While it might be legal, since it's open source, to grab the code and compile it and use a different name, etc., it has got to be one of the most dick-like moves I can think of.  If you do not like something pfSense is doing and you want to fork to work in a different direction, OK then.

    But to just state "hey, we like your product, but we want to sell it and not give you any of the money" is just screaming "hey, we suck so bad, but we like money - buy our shit, it's cheaper"…  talk about asshattery at the highest level.

    Why not just work with Netgate/pfSense, and everyone is a winner!!

  • Bug Report - Filtered Firewall Log

    5
    0 Votes
    5 Posts
    336 Views
    J

    Nothing more, nothing less: with ^23$ that is all you get.

    Thanks all.  I don't recall (but my memory is getting worse) this being necessary in earlier versions.
    But now that I know, I'm all set.

  • New pfsense user have couple of questions

    3
    0 Votes
    3 Posts
    564 Views
    M

    I had to give up the pfSense project over the holidays as these network cards could not handle the load. So I have ordered an Intel dual-port NIC; the 4-port one I have is either dead or is version 1.0, so it didn't work in my box. Anyhow, thanks for the link; even though I thought I knew lots :) I did learn a lot from the posts, very informative.

  • One WAN goes down immediately on connecting

    6
    0 Votes
    6 Posts
    771 Views
    GertjanG

    @robatwork:

    I had tried 8.8.8.8 as the monitor which also failed.  ….

    As far as I know, "8.8.8.8" has been set up to reply to ping.
    But this "8.8.8.8" can be far away for you - just count the 'hops' (actually: routers).
    You should know that every 'hop' has the right to throw away traffic that it thinks is "useless" because, for example, it's overloaded. And guess what: ICMP is just the protocol that gets thrown away if needed.
    A gateway monitor IP should be as close as possible - often this is a device from your ISP.

  • Multiple IPSEC IkeV2 "access levels"

    4
    0 Votes
    4 Posts
    635 Views
    NogBadTheBadN

    @gelcom:

    Thanks. It worked perfectly!

    The only point is that there is no place in pfSense where I can see which freeRADIUS users are logged in the VPN.

    This is not clear to me. What's the difference with this additional NAS-Identifier==strongSwan?

    Yes, the only issue is not being able to see who's logged in via Status -> IPSec -> Leases; the only way is looking in the logs.

    Re NAS-Identifier==strongSwan: I also use FreeRADIUS for WPA Enterprise auth. If you add NAS-Identifier==strongSwan to the check items, it basically says this user can only connect if the NAS-Identifier is strongSwan.

    You can use radsniff -x from the CLI to see what's going on; the capture in green is when I connect to the Wi-Fi, the blue via VPN.

    2017-12-28 13:47:46.598198 (25) Accounting-Request Id 90 igb0:172.16.1.11:37599 -> 172.16.1.1:1813 +5.827
    User-Name = "andy"
    NAS-IP-Address = 172.16.1.11
    NAS-Port = 0
    Framed-IP-Address = 172.16.2.41
    Called-Station-Id = "A2-2A-A8-98-9D-8C:L-Space Radius"
    Calling-Station-Id = "D0-4F-7E-85-D9-BE"
    NAS-Identifier = "802aa8969d8c"
    NAS-Port-Type = Wireless-802.11
    Acct-Status-Type = Start
    Acct-Session-Id = "5A44C1A4-0000000F"
    Acct-Authentic = RADIUS
    Connect-Info = "CONNECT 0Mbps 802.11b"
    Authenticator-Field = xxxxxxxxxxxxxxxxxxxx

    2017-12-28 13:50:02.817587 (7) Access-Request Id 222 lo0:127.0.0.1:26931 -> 127.0.0.1:1812 +0.014
    User-Name = "andy-ipad"
    NAS-IP-Address = xx.xx.xx.xx
    NAS-Port = 47
    Service-Type = Framed-User
    State = 0x3011d33a3212c931f791fe04904119c2
    Called-Station-Id = "xx.xx.xx.xx[4500]"
    Calling-Station-Id = "172.16.2.41[4500]"
    NAS-Identifier = "strongSwan"
    NAS-Port-Type = Virtual
    EAP-Message = 0x020300061a03
    Message-Authenticator = 0xa5eed6c6557dcb0727c1fc852dd6873f
    NAS-Port-Id = "con1"
    Authenticator-Field = xxxxxxxxxxxxxxxxxxxx

  • No active remote repositories configured.

    5
    0 Votes
    5 Posts
    3k Views
    A

    Re-installing and restoring my configuration worked and now I can see packages, thank you.

  • MOVED: getting always blocked by snort even IP is whitelisted

    Locked
    1
    0 Votes
    1 Posts
    231 Views
    No one has replied
  • Disable DNS rebinding protection

    14
    0 Votes
    14 Posts
    8k Views
    R

    The DNS forwarder (dnsmasq) uses the option --stop-dns-rebind by default, which rejects and logs addresses from upstream nameservers which are in the private IP ranges. In the most common usage, this is filtering DNS responses received from the Internet to prevent DNS rebinding attacks. Internet DNS responses should never come back with a private IP, hence it's safest to block this.

    There are some cases when public DNS servers have private IP address replies by default, though it is not recommended. In those cases, DNS rebinding can be disabled or an override may be placed in the DNS Forwarder Advanced Settings box as follows:

    rebind-domain-ok=/mydomain.com/
    Note this is automatically overridden for domains in the DNS forwarder's domain override list, as the most common usage of that functionality is to resolve internal DNS hostnames.

  • Rules info 1770009538.. as an example

    4
    0 Votes
    4 Posts
    553 Views
    johnpozJ

    Just enable the descriptions in the firewall log settings… Or just view the full rules with

    https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset

    And you can see which rule that number shows up on:

    [2.4.2-RELEASE][root@sg4860.local.lan]/root: pfctl -vvsr | grep 1000000110
    @23(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    @24(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    @25(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    @26(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
    @27(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
    [2.4.2-RELEASE][root@sg4860.local.lan]/root:

  • Personal Sub

    2
    0 Votes
    2 Posts
    311 Views
    jahonixJ

    Yes.
    The one thing you may not do is resell pfSense (like bundled with your hardware). Using it is not restricted in any way.
    Supporting the project with a Gold Membership or through buying pfSense/netgate hardware is a plus, of course.

  • Inbound setup for VoIP(Vicidial) with 1 static IP

    3
    0 Votes
    3 Posts
    708 Views
    I

    Thanks for the reply @chpalmer, I just want to get my VoIP clients to work. When doing outbound calling I don't have any problem, but for my inbound I'm working it out.

  • Failover to USB for hard drive crash

    3
    0 Votes
    3 Posts
    387 Views
    DerelictD

    Everything fails eventually.

    A good configuration backup taken regularly and a cold-spare system is a decent alternative.

    GMIRROR should ride out most failures of a single hard disk.

    ZFS should also help with a disk failure.

    Two live units in HA/CARP will generally have zero downtime if a node crashes.

  • Pfsense and ddwrt guest network guidance

    2
    0 Votes
    2 Posts
    662 Views
    S

    Pretty much my current setup (DD-WRT provides nothing more than access points; pfSense handles everything else).  You may want to have a read through here: https://forum.pfsense.org/index.php?topic=116980.msg720119#msg720119  Although the author is using LEDE/OpenWrt, the principles are the same.

  • How can untagged traffic end up on a VLAN?

    9
    0 Votes
    9 Posts
    1k Views
    jahonixJ

    I have several TL-SG3210 (trying to be a cheaper SG300-10 derivative) and 1x TL-SG5428 as well as 1x TL-SG5412F.
    Those are fully managed L2 "JetStream" switches and do not exhibit the behaviour of the entry-level smart switches. This is at home only. Since we use Cisco in the office and at clients' sites extensively, I probably would buy those for my home now as well.

  • VPN DNS Leak Test with Open VPN

    2
    0 Votes
    2 Posts
    599 Views
    TMilandT

    Hi,

    What are your DNS server settings on System / General Setup?

    Here's my settings:

    And Services / DNS Resolver / General Settings?

    I recently fixed this myself, but I'm not 100% certain what I did to fix the problem; I remember I changed some settings in these two places.

    As you can see here:

    https://vpn.ht/dns-leak-test

    My DNS is not leaking, as it shows the Google DNS.  ;D

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.