• 0 Votes
    1 Posts
    402 Views
    No one has replied
  • Sending firewall-originated traffic via IPSEC VPN?

    2
    0 Votes
    2 Posts
    254 Views
    stephenw10S

    If it's a policy based IPSec tunnel the only workaround I'm aware of is adding a static route via the LAN:
    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html#static-route-workaround

    Steve

  • Boot Environments THANK YOU

    4
    3 Votes
    4 Posts
    588 Views
    M

    Solaris developers that released ZFS under CDDL were setting the stage for everyone else like FreeBSD, IllumOS, the OpenZFS folks to take advantage of things like BEs.

    Netgate folk did a very good job integrating the feature with the GUI interface. There are a lot of little bits behind the scenes, keeping them all straight and then presenting them in an easy to use manner is not a trivial thing.

  • 4100 upgrade to 23.09 no internet connection

    Moved
    10
    0 Votes
    10 Posts
    953 Views
    keyserK

    @rloeb said in 4100 upgrade to 23.09 no internet connection:

    @keyser Wow. They went general release with that serious a bug? Seems irresponsible. Not many users are going to check Redmine to see whether they should upgrade...

    No, it was first discovered right after release as I understand it.

  • Error code: SSL_ERROR_RX_RECORD_TOO_LONG

    7
    0 Votes
    7 Posts
    5k Views
    stratcatS

    I had this happen to me recently after a power outage.
    For some reason it changed the webConfigurator protocol to http/
    I logged in using http and my custom port and changed it back to https/

  • Newbe: Wifi device disconnecting

    9
    0 Votes
    9 Posts
    853 Views
    johnpozJ

    @jfooobet said in Newbe: Wifi device disconnecting:

    ISP router to work as AP somehow

    Any wifi router can be used as just an AP, turn off its dhcp server and connect it to your network via one of its lan ports = just AP.. Normally it's a good idea to set its lan IP to be on your network so it's easier to adjust its wifi settings.

  • Crash Reporter after the PfSense update from 23.05 to 23.09

    16
    0 Votes
    16 Posts
    1k Views
    stephenw10S

    @hacesoft said in Crash Reporter after the PfSense update from 23.05 to 23.09:

    it's faster to reinstall it than to repair it, that is, if the firewall is in place. ..

    Yup, that is often the case. Unless it's a known issue/workaround.

  • TAC-lite; Some questions and concerns

    1
    0 Votes
    1 Posts
    347 Views
    No one has replied
  • Upgrading to pfSense+ 23.09 broke my network

    Moved
    11
    0 Votes
    11 Posts
    1k Views
    stephenw10S

    Hmm. The client side is handled by dhclient and the associated script, it doesn't use either ISC dhcpd or Kea. So changing that should not have made any difference to the WAN.

    However if the WAN was pulling an invalid IPv6 lease perhaps then one of those might have been trying to use a bad prefix which would have caused problems. Switching between them may have cleared that.

  • 0 Votes
    7 Posts
    1k Views
    stephenw10S

    Yes, the gateway IP doesn't actually matter. For example my ISP here uses a private IP for the gateway but the WAN IP is public which is common for PPPoE.

    For other connection types though the gateway is almost always in the WAN subnet which implies if you see a private IP on the gateway you probably also have one on the WAN.
    If you see that it means something upstream is NATing the connection so incoming connections to the firewall would have to be forwarded through it.

    But even then the block bogons and block private subnets rules would not block traffic from remote clients.

  • pfsense sporadically gets stuck and needs manual reboot to recover

    5
    0 Votes
    5 Posts
    542 Views
    L

    @stephenw10 Indeed, was done by search&replace within a minute. I'm confident we have a stable system now again. Thank you!

  • Status / Monitoring - Thermal Graph Not Working

    5
    0 Votes
    5 Posts
    566 Views
    RobbieTTR

    Thanks guys, data reset as suggested and the issue was fixed. 👍

    ☕️

  • 4 LAN ports same ip range

    3
    0 Votes
    3 Posts
    430 Views
    johnpozJ

    @neil1454 said in 4 LAN ports same ip range:

    Just like a commercial router would work.

    You mean the soho wifi router you buy at the store or online - the ones that come with switchports, and not discrete interfaces..

    As mentioned by Steve - if you want switch ports use a switch.. Bridging interfaces is not a switch..

    Here's a typical block diagram of what makes up those routers you're talking about

    block.jpg

    Notice the "switch" that makes up what's inside of it..

  • Pfsense updated and rebooted itself

    20
    0 Votes
    20 Posts
    999 Views
    D

    @stephenw10 ok. If it happens again I think I need to reinstall.

  • Wireguard server and client

    7
    0 Votes
    7 Posts
    1k Views
    P

    Wireguard acts as an interface. If you are confident about routing configurations it is doable.
    I own a GL.iNet Beryl AX and let me say that Wireguard configuration is more or less the same (actually maybe a little bit simpler on GL.iNet).
    Not so immediate to setup a Wireguard client on both devices with NordVPN, but this is a specific provider issue...

  • Homekit doesn't work, no vlans

    5
    0 Votes
    5 Posts
    582 Views
    stephenw10S

    Yes you probably want filtering only on the bridge itself if you have just one subnet:
    https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html

    Otherwise you would need rules with the advanced option set to pass multicast traffic on each member interface.

    And with only one subnet you shouldn't need Avahi at all.

  • Manually download Encrypted config from Netgate

    4
    0 Votes
    4 Posts
    462 Views
    D

    @stephenw10

    Hi Steve, Thank you, you're a star. I simply used the device id & password on a spare appliance and was able to obtain the unencrypted config. Evidently, there is os corruption on the flaky box with the suspect msata drive. Thanks again ;-)

  • Searching network details related to pfsense updates

    4
    0 Votes
    4 Posts
    230 Views
    stephenw10S

    It should be sufficient to allow https to 208.123.73.0/24. As long as DNS works locally.

  • notification

    4
    0 Votes
    4 Posts
    509 Views
    S

    @vitor-connectsolution

    MS doc:
    https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365

    There are several caveats to their 3 options. To simplify everything, if you have a static IP it's by far easiest to use "option 3" on that page and set up a connector that allows relaying by IP. One can control access out by firewall rules.

    For "option 1" (username/password) you have to enable SMTP AUTH for your account or for your tenant, and use 587. In pfSense, despite the web page saying to set "TLS/StartTLS" to "enabled" you have to uncheck the TLS option and use 587 as @viragomann suggested.

    "option 2" also is easy to set up but you can only send to your domain...however you can set up a distribution list to send to external addresses.

    @Gertjan said in notification:

    microsoft.com really told you to use 465

    I think you misread, he said to use 587 not 465. :) Never mind I didn't realize you were responding to OP there.

  • pfsense on Compact flash?

    3
    0 Votes
    3 Posts
    488 Views
    stephenw10S

    Yup, it is still possible, I have some systems here running from CF. But, yes, you need to take steps to avoid excess writes. In addition to using UFS and ramdisks I would also remove the SWAP partition at install. Do not run packages that write a lot of logs.
    I will also add the CF is almost unbelievably slow! So be prepared for upgrades to take waaaay longer than you expect. Normal boot and running is fine though.

    Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.