• No Group RADIUS Authentication with Active Directory

    2
    0 Votes
    2 Posts
    634 Views
    jimpJ

    Take a packet capture of the RADIUS auth exchange. Load it up in Wireshark and inspect the reply from the AD server, see if it has the Class attribute and how it looks.

  • Allow user to choose gateway 'on the fly'

    12
    0 Votes
    12 Posts
    1k Views
    G

    Sorry for the delayed response…

    @johnpoz:

    "he wants to access the same site"

    That I think is still unclear.. I think it's more he wants to access site xyz wan 1, and then site abc via wan 2.  But sure it could access site xyz 1 time with wan 1 and then next time with wan 2, etc..

    This is exactly what I meant. Sorry for the broken English…

    Example: user 1 is a mobile user. He wants to connect to site "xyz.com" using wan 1. A few moments later, he wants to access this same site but using wan 2 without disconnecting from his actual LAN.

    As he does not have admin privileges he cannot access pfSense admin page to update his default gateway.

    @johnpoz:

    I think best way to do something like that would be with 2 proxies and then pointing your browser at specific proxy to use wan 1 or wan 2.

    This is a perfect workaround! I can set 2 proxies so users can choose which proxy to use. As each proxy is linked to a specific gateway the magic is done! Thanks a lot :-)

    kind regards

  • HOWTO: Automatic PPPOE connection reset in case of packet loss

    1
    0 Votes
    1 Posts
    533 Views
    No one has replied
  • Custom log rotation

    1
    0 Votes
    1 Posts
    313 Views
    No one has replied
  • 2.4.2 Connectivity Issues

    4
    0 Votes
    4 Posts
    912 Views
    X

    I believe my issues are related to the APU2 BIOS. I've rolled back all but one unit to BIOS V4.0.7. So far, no issues with those routers for the last few days. I haven't reinstalled any packages yet.

  • MOVED: Modifying URL via matching regex to rewrite url

    Locked
    1
    0 Votes
    1 Posts
    226 Views
    No one has replied
  • Supporting Let's Encrypt certificate generation and automated renewal

    6
    0 Votes
    6 Posts
    4k Views
    P

    I got it! Well, almost!

    From desec.io. But while fixing the shell script I wasted my 5 free attempts for this hour. You can add the proper TXT record with desec.

    I also had to install certbot, and its annoyingly long dependencies.

    After the temp ban is lifted (I think one hour) I'll let you know if I can really validate the service and install the cert.

    ----------------------

    Worked!

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /usr/local/etc/letsencrypt/live/xxxxxxx.dedyn.io/fullchain.pem
       Your key file has been saved at:
       /usr/local/etc/letsencrypt/live/xxxxxxx.dedyn.io/privkey.pem
       Your cert will expire on 2018-04-16. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
  • Issue after restart

    6
    0 Votes
    6 Posts
    868 Views
    B

    Tks for that. I was scared someone would say that :(

    Will try the same setup on another computer with 2 nice and see how it goes. Will update.

    Tks

  • 3 Routers setup how TO ???

    13
    0 Votes
    13 Posts
    842 Views
    NogBadTheBadN

    What is the model of the Linksys switch?

    What spec is the fiber?

  • 0 Votes
    2 Posts
    271 Views
    NogBadTheBadN

    They'll be under /var/log/snort :-

    [2.4.2-RELEASE][admin@pfsense]/var/log/snort: ls -alg
    total 100
    drwxr-xr-x  9 root  wheel    512 Jan  5 20:52 .
    drwxr-xr-x  7 root  wheel  1024 Dec 19 20:59 ..
    -rw-rw----  1 root  wheel      0 Dec 22 12:17 alert
    drw-rw----  3 root  wheel  4096 Jan 15 11:15 snort_igb0.256577
    drw-rw----  3 root  wheel    512 Jan 13 00:08 snort_igb0.343654
    drw-rw----  3 root  wheel  2048 Jan 15 00:20 snort_igb0.427080
    drw-rw----  3 root  wheel  3072 Jan 15 00:20 snort_igb0.516395
    drw-rw----  3 root  wheel  2048 Jan 15 00:20 snort_igb0.658303
    drw-rw----  3 root  wheel    512 Dec 19 21:10 snort_igb035478
    drw-rw----  3 root  wheel  12288 Jan 15 09:05 snort_pppoe054518
    -rw-rw----  1 root  wheel  56255 Jan 15 18:05 snort_rules_update.log
    [2.4.2-RELEASE][admin@pfsense]/var/log/snort:

    The entries in red are directories, the info is stored under here.

  • Intel CPUs Massive Security Flaw issue

    95
    0 Votes
    95 Posts
    27k Views
    w0wW

    Do not update microcode now, wait.
    @https://support.lenovo.com/ee/en/solutions/len-18282:

    Withdrawn Broadwell & Haswell CPU Microcode Update:  Intel provides the CPU microcode updates required to address Variant 2, which manufacturers like Lenovo then incorporate into their UEFI firmware. Intel has notified manufacturers of quality issues in the initial Broadwell and Haswell microcode updates with instructions to no longer distribute the affected microcode. As such, Lenovo has withdrawn previously issued UEFI firmware containing the affected Broadwell and Haswell CPU microcode. We will issue revised UEFI firmware updates as soon as possible following Intel’s release of revised Broadwell and Haswell CPU microcode. Servers affected by this issue are noted, below, as “Earlier update X withdrawn due to a microcode quality issue.”

    @robi:

    I'd love to see some general-purpose tool to edit BIOS files and update microcode inside them. Something that would know most BIOS formats, open the BIN file, advise which binary microcode file to choose, and compile a new image from it.
    Because most manufacturers won't care to release BIOS updates for motherboards older than 1-2 years.

    pfSense would also want to have a nice GUI somewhere to allow us to browse for a microcode pack we can download from Intel etc. and apply it at each boot at runtime. And write in the logs whether the runtime update was successful or not.

    It is not so simple. Every BIOS is copyrighted by AWARD, AMI and whoever else… Phoenix  ;D. So you just can't edit it without buying a proper license, and most manufacturers also use security checks. For example, I just cannot flash an edited BIOS into an Asus motherboard with standard methods — only the BIOS flashback function or hardware tools. There are also some special BIOSes like the ones HP uses for their enterprise-grade hardware.
    Even a not-so-universal tool for BIOS modding like UBU has had a copyright problem with AMI.

  • Sometimes no internet connection/extremely high ping

    1
    0 Votes
    1 Posts
    209 Views
    No one has replied
  • Does this have a menu?

    3
    0 Votes
    3 Posts
    333 Views
    jimpJ

    No, pfSense is still not able to use a user/pass for WAN 802.1x

  • Wan IP to multiple hosts

    5
    0 Votes
    5 Posts
    477 Views
    JeGrJ

    I would to like access my clients to the 3 virtual machines depending on the client.

    If by "depending on the client" you mean that you can identify your client by specific IP ranges/addresses, then it isn't that much of a problem. You can create Port Forwards with specific source addresses coming to the WAN IP to specific internal hosts. So for example:

    Src | Dst | NAT

    1.2.3.4/24 | <WAN IP> | 10.0.0.11 (Host 1 in DMZ)
    2.3.4.5/32 | <WAN IP> | 10.0.0.12 (Host 2 in DMZ)
    3.4.5.6/28 | <WAN IP> | 10.0.0.13 (Host 3 in DMZ)

    That is completely possible. Only if you want to allow access from ANY (whole internet) or you want to address the same host twice with a source already configured (e.g. 1.2.3.4/24 shall also access 10.0.0.12) that would only be possible with proxies of any kind.

    Otherwise just use different Forwardings for different clients :)

  • 0 Votes
    4 Posts
    520 Views
    F

    @Teo:

    Yes, I am accessing pfSense firewall sshd and web gui public IP from the LAN side.

    And you have answered your own question.

  • Pfsense <-> solaredge

    33
    0 Votes
    33 Posts
    7k Views
    stephenw10S

    If you're still having this issue I would go back to a very basic setup. No pfBlocker, no other packages. Check again. One of those things must be causing this problem.

    Steve

  • Suggestion: Two Improvements to Pfsense

    7
    0 Votes
    7 Posts
    579 Views
    K

    PfSense was never designed to be a replacement for a proper switch so don't expect it to perform like one.

  • Is this ethernet port setup possible?

    8
    0 Votes
    8 Posts
    522 Views
    GruensFroeschliG

    I assume you're still trying to work around this: https://forum.pfsense.org/index.php?topic=142665.msg777764#msg777764
    You'd get better responses if you'd actually described what you want to achieve instead of asking for random nonsense snippets.

    Read the link in my signature, and describe your problem accordingly.

  • Problem with internet On the LAN

    8
    0 Votes
    8 Posts
    646 Views
    R

    I haven't figured out your problem yet but this may give you something to check.  A website not being reached while Google.com is reachable can be a sign that IPv6 internet is working and IPv4 internet is not.  You could be reaching Google via the IPv6 internet only.

  • Out-of-order packets

    2
    0 Votes
    2 Posts
    424 Views
    JKnottJ

    ???
    What kind of packets?  With TCP, the packets are received and buffered while waiting for late packets to arrive.  With UDP, it's up to the app to decide what to do.  With some, it may also buffer in a manner similar to TCP.  Others, for example VoIP, will simply discard any packets that don't arrive in time.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.