• OpenVPN exits without restarting with exit-notify

    9
    0 Votes
    9 Posts
    9k Views
    jimp

    OpenVPN doesn't know "site-to-site" vs "remote access". It just knows point-to-point and point-to-multipoint ("server/client" mode). pfSense masks all that in terms users are more familiar with by changing the GUI options to make it more like what our users have expected and requested over time.

    Under the hood, a Remote Access VPN and Site-to-Site SSL/TLS VPN (with a tunnel network larger than a /30) operate in the same way using the client/server mode of OpenVPN.

    Exit notify only makes sense for UDP, since TCP will already know when a connection closes.

    If you re-read the OpenVPN man page with all that in mind, it makes more sense.

  • IPSec Phase 2 - "Automatically ping host" not working?

    10
    0 Votes
    10 Posts
    1k Views
    jimp

    We have a primary and secondary node. After these settings, it seems that the secondary tries to do something when it is not CARP Master... Or am I mistaken... I could not find the logs again...

    "Initiate at start" would not be compatible with an HA setup. In that case you'd probably want to force the HA side to be responder only.

    There is an issue open which may help here, the changes in https://redmine.pfsense.org/issues/12075 coming in the next release will automatically set the node in CARP BACKUP status to responder only no matter what the GUI is set to, which will work around that. When the CARP VIP transitions it will get switched back.

  • kernel panic since 2.5.2.r.20210615.1851

    18
    0 Votes
    18 Posts
    2k Views
    jimp

    You call that wanton abuse? :-)

    lotsostates.png

    (Not on my equipment, but from our test lab)

  • 2.5.2-RC CARP slowness

    Moved
    6
    0 Votes
    6 Posts
    864 Views
    J

    @jimp
    updated, no problems...

  • Traffic Graph shows wrong upload speed when QoS is enabled

    3
    0 Votes
    3 Posts
    418 Views
    coldfire7

    2021-07-02_11-17-49.png

    2021-07-02_11-15-52.png

    Updated to the latest version, still same.

  • pfTop hangs my GUI in 2.5.2 RC

    35
    0 Votes
    35 Posts
    6k Views
    T

    @jimp Great news! After 10 minutes test drive no problems. Hope 2.5.2 is released very sooooon. :-) The Multi Wan problem somehow, sometimes drives my IPSec VPN nuts. Like 10 packets go through, then 10 packets get dropped....

  • unbound:remote control failed ssl crypto

    3
    0 Votes
    3 Posts
    1k Views
    jimp

    There is a new snapshot up now (2.5.2.r.20210629.1350) which should be much better to test on. Update and give it a try.

  • VPN clients dropping frequently since 15th June release

    3
    0 Votes
    3 Posts
    415 Views
    jimp

    There is a new snapshot up now (2.5.2.r.20210629.1350) which should be much better here. Update and give it a try.

  • 0 Votes
    16 Posts
    2k Views
    K

    @jimp said in Support for IPv6 firewall entries with dynamic delegated prefix and static host address:

    While some people choose to only allow specific source hosts to specific destination hosts in a DB net, usually people don't get that fine-grained, either because the sources need to reach most if not all the resources in the target network, or because there aren't that many to bother with being that specific. Either way if someone has to get that complex with rules it's highly unusual for them to be using any kind of dynamic addressing like prefix delegation.

    Now that I can completely agree with! But may I suggest that you name the feature in another way? As this works with and without prefix delegation, and is more concerned about using a shortform (host part only) on interfaces.

    This is based on that I only understood the limit, when I read the source file, and realized it did not use my PD, but the network the interface was assigned even if it was static.

  • Redirecting Client DNS Requests does not seem to work

    4
    0 Votes
    4 Posts
    662 Views
    V

    @julio12345 Hi thank you for testing!

    Today I did a clean setup of 2.4.5 p1 and then upgraded to 2.5.2 RC. I can confirm that DNS redirect works indeed. It only seems to break when I upgrade my test system where a copy of my production environment is running...and that has a lot of specific config obviously.

    I will wait for a 2.5.2 image then so I can do a clean install and restore my configuration. See how that goes. The upgrade is no success for me I'm afraid.

    Again thanks for helping out!

  • Unable to check for updates

    12
    0 Votes
    12 Posts
    3k Views
    T

    @theonemcdonald Is fixed and am on 0.1.4 code.

    Ted

  • 2.5.1-RELEASE -> 2.5.2rc : XMLRPC method restore_config_section

    Moved
    11
    0 Votes
    11 Posts
    1k Views
    J

    @jimp
    Yes, it works.

  • VM no longer booting after 2.5.2 RC update

    10
    0 Votes
    10 Posts
    1k Views
    coldfire7

    @jimp Updated to a newer version. No crash so far.

    2.5.2-RC

  • 2.5.1 -> 2.6.0dev -> 2.5.2RC schedules syntax error

    Moved
    10
    0 Votes
    10 Posts
    1k Views
    4

    @jimp said in 2.5.1 -> 2.6.0dev -> 2.5.2RC schedules syntax error:

    killing the states when the schedule transitions

    Thanks again Jim. I've added that one too. I went in and did edit/save for each of the schedules last night.
    Schedule did turn off after I did that, will see if it kicks in tonight.

  • Early test results with 2.5.2 BETA

    16
    0 Votes
    16 Posts
    2k Views
    Cool_Corona

    I can move the widgets on the dashboard but I don't get the same cursor when hovering the rules or NAT, so I can't move them like the widgets.

  • ZFS - config.xml recovery fails

    8
    1 Votes
    8 Posts
    2k Views
    jimp

    Not quite ready to share all the details yet, but it is progress in making ZFS more "officially supported" in its integration compared to its more experimental nature in past releases.

    Since the layout can't be changed post-install, the groundwork needs to be laid there early.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.