Netgate Discussion Forum: Popular topics
    • Intervlan traffic being blocked
      Firewalling | 35 Posts | 0 Votes | 258 Views
      Latest post by johnpoz:

      @greatbush I have no idea what is going on to be honest - if your rules allow it, and traffic is getting there.. you should get an answer.

      Your routing table shows the interfaces there.. Only thing that comes to mind is something wrong with the tag. But you're doing the packet capture on the actual vlan interface right, not the parent interface?

      You can ping pfsense IP on the S interface right?

    • VPN performance with S2S
      Deutsch | 14 Posts | 0 Votes | 500 Views
      Latest post:

      You can't compare that, since the protocols in use here negotiate the MTU/MSS on their own.
      With VPN you just have to implement that cleanly yourself, and an MSS of 1328 is the one that always works, because even with PPPoE and DS-Lite it is large enough for the packets to pass through cleanly without fragmentation.

    • Should my dhcpv6 clients also get a /64 address?
      IPv6 | 26 Posts | 0 Votes | 186 Views
      Latest post:

      @JKnott said in Should my dhcpv6 clients also get a /64 address?:

      @Gertjan said in Should my dhcpv6 clients also get a /64 address?:

      In a pure SLAAC setup you could even disable the DHCPv6 server. (Never tried this, I hope I don't say stupid things here)

      I have never enabled it. Just enable RDNSS to provide the DNS server address. That's the Enable DNS setting, under DNS configuration, on the Router Advertisement page.

      That approach seems to work: just stopped dhcpv6 servers on all interfaces, and addressing and net functionality seems unchanged.

      Well, that is simple. Thanks!

    • Squid on 2.8
      Problems Installing or Upgrading pfSense Software | 10 Posts | 0 Votes | 369 Views
      Latest post by Gertjan:

      @jc1976 said in Squid on 2.8:

      upgrade an issue developed between suricata, pfblocker, and unbound. when i disable the two packages, all works fine

      Let's consider :
      If you leave the 'unbound' (the resolver) settings to "all default", the way you found them when you first installed pfSense.
      You remove / don't install the extra stuff = suricata and pfblocker.
      Then : no issues whatsoever.
      Right ?

      This means your issue isn't "pfSense 2.8.0" or the upgrade. It's an 'ordinary' package settings issue - call the admin 😊

      Tell your boss that suricata can only filter non TLS traffic **, something that doesn't exist anymore. Check for yourself : who visits http (port 80) sites these days ? Who collects mail using port 110 ? Who sends mail using port 25 ?
      Imho : suricata, for what it's worth, can't do much these days, it can 'see' the data payload in the packets. Everything is TLS these days.

      ** It is possible to do TLS filtering, but that demands a 'proxy' setup, making you a real expert.

      pfBlockerng is blocking you, DNS or something else ? That's an easy one, and rather simple to debug.

    • New Tunable: kern.crypto.iimb.enable_aescbc on fresh install
      Plus 25.07 Development Snapshots | 13 Posts | 0 Votes | 169 Views
      Latest post:

      @luckman212 said in New Tunable: kern.crypto.iimb.enable_aescbc on fresh install:

      I did a fresh USB wipe and reinstall to get here, so these are "default" settings I think...

      You should be good now, for wireguard. 👍

    • Can't access port-forwarded/natted services from another local network
      NAT | 5 Posts | 0 Votes | 14 Views
      Latest post:

      @johnpoz I see, thanks for explaining and the help!

    • Vodafone UK - IPv6
      IPv6 | 4 Posts | 0 Votes | 103 Views
      Latest post by patient0:

      @ashleygavin said in Vodafone UK - IPv6:

      What error do you get if you wget -6 a website?
      And you have the two default LAN firewall rules, one for IPv4 and one for IPv6, and only the LAN net? On WAN you won't need any rules for accessing internet. And do you see open states for the (web) connection?

      NAT would not be a topic for IPv6 in the default config.

    • 25.07.r.20250715.1733 - incorrect help link on System → Advanced → Netgate Nexus
      Plus 25.07 Development Snapshots | 2 Posts | 1 Vote | 46 Views
      Latest post by stephenw10:

      Hmm, I thought we'd fixed that. Let me see...

      Ah, maybe not: https://redmine.pfsense.org/issues/16207

    • NAT Reflection Issue with Dual WAN Setup in pfSense 2.7.2
      General pfSense Questions | 6 Posts | 0 Votes | 83 Views
      Latest post by stephenw10:

      The default LAN to any rule should pass that traffic.

      What rule did you add exactly?

    • Issue with ACME Certificates Refresh & Restarting HAProxy
      ACME (tags: acme, haproxy) | 5 Posts | 1 Vote | 2k Views
      Latest post by Gertjan:

      @EChondo

      What's your pfSense version ?
      The instructions are shown here (screenshot attached):

      A restart of a service will start by re-creating their config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

      @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

      I haven't been able to confirm if the above works (mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

      No need to wait x days.
      You can re-test / renew right away, as you are 'allowed' to renew a couple (5 max ?) of times per week.

    • web GUI unresponsive after restoring config from SG-5100 to 8200
      webGUI | 2 Posts | 0 Votes | 26 Views
      Latest post:

      @dlogan From the console restart the webconfigurator and/or PHP. Check the logs?

    • Installing 2.8 behind archaic PPPoE/VLAN from CenturyLink
      General pfSense Questions | 5 Posts | 0 Votes | 175 Views
      Latest post by stephenw10:

      @jhg said in Installing 2.8 behind archaic PPPoE/VLAN from CenturyLink:

      Is this available yet?

      It's in testing now. No issues so far, so it should be available soon.

    • Private WLAN
      Development | 3 Posts | 0 Votes | 144 Views
      Latest post:

      @johnpoz OK, good to know about the one-interface setup. I didn't expect the block rfc1918 removal would allow access to the webConfigurator all by itself. I said that the block being applied meant that none of the rules I added from the shell command line had any effect.

      Look, I've run the same 2.8.0 setup off the Netgate installer ISO many times now, with the result being a genuine case of "mileage may vary". The latest two times, one on each VM on which I faithfully reproduced exactly the VM setup specified in the Netgate documentation about installing on a Proxmox VM, both ran the installation to completion, but when the installed version booted it never completed; it just sat there, as it turns out, waiting for input. I noticed, just before it scrolled off the screen with startup messages, that the question usually asked if you assign interfaces from the console menu (should VLANs be set up at this stage, or something like that) was being asked, so I entered no and it asked me to identify which NICs the WAN and LAN were on. Those are questions the installer asked and used, so why would they be asked again during bootup? To make matters worse, the answers I provided to the installer were completely ignored and defaulted to the WAN getting an IP from DHCP and the LAN on a static IP of 196.8.1.1/24 with DHCP enabled. I reassigned the IPs once the console menu was up and enabled SSHd, but could not get SSH access from the LAN port until I went in through the console and ran pfctl -d; then it connected without a hitch.

      Another variance I noticed is that whenever I selected during setup to use a local resolver, it could never connect to the Netgate servers. I recently had trouble going from 2.7.2 to 2.8.0 on my internet-facing pfSense, which rendered my email servers broken. Eventually I got tipped off that the new default setting that binds state policy to the interface was causing the problem. So my primary pfSense has that option back to the floating option (it was an impossible mission to set the option in the advanced section of each firewall rule that might be impacted, since setting that option does not cause the gear icon to appear indicating that advanced options are in effect; but I painstakingly went through every rule twice and ensured the setting is on for all the rules). Still, it required the default to be changed back to floating before it would allow the mail servers to run their own recursive resolvers as they insist on doing. In both the VMs I installed since, I had tremendous difficulty getting the rules I add to work. The only way past it was to keep running pfctl -d while making changes to anything, or else the configurator would just time out and even the pings I had running on another screen would stop. These instances being behind the real firewall, I was happy to disable the firewall temporarily to get by, but didn't want to disable it permanently in the advanced option, so I kept trying to set up rules where things kept working when I ran pfctl -e. I was disappointed every time, until I went to the state policy global setting and changed that to the floating option; then everything started working as expected. What it basically means, from what I can see, is that the installer cannot even set up 2.8.0 as a recursive resolver, and that cursed state policy setting it introduced breaks a lot more things than just multi-WAN setups. So much so that either not even the installer knows what it needs to do, or 2.8.0 is just broken, period.

      pfSense has been a fantastic product for a long time, especially for people who don't identify as network engineers but need to get a job done. By comparison to the MikroTik community, which is outright toxic even with their fellow network engineers, the pfSense community and documentation were extremely accommodating to underinformed people such as myself. It is an absolute shame to see that getting diluted by buggy features, undocumented behaviours and a switch to make the Netgate installer the only means to get the Community Edition, when the installer does such a messed-up job of it in the first place.

      Part of what I'm saying is that the anti-lockout rule on the LAN interface wasn't having any effect whatsoever until I changed the state policy to floating, so even with the one-interface install option it would have been exactly the same thing regardless of the block rfc1918 setting. I'll try that next time and give you more feedback if you're going to be able to get something done about it. I don't know what your role and capability entail, perhaps you're just another user like me, but I can tell you this. You gave me feedback from a position of authority, saying things that in practice do not match what I've experienced and am still experiencing. It's like there's no regression testing for new releases or the installer to catch stuff that does not work as assumed in the manual, the release notes, or by the developers themselves. It genuinely pains me to see pfSense in such a steep decline, quality-wise, and I feel sorry for those who pay through their noses for the Plus version, which is sure to have the same issues, made worse by the paid support people not knowing about the root causes either. I used to be absolutely convinced that once I had the means I'd upgrade my entire operation to high-throughput Netgate devices running pfSense+, but as it stands it will be better for my business to hire a network engineer and buy the Cisco or MikroTik devices they swear by. I'm sure you can see what a bad marketing outcome that is. Poor quality will kill Netgate's feeder market, driving people away to OPNsense and, when they need it, Cisco or Juniper or MikroTik, which come with qualified engineers to get the results they used to get for themselves on pfSense.

    • [Solution wanted] mDNS (Bonjour) across VLANs with pfSense, Avahi & UniFi – Plex Amp Headless & Roon Core Discovery
      Allgemeine Themen | 2 Posts | 0 Votes | 38 Views
      Latest post:

      @sub2010

      Does anyone have any other ideas?

    • System - Package Manager - Available Packages
      Italiano | 2 Posts | 0 Votes | 25 Views
      Latest post:

      On the pfSense web GUI go to Diagnostics and then Command Prompt; in the "Execute Shell Command" box type the following command: certctl rehash
      Wait for the output, then re-check the updates or the packages and it should work.
      pfSense 2.7.0 is an old version, so I think you should upgrade to version 2.7.2 and then to version 2.8.0; before doing anything, remember to save the XML file of your current pfSense configuration.

      Regards

    • Advice on SFP+ modules for 6100
      Hardware | 3 Posts | 0 Votes | 259 Views
      Latest post by luckman212:

      @NOCling How do you "flash" these modules?

    • 25.07.r.20250709.2036 First Boot WireGuard Service not running
      Plus 25.07 Development Snapshots | 37 Posts | 0 Votes | 463 Views
      Latest post by Bob.Dig:

      @stephenw10 Today I rebooted the host (Hyper-V) and had no problem at all. Don't know if this points towards being a weird virtualization issue... But then, why would WireGuard be affected...

    • [RESOLVED] IPSec tunnel OK but routers can't ping each other
      IPsec | 6 Posts | 0 Votes | 15k Views
      Latest post:

      @nicolasfo said in [RESOLVED] IPSec tunnel OK but routers can't ping each other:

      You can know everything about everything thanks to Google. But if you don't know what to search, it is useless.

      The problem is resolved, by adding a bogus route, by hand.

      Here's the explanation :

      https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN

      Thanks for help

      Oh my god this worked! Created an account just to say THANK YOU for this. I have a pfSense<->Unifi connected via IPSec. Applying it on the pfSense side makes pfSense->Unifi direct gateway/FW connection possible. Applying it on the Unifi side made my IPSec work perfectly.

      Again, thank you!

    • Connections/states DROP when changing web configurator COLOR!!
      Development | 1 Post | 0 Votes | 20 Views
      No one has replied
    • Vodafone UK IPv6 Configuration
      IPv6 | 18 Posts | 0 Votes | 3k Views
      Latest post:

      @drodgers Hey. I'm going through this exact thing now with Vodafone and pfSense and struggling. I've replicated your settings but it seems very intermittent.

      My clients get ipv6 addresses and can ping out fine, however browsing these forums dies because it responds with an ipv6 address.

      For some reason as soon as I enable ipv6 netflix and paramount also stop streaming 🤦 They browse fine but as soon as you try to play a video it's a no go.

      Any ideas or pointers please or could you post your most recent working config please?