Netgate Discussion Forum
    • Z

      GitLab CI (Docker on Proxmox LXC) Slow/Stuck with pfSense DHCP - Works with Static IP

      General pfSense Questions
      0 Votes
      1 Posts
      15 Views
      No one has replied
    • D

      Strange behaviour with alias firewalling: Pass is logged but traffic is blocked

      Firewalling
      0 Votes
      2 Posts
      54 Views
      D

      I managed to resolve my above issue and for anyone ending up with the same question:

      My issue was caused by a colleague who added a floating rule rejecting traffic coming from another alias, with logging disabled on that rule. Unfortunately that alias contained a different FQDN that resolved to the same IP as the removed FQDN.

      What is the important lesson here:

      Apparently the PF box handles floating rules AFTER interface rules. And since logging of that floating rule was disabled, the firewall log logged the allowed traffic from the interface rule, but blocked the traffic afterwards based on the floating rule with no logging! You end up seeing an allow in your log, but it is blocked in the end!

      This must be a culprit someone else will face one day or another :)

    • N

      [2.8.0] Limiter rule not honored on LAN download with multiple limiters & queues

      Traffic Shaping
      0 Votes
      4 Posts
      334 Views
      D

      I'm experiencing this issue as well. I've been watching for patches and new releases to see if this is resolved.

    • S

      pfSense and Squid going forward?

      General pfSense Questions
      0 Votes
      10 Posts
      351 Views
      JonathanLeeJ

      @JonathanLee https://github.com/pfsense/FreeBSD-ports/pull/1420

      I have tested this and it compiles. I do not know if anyone else has the ability to test this on pfsense dev mode, but here is the pull that sets the Makefile to use Squid 7. It took a long, long time to compile, and it removes Auth for SMB_LM.

    • JonathanLeeJ

      pfsense-tools.git clang gcc

      Development clang gcc pfsense-tools
      0 Votes
      12 Posts
      185 Views
      JonathanLeeJ

      If anyone wants to test this out

      https://github.com/pfsense/FreeBSD-ports/pull/1420

      I did get it to fully compile with the adapted Makefile. They disable SMB_LM, which has been removed.

    • S

      pfSense as Firewall/Router/Switch all in one - Layer 3 virtual interface?

      L2/Switching/VLANs switch svi virtual layer2 layer3
      0 Votes
      5 Posts
      154 Views
      C

      @spickles I would think the easiest way to replace a Cisco ASA 5505 would be to use pfsense as a firewall, not a router. Keep using your Cisco L3 switch. I do that at my home. I use a Cisco L3 switch and route between my L3 switch and pfsense. You lose pfsense control over your local network. This would not be an issue with you as you will already have that with your L3 switch.

      Set up pfsense with no vlans and keep all the vlans on your L3 switch. Then set up your firewall rules and static routes to your L3 switch.

    • luckman212L

      New Tunable: kern.crypto.iimb.enable_aescbc on fresh install

      Plus 25.07 Development Snapshots
      0 Votes
      14 Posts
      208 Views
      dennypageD

      I enabled my iimb by hand. Seems to work fine on my 6100.

      FWIW, the current documentation indicates that the default value of kern.crypto.iimb.enable_aescbc is 1 (enabled), although it has a warning that iimb can be slower than qat for cbc. I don't use cbc, so it doesn't matter in my case.

      I think the documentation is incorrect or outdated (at least for the 6100), as the code in /etc/inc/config.console.inc explicitly sets kern.crypto.iimb.enable_aescbc to 0.

      FWIW, there is also an interesting note on the qat/iimb trade-off earlier here. YMMV

    • P

      IPv6 disconnects after 1 minute on some LAN clients (pfSense Plus 24.11)

      IPv6
      0 Votes
      2 Posts
      34 Views
      U

      What is the difference between the device/PC that IPV6 works on and the ones that don’t? I would start with looking at the IPV6 settings on the devices/PCs that are having problems. I’m going to guess that your router advertisements are managed. Try stateless DHCP advertisements and see if that solves your problem.

    • bmeeksB

      Important Info: Inline IPS Mode with Suricata and VLANs

      IDS/IPS
      3 Votes
      24 Posts
      6k Views
      cyb3rtr0nianC

      @bmeeks So after upgrading to the newest PfSense 2.8.0 everything is now working like a charm!

      Suricata no longer seems to strip off tags like it did before! Which means I can now use my network segmented by VLANs and still use the benefits of Suricata Inline IPS! Very niiize!

      I checked in the Alerts section and it is indeed generating the correct alerts from the different VLAN sections, I put Inline IPS on the parent interface of all the VLANs.

      I assume this is because the FreeBSD version is also updated with the new PfSense 2.8.0 version?

      Because before, as soon as I selected Inline IPS mode, my entire VLAN tagging would break and nothing was reachable until I switched back to Legacy mode.