I tried some other tests but no luck. I am officially unable to apply that gateway

Auch eine nette Frage:
https://forum.netgate.com/topic/160289/running-comunnity-edition-on-netgate-hardware

Ist noch ganz frisch. Bin mal auf die Antworten gespannt.

Ok half-solved, now the fritz nas works but the media but the media server doesn't.
Thanks everyone for the support :-))

@jknott

my folks are checkin this piece of hardware right now!
thanks for reminder.
brNP

@werter Спасибо, лично мне помогло.

Hast du die Sense schon mal komplett neu installiert?

Hier simmt bei dir gewaltig was nicht.

Not sure if possible with udp.. And have never tried it with tcp either.. It is listed as an option, but not sure on the details of that option.

We can call in maybe @Derelict he would have better understanding here of these options. I would think ;)

@bmeeks said in Different ways to setup DNS over TLS:

That way I won't have to fight the streaming services blocking Hurricane Electric space. Really that's the biggest reason I disabled the HE tunnel.

I'm using he.net for years now, it works .... well.
Two major downsides, as you stated : Netflix saw my IPv6 (geo located in Paris) as some kind of VPN type of access. So I could access Netflix, but as soon as I pressed Play, an obscure error message showed : "Do not use a VPN".
This changed a couple of weeks ago : no more issues.
The other one, for me, was Apple's icloud : the access is ok, but impossible to see uploaded photos. they refused to show up in the browser. I presume that it was some silly 'javascript' issue that went ko on IPv6 addresses as Apple should be IPv6 for years now. I don't think Apple has peering issues with Huricane neither.
But icloud works fine now , since ... a couple of weeks.

Anyway, 'NoAAAA' exists as a Python extension for unbound to block listed AAAA domains, which helped. The same NoAAAA - as it is special kind of DNSBL - is now integrated in pfBlockerNG now. So if some site has IPv6 difficulties, it can be excluded from DNS.

Btw : I love this cdc.org DNNSEC graph ....how on earth admin people can actually let such a situation sustain ? Resolvers that do DNSSEC checking will -as they should - fail on DNSSEC enabled sites with broken DNSSEC. I presume a site as "cdc" is rather important these days.

Using he.net is actually slowing down my overall network performances, as close to 3k accounts are using the he.net POP in Paris. This can't be good for performance, as IPv6 traffic is preferred above IPv4.

@Operations : sorry for going way out of subject. If you have questions : ask ;)

@provels said in 2.4.5p1 ISO too large for CD:

Hard one of those on my 486.

I have two of these, I have kept them as objects of remembrance, hmmm:

+++edit:
MMX instruction set, hhuhuhuh

https://en.wikipedia.org/wiki/MMX_(instruction_set)

+++edit2:

I almost forgot and this: - horror GPU :)

https://en.wikipedia.org/wiki/S3_Savage

@r801248 any update on this?

A transit network is just a network that connects routers that has no hosts on it..

So pick a network, 172.16.0.0/30 works.. No need for more address. And connect the 2 routers with it..

This can be physical network, or just a vlan..

Here..

It removes the asymmetrical traffic flow..

When you have hosts on your transit, that do not do host routing for the downstream network. Or when the downstream router is not natting you run into this.

Well power MAX can for sure be misleading..

Great device to add to your tool belt, if you have any care to what devices draw.. Is a kill-a-watt meter..

Or a smart plug with power reading.. So you can plug a device in, and see what it actually draws.. Say leave it on the plug for 24 hours min.. And try and atleast use it a bit like you think you normally would..

Cost of elect can vary quite a bit.. But at the national average of like 12cents per kwh.. A 100W will cost you 100 Bucks a year. Not counting delivery cost of the elect as well, and taxes on that etc.. so going to be 100+ a year to run something that sucks 100w if left on 24/7/365

I have gotten pretty into how much something draws, even before I went solar.. So Im the blue line - guess when I went solar ;)

I always use to be above even my non efficient neighbors (all the networking/computer toys) ;) The part I like the most is where I am under the 0... This is where I produced more than I used.. Which is the goal..

On a Windows laptop you can indeed just use file explorer (smb) to connect to other Windows hosts and view their file shares.
You may need to enter the remote IPs directly. If you are passing a dns search domain to clients and pSense as a DNS server they may be able to resolve LAN side hostnames if pfSense is a the DHCP server there.
The hosts you are connecting to need to allow smb connections from the OpenVPN tunnel subnet of course.

Anything you can do from the Android phone locally on WIFI should also work over OpenVPN.
I don't know what you are trying there. I'm not sure I've ever tried to access smb fileshares on a phone. There may well be an app for that.

Steve

@gertjan Agreed. However, an email outage is not as tragic as it once would have been. I, and I suspect many others, don't see email as critical communications. It's the use of an email address as identity that is troubling. I regularly go days or weeks without sending an email. I do use email addresses multiple times everyday to logon to various services. 2FA is a band-aid at best, security theater most of the time.

@teamits said in 1Gbps from Modem to PC, capped at 30-40Mbps through pfSense?:

@girbot-0 said in 1Gbps from Modem to PC, capped at 30-40Mbps through pfSense?:

now shows the Speed and Duplex for this card. (it didnt for the other one.). It was set to auto which wasn't working. Setting it to 1000baseT Full made it magically work.

I would guess if the driver doesn't support speed changes it doesn't show. I poked around and on an SG-3100 the LAN doesn't have a speed dropdown...it's a switch so that is meaningless there (the WAN does).

If the port was supposed to autodetect at 1000/full and changing it to 1000/full improved things, I would be looking at the connection...is the patch cable cat 6, etc. IOW that implies autodetect sets to something the hardware can't handle. Autodetect will detect the fastest speed and if the cable is insufficient there will be lots of errors.

Well its weird because it DOES autodetect speed. But internet no work. When I hard set it to what it auto detects it as. It works.
There's nothing in between pfSense and the modem to troubleshoot. It's literally a 6 foot cat7 cable between the two. I tried two cables. Same results. I'm using the same cables for all my wired stuff and everything LAN wise is good.

If I hook up direct PC to modem I get 900+ download speed. pfSense, still around 500. No packet loss or anything. It's like a hard limit somewhere. I'll check the bios, maybe there's an update that might help... I donno.

I'll grab a $35 intel pcie nic off amazon and see if that helps i guess.

@jegr
Ja, da ist aber die VPN-Gegenstelle das Default Gateway. Denn genau da schickt die pfSense die Response-Pakete hin, wenn die Requests auf eine OpenVPN-Tab Regel erlaubt werden.

@sohei said in Internet Zugang für Amazon Kindle blockieren:

Alternativ statt nur DNS erlauben zu "LAN Address" eben alle Ports erlauben, dann kannst du vom Kindle Tablet auch noch die Sense UI aufrufen oder auch NTP machen statt nur DNS. Und wenn man mal ggf. mit HAproxy spielt, klappt auch das. :)

Das problem daran ist, dass der Kindle nicht nur auf den NextCloud Server zugreifen muss, sondern auch auf andere "Server" und "Dienste" welche (derzeit) alle im LAN Segment stehen. Das würde bedeuten, dass ich für jeden Dienst eine Regel erstellen müsste. Da diese ganze Konfiguration noch maximal dieses Jahr halten muss, ist mir diese Quick-and-Dirty Lösung ganz recht. Wenn wir dann im neuen Haus sind, wird sowieso richtig umgebaut und alle Server in eine DMZ verschoben.

Wie weiter oben schon mehrfach erwähnt: wenn der Kindle und 'die ganzen anderen Geräte im gleichen LAN' letzten Endes an einem Switch vor bzw. hinter der pfSense hängen dann sieht die pfSense das (an ihrem LAN) nicht und man braucht auch keine separaten Firewallregeln dafür. Das ist unnütz. Die Geräte reden über den Switch direkt miteinander.

Die Firewallregeln für den Kindle sind nur dazu da:

um DNS, DHCP und NTP der pfSense zu nutzen den gesamten restlichen Traffic zur pfSense und ausserhalb des LAN (eben auch den kompletten Internetverkehr) zu blockieren

@mcury

Wow way too much time spent on this lately but finally getting it to where I want it to be.

Vlan1: Management
This is the Lan off the pfsense firewall. It has access to pfsense gui, all switches, ap, vlans.

Vlan3: Server
Unraid server running plex, LMS, a few other things
Allowed: pfBLockerNG, DNS, Plex to HDHomeRun tuner on Vlan4, Internet
Blocked: Firewall & Internal communication.

Vlan4: Home Theater
Denon Receiver, (3) piCorePlayers, (2) Nvidia Shields, Xbox, (2) HDHomeRun Tuners
Allowed: pfBLockerNG, DNS, Plex players to Plex on unraid, piCorePlayer to LMS on unraid, Internet
Blocked: Firewall & Internal communication.

Vlan5: Work
Work laptop, (2) VOIPs
Allowed: pfBLockerNG, DNS, Internet
Blocked: Firewall & Internal communication.

Vlan8: Wireless
(2) Iphones
Allowed: pfBLockerNG, DNS, Internet
Blocked: Firewall & Internal communication.

Vlan9: Guest Wireless
(2) Chrome books, (2) iphones, (2) kindles, PicorePlayer, roku, PC
Allowed: pfBLockerNG, DNS, Internet
Blocked: Firewall & Internal communication.

Equipment:
Pfsense box: HP Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz, 16 gigs of ram, HP 4 port ethernet card - Packages running: aprwatch, iperf, nmap, ntopng, pfBlockerNG, RRD_Summary, Status_Traffic_Totals, Telegraf

Access Point: Netgear R7800 running Openwrt

Switches: TP-Link TL-SG1024DE, (2) TP-Link TL-SG108PE

Server: ASRock X99 Extreme3, CPU 2GHz 12 cores(24 HT), 32gigs ram
Unraid
Parity Drive: 4tb
15TB HD Space
Cache Drive for Dockers
Unassigned drive for VMs (Windows, Hassio, Linux)

Things still testing:
Iphone control while on Vlan8 to items in Vlan3(plex), Vlan4(Receiver, PiCorePlayers, Shields, Roku).

Verify anything in Vlans 3+ can't get to pfsense box, switches, APs, Server.

I am sure I am forgetting something.

@dr1co Perfeito, vamos interagir por lá, para que aquele tópico fique mais assertivo em relação a eventuais dúvidas que poderão surgir.

@JKnott ok sorry.
Noob more in regard of IPv6 itself. I'm not a networking guy, I got a fair understanding of IPv4, but not so much about IPv6. And to that I must say: still a noob, and looking to learn.

About the HOW, I'm sorry if that wasn't clear and I didn't get the hints to explain that part better, but its out in the clear now I guess. I may have missed mentioning it was a Datacenter I just said "provider" my bad and I'm sorry for the confusion.

I have 4 dedis with 2 pfSense routers. WAN is only connected to the pfSenses via vSwitch. All vm's get their connectivity through pfSense and are not host-bound.

@Derelict I didn't mean to offend probably as much as you meant me. I already explained the "noob" part, but consider saying to someone:

You should also probably paste EXACTLY what they are telling you instead of your interpretation of the same.

Its like people (or me in this case) are stupid and can't interpret what were told. Your comment was specifically about one's ability to understand a message and pass it on. People who can't understand a simple message and repeat it fall in such categories. Maybe you could have phrased better. Anyway, please note I said it seemed, I am sure that's not what you meant, yet I felt the remark was due. I have been working with IT and customers for 14 years and I never made such a remark to any, despite how dumb I may think they are sometimes.

Anyway I don't want to derail the topic to this, was just a comment.

I'm still insisting with the DC so they give me a bigger prefix.

@johnpoz: I just responded to @DaddyGo’s religious statement about beauty and mathematics in his signature. It was just a “BTW.”

I finally get it to work!!

It was a problem with a configuration of an IPSec tunnel that I had previously on one end.

It turns out that although it was disabled, it has configured the subnet 10.0.18.0/24

So I assume that this configuration is not supported and having the same subnet on these different services could cause the issue.

Thanks @viragomann for your help :) I really appreciate mate

@johnpoz
Does that mean pfsense's router advertisement is not sending the information?

@derelict

Part of the problem is we have no idea what that ISP is doing (and maybe they don't either).

Problem is solved, it looks like suricata was blocking my machine somehow.

@werter
Спасибо большое за помощь!
Наслаждаюсь результатом.

Для тех, кто столкнётся с подобной проблемой - надо прописывать Outbound NAT с локальной сети на удалённую на интерфейсе OpenVPN.

If I had to "guess" prob something stupid like pointing all rfc1918 routes to the gateway and removing the local route...

I had asked to see the route table had I not ;)

Kommt drauf an wer den VPN Dienst betreibt.

Ggf. ist das ja wie JeGr sagte, eine Tochter, der Tochter des Neffen der Cousine des Schwagers der NSA oder GVU.
Dann lieferst du denen deinen Kopf frei Haus

Ich nutze die DNS die ich von meinem Provider erhalte.

Google weiß ja schon was ich wann gesucht habe, die brauchen dann nicht auch noch jede einzelne DNS Abfrage von mir Archivieren.
Wobei das ggf. praktisch ist, wenn ich die voll indiziert durchsuchen könnte, sollte ich mal wieder ein Lesezeichen vergessen haben zu setzen.

Oder ich vor lauter Taps den richtigen nicht mehr wieder finde.

Hinterfrage einfach, warum jemand für 3-5€ im Monat deinen ganzen Datenverkehr bei sich durch ein Monster AES Device jagen sollte ohne dann daran ein Interesse zu haben.
In Zeiten von Big Data?
Der dann ggf. noch im Ausland sitzt und unter Recht von Staat xyz steht?

Da vertraue ich lieber meinem Provider der sich an die DSGVO halten muss.

Ah, nice!

@johnpoz Got it, thanks :)

@piba @stephenw10
Ok you convinced me. Updated the subnet.

I'm still unsure if its related to the Virtual IP or not (I don't believe it is) but I have been running into a issue when I try to join a second K8S control-plane node to the cluster. It runs through its join process and then seems to lose a connection and ends up killing the cluster. You can see a post I made about it here on ServerFault if you want. Assuming the issue is not VIP related, then I would say this Netgate forum thread is closed. Thank you everyone again for your help in this matter!

@JKnott @Derelict
Thank you guys.

I am passed this issue, everything is almost fine, after I added that specific link local, the ISP has sent me. My only problem is that the interface clients don't communicate between each other (for the time being, ping). The internet communicates with them, from anywhere, they communicate with the internet, but not between each other. I mean clients from one interface with clients from another interface. Clients within the same subnet talk to each other just fine.
The very first thing I tried is adding an allow from any to any firewall rule on IPv6 for both interfaces, all protocols, first rule from top to bottom, but nothing..

@elmnts Yes, I'll certainly re-install when the next version appears, or soon after, probably on a day when I'm at home by myself, and I've got a few hours to do some testing without danger of upsetting my partner's television viewing or internet use!

As I said, it isn't really urgent because I'm not running an environment where there is a particularly high risk of a user going somewhere they shouldn't or being hijacked, but it is nice to know the protection is there, particularly when life gets back to normal and we have visits from the younger family members who are all over social media!

@lispeedyg

@nocling said in Unifi Cloud Account Zwang - CloudKey Firmware 2.x:

Das hatte ich ja und da der UI Accound der Gerätebesitzer wird, kommst du nicht mehr dran.

Ah deshalb, ich hatte nie einen UI Account bis zur Firmware 2.x und einer Neuinstallation an einem anderen Standort, sonst hätte ich das gar nicht gemerkt.

Bonjour,

Je ;e suis penche sur les docker, c est pas mal en effet !
j ai pu sur une seule vm mettre plusieurs containers "proxy" pour aller taper sur ceux de la dmz.
Me reste a faire pareil pour la dmz. De ce que j qi pu lire , pfsense sous docker cq marchent pas top..
Merci en tout cas.

Sujet clos avant que ca ne degenere plus.

@bob-dig Yes, which is why I encouraged to connect directly. Which worked. Still going to only get a /64. Many ISPs do that for reasons known only to them. Makes no sense at all...

@johnpoz said in outlook not downloading folders:

Still not really understanding the exact issue.

That's why I asked OP whether OP forgot to login! It appears not a pfSense issue.

I used the 'Reinstall all packages' button from Diag > Backup & Restore for this on the my edge box. No problems I noted.

Steve