    Netgate Discussion Forum • Popular
      Announcing pfSense plus
      Messages from the pfSense Team • dennis_s • 4 votes • 82 posts • 2364 views

      A

      What's the benefit for the community of these changes exactly?

      SG-1100 does not connect network drives in Windows 10
      General pfSense Questions • Antonio Briguglio • 0 votes • 57 posts • 163 views

      Antonio Briguglio

      Ok, half-solved: now the Fritz NAS works but the media server doesn't.
      Thanks everyone for the support :-))

      New hardware
      Off-Topic & Non-Support Discussion • JKnott • 0 votes • 47 posts • 154 views

      noplan

      @jknott

      my folks are checking this piece of hardware right now!
      thanks for the reminder.
      brNP

      Trying to figure out why redirect host is showing up in my ping
      General pfSense Questions • nosenseatall • 0 votes • 25 posts • 61 views

      johnpoz

      But not sending .118 down the vpn, shouldn't send it to your gateway.. Try splitting the whole local network 192.168.80.0/24

      Also when you do that - take a look at the route table

      route print

      from a cmd line

      IPv6 Help / tutorial / something please!
      IPv6 • maverickws • 0 votes • 25 posts • 159 views

      maverickws

      @JKnott ok sorry.
      Noob more in regard of IPv6 itself. I'm not a networking guy, I got a fair understanding of IPv4, but not so much about IPv6. And to that I must say: still a noob, and looking to learn.

      About the HOW, I'm sorry if that wasn't clear and I didn't get the hints to explain that part better, but it's out in the clear now I guess. I may have missed mentioning it was a datacenter, I just said "provider", my bad and I'm sorry for the confusion.

      I have 4 dedis with 2 pfSense routers. WAN is only connected to the pfSenses via vSwitch. All VMs get their connectivity through pfSense and are not host-bound.

      @Derelict I didn't mean to offend probably as much as you meant me. I already explained the "noob" part, but consider saying to someone:

      You should also probably paste EXACTLY what they are telling you instead of your interpretation of the same.

      It's like people (or me in this case) are stupid and can't interpret what we're told. Your comment was specifically about one's ability to understand a message and pass it on. People who can't understand a simple message and repeat it fall in such categories. Maybe you could have phrased it better. Anyway, please note I said it seemed, I am sure that's not what you meant, yet I felt the remark was due. I have been working with IT and customers for 14 years and I never made such a remark to any, despite how dumb I may think they are sometimes.

      Anyway I don't want to derail the topic to this, was just a comment.

      I'm still insisting with the DC so they give me a bigger prefix.

      pfsense / HE tunnel / client vm problem
      IPv6 • capt_scurrrvy • 0 votes • 25 posts • 112 views

      C

      @johnpoz
      Does that mean pfsense's router advertisement is not sending the information?

      IPv6 WAN configuration for static IP address range but gateway from RA message?
      IPv6 • JesperTreetop • 0 votes • 24 posts • 93 views

      JKnott

      @derelict

      Part of the problem is we have no idea what that ISP is doing (and maybe they don't either).

      OpenVPN + Keenetic: network behind the client not visible
      Russian • open vpn keenetic • Mahad • 0 votes • 23 posts • 23 views

      M

      @werter
      Thank you very much for the help!
      Enjoying the result.

      For those who run into a similar problem: you need to configure Outbound NAT from the local network to the remote one on the OpenVPN interface.

      pfSense on Hyper-V WAN IP Issue
      Installation and Upgrades • lispeedyg • 0 votes • 21 posts • 115 views

      provels

      @lispeedyg

      IPV6 Works on pfsense, but unable to get on LAN side
      IPv6 • enjawd • 0 votes • 20 posts • 97 views

      jwj

      @bob-dig Yes, which is why I encouraged connecting directly. Which worked. Still going to only get a /64. Many ISPs do that for reasons known only to them. Makes no sense at all...

      Second peer not passing traffic
      WireGuard • myms • 0 votes • 20 posts • 150 views

      stephenw10

      Yes. With multiple peers you need to set Allowed-IPs to determine which peer WG routes to.
      https://www.wireguard.com/#cryptokey-routing

      But to avoid confusion, 'Endpoint' is a WG term that defines the external IP.

      Steve

      SG-5100 Firewall logs disappearing
      General pfSense Questions • azdeltawye • 0 votes • 18 posts • 166 views

      A

      Well I think that was it!

      I disabled 'Log packets blocked by Block Bogon Networks rules' at 14:05 today. I just checked the filter log file and the last RTALERT and PADN entry occurred exactly at 14:06:01. Nothing but valid firewall events after that... Up until that point it was logging about 230 of those offending messages per hour.

      The funny thing is, I've always had that Bogon logging option enabled and never had a problem until now. My ISP is Comcast and, as mentioned in bug report #3494, Comcast appears to send ICMP6 Multicast Listener Report messages out on their system which get flagged as Bogon traffic by pfSense. I guess Comcast must have made some changes recently that increased the flow of this type of traffic...

      Anyway, glad we got to the bottom of it. Thanks again for all the help! No way I could have figured this out on my own...

      Routing issue or ?
      Routing and Multi WAN • ls112 • 0 votes • 18 posts • 93 views

      L

      @johnpoz I would agree. The Cacheboxes are capable of doing HTTPS caching we just haven't gotten around to enabling that yet. Summer project :)

      It still helps some right now:

      Invalid interface listen port
      WireGuard • bjc • 0 votes • 17 posts • 288 views

      S

      Hello!

      I am testing on :

      2.5.0-DEVELOPMENT (amd64)
      built on Mon Jan 25 09:13:15 EST 2021
      FreeBSD 12.2-STABLE

      Using Firefox 84.0.1 (64-bit)

      I don't see any form field validation happening and the code in wg_validate_post and wg_validate_peer will let you enter just about anything you want.

      I made a redmine issue with some stopgap code that might help. https://redmine.pfsense.org/issues/11311

      John

      Forwarding traffic from a LAN IP to another LAN IP
      General pfSense Questions • draand28 • 0 votes • 17 posts • 55 views

      bingo600

      @draand28

      Glad that you got it to work.

      Thank you for reporting back

      Home connection - external bandwidth.
      Routing and Multi WAN • Comfy • 0 votes • 16 posts • 116 views

      C

      @hieroglyph Bit of everything really so I'll post another one up! Thanks.

      Coturn behind pfSense (NAT)
      Deutsch • pixel24 • 0 votes • 16 posts • 78 views

      P

      That means I handle 3478 TCP via the proxy so that it ends up on 192.168.24.6:

      So that I can reach the TURN server on 3478 TCP from the LAN via turn.externaldomain.de:

      An alias for the UDP ports:

      These go via port forwarding to the local server:

      And outbound:

      Roku won't connect to internet if both of its MAC addresses are assigned the same IP
      DHCP and DNS • imthenachoman • 0 votes • 15 posts • 178 views

      JKnott

      @imthenachoman said in Roku won't connect to internet if both of its MAC addresses are assigned the same IP:

      I recognize that line from a Blood Hound Gang song. :)

      Newhart

      Check the cast.

      OpenVPN (pf is the client) stays disconnected overnight
      Deutsch • sebden • 0 votes • 15 posts • 77 views

      JeGr

      @viragomann said in OpenVPN (pf is the client) stays disconnected overnight:

      The Watchdog package should be able to handle this job in a much more targeted way. It monitors the VPN and restarts the service if necessary.

      Yes and no: that only monitors the service status, and when the server is up nothing gets restarted, because the process is running. What surprises me more is that the client doesn't re-establish the connection, since that is what the keepalive statement is for, and normally it works without problems regardless of platform.

      Specify outbound interface (priority) for WG
      WireGuard • JeGr • 0 votes • 13 posts • 129 views

      jimp

      @vbman213 said in Specify outbound interface (priority) for WG:

      Would policy routing This Firewall in a floating rule be used to push WG tunnel traffic over a preferred gateway or gateway group? There seems to be some discussion on Reddit suggesting that this is also possible too instead of changing the default gateway.

      Maybe, but that's always been a bit iffy -- It's worth trying, but if you do, carefully check the state table and packet captures to ensure that the traffic is exiting the correct interface with the correct address. A problem you might get into there is that it leaves, say, WAN2 with the source set to WAN1. Outbound NAT could work around that if it happens, but it's kinda ugly.

      The problem is that pf policy routing influences packets that are already fully formed and on an interface, whereas the routing table also influences source address selection for UDP packets. So sure policy routing can change how a packet exits, but it can't change the address from which WireGuard sends the packet.

      Cannot login to pfsense
      General pfSense Questions • wintok • 0 votes • 13 posts • 80 views

      W

      @stephenw10

      I have now enabled Kaspersky Security Network and it seems to have no issue logging in to pfSense

      Thanks again

      [pfB_PRI1_v4] Too many alerts out for "196.55.215.129", 443, 5222
      pfBlockerNG • rimaju • 0 votes • 13 posts • 398 views

      n3xus_x3

      I have the same problem, the smartphone does not have any type of root, the connections are many... For now I leave it blocked, there is no disservice at the moment.

      Difference between ????
      General pfSense Questions • xlameee • 0 votes • 12 posts • 210 views

      X

      @johnpoz hello

      I have 2 pfsense with bind connected via site to site openvpn :)

      I need my site 1 to be the master and site 2 to be the secondary

      I need site 1 to have all the zones on site 1 and site 2 as master zones

      The point is to add hosts only on site 1, which is the master, and have those entries synced to site 2 so I don't have to enter them on site 2 as well and can resolve them there too. Like the built-in resolver on pfSense (if I want to resolve a host on one site which is actually a host on site 2, I have to put an entry into the resolver on site 1). Right.

      :)

      and ... the rules which are confusing me

      What rules should I set so both sites can sync with this function or in any other way

      10G Odyssey
      Hardware • Voidrunner • 0 votes • 12 posts • 102 views

      stephenw10

      Ah, nice catch! Weird though.

      A guide for complete newbies?
      Deutsch • Sachte • 0 votes • 12 posts • 96 views

      T

      TV directly on the Fritz box via LAN

      I couldn't bring myself to connect a TV, possibly even one with Alexa and the like, directly to the Internet.

      Help trying to get EAP-TLS working (Pfsense / Unifi)
      Wireless • alnico • 0 votes • 11 posts • 57 views

      NogBadTheBad

      I'd try to get radtest working from the pfSense box first.

      WireGuard doesn't come up at boot
      WireGuard • dem • 0 votes • 11 posts • 77 views

      dem

      OK don't blame VirtualBox, blame me.

      I think the issue was that I didn't have "Hardware Clock in UTC Time" set in VirtualBox so the system clock was jumping when NTP kicked in which disrupted something, perhaps crypto-related.

      Sorry for my error.

      Pinging but not browsing - Pfsense
      General pfSense Questions • nachofest • 0 votes • 11 posts • 76 views

      stephenw10

      Ok, so the Ubuntu VM probably wasn't using DHCP before and didn't have any servers set so it couldn't resolve.

      Static routes...not as expected?
      Routing and Multi WAN • mmiller7 • 0 votes • 11 posts • 76 views

      M

      @derelict I've deleted my manually-entered static rules (but left the monitor IP and DNS); no change.

      Can Interface public key be made optional?
      WireGuard • dem • 0 votes • 10 posts • 75 views

      dem

      Thanks @jimp!

      Using PfSense as a GeoIP filtering appliance ONLY
      Firewalling • azon2111 • 0 votes • 10 posts • 79 views

      Gertjan

      @azon2111 said in Using PfSense as a GeoIP filtering appliance ONLY:

      self-hosted email where it actually thwarts quite a bit of spam messages

      I know all about that one.
      Back in the 'good old days' I said once to myself: I want to have my own domain names (private and company (a hotel)) and take care of my own mail, as using a mail server from somewhere else binds you to the mail reputation of the host. Shared mail can be great, and the next day you can't mail to gmail, or yahoo, or whatever. Or the other way around: one of the biggest (Belgian) mail suppliers, skynet.be (don't laugh), was often blocked, me not being able to do anything about it.
      So I went for the 'do it myself'.

      What I did: tell postfix to be far stricter than 'default' for the incoming mail:
      No reverse host name? => Hang up the phone.
      You say "Paul" but your reverse lookup says "Jack"? => assign a big penalty to start with (this one has an identity crisis / split personality / other issue).
      No SPF? => assign a big penalty to start with.
      No DKIM? => assign a big penalty to start with.
      No DMARC (and IPv6)? => assign a big penalty to start with.
      Mail with added files that are forbidden, like exe, com, docx, etc.? => Drop it.
      Then, with the already scored penalties, filter through spamassassin. And amavis - and razor. And more. If the mail is a winner => off to the spam box it goes.

      We have a guy called fail2ban that analyses the main postfix mail log 24h/24. For every mail that comes in, if the simple server-to-server transaction 'stinks' or the mail looks like spam, that mail server gets blacklisted at firewall level.
      This is the result. And this one to check for the reason why, as SSH connects, Apache2 connects etc. are also treated. Check out the "Postfix" tab for more details.
      After more than a decade, me doing close to nothing these days, 80 % of all mail is stopped right at the doorstep - reduced to a line in the mail log:

      Like: 2021-01-21 16:10:10 postfix : From host a.b.c.d : Hi - and bye.

      Take note: for me, blocking IPs based on a country is not possible, as our clients are from all over the world.
      Example: last month, some agency called Expedia (States based) started to use a bunch of IPv4, formerly known as "from Pakistan ....".
      What also happens is: I get mail from Egypt, Cairo. From a friend. Lives in Germany. Who forgot to shut down his VPN (he has a complicated life and many issues with things called "torrents").

      A GeoIP IPv6 database will probably never exist, as it wouldn't fit in our galaxy. 25 of all our incoming mail is IPv6. And as said in another thread this morning: my first IPv6 are already banned.
      Btw: I even added some domain names used by friends to my mail server, as I knew they would send and receive a lot of mail. That was just perfect to auto-train my anti-spam AI.

      All this beauty is available off the shelf, free, and keeps working over time.

      I use a dedicated IPv4 and IPv6 for each domain. This is VERY important.

      Also : self-hosted means for me : a 50 $ / month dedicated server in a big data center, as hosting behind an ISP line (our case) is a big no-no.

      Removing 127.0.0.1 as DNS?
      General pfSense Questions • lewis • 0 votes • 10 posts • 191 views

      L

      @johnpoz
      We do not always have the same skill levels at everything we do. Some things we know less about and know more about other things. That is the beauty of forums, after struggling to learn and try on your own, you hope that someone that does have the knowledge will step up and explain and not chastise.

      I'm not saying you chastised me but that each step learned from using pfsense is one that gives me some extra knowledge to know how to look for the next problem.

      Anyhow, in my case, I just want pfSense and all of the internal servers to use the local DNS servers. The firewall itself doesn't need to resolve or forward anything, it can use the locals as well. The problem was that it was adding 127.0.0.1 as the first nameserver for all of the DHCP hosts.

      mDNS Across VLANs
      L2/Switching/VLANs • shley008 • 0 votes • 9 posts • 58 views

      S

      @dennypage

      To be clear, mDNS traffic WILL still move across the network and is still accessible if you are connected to the 2.4GHz side of your SSID. The problem was actually pretty hard to trace out due to the sporadic nature and the fact that the traffic was present on the network. It's just that the WAPs drop it over the 5GHz side if the meshing is enabled.

      WireGuard Server Behind Home Router
      WireGuard • flynace • 0 votes • 9 posts • 191 views

      stephenw10

      'Real soon now!'

      But yeah, it is close. We had to disable the public snapshots while we got all the changes in order and there are still a few things that need to be resolved.

      Steve

      Can't enable DHCP on LAN
      DHCP and DNS • NotASpider • 0 votes • 9 posts • 33 views

      JKnott

      What do you mean you can't enable DHCP? You just click on the appropriate buttons to enable and select the address range. Are you saying you don't get a DHCP address at all? Or something doesn't work after you get an address? What happens if you use a static address & config?

      View traffic
      Russian • oxigen87 • 0 votes • 9 posts • 58 views

      werter

      @oxigen87
      Try netdata. A very clear visualisation of what pf is doing. And not only the network.

      https://forum.netgate.com/topic/155593/pfsense-netdata-verified-and-working-elegantly
      https://learn.netdata.cloud/docs/agent/packaging/installer/methods/pfsense

      IPv6 Dynamic Prefix with static suffix for LAN interface
      IPv6 • foerkede • 0 votes • 8 posts • 35 views

      F

      @bob-dig said in IPv6 Dynamic Prefix with static suffix for LAN interface:

      @foerkede Why would you? Best compatibility is to assign one /64 to your LAN via track interface. Then in the DHCPv6 Server on LAN you add a static mapping for one machine's DUID together with a hostname and an interface identifier of your liking. Now you can use that hostname in firewall rules, even after your prefix changed.

      Yes that's a good way to manage the clients in the network and I will probably do that.
      My idea was to set the LAN Interface IPv6 to a memorable address, like <prefix>::1 as you do in IPv4, so you can configure static IPv6 addresses more easily (gateway and DNS config).
      But I forgot that if the prefix changes, I have to change all the static addresses on the machines too. So the DHCPv6 solution seems to be the only good one if you don't get a static prefix from your ISP.

      Thanks for your fast and helpful input!

      SG-3100 - NAT rule for single Public IP
      Official Netgate® Hardware • Spearhead1 • 0 votes • 8 posts • 31 views

      S

      @teamits said in SG-3100 - NAT rule for single Public IP:

      Are you having the NAT rule create a linked firewall rule that allows traffic to 192.168.2.10:22? That should be the default.

      Confirmed, this was working automatically. Figured out it was the source port needing to be "any". Thanks!

      SG-2100 VLAN setup no internet
      Firewalling • drummerboyj • 0 votes • 8 posts • 62 views

      D

      @teamits and that was it. It's working now. I had turned off tagging on 5 earlier on OPT1 because I saw that the default LAN didn't have 5 tagged. Probably every time I did the setup there would always be one step I messed up, because on other attempts I had it tagged properly. Anyway, it's working now, thank you!

      add wireguard bgp route mode
      WireGuard • yon 0 • 0 votes • 8 posts • 124 views

      yon 0

      WG interface config with IPv4 and IPv6 addresses,
      e.g.: 10.0.0.102/32, 2a0d:2400:12:c::102/128
      but the interface only has IPv4.