Ok half-solved, now the fritz nas works but the media but the media server doesn't.
Thanks everyone for the support :-))

@jknott

my folks are checkin this piece of hardware right now!
thanks for reminder.
brNP

But not sending .118 down the vpn, shouldn't send it to your gateway.. Try splitting the whole local network 192.168.80.0/24

Also when you do that - take a look at the route table

route print

from a cmd line

@JKnott ok sorry.
Noob more in regard of IPv6 itself. I'm not a networking guy, I got a fair understanding of IPv4, but not so much about IPv6. And to that I must say: still a noob, and looking to learn.

About the HOW, I'm sorry if that wasn't clear and I didn't get the hints to explain that part better, but its out in the clear now I guess. I may have missed mentioning it was a Datacenter I just said "provider" my bad and I'm sorry for the confusion.

I have 4 dedis with 2 pfSense routers. WAN is only connected to the pfSenses via vSwitch. All vm's get their connectivity through pfSense and are not host-bound.

@Derelict I didn't mean to offend probably as much as you meant me. I already explained the "noob" part, but consider saying to someone:

You should also probably paste EXACTLY what they are telling you instead of your interpretation of the same.

Its like people (or me in this case) are stupid and can't interpret what were told. Your comment was specifically about one's ability to understand a message and pass it on. People who can't understand a simple message and repeat it fall in such categories. Maybe you could have phrased better. Anyway, please note I said it seemed, I am sure that's not what you meant, yet I felt the remark was due. I have been working with IT and customers for 14 years and I never made such a remark to any, despite how dumb I may think they are sometimes.

Anyway I don't want to derail the topic to this, was just a comment.

I'm still insisting with the DC so they give me a bigger prefix.

@johnpoz
Does that mean pfsense's router advertisement is not sending the information?

@derelict

Part of the problem is we have no idea what that ISP is doing (and maybe they don't either).

@werter
Спасибо большое за помощь!
Наслаждаюсь результатом.

Для тех, кто столкнётся с подобной проблемой - надо прописывать Outbound NAT с локальной сети на удалённую на интерфейсе OpenVPN.

@lispeedyg

@bob-dig Yes, which is why I encouraged to connect directly. Which worked. Still going to only get a /64. Many ISPs do that for reasons known only to them. Makes no sense at all...

Yes. With multiple peers you need to set Allowed-IPs to determine which peer WG routes to.
https://www.wireguard.com/#cryptokey-routing

But to avoid confusion 'Endpoint' is a WG term the defines the external IP.

Steve

Well I think that was it!

I disabled 'Log packets blocked by Block Bogon Networks rules' at 14:05 today. I just checked the filter log file and the last RTALERT and PADN entry occurred exactly at 14:06:01. Nothing but valid firewall events after that... Up until that point it was logging about 230 of those offending messages per hour.

The funny thing is, I've always had that Bogon logging option enabled and never had a problem until now.. My ISP is Comcast and like the mention in bug report #3494, Comcast appears to send ICMP6 Multicast Listener Report messages out on their system which get flagged as Bogon traffic by pfSense. I guess Comcast must have made some changes recently that increased the flow of this type of traffic...

Anyway, glad we got to the bottom of it. Thanks again for all the help! No way I could have figured this out on my own...

@johnpoz I would agree. The Cacheboxes are capable of doing HTTPS caching we just haven't gotten around to enabling that yet. Summer project :)

It still helps some right now:

Hello!

I am testing on :

2.5.0-DEVELOPMENT (amd64)
built on Mon Jan 25 09:13:15 EST 2021
FreeBSD 12.2-STABLE

Using Firefox 84.0.1 (64-bit)

I dont see any form field validation happening and the code in wg_validate_post and wg_validate_peer will let you enter just about anything you want.

I made a redmine issue with some stopgap code that might help. https://redmine.pfsense.org/issues/11311

John

@draand28

Glad that you got it to work.

Thank you for reporting back

@hieroglyph Bit of everything really so ill post another one up! Thanks.

Das bedeutet 3478 TCP handhabe ich mittels Proxy damit er auf der 192.168.24.6 landet:

Damit ich den Turn-Server 3478 TCP aus dem LAN unter turn.externaldomain.de erreiche:

Einen Alias für die UDP-Ports:

Diese per Port-Forwarding auf den lokalen Server:

Und ausgehend:

@imthenachoman said in Roku won't connect to internet if both of it's MAC addresses are assigned the same IP:

I recognize that line from a Blood Hound Gang song. :)

Newhart

Check the cast.

@viragomann said in OpenVPN (pf ist Client) bleibt über Nacht getrennt:

Diesen Job sollte das Watchdog-Package weitaus gezielter erledigen können. Es überwacht die VPN und startet den Service ggf. neu.

Jein, das überwacht ja lediglich den Service Status und wenn der Server Up ist wird da auch nichts neu gestartet, weil der Prozess ja läuft. Mich wundert eher, dass da der Client die Verbindung nicht wieder aufbaut, denn dafür ist das Keepalive Statement zuständig und das funktioniert im Normalfall problemlos egal auf welcher Plattform.

@vbman213 said in Specify outbound interface (priority) for WG:

Would policy routing This Firewall in a floating rule be used to push WG tunnel traffic over a preferred gateway or gateway group? There seems to be some discussion on Reddit suggesting that this is also possible too instead of changing the default gateway.

Maybe, but that's always been a bit iffy -- It's worth trying, but if you do, carefully check the state table and packet captures to ensure that the traffic is exiting the correct interface with the correct address. A problem you might get into there is that it leaves, say, WAN2 with the source set to WAN1. Outbound NAT could work around that if it happens, but it's kinda ugly.

The problem is that pf policy routing influences packets that are already fully formed and on an interface, whereas the routing table also influences source address selection for UDP packets. So sure policy routing can change how a packet exits, but it can't change the address from which WireGuard sends the packet.

@stephenw10

I have now enabled Kaspersky Security Network and it seemed to have no issue login to pfsense

Thanks again

I have the same problem, the smartphone does not have any type of root , the connections are many... , for now I leave it blocked, there is no disservice at the moment

@johnpoz hello

I have 2 pfsense with bind connected via site to site openvpn :)

I need my site 1 to be the master and site 2 to be the secondary

I need site 1 to have all the zones on site 1 and site 2 as master zones

The point is to add hosts only on site 1 witch is the master and those entry to be synced to site 2 so I don't have to enter them on site 2 also to be able to resolve them there as well. Like the build in resolver on pfsense (if I want to resolve host on site witch is actually host on site 2 I have to put entry into the resolver on site 1) Right.

:)

and ... the rules witch are confusing me

What rules should I set so both sites can sync with this function or in any other way

Ah, nice catch! Weird though.

TV direkt an der Fritte per LAN

Einen TV eventuell gar mit Alexa und Co. direkt ans Internet zu hängen, würde ich nicht übers Herz bringen.

I'd try to get radtest working from the pfSense box first.

OK don't blame VirtualBox, blame me.

I think the issue was that I didn't have "Hardware Clock in UTC Time" set in VirtualBox so the system clock was jumping when NTP kicked in which disrupted something, perhaps crypto-related.

Sorry for my error.

Ok, so the Ubuntu VM probably wasn't using DHCP before and didn't have any servers set so it couldn't resolve.

@derelict I've deleted my manually-entered static rules (but left the monitor IP and DNS); no change.

Thanks @jimp!

@azon2111 said in Using PfSense as a GeoIP filtering appliance ONLY:

self-hosted email where it actually thwarts quite a bit of spam messages

I know all about that one.
Back, in the 'good old days' I was said ones to myself : want to have my own domain names (private and company (a hotel)) and taking care of my own mails, as using a mail server from some where else binds you to the mail reputation of the host. Shared mails can be great, and the next day you can't mail to gmail, or yahoo, or whatever. Or the other way around : one of the biggest (Belgium) mail suppliers, skynet.be (don't laugh) was often blocked, me not being able to do anything about it.
So I went for the 'do it myself'.

What I did : tell postfix to be far more stricter as 'default' : for the incoming mail :
No reverse host name ? => Hang up the phone.
=> You say "Paul' but your reverse lookup says "Jack" >= assign a big penalty to start with (this one has a identity crisis / split personality / other issue )
No SPF ? => assign a big penalty to start with.
No DKIM ? => assign a big penalty to start with.
No DMARC (and IPv6) => assign a big penalty to start with.
Mail with added files that are forbidden, like exe, com, docx, etc etc ? => Drop it.
Then, with the already scored penalties, filter through spamassassin. And amavis - and razor. and more. If the mail is a winner => off to the spam box it goes.

We have a guy called fail2ban that analyses the main postfix mail log 24h/24. For every mail that comes in, and the simple server to server transaction 'stinks'or the mail looks like spam, that mail server gets blacklisted at firewall level.
This is the result. And this one to check for the reason why as SSH connects, Apache2 connects etc is also treated. Check out the "Postfix tab for more details.
After more then a decade, me doing close to nothing these days, 80 % of all mail is stopped right at the doorstep - reduced to a line in the mail log :

Like : 2021-01-21 16:10:10 postfix : From host a.b.c.d : Hi - and bye.

Take note : for me, blocking IPs based on a country is not possible, as our clients are from all over the world.
Example : last month, some agency called Expedia (States based) started to use a bunch of IPv4, formerly known as "from Pakistan ....".
What also happens is : I get mail from Egypt, Cairo. From a fried. LIves in Germany. Who forgot to shut down his VPN (he has a complicated live and many issues with things called "torrents").

Geoip IPv6 database will probably never exist as the one wouldn't fit in our galaxy. 25 of all our incoming mail is IPv6. And as aid in another thread this morning : my first IPv6 are already banned.
Btw : I even added some domain names used by friends to my mail server, as I knew they would send and receive a lot of mails. That was just perfect to auto-train my anti spam AI.

All this beauty is available of the selves, free, and keeps working over time.

I use a dedicated IPv4 and IPv6 for each domain. This is VERY important.

Also : self-hosted means for me : a 50 $ / month dedicated server in a big data center, as hosting behind an ISP line (our case) is a big no-no.

@johnpoz
We do not always have the same skill levels at everything we do. Some things we know less about and know more about other things. That is the beauty of forums, after struggling to learn and try on your own, you hope that someone that does have the knowledge will step up and explain and not chastise.

I'm not saying you chastised me but that each step learned from using pfsense is one that gives me some extra knowledge to know how to look for the next problem.

Anyhow, in my case, I just want pfsense and all of the internal servers to use the local DNS servers. The firewall itself doesn't need to resolve or forward anything, it can use the locals as well. The problem was that is was adding 127.0.0.1 as the first nameserver for all of the DHCP hosts.

@dennypage

To be clear, mDNS traffic WILL still move across the network and is still accessible if you are connected to the 2.4GHz side of your SSID. The problem was actually pretty hard to trace out due to the sporadic nature and the fact that the traffic was present on the network. It's just that the WAPs drop it over the 5GHz side if the meshing is enabled.

'Real soon now!'

But yeah, it is close. We had to disable the public snapshots while we got all the changes in order and there are still a few things the need to be resolved.

Steve

What do you mean you can't enable DHCP? You just click on the appropriate buttons to enable and select the address range. Are you saying you don't get a DHCP address at all? Or something doesn't work after you get an address? What happens if you use a static address & config?

@oxigen87
Попробуйте netdata. Оч. наглядная визуализация работы пф. И не только сети.

https://forum.netgate.com/topic/155593/pfsense-netdata-verified-and-working-elegantly
https://learn.netdata.cloud/docs/agent/packaging/installer/methods/pfsense

@bob-dig said in IPv6 Dynamic Prefix with static suffix for LAN interface:

@foerkede Why would you? Best compatibility is to assign one /64 to your LAN via track interface. Then in the DHCPv6 Server on LAN you add a static mapping for one machines DUID together with a hostname and an interface identifier of your liking. Now you can use that hostname in firewall rules, even after your prefix changed.

Yes that's a good way to manage the clients in the network and I will probably do that.
My idea was to set the LAN Interface IPv6 to a memorable address, like <prefix>::1 as you do in IPv4, so you can configure static IPv6 addresses more easily (gateway and DNS config).
But I forgot that if the prefix changes, I have to change all the static addresses on the machines too. So the DHCPv6 solution seems to be the only good one if you don't get a static prefix from your ISP.

Thanks for your fast and helpful input!

@teamits said in SG-3100 - NAT rule for single Public IP:

Are you having the NAT rule create a linked firewall rule that allows traffic to 192.168.2.10:22? That should be the default.

confirmed, this was working automatically. Figured out it was the source port needing to be "any". Thanks!

@teamits and that was it. its working now I had turned off tagging on 5 earlier on opt 1 because i saw that the default lan didnt have 5 tagged. Probably everytime i did the setup there would always be one step i messed up because on other attempts i had it tagged properly. anyways its working now thank you!

wg interface config ipv4 and ipv6 address,
eg: 10.0.0.102/32, 2a0d:2400:12:c::102/128
but the interface only has ipv4.