@JKnott OK, sorry.
Noob more in regard to IPv6 itself. I'm not a networking guy; I have a fair understanding of IPv4, but not so much of IPv6. And to that I must say: still a noob, and looking to learn.
About the HOW, I'm sorry if that wasn't clear and I didn't get the hints to explain that part better, but it's out in the clear now, I guess. I may have missed mentioning it was a datacenter; I just said "provider". My bad, and I'm sorry for the confusion.
I have 4 dedis with 2 pfSense routers. WAN is only connected to the pfSenses via vSwitch. All VMs get their connectivity through pfSense and are not host-bound.
@Derelict I didn't mean to offend probably as much as you meant me. I already explained the "noob" part, but consider saying to someone:
You should also probably paste EXACTLY what they are telling you instead of your interpretation of the same.
It's like people (or me in this case) are stupid and can't interpret what we're told. Your comment was specifically about one's ability to understand a message and pass it on. People who can't understand a simple message and repeat it fall in such categories. Maybe you could have phrased it better. Anyway, please note I said it seemed; I am sure that's not what you meant, yet I felt the remark was due. I have been working in IT and with customers for 14 years and I never made such a remark to anyone, despite how dumb I may think they are sometimes.
Anyway I don't want to derail the topic to this, was just a comment.
I'm still insisting with the DC so they give me a bigger prefix.
I disabled 'Log packets blocked by Block Bogon Networks rules' at 14:05 today. I just checked the filter log file and the last RTALERT and PADN entry occurred exactly at 14:06:01. Nothing but valid firewall events after that... Up until that point it was logging about 230 of those offending messages per hour.
The funny thing is, I've always had that Bogon logging option enabled and never had a problem until now. My ISP is Comcast and, as mentioned in bug report #3494, Comcast appears to send ICMP6 Multicast Listener Report messages out on their system which get flagged as Bogon traffic by pfSense. I guess Comcast must have made some changes recently that increased the flow of this type of traffic...
Anyway, glad we got to the bottom of it. Thanks again for all the help! No way I could have figured this out on my own...
The Watchdog package should be able to do this job far more precisely. It monitors the VPN and restarts the service if necessary.
Yes and no: that only monitors the service status, and if the server is up, nothing gets restarted, because the process is running. What surprises me more is that the client doesn't re-establish the connection, since that is what the keepalive statement is for, and normally it works without problems regardless of platform.
Would policy routing "This Firewall" in a floating rule be used to push WG tunnel traffic over a preferred gateway or gateway group? There seems to be some discussion on Reddit suggesting that this is also possible instead of changing the default gateway.
Maybe, but that's always been a bit iffy -- It's worth trying, but if you do, carefully check the state table and packet captures to ensure that the traffic is exiting the correct interface with the correct address. A problem you might get into there is that it leaves, say, WAN2 with the source set to WAN1. Outbound NAT could work around that if it happens, but it's kinda ugly.
The problem is that pf policy routing influences packets that are already fully formed and on an interface, whereas the routing table also influences source address selection for UDP packets. So sure policy routing can change how a packet exits, but it can't change the address from which WireGuard sends the packet.
I have 2 pfSense with BIND connected via site-to-site OpenVPN :)
I need my site 1 to be the master and site 2 to be the secondary.
I need site 1 to have all the zones on site 1 and site 2 as master zones.
The point is to add hosts only on site 1, which is the master, and have those entries synced to site 2, so I don't have to enter them on site 2 also to be able to resolve them there as well. Like the built-in resolver on pfSense (if I want to resolve a host on site 1 which is actually a host on site 2, I have to put an entry into the resolver on site 1). Right.
And ... the rules which are confusing me:
What rules should I set so both sites can sync with this function, or in any other way?
self-hosted email where it actually thwarts quite a bit of spam messages
I know all about that one.
Back in the 'good old days' I said once to myself: I want to have my own domain names (private and company (a hotel)) and take care of my own mail, as using a mail server from somewhere else binds you to the mail reputation of the host. Shared mail can be great, and the next day you can't mail to gmail, or yahoo, or whatever. Or the other way around: one of the biggest (Belgian) mail suppliers, skynet.be (don't laugh), was often blocked, me not being able to do anything about it.
So I went for the 'do it myself'.
What I did: tell postfix to be far stricter than the default for the incoming mail:
No reverse host name ? => Hang up the phone.
You say "Paul" but your reverse lookup says "Jack"? => assign a big penalty to start with (this one has an identity crisis / split personality / other issue).
No SPF ? => assign a big penalty to start with.
No DKIM ? => assign a big penalty to start with.
No DMARC (and IPv6) => assign a big penalty to start with.
Mail with added files that are forbidden, like exe, com, docx, etc etc ? => Drop it.
Then, with the already scored penalties, filter through SpamAssassin. And amavis, and razor, and more. If the mail is a winner => off to the spam box it goes.
We have a guy called fail2ban that analyses the main postfix mail log 24h/24. For every mail that comes in, if the simple server-to-server transaction 'stinks' or the mail looks like spam, that mail server gets blacklisted at firewall level. This is the result. And this one to check for the reason why, as SSH connects, Apache2 connects etc. are also treated. Check out the "Postfix" tab for more details.
After more than a decade, me doing close to nothing these days, 80 % of all mail is stopped right at the doorstep, reduced to a line in the mail log:
Like: 2021-01-21 16:10:10 postfix : From host a.b.c.d : Hi - and bye.
Take note : for me, blocking IPs based on a country is not possible, as our clients are from all over the world.
Example : last month, some agency called Expedia (States based) started to use a bunch of IPv4, formerly known as "from Pakistan ....".
What also happens is: I get mail from Egypt, Cairo. From a friend. Lives in Germany. Who forgot to shut down his VPN (he has a complicated life and many issues with things called "torrents").
A GeoIP IPv6 database will probably never exist, as the one wouldn't fit in our galaxy. 25 % of all our incoming mail is IPv6. And as said in another thread this morning: my first IPv6 addresses are already banned.
Btw : I even added some domain names used by friends to my mail server, as I knew they would send and receive a lot of mails. That was just perfect to auto-train my anti spam AI.
All this beauty is available off the shelf, free, and keeps working over time.
I use a dedicated IPv4 and IPv6 for each domain. This is VERY important.
Also: self-hosted means for me a $50/month dedicated server in a big data center, as hosting behind an ISP line (our case) is a big no-no.
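The two "hang up the phone" / "drop it" steps of the poster's setup, expressed as Postfix configuration. This is an added illustration, not the poster's own configuration; the map path and the attachment list are assumptions (the extensions follow the post's own examples).

```conf
# /etc/postfix/main.cf (added example, not the poster's config)

# Require a HELO and disable VRFY probing of valid mailboxes.
smtpd_helo_required = yes
disable_vrfy_command = yes

# "No reverse host name? => Hang up the phone."
# Clients whose IP has no PTR record are rejected at connect time.
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unknown_reverse_client_hostname

# HELO name must be a syntactically valid FQDN.
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname

# Never relay for third parties; reject recipients in unknown domains.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain

# "Mail with added files that are forbidden ... => Drop it."
# MIME headers inside the body are matched against the map below.
mime_header_checks = pcre:/etc/postfix/mime_header_checks   # path assumed

# /etc/postfix/mime_header_checks (pcre map, same example)
# Matches Content-Type/Content-Disposition headers whose filename ends in
# one of the listed extensions and rejects the message with a 5xx reply.
/^Content-(Disposition|Type).*name\s*=\s*"?(.+\.(exe|com|docx))"?\s*(;|$)/
    REJECT Attachment type not allowed: $2
```

Run `postmap -q` against the pcre file with a sample header to confirm the pattern fires before reloading Postfix.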
We do not always have the same skill levels at everything we do. Some things we know less about and know more about other things. That is the beauty of forums, after struggling to learn and try on your own, you hope that someone that does have the knowledge will step up and explain and not chastise.
I'm not saying you chastised me but that each step learned from using pfsense is one that gives me some extra knowledge to know how to look for the next problem.
Anyhow, in my case, I just want pfSense and all of the internal servers to use the local DNS servers. The firewall itself doesn't need to resolve or forward anything; it can use the local ones as well. The problem was that it was adding 127.0.0.1 as the first nameserver for all of the DHCP hosts.
To be clear, mDNS traffic WILL still move across the network and is still accessible if you are connected to the 2.4GHz side of your SSID. The problem was actually pretty hard to trace out due to the sporadic nature and the fact that the traffic was present on the network. It's just that the WAPs drop it over the 5GHz side if the meshing is enabled.
What do you mean you can't enable DHCP? You just click on the appropriate buttons to enable and select the address range. Are you saying you don't get a DHCP address at all? Or something doesn't work after you get an address? What happens if you use a static address & config?
@foerkede Why would you? Best compatibility is to assign one /64 to your LAN via track interface. Then in the DHCPv6 Server on LAN you add a static mapping for one machine's DUID together with a hostname and an interface identifier of your liking. Now you can use that hostname in firewall rules, even after your prefix changed.
Yes that's a good way to manage the clients in the network and I will probably do that.
My idea was to set the LAN Interface IPv6 to a memorable address, like <prefix>::1 as you do in IPv4, so you can configure static IPv6 addresses more easily (gateway and DNS config).
But I forgot that if the prefix changes, I have to change all the static addresses on the machines too. So the DHCPv6 solution seems to be the only good one if you don't get a static prefix from your ISP.
@teamits and that was it. It's working now. I had turned off tagging on 5 earlier on OPT1 because I saw that the default LAN didn't have 5 tagged. Probably every time I did the setup there would always be one step I messed up, because on other attempts I had it tagged properly. Anyway, it's working now, thank you!