That outbound rule editing changed something, as if there was something changed under the hood.

Right now the admin there is able to access systems on the other side of the tunnel, as intended.

Nothing changed on the OpenVPN server, btw.

That NATing isn't fully correct still

What I'd like to have:

server side IP should be able to ping a PC on the client side server side VM should be able to access a system on the client side, with a mapped IP in the client LAN

currently I have this, and rebooted for a check, the admin is able to access a server VM via RDP: GREAT, but not 100% yet ;-)

08be6411-788d-4b6b-a661-70faecf7845e-image.png

THANKS so far, I think I need some time afk now soon

@dwhacks said in Two IP's from ISP, Two PFsense routers (one a vm) cannot access B from A:

I did think of something while I was making another coffee: before setting up the router for site B I have dual WAN at site A. My ISP almost never changes the IP addresses, is it possible there is some residual config or states or something left over in my site A router making it think that the IP of site B is supposed to go to itself? Maybe is DHCP as thats what the routers use on WAN?

So Site A is (or was) "aware" of the IP that now resides on Site B then... well yes I suppose there could be some residual states or something which makes it think it should go back to itself. Similar to what I was after with the host override rules, which however you have clearly changed. I assume you have removed WAN2 completely, as well as any gateway groups etc that you may have had. And how about services Dynamic DNS, on site A is that also updated to reflect that dwhacks is no longer on that IP?

Try tracert to dwhacks.com to see what you get from pfsense on site A... That should give you a clue as to what it's doing.

Also you can run Pcap on WAN whilst pinging dwhacks to see if it shows up. Add a filter with the public IP for Site B so you only capture the important information.

@frawnsmoc I think you misunderstood me, the idea of the host override is to confirm if the DNS is being redirected, and not create a host override for google.

Perhaps perform a packet capture on localhost in pfSense, UDP port 53 and test with the nslookup again.

@strandte

allow_ or allow_snoop, thats one thing.
But what does is mean :

access-control: ::1 allow_snoop
access-control: ::1/128 allow

as ::1 and ::1/128 are the same for me.
So, allow_snoop gets set on ::1 and then overridden by 'allow' ?

Here you can see how the access_lists.conf file gets created :
/etc/inc/unbound.inc

First, "127.0.0.1/32 allow_snoop" gets thrown in and then "::1 allow_snoop".
You and I don't chose the 'allowed_snoop' from the GUI here, it's hard coded.

Then, all your local known interfaces, and this includes
127.0.0.0/8 allow
and
::1/128 allow

and as said : these are the same for me.

Note that the 'allow' here is the one I set up here :

f98bcfaf-53c5-4af3-8011-0db92ef32d97-image.png

I wonder what happens if I delete these two lines :

a9c12224-4af3-4fde-8015-2265b6b91de5-image.png

@swk said in Loadbalancing Failover legt alle WAN Verbindungen (& VPN) für 5-15 Sekunden lahm:

Netgate_Firmware_Upgrade 23.05.00

du solltest mal Updates einspielen, aktuell ist 24.11

@helis821 forgot to say - also doesn't work with windows firewall disabled

@UweV

So you assume that the upstream internet router does not tell pfSense that the prefix delegation has changed - correct?

Yes. The PCAP shows the server sending Router Advertisement's for the new prefix as expected which allows pfSense to update its route table and WAN, but it will not affect the delegated prefixes tracked by the LAN interfaces.

@matisardi said in Microsoft Exchange 2019 on premise:
@matisardi said in Microsoft Exchange 2019 on premise:

under WAN IP when it must be under configured virtual IP

If you have two public IPs you can use 1:1 NAT to forward all ports to the Exchange Server, which you can then control via firewall rules. That will also automatically handle outbound NAT.

Or you can use a virtual IP in your NAT rule, and handle outbound NAT yourself.

pfSense 2.7.0

Unrelated to your problem, but 2.7.2 has been out for quite a long time now. Also several patches for it.

https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#troubleshooting
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

@patient0 ok thanks

Does this also mean that it's save to uninstall/remove it, if you don't need or use it?

@1013215273

Look again at the captive portal settings.
There are no IPv4 addresses to be set.
You have to select an interface, like LAN, or, so what I have, PORTAL (was originally OPT1).

How where why do you want to set "172.16.69.x" ?
What are you trying to achieve ?

@drodgers It's worth a try, just make sure your modem supports a 1508 MTU / Baby jumbo frames as it's a PPPoE connection

@Gertjan Thank you for your feedback, Gertjan!
I'll continue with that info :)

Have a great day

@Quirin said in Files not working:

I don't know how to tell more precise.

It was already precise enough 👍
I was doing the same thing on my side, double checking for an oversight.

The thing is : I don't use 2.7.2 anymore. It 25.03. I can't downgrade, but you could go to 2.8.0-Beta.
I can't recall if there were any issue as 2.7.2, I know I was using it for a while.
You have the System Patches package and activated all the Netgate patches ?

You do see the symlinks in the /usr/local/captiveportal :

[25.03-BETA][root@pfSense.bhf.tld]/usr/local/captiveportal: ll total 2182 -rw-r--r-- 1 root wheel 2139650 Feb 2 2024 ROOM-DIRECTORY-BH-FUMEL.pdf lrwxr-xr-x 1 root wheel 43 Nov 19 2023 captiveportal-2style.css@ -> /var/db/cpelements/captiveportal-2style.css lrwxr-xr-x 1 root wheel 43 Nov 19 2023 captiveportal-custom.css@ -> /var/db/cpelements/captiveportal-custom.css -rw-r--r-- 1 root wheel 82730 Mar 5 21:09 captiveportal-default-logo.png lrwxr-xr-x 1 root wheel 47 Nov 19 2023 captiveportal-mac-block.html@ -> /var/db/cpelements/captiveportal-mac-block.html lrwxr-xr-x 1 root wheel 46 Nov 19 2023 captiveportal-nvxx-logo.png@ -> /var/db/cpelements/captiveportal-nvxx-logo.png -rw-r--r-- 1 root wheel 5686 Dec 10 2019 favicon.ico -rw-r--r-- 1 root wheel 14606 Mar 25 15:48 index.php -rw-r--r-- 1 root wheel 14498 Mar 3 15:53 index.php.old -rw-r--r-- 1 root wheel 14474 Mar 5 21:09 index.php.orig -rw-r--r-- 1 root wheel 3072 Jan 7 12:36 rfc8910.php

and you checked the symlink image and font files ?

You had the inspector windows of your browser open.
What was the error when you hover over the place where the logo should show up ?
File not found ?
What was the file name of the logo image file in the html ?

@SteveITS

So far so good, I'll know tomorrow for sure.

@RickyBaker yes
Start as simple as possible and then build up your network. I would concentrate on the double paths reported by your switch.

I assume you run a unifi network application to optimise channel selection and minimise crosstalk.

@viragomann
Thanks for the reply.
I have not configured any static routes on the pfSense VM's.
I figured since traffic flowed without static routes from B to A that the opposite would be true as well.

On the 172.16.136.14 VM I have added a static route in the OS for traffic destined for 10.12.105.0/24 to route through 172.16.136.20 (instead of the default gateway 172.16.136.1)
I have also added a static route on the 10.12.105.10 VM since it is connected to multiple networks, but can still only reach the site B pfSense LAN IP address and nothing else on that subnet.

What routes should I configure in the pfSense machines?

@digitaldave Sounds like an alert on reply traffic (i.e., one of your LAN clients initiated a connection to that server).

Just curious, is your Snort instance running on your LAN or WAN interface? It's preferable to run it on LAN interface/s since, as you note, it will 'detect' a lot of noise that's otherwise blocked by the firewall anyway.

@SpaceXTexnologiya Perhaps a question best asked under the IDS/IPS section...

Neverthelss, I don't think you can limit the amount of CPU it uses, unless it's somehow possible to bind it to a specific core?
If you run it in Inline mode you could try changing to Legacy mode to see if that gives you a bit more throughput. Also you can limit the rulesets you use, and remove those not needed...

@backup2 said in Can't access internet with pfsense and proton vpn:

At this point, before routing my traffic through VPN, I can still access internet. However, when I go to firewall>NAT and edit "auto created rule - LAN to WAN" and "Auto created rule for ISAKMP - LAN to WAN" by changing interface from WAN to OPENVPNC, I can no longer access the internet.

That can be so, but at that moment, you're not done yet.

I'm not using Proton, but I did find their official ( ? ) setup guide.
Somewhere in step 5, you stopped after changing the mappings, and posted here.
Or did you do these steps ?