To chime in on that as well - if you really really want to get fancy.. You might even be able to get by with just 1 ssid.. where you assign vlans based on mac of the devices. Maybe just 2 if you want a enterprise auth ssid, and for those iot devices and such just use psk, I did a test a while back they first came out with the dynamic vlan support, and I did get it to work based on mac for psk devices.. I was thinking at one time to go down this path.. But haven't gotten back to it ;) Lots of devices - all working, segmented out how I want.. Haven't found the motivation to change it all up just to drop a couple of ssids ;) While sure the fewer the ssids the better if your looking to max tweak your setup.. A couple of extra ssids not going to be a big difference in overall performance ;) Here this might help https://help.ui.com/hc/en-us/articles/360015268353-UniFi-USG-Configuring-RADIUS-Server You can use freerad on pfsense for this vs using the radius server of usg.. I currently use 4 ssids = 4 different vlans 1 wpa2-enterprise with eap-tls auth, this is for my trusted devices. My phone, Wife's phone, my laptop, my tablet, etc. 2 wpa2-psk for iot devices, thermostat, alexa devices, smart bulbs, the like 3 wpa2-psk for roku/tv stuff. My harmony remote, tv, roku sticks 4 wpa2-psk for guest devices.. Even setup QR code on a business card I can give guest so they can just scan the qr code with their phone and get on.. Zero reason for them to type out the very long and complex psk ;)

@lifespeed So, don't select that. I don't know what you've done, but sometimes it's best to start from scratch, in case you did something you shouldn't have. Perhaps there's someone else here, who can help you with Comcast. My experience is with Rogers, where IPv6 works well.

Добрый. @Kowex said in Маршрутизация клиента OpenVPN в две сети IPSec: Выполнено? На Сервере №1 подключающимся овпн-клиентам пушить 192.168.1.0/24 (push "route 192.168.1.0 255.255.255.0";), а не 192.168.192.0/24 Покажите таблицу марш-ции на клиенте при поднятом овпн. Вкл. логирование и смотрите, что происходит в логах fw.

@valentinius thanks for your comment, but we are beyond that

There is a possibility to reset the pfsense tracked table. Find better routes to navigate?

@DaddyGo Com certeza, digo o mesmo também pois ainda quero encontrar uma solução para este problema. Até logo! E muito obrigado pelo suporte.

^ exactly.. You know what else is really common... Users using wifi on their isp device, while pfsense is behind it.. So you got something like a sonos that thinks is a good idea to bridge shit <rolleyes> Plugged into a wire on the lan, and using the wifi that is on the wan - and you run into shit like this.. Here is the thing, pfsense is not going to block shit with its rule on egress, even if was the wan putting it on the wire.. Since the rules are inbound rules, ingress.. So somehow that traffic is becoming inbound to the wan interface.

@johnpoz said in Time always slow 2.4.5: You go to the store and there is a bottle of booze listed for 24.99 on the shelf, but then you go to pay for it and there is sales tax and excise tax, and convenience tax, and whatever - and it ends up being 32$... Just put 32$ on the freaking shelf ;) Completely off-topic, but I like the banter.. this kinda reminds me of Bali eating out as a foreigner... Food + Service Tax + Tips + Peak Christmas Season Tax + Corkage.... plus foot rub, donkey ride, bracelet, coconut bag, photo, photo with snake, photo with monkey, photo with some random... then the tip to the driver once you get back to your accommodation, only to find the cleaners are waiting! But if I were to onsell the 3100 based on US prices of $399 as a small quantity reseller. Id assume I would have to buy this from Netgate USA with a max 15% discount and my ballpark calculations would be not including shipping: $399 - $60 discount = USD$339 add Shipping on bulk order = USD$??? $339 * $1.51 (2020-May-30 xe.com) = AUD$510 $515 + 10% GST for import = $561 $561 + 20% FX variance/margin/storage = $675 $675 + 10% wholesale GST = $745 It sounds about right and for me as a VAR, I get that wholesale GST back when I sell to the client. I guess Australia has simplified the taxes compared to other countries. @JeGr said in Time always slow 2.4.5: Don't know if the shop you checked auto-included VAT, import taxes and/or shipping - just sayin' :) Yup, those prices are exlcuding, so add another 10% on top of $750. So its a nice margin to be sitting on based on the above assumptions. Bintang anyone? Im sure its a rebranded Heinekan.

@serbus Well John, early this morning I tried again and got same unauthorized ... so, I tried the browser and got invalid key; so, I just generated a new key ... all is good.

Resolved by putting unbound into DNS forward mode, instead of resolver.

My notebook has been slow for several years already, even despite i use browser Google Chrome, maybe the problem is slow Internet speed?

@jimmythedog Thanks! Good find on that Sophos link.

Hello, by jimp: https://forum.netgate.com/topic/154153/test-request-upnp-fix-for-multiple-consoles-playing-the-same-game-static-port-outbound-nat

Rules are evaluated top down, first rule to trigger wins - no other rules are evaluated. https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-processing-order.html

Yup, Chelsio uses cxgbe for the same reasons. Steve

Tks for your support

Oke I noted it

perfect You see, it's already clear what's wrong... You can do two things: you experiment, but it can cost useless money, if it doesn't work and you buy one this (the compatibility of the I350 is legendary): https://www.dell.com/en-au/work/shop/dell-intel-ethernet-i350-t-quad-port-1-gigabit-server-adapter-low-profile/apd/540-11333/networking or https://www.bargainhardware.co.uk/intel-i350-t4-quad-port-rj45-1gbps-low-profile-pcie-x4-nic -or you go that way, which I have already experienced and you use a Broadcom T4 NIC (bce4), I know for sure it works: https://www.bargainhardware.co.uk/broadcom-bcm5709-quad-port-rj45-1gbps-low-profile-pcie-x4-nic (we use it without any problems) I'm sure with such a strong CPU, the (bce4) driver has no disadvantages when running pfSense

I believe it defaults to 10.0.8/24 - this is fine.. Any network that is unlikely to overlap either your remote user or your sites network is fine.

@johnpoz said in TCP:S vs TCP:FA: Why do you have all your vlans on both interfaces in hyperv? Only network that should be on wan is the wan network.. Corrected the Interfaces:

@fabiolanza I contacted the seller/company that confirmed the chipset was Intel made. I am waiting for them to list more so I can purchase.

Jetzt läuft es. Habe auf dem WAN Interface den Prefix von 64 auf 56 und den Haken bei "Only request an IPV6 prefix, do not request an IPV6 address". Danach ging es und der unbound läuft stabil.

There are coming back but there are no going out. Even the hosts I‘ve never heared.

The J3455 is not powerful CPU but I would expect it to push more then 100Mbps of OpenVPN given a reasonable connection to the server. You have to check top -aSH though to know what's limiting it. Steve

You're an idiot or a troll, I don't care. I don't have patience for people like you. Blocked.

Hi, Just wanted to know if there is a way to turn off firewall filtering but keep the LAN devices in communication, if yes how ? As I don't need firewalling, I just need the routing part. Thanks..

@ncm-com said in VLAN tag on more than 1 interface: but let say if the traffic between VLANs reaching 500mbps it will create a bottleneck on one interface that would not be the case if the traffic using two ports? And how does putting 2 interfaces in the same vlan solve that problem? but let say if the traffic between VLANs reaching 500mbps it will create a bottleneck on one interface that would not be the case if the traffic using two ports? Use different uplinks for your difrerent vlans.. vmnic 2 vlan X, vmnic 3 vlan Y... Putting vlan X on both vmnic 2 and 3 does what?? Put all your vmnics into same vswitch.. Use your port groups to break out the vlans. setup lagg of these 4 nics to your switch from esxi

I think you might be right, though, as when it joins to Windows it joins as a CDROM/USB device. I imagine I need to switch it to the correct mode, then, per details on this thread: https://www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?f=3&t=2594 but can't find a series of commands that works. Here's what I get when I follow the same commands from that forum post: [2.5.0-DEVELOPMENT][admin@pfSense.localdomain]/root: sudo usb_modeswitch -K -W -v 2001 -p 0x0228 Take all parameters from the command line * usb_modeswitch: handle USB devices with multiple modes * Version 2.6.0 (C) Josua Dietze 2017 * Based on libusb1/libusbx ! PLEASE REPORT NEW CONFIGURATIONS ! DefaultVendor= 0x2001 DefaultProduct= 0x0228 StandardEject=1 Look for default devices ... found USB ID 0000:0000 found USB ID 0000:0000 found USB ID 0000:0000 found USB ID 0000:0000 found USB ID 0000:0000 found USB ID 0000:0000 found USB ID 0000:0000 found USB ID 0000:0000 found USB ID 2001:ab00 vendor ID matched No devices in default mode found. Nothing to do. Bye!

@JKnott said in Issue with network and Gmail and other Google pages: Well, I'm allergic to Apple gear LMAO!

so ich glaub ich dreh jetzt durch !!! kurzum wenn ich: port 443 mittels and die zB 10.0.0.1 (die interne IP der Firewall weiterleite) 3 stk Frontends (1. shared mit LAN Adress IPv4 | https offloading | default backend | use forward option | dem default cert d pfsense einrichte [serverCert] | Add ACL for certificate Subject Alternative Names aktiviere.) (2. das auf das shared auf pkt 1 zeigt die ACLs für die Backends einrichte | default backend | cert = das LE widcard cert" für diese domain | Add ACL for certificate Subject Alternative Names aktiviere | Add ACL for certificate Subject Alternative Names.) (3. das auf das shared auf pkt 1 zeigt die ACLs für die Backends einrichte | default backend | cert = das LE mit dem TXT IEntrag u d _acme_challenge für diese domain | Add ACL for certificate Subject Alternative Names aktiviere | Add ACL for certificate Subject Alternative Names.) funktioniert das genau so wie gewollt .... naja .... @Bob-Dig hatte mich mit seiner Anmerkung " könnte ggf. auch deine Probleme erklären" drauf gebracht ... die frontends die auf der WAN0 laufen abgedreht .... siehe da man konnte aufgrund der port forwarding ein backend noch erreichen ..... shared frontend eingerichtet ... 2te & 3te domain fix zack bumm rennt mit ssl offloading... wieso es am WAN0 nicht geht versteh ich bis jetzt noch immer nicht .... verdacht der ISP tut was komisches trau ich der Bande zu :( ich geh jetzt staubsaugen weil ich grantig bin und morgen weitersuchen ! man liest sich!

spf+ tech specs are up to 16gbps.. But yeah highest modules you will find prob 10ge max.. Atleast at any reasonable price, etc.

@kevindd992002 No.

@Bob-Dig said in NAT Typ von STRIKT auf OPEN für mehrer Clients für COD MW: Hast Du überhaupt (...) tatsächlich sind das sogar die wichtigsten Fragen. Denn damit kann es sein, dass man 90% der Probleme schon im Keim erstickt :)

@bmeeks Ok. I see MicroUSB port on the back, and two USB-A ports on the front. None are in use, nor have I ever used any. This unit shipped with pfSense already installed and with base configuration. Although I am aware of the console option, I have never used it.

I think I'll just add a couple more interfaces and do it that way. I got to thinking about how I might be able to use the separate lans anyhow. Thanks to all for the input.

Bonjour, je redonne des nouvelles, j'ai essayé d'avancer sur la piste "définir une route du réseau WAN vers le LAN". Sur la livebox je ne peux pas configurer de route statique. J'ai donc voulu "tricher" en définissant l'interface WAN du pfsense comme passerelle de mon pc portable connecté en WIFI dans le réseau WAN. Techniquement, j'arrive donc à atteindre des postes du LAN moyennant la création des règles de pare-feu adéquat (RDP, SMB, HTTP...) Mais ce que je ne comprends pas c'est que mon pc n'a alors plus accès à Internet. Pourtant dans PFSense, ma livebox est bien définie comme passerelle par défaut et sur la configuration de l'interface WAN, l'IP de la livebox est bien définie comme passerelle Quand je fais un "tracert google.com" depuis mon PC dans le WAN, Quelqu'un saurait-il me dire pourquoi l'accès internet sur mon pc ne fonctionne pas en procédant de la sorte ?

@Mellowlynx To set a single IP in the outbound NAT, you have to select Network, enter the IP and select 32 for the mask.

A fix for this issue is in the latest snapshot and I confirm it works. Thanks @jimp .

@jayb1

Klar komm ich dann drauf, weil der pfSense ja dann die 192.168.100.10 zugeteilt wird. Unterbinde ich das, komme ich nicht mehr drauf.