@johnpoz said in NAT not opening on custom Ports: see my edit... Put a box on your wan network of pfsense and do your testing... As you can see from that edit - that site is not very reliable for what your speed is or should be.. Here just started download of file from one of my servers in the NL... I have a 500mbps connection seeing 53MBps down... My connection is fine - but that scott iperf showing junk.. You sure this was for me? I don't think i've mentioned anything about scottlinux?

@johnpoz I based my assertion, on a bad assumption. I asked for expert help. When nobody could tell me I missed something, there seemed only one explanation. No need for the kiddy stuff, we are all just trying to get this open source tool working for ourselves, correct? Apologizes to the team for bug talk.

@dimadur Рад , что помог . Удачи .

Thanks! On my OpenVPN tab I simply make a rule for each VPN subnet Im controlling. I have ten different tunnels coming into this location alone besides a roadwarrior setup.. I do think the OP could simplify his setup a bit in this fashion. from one of our spur sites.. Ive since tightened up the road warrior rule and thus done away with all the blocking rules.

I got a Rule that sorts out traffic trying to connect to my LAN from the radio network. For the rest its fine since i run the other network anyway

testing out to the internet for iperf not really going to be a valid test... Test from your lan to your wan network.. Put a box on your wan and a box on your lan and run iperf between them.. Once you go out to the internet you have to many variables to rule out just something on net is problem.. Rule out your local hardware first. By testing local!!

@bbcan177 said in Snort doesn't know about SRC-DST pairs thus unable to whitelist anything: To overcome those certificate errors, create a new DNSBL Alias and add those domains to the customlist at the bottom. Then select the "Disable Logging" and set the Group Order to Primary. Then run a Force Update... This assuming that you are on pfBlockerNG-devel. This will nxdomain those domains and also disable the logging of those domains. I did this already, thanks, I'm following your subsection on this forum also reddit... It worked, but then again it's not very much elegant solution... Especially that you can't add ALL possible sites there obviously and this list is getting bigger and bigger every day -it's a manual only process.. So yeah, not elegant at all..

@johnpoz Request sent now. That boy did not seem to have meant that configuration as an example. Thanks again for the clarification.

ATT offers 2 other shi, i mean amazing boxes, im on the phone with them now getting one sent out.

@johnpoz said in Share WAN connection: You do understand the pfsense can be a sip proxy right.. Good point. I have installed siproxd, set outbound to WAN and inbound to LAN2. Everything else was left default. After reloading states FB6490 can register to the SIP registrar on FB6490(UM) BUT at the same time now FB7390 cannot register anymore to FB6490(UM). What does this mean? @chpalmer said in Share WAN connection: His cable company is his phone company from what Im getting.. You got it right. And because the device is the property of the provider and also configured by the provider I am very limited.

To close resolve) this one : @rsaanon said in [Solved] dnsleak results show no leak, but IP address lookup shows internal/lan IP: I would have like to have pasted the screen shot of the above two tests, but I'm not sure how to include the screenshots on this forum. Copy the image fist (hit the print screen touch on windows keyboard to have the entire screen or use the build in capture tool) and then Paste it here while your typing your post (windows PC : Ctrl-V) .

It looks like FreeBSD is able to create IPv6 fragments (45 fragments created), but i have no idea where they are going to in case of the WAN interface. netstat -s -p ip6 ip6: 402474348 total packets received 0 with size smaller than minimum 0 with data size < data length 0 with bad options 0 with incorrect version number 0 fragments received 0 fragments dropped (dup or out of space) 0 fragments dropped after timeout 0 fragments that exceeded limit 0 packets reassembled ok 614833 packets for this host 401766863 packets forwarded 2 packets not forwardable 45 redirects sent 746064 packets sent from this host 0 packets sent with fabricated ip header 0 output packets dropped due to no bufs, etc. 0 output packets discarded due to no route 0 output datagrams fragmented 45 fragments created 0 datagrams that can't be fragmented 0 packets that violated scope rules 0 multicast packets which we don't join

@bugsmanagement said in Why is there a back door for Negate forums?: Alright Hey dude, I advice you to take a break and go to get a good reading like pfsense Book And avoid to make frenzy thread. without fairly knowing how the user interface is composed, I'll not to be too harder, but we need Brains first, and pfsense Book is you first reference source available. your Holy Graal bye.

@konstanti said in Доступ по URL: Еще вариант развернуть свой DNS сервер с контролем доступа или использовать сторонние решения , например, http://rejector.ru/ Не совсем удачное решение. Доступ по IP будет работать тогда для всех ) Но очень даже как костыль. Разрешенных пользователей резолвить 53 порт на нормальный dns, а "обделенных" на свой. Может как-то под пивко и озадачусь. Спасибо.

I've also tried disabling PF scrubbing to no effect.

I really appreciate everyone's help. And, this pfSense solution is to solve one specific problem. The balance of the solution will scale just fine. @netblues ... no problem making this persistent...I can do that no problem. @marvosa ... thanks for the assist.

I use : 2.4.4-RELEASE-p1 (amd64) built on Mon Nov 26 11:40:26 EST 2018 FreeBSD 11.2-RELEASE-p4 Your "CE" seems to be different.

@stewart said in Huge Suricata Stats Logs: @bmeeks That's what I would expect, but instead I get: I can't tail or head it. It just sits there. So I copied off the log file and nano'ed it. I just checked and it is better. Color me confused... I have a fixed file ready if you are willing to test it for me. If you are, send me a PM (chat message). You might also consider increasing the stats collection interval for your setup. That's on the INTERFACE SETTINGS tab where you enable stats log generation. The default interval is 10 seconds. You could try increasing that to 60 seconds (or even a little more) to see if that helps control the rapid growth of the stats.log file.

ok thank you I look at it

@rico said in Webgui does not start after reboot: Check this one out: https://www.netgate.com/docs/pfsense/vpn/openvpn/sharing-a-port-between-openvpn-and-a-web-server.html Never tried, but maybe it works for the pfSense WebGUI too. -Rico Great .... I knew I have read something about this ( your https://www.netgate.com/docs/pfsense/vpn/openvpn/sharing-a-port-between-openvpn-and-a-web-server.html ). never tried it neither. Can the "internal IP address of the web server" be set to the WAN IP ? Which is useless in 99,9 % of all cases anyway. Maybe 127.0.0.1. will do ... @zorrox will inform us soon.

@cumhuraltan sadece ubuntu bilgisayarda internet geldi bilgisayara restart atıncada gitti şuan vlanlar ip alıyor pfsense 'den ama internet yok

@unsunghero The sort answer is unfortunately, NO. pf is an enterprise grade firewall solution. It is never meant to be a plug and play box. It can do many complicated things, but then its like driving a racing car. You have more things to do apart from the steering wheel and the gas pedal. Here is a great reference for all things pfsense https://www.netgate.com/docs/pfsense/book/ It will answer all your questions, but then you need to invest some time and effort.

@piba I might try creating a lua script in the future, i guess i start reading about the inner working of Remote Desktop Gateway or try a attempt to decompile some MS binaries :-) to get a idea what they are doing. Thanks for the help so far.

gracias a ti saludos

@johnpoz said in How do I find this device?: My point is you should be more detailed with your info since they people clearly don't know - or they wouldn't be here asking in the first place. Here is my post: "Just look at those addresses. They're link local addresses, based on the MAC address. Just look for MAC addresses that look similar. Everything after fffe in the address is the same as the same bits in the MAC address." Given that every address listed included fffe, my comment was entirely accurate in that context. He was trying to find the source and I gave him a clue. I was not attempting to give a full tutorial on link local addresses.

Also as @johnpoz points out a laptop is a really bad choice as most laptops do NOT have more than one physical network interface. And if you're talking about routing via WLAN or using some old crappy USBtoEthernet adapter, that's so far out of the ballpark of pfSense usage that I can't even see where the ball went down - so to speak.

Добрый. +1 за опенвпн

Because you installed it "offline" and not from the pfSense repository, it won't display in the GUI list. https://www.netgate.com/docs/pfsense/releases/2-4-4-new-features-and-changes.html#errata

Thanks @jimp for looking into this, I am happy to hear that there was actually an issue here and that you were able to resolve the issue so swiftly. I look forward to applying the fix when made available.

@comthre3 said in Upgrade from 2.3.1 to 2.4.4, PHP errors all over the place: working mirror with older versions I had looked yesterday and found the /mirror/downloads/old/ directory showed a 403 error on the mirrors I looked at. We hadn't been keeping older versions downloaded, but may need to if they aren't readily available. What mirror did you find still offered them? after which, the device was unable to fetch new updates from the server using the GUI update tab I had issues on several 2.3.x installs with updates not working...changing to the development branch and back again seemed to fix it. See https://forum.netgate.com/topic/111872/2-3-3-is-live/21 (phil.davis post) for that issue.

Now all of a sudden DNS resolution stopped working on all of the clients on my internal network. o_O Restarting unbound and the client machines doesn't fix it. My network just hates me right now. edit Disabling pfBlocker fixed DNS resolution. edit2 Suddenly, my firehol blocklist rule was adding all of the internal clients on my network to blocked hosts.

What would fail with bogon still blocked is bogon's - but pretty sure pfsense pulls the rfc1918 space that is normally in bogon out... And lists in the different rfc1918 listing. rfc1918 is a bogon ;) Well if you want to get technical about its - better term is prob martian...

So this was the error : @mbrossar said in OpenDNS DDNS: Verbose logging is unchecked With verbose logging you would have seen that the password wasn't good

+1 for pihole. I've been using it for about a year now.

@bsa66 Happy Holidays to you too !

Exact. Static ones are ok, they are known - and when the lease is renewed, DNS doesn't restart. Classic DHCP, if checked, will restart DNS. This is a known subject (I won't call it an issue, but if unbound has a lot of work to do at startup, like rowing through all these pfBlockerNG 's feeds files; and you have a 'light' system (processor, disk, whatever) then yes, it starts to take time).

@rico said in 1&1 IONOS Cloud Server - Routing Socket - Network is Unreachable: Glad you have it working now. I would not open Management Port 80 and 443 to the whole Internet. Maybe you could lock it down to only a few Source IPs in your Firewall Rules. The best Solution is to use some VPN. -Rico Thanks Rico - I have a static IP so locked it down just down just to this one. Thanks again David

Se você está utilizando PPPoE para discar no pfSense, é porque está somente como um modem da sua operadora. Caso o modem suporte os 200mbps, não muda nada. do contrário, eles iram trocar o equipamento. Daí você pode receber um roteador que vai fazer a conexão e ti entregar um IP não 192.168.x.x. Se isso aocntecer, já pede para eles reconfigurarem o roteador para o modo bridge. Daí você liga ele na sua porta WAN do pfSense e configura o PPPoE lá mesmo. O IP que você irá receber após a conexão será sempre o mesmo, tanta numa configuração, quanto noutra.

Thank you :>). Have a great day!! GW

@rico Thanks for sharing