To chime in on that as well - if you really really want to get fancy.. You might even be able to get by with just 1 ssid.. where you assign vlans based on mac of the devices. Maybe just 2 if you want a enterprise auth ssid, and for those iot devices and such just use psk, I did a test a while back they first came out with the dynamic vlan support, and I did get it to work based on mac for psk devices.. I was thinking at one time to go down this path.. But haven't gotten back to it ;) Lots of devices - all working, segmented out how I want.. Haven't found the motivation to change it all up just to drop a couple of ssids ;) While sure the fewer the ssids the better if your looking to max tweak your setup.. A couple of extra ssids not going to be a big difference in overall performance ;) Here this might help https://help.ui.com/hc/en-us/articles/360015268353-UniFi-USG-Configuring-RADIUS-Server You can use freerad on pfsense for this vs using the radius server of usg.. I currently use 4 ssids = 4 different vlans 1 wpa2-enterprise with eap-tls auth, this is for my trusted devices. My phone, Wife's phone, my laptop, my tablet, etc. 2 wpa2-psk for iot devices, thermostat, alexa devices, smart bulbs, the like 3 wpa2-psk for roku/tv stuff. My harmony remote, tv, roku sticks 4 wpa2-psk for guest devices.. Even setup QR code on a business card I can give guest so they can just scan the qr code with their phone and get on.. Zero reason for them to type out the very long and complex psk ;)

@valentinius thanks for your comment, but we are beyond that

@jimmythedog That is both correct and incorrect. The problem is that none of the chains presented by the server will end up chaining to the expired AddTrust cert UNLESS that is what is presented by the server. Server administrators SHOULD NOT be including the CA certificates that SHOULD be being pulled from the clients trusted root store in the first place. They should only be pushing as much of the chain as necessary to get the client chained into and pulling from its own trusted CA store. Some clients (macOS, Windows) ignore superfluous certificates from the server and use their own store as soon as they have a match up the chain so they continue to validate even when the server admin makes a mistake. Some (like OpenSSL in FreeBSD and CentOS at least) try to use what is pushed to them by the server. Those fail.

Yup, Chelsio uses cxgbe for the same reasons. Steve

Oke I noted it

perfect You see, it's already clear what's wrong... You can do two things: you experiment, but it can cost useless money, if it doesn't work and you buy one this (the compatibility of the I350 is legendary): https://www.dell.com/en-au/work/shop/dell-intel-ethernet-i350-t-quad-port-1-gigabit-server-adapter-low-profile/apd/540-11333/networking or https://www.bargainhardware.co.uk/intel-i350-t4-quad-port-rj45-1gbps-low-profile-pcie-x4-nic -or you go that way, which I have already experienced and you use a Broadcom T4 NIC (bce4), I know for sure it works: https://www.bargainhardware.co.uk/broadcom-bcm5709-quad-port-rj45-1gbps-low-profile-pcie-x4-nic (we use it without any problems) I'm sure with such a strong CPU, the (bce4) driver has no disadvantages when running pfSense

@fabiolanza I contacted the seller/company that confirmed the chipset was Intel made. I am waiting for them to list more so I can purchase.

There are coming back but there are no going out. Even the hosts I‘ve never heared.

I think you might be right, though, as when it joins to Windows it joins as a CDROM/USB device. I imagine I need to switch it to the correct mode, then, per details on this thread: https://www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?f=3&t=2594 but can't find a series of commands that works. Here's what I get when I follow the same commands from that forum post: [2.5.0-DEVELOPMENT][admin@pfSense.localdomain]/root: sudo usb_modeswitch -K -W -v 2001 -p 0x0228 Take all parameters from the command line * usb_modeswitch: handle USB devices with multiple modes * Version 2.6.0 (C) Josua Dietze 2017 * Based on libusb1/libusbx ! PLEASE REPORT NEW CONFIGURATIONS ! DefaultVendor= 0x2001 DefaultProduct= 0x0228 StandardEject=1 Look for default devices ... found USB ID 0000:0000 found USB ID 0000:0000 found USB ID 0000:0000 found USB ID 0000:0000 found USB ID 0000:0000 found USB ID 0000:0000 found USB ID 0000:0000 found USB ID 0000:0000 found USB ID 2001:ab00 vendor ID matched No devices in default mode found. Nothing to do. Bye!

@jayb1

@JKnott My goal is to get the client on the dd-wrt as it’s much smaller than my PfSense box and less objectionable to put in someone else’s home. I want to get it working in pfsense before playing with ddwrt. To clarify the reason the router emulating an ISP works is that I can get 2 IP addresses via DHCP making the connected 2 pfsense boxes think they have there own connection to the internet. Simulating having 2 ISP at my home. Any reason I can’t keep the openvpn server on my original ISP and the openvpn client on the cellphone connected to the ddwrt router ?

@johnpoz Thanks. That proves your point about the missinformation out there and why it's a good thing that it's back on default. Will give an update if my issues remain after what I did before and/or if I gathered more insights. Vincent

I don‘t have this enabled and it works like a charm. :)

So lets see some details.. You setup what network on this opt1 interface? Which specific interface is this? Is it actually enabled? What range did you setup for the dhcp server? And as mentioned - yes just plug a client into this interface does it get an IP? Do the lights come on on the interfaces? Do we even know the cables are good your using? etc. etc.. What other switches do you have? How are they connected.. What specific hardware is this? Is this like a 3100 with switch ports?

It seems that there is an issue with Server ? The process will require 80 MiB more space. 2 MiB to be downloaded. [1/4] Fetching pfSense-pkg-snort-3.2.9.11.txz: .......... done [2/4] Fetching snort-2.9.16.txz: . done pkg-static: https://pkg.pfsense.org/pfSense_v2_4_5_amd64-pfSense_v2_4_5/All/snort-2.9.16.txz: Operation timed out Failed

If i reboot manually. After restore it does not automatically reboot.

Thanks for trying to reproduce on your end. When looking at https://www.freebsd.org/cgi/man.cgi?unbound.conf it indicates that a HUP is handled as a config reload and is different than a full restart. Mentioned in the interface and username sections

@zsing82 said in Script not executing... command not found: Debian boxes. BSD is a whole different animal Actually, for the most part Linux and BSD are similar, in that they're both Unix variations. However, there are some differences, but nowhere near the difference between either and the Windows shell commands.

While the packages list is resolved, I also have a big problem with the expired certificate. DDNS not updating and webservers that are updated I cannot access because of certificate expiration. https://forum.netgate.com/topic/154043/ddns-not-updating-cert-expired

@mykl With the Kingston UV500 series, I had no problem (for NGFW)

@dmd1234498 said in Unable to see computers on LAN over OpenVPN: how can I access drive shares As said : @JKnott said in Unable to see computers on LAN over OpenVPN: Did you export the client for the new configuration? and you should be connected of course (VPN should work). Then ; @Gertjan said in Unable to see computers on LAN over OpenVPN: \a.b.c.d where a.b.c.d is something like 192.168.10.10 then you can access to that PC "192.168.10.10" on the remote LAN. You could even use the network name of the PC if you know it. => back slash back slash and the IPv4 or IPv6 or name of the PC if you know it. in the address bar of the Explorer.

@chpalmer I think I may go back and disable the static routes and leave the rules, and see if routed did its thing or not...

Boa tarde! Sim, ao conectar site to site ele bloqueia o site que desejo e desconectando o acesso e permitido. Estou verificando se falta algum detalhe na qual deixei passar,

@bigbird007 said in Pfsense performance: wait for it to fail, see if I can work it out Finding the issue is actually easy with the FreeRadius package - process. First : stop the FreeRaduisx instance in the GUI, if it is running. Then, use the console or better SSH access, and enter god-mode : option 8. Type the magic command : radiusd -X A boatload of log line scroll over your screen. After an initial startup phase, thing will calm down on your screen. You can leave this screen open, and have break, day of, some sort of delay. When the process dies, one of the last lines will probably printed in red. That is your issue. The question was : what is the issue. The answer will be : read the red line.

Well if your NAS is multihomed and not pointing to pfsense as its default gateway - then yeah going to be a problem connecting to it from a network it has no idea how to get back to.

It is just a USB cable. Same with Cisco. You can carry the same cable to access either though the chipsets might require different drivers.

Hello, Thanks all for the help. It looks good now. Looks like as @jimp mentioned there might be problem with package server. Thanks to all

That was it

@aGeekhere Nice job I haven't seen this before, THX

okay, that is some info i can use for something.

@Gertjan Yes, the R6900 is from Netgear, and with ASUS-merlin firmware(not pfSense), but it is working great.

@bmeeks Understood. Thanks!

@bobbenheim perfect I didnt know about it! (No windows here :) )

@grateful I was assuming the routing between the two sites is already working, isn't it? You have only to enter the site A's LAN into the "Remote Networks" box in the OpenVPN settings at site B and vice versa. With the interface assigned to the OpenVPN instance at A and the forwarding at B it should already work. Edit: The interface introduces pfSense to tag the packets coming from in the VPN interface wtih "reply-to". With that pfSense automatically directs responses from the destination device back to site B.

Doesn't matter which way you do it.. Be it your routed is native or a vlan.. Or if you change this one or add the routed space.

@bmffsc said in redirect wan ip requests to lan ip address: reaching through http://212.252.119.3:8092/OurApp/ Horrible setup! Use a fqdn that resolves to this IP.. Now outside users can get to it via http://something.domain.tld:8092/ourapp where that resolves to 212.x.x.x. your public IP. And internally it resolves to 192.168.1.100 or whatever you local IP of that server is. So the same bookmark works be it they outside or inside.

@minesh-patel Microsoft says nothing about multicast/broadcast. However this guy https://azurenetworkingguy.wordpress.com/2016/08/21/53/ is adamant about it. No multicast traffic supported, no ha availiability etc Configuration sync which is xml/tcp based obviously works. I doubt you can do anything about it. And it seems the same issue also happens on aws. I guess you have to live with the native redundancy that cloud offers. I have no idea if stateful failover is an option in such environment.

@johnpoz This is strange because in DHCP for the internal subnet I have configured external DNS servers.

@johnpoz said in How do i revoke a user certificate from PFSense?: when do users get a cert in ipsec? Don't they just use the KEY ID as their username? Never setup ipsec with such login before. I am not really sure what you mean. I create a user certificate using the CA manager within pfsense. The manager points to my own Microsoft CA server. I install that user + root certificate onto my Phone and create an IKEv2 EAP-TLS (certificate) profile within StrongSwan. And normally when i delete the user certificate i cannot connect anymore. With this pfsense installation i am still able to connect. (Delete / Revoke has got the same end result)

Just do yourself a favor and stay away from the tplink switches... Whole thing that went on for 2 years or so them not actually understanding how vlans are suppose to work, and didn't allow you to remove vlan 1 from ports you wanted to put in a different vlan.. While they suppose to have fixed it in their later models and firmware.. I would just get some other brand - the netgear and dlink ones work.. I have both of those low end models never saw any problems with them actually isolating vlans. If your budget is higher than cheapest you can do this, there there are some much better switches you could get ;) If you have like 200 to spend - yeah some really nice switches ;)