@dsmith10 Has anyone ever found the solution to this? I'm running into the same issue. Tailscale can't port translate automatically because we have a CARP IP for our LAN's gateway.

@hispeed What rules do you have on the OpenVPN interface?

Yup, can be a VLAN. pfSense treats a VLAN the same as any other interface.
It can even be something obscure like PPPoE. Though I would not recommend that unless you have no other choice. 😉

Steve

Check the file: /var/db/notices_lastmsg.txt

That file should store the last message sent and prevent sending the same message twice.

Steve

@rwillett said in iperf3 on pfsense server (slower) different to client (faster) - Why?:

Interestingly I didn't get much better throughput on the Macbook client with 5 threads.

Well this is pretty maxed out for gig connection already.

7] 4.00-5.00 sec 111 MBytes 935 Mbits/sec [ 7] 5.00-6.00 sec 112 MBytes 935 Mbits/sec

So no you prob wouldn't see much better than that ;)

@charneval said in CREATE RULE NAT OVER OPEN VPN SITE TO SITE TUNNEL:

The public ip address of the site A is : 92.245.173.212 and I create a nat rule from any to the port 8080 of the nas 172.16.9.240 connected in the site B.

So at site A you have a port forwarding rule for destination WAN address 8080 to 172.16.9.240 8080, correct?

If you don't need any information about the origin source address, you can simply masquerade the packets at site A.

Are both VPN endpoints pfSense and are both the default gateway in their respective local network?

@nedyah700 said in WAN_DHCP6 pending / unknown and dhcpv6 server not working:

@nedyah700 said in WAN_DHCP6 pending / unknown and dhcpv6 server not working:

@bimmerdriver I tried a past development release of 22.05 and had the exact same issue you are experiencing. Traffic flows without any issue but the gateway shows pending. I rolled back when I noticed the issue and haven't tried since.

I also have "Do not wait for a RA" and "Request only an IPv6 prefix" selected.

@bimmerdriver and @jimp I would also add that my Gateway / Monitor IP is an fe80, link-local, address. I swear I remember having this issue a year or so ago and it was resolved with an update.

In my situation, it has always been the case the gateway address is a link-local address. That does not cause a problem on 2.6.0 and it didn't cause a problem on 2.7.0 up to the point where this regression was introduced. As I pointed out above, I think this problem is related to the missing file /tmp/hn0_defaultgwv6.

Certificate errors have nothing to do with blocked traffic entries in the firewall log, which is what I assume you are referring to.
TCP ack flagged traffic like that is blocked when the state that initially allowed it has been closed. You would expect to see some blocked traffic like that in a normal firewall.

https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html

Are you running Squid?

Steve

Hmm, do you see an outbound state for the openvpn traffic on vmx1?

@falassion
potrebbe essere che il modem /router perde la connessione, rilascia il dhcp e poi o non lo rinnova o pfsense non riesca più a rinnovare, bisognerebbe vedere i log ma se non hai niente tra il modem e pfsense ti conviene impostare un ip statico nella wan di pfsense anzichè usare dhcp e vedere se la situazione si ripresenta

@saint-0
io in ufficio ho la 2.5 con freeradius e mfa con google e funziona da un anno a questa parte, c'e' un solo utente che ogni tanto fa fatica e deve riprovare più volte prima di riuscire ad autenticarsi ma sinceramente non ho avuto ancora tempo di indagare sul perchè. volevo aggiornare alla 2.6 quindi se scopri qualcosa o che è un bug facci sapere !

@claudiove
non sei riuscito a fartelo sistemare dal tecnico fastweb ? la cosa è strana perchè uso fastweb + vpn da anni
l'unica differenza è che non uso il modem che mi hanno fornito loro ma ho l'ip statico direttamente su pfsense. potrebbe essere un bug o qualche servizio attivo nei loro modem?

@stefano1856
non mi risulta, pfsense ha strumenti per prevenire ma non per indagare su data breach già avvenuti, liste di spammer aggiornate probabilmente sono già presenti in snort / suricata o nelle liste di pfBlockerng

a me sembra tutto giusto dalla configurazione postata,
in entrata hai le porte del centralino che nattano verso 172.16.0.160
la 443 sulle 2 wan nattano verso nextcloud
in uscita nella lan hai tutto aperto alla fine e finchè non funziona tutto va bene così
come sono configurate le interfacce? forse c'e' qualcosa li o sulla tabella di routing
non c'e' niente nei log?

Still present in HaProxy-devel 0.62_10. While workaround is simple indeed (disable backend, save and enable backend, save) it’s still annoying and I don’t understand what’s exactly happening here.

Initial tests are good. I'll reconfigure the VLANs this way tonight.

@enesas
Is pfSense which is running the OpenVPN server the default gateway in the local network or is there another default gateway?

@exponentialverteilt

Vielen Dank für deine Rückmeldung! :-)

Wäre es möglich, dass du deine WAN-Konfiguration postest (nur um sicher zu gehen, dass ich nicht irgendwo einen Haken vergessen habe)? Vielleicht wage ich nochmal den Versuch, bevor hier Glasfaser liegt :)

Danke!

@nhsep said in Some websites don't load, but all get through the ISP router:

if I switch over one of my computer's interfaces to point directly at the ISP router not only can I get out, but I get a real response.

As @johnpoz said this statement raises questions!
What exactly are you doing to 'switch over'?

It implies you might be simply re-configuring it to use the pfSense IP as it's gateway rather then the ISP router. If that is the case and they are on the same subnet then you almost certainly have an asymmetric route which would explain the failure you're seeing entirely.

https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html

Steve

@steveits Not sure if I resolved yet as had mem issues that had to be fixed, I did start adding sites manually to a white list which seems to solve some problems but not yet all. Am going to swing back around and see if I can get more info to share and hopefully resolve.

@keyser Just bumping this thread out of Interest.

Does anyone know if making IPsec Road warrior “usable” in larger corporations is actually on the roadmap from Netgate, or will it just be stranded at “one pool, one ruleset for all VPN users” going forward?

The Framed-IP-Address is not a solution in larger networks due to the massive maintenance issues it brings.

Those firewall logs are all blocked ACK traffic to connections that have already closed. Not a problem:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html#troubleshooting-blocked-log-entries-for-legitimate-connection-packets

So did you have pfSense in place when you were using the USG-Pro?

Either way I'm not really sure how you can pass multicast through the UXG-Pro with or without pfSense.

Steve

@viragomann

Es war ein DNS Problem.
Habe ich zum Glück lösen können.

Vielen Dank für die Kommentare

Yes. System has 8GB of RAM with only 4% in use.

@stephenw10 log compression off and higher log size seems to have stabilized it.

Theres about 12 computers in that closet. There is cooling and venting into the closet and the alarm never went off but the case was pretty hot to the touch. Will keep an eye on it. thank you.

Oh nice! I didn't see that available, do now! Thanks all!

One of our developers is looking at this. I have opened a bug report for it:
https://redmine.pfsense.org/issues/13210

Steve

Hi ,
after creating the whitelist, create a "myAllowlist" Group ACL
Within this group in the "Target Rules List" area configure your Target Categories as a "whitelist".

908e8c6f-bf69-4e8b-befd-9bea2260ae96-image.png

At the bottom under "Default access [all]" configure as "Deny".

5f58ee89-7da0-4805-9945-9ff930e81f90-image.png

Save the configuration and after saving, to make the changes operational, go to "General settings" and press the "Apply" button

This blocks all traffic except the whitelist.

I hope it is useful
Greetings and good work

@brian-smit said in DHCP 169x IP until i reconnect LAN cable or Turn WIFI on or OFF:

reuse_lease: lease age 1217 (secs) under 25% threshold, reply with unaltered, existing lease "

Those are common - leases normally don't start to renew until 50% done. But as the client gets closer and closer to lease expire, it should start screaming for a renew.. Sending them more and more often.

Once a renew fails - it should send a discover..

I would watch your logs the next time it happens and look right away, set your log to keep more in the gu.. I think it defaults to only the last 50 entries. I have mine set at 2000.. This should allow you to see more entries.

@ttgest you can also try a regular expression tester online. I found a good one. I was having issues with t.co I wanted it blocked however it would block microsoft.com I had to adjust and test with the regular expression tester. Some basic examples below.

Screenshot_20220524-072731.png !

Screenshot_20220524-072641.png!

@ezvink Why are you using pfSense 2.5 and not 2.6version?

@shoulders Cool, thanks.

@johnpoz said in pfSense as initial network filter:

https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html

Thank you John for sharing.

Here is How I configured the Firewall/NAT rules. This even breaks local connectivity other than the pfsense GUI.

https://i.imgur.com/XYXnC8x.pnglinks.expanse.com

I have also tried setting the gateway on the firewall rule to NORDVPN and it still fails.

https://i.imgur.com/TWDi6G7.png

Moinsen,
habe eben auch mal kurz nachgeschaut.
Wenn die als barebone schon knapp 370 Euro kostet, dann noch RAM und SSD dazu...plus die oft angesprochene Problematik mit den Realtek NICs...
Ohne jetzt Werbung machen zu wollen:
du nutzt ja (wie in deinem anderen Beitrag angemerkt) bisher APU2x4 Boards (die haben Intel NICs!)...wenn du unbedingt mehr Leistung haben willst, dann vielleicht zum "Original" greifen, ein 4100er von Netgate ist zwar nochmal etwas teurer, hat aber 4 GB RAM und 16 GB Speicher schon dabei UND ist etwas zukunftssicherer mit 4 x 2,5 GB LAN Anschlussmöglichkeiten...
Nur als Idee...