NTP is 100% UDP and with UDP your application (in this case the NTP service) is responsible for both sending out the queries and listening for replies. This is completely unlike compared to TCP where TCP does all the heavy lifting for you with setting up the connection and dealing with the return traffic. The consquence of this is that any application using a UDP based protocol has to listen on a socket to do anything, even if it’s just a client querying other servers.

So my board came back and my bare metal pfsense is up and running again, installed from scratch. I remain unable to set up a new traffic shaper configuration with 2 WAN and 1 LAN interfaces.

@caraffandee said in Time to modernize core?: Hi, everybody. I’m relatively new to pfSense, so I’m grateful for it being free and supported. Yet, I’m quite surprised that core pfSense is using so ancient core packages such as php 5.6! When talking about security the usual mantra is as alway “keep up to date”! The why is pfSense stuck to such an old PHP version? According to php.net, V 5.6 will reach its end-of-life on December 2018. Freeradius 3 is available as a package

This is the scenario thata I am trying to accomplish:

Na dein VLAN 3 muss getagged auf dem Port des APs ankommen. Da musst du halt mal die Doku des Switches durchforsten, das hat mit der pfSense nix zu tun.

@ptz-m said in Маршрутизация OpenVPN: Винда идентифицирует соединения из тунеля (172. А должна из сети за клиентом. @ptz-m said in Маршрутизация OpenVPN: нужно правильный синтаксис писать iroute 192.168.1.0 255.255.255.0 Отмтайте тему назад и посчитайте, сколько раз про iroute вам тут говорили. Момент номер 2. Убедитесь что Zyxel не поднимает NAT для своего OpenVPN интерфейса. @ptz-m said in Маршрутизация OpenVPN: Вообще проще через Диагностика - Редактировать файл привести конфиг сервака на данный момент из /var/etc/openvpn/server1.conf Нет. Этого делать не надо. Если и сработает - до до первой перезагрузки. Плюс pfSense - практически идеал в смысле GUI настроек вообще, OpenVPN - в частности. Более того, даже для iroute есть GUI-аналог, да еще хорошо откомментированный: IPv4 Remote Network/s These are the IPv4 networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established. Expressed as a comma-separated list of one or more CIDR ranges. May be left blank if there are no client-side networks to be routed. NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings. В pfSense можно настроить OpenVPN практическти не используя поля Advanced.

Below is the stubby config im using. resolution_type: GETDNS_RESOLUTION_STUB dns_transport_list: GETDNS_TRANSPORT_TLS tls_authentication: GETDNS_AUTHENTICATION_REQUIRED dnssec_return_status: GETDNS_EXTENSION_TRUE tls_query_padding_blocksize: 256 edns_client_subnet_private : 1 idle_timeout: 60000 listen_addresses: 172.28.57.252@8069 dnssec_trust_anchors: "/usr/local/etc/unbound/root.key" round_robin_upstreams: 1 upstream_recursive_servers: cloudflare1 address_data: 1.1.1.1 tls_port: 853 tls_auth_name: "cloudflare-dns.com" tls_pubkey_pinset: digest: "sha256" value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc= cloudflare2 address_data: 1.0.0.1 tls_port: 853 tls_auth_name: "cloudflare-dns.com" tls_pubkey_pinset: digest: "sha256" value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc= dot.securedns.eu - HAProxy + Bind - address_data: 146.185.167.43 tls_port: 853 tls_auth_name: “dot.securedns.eu” tls_pubkey_pinset: - digest: “sha256” value: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g= ns1.dnsprivacy.at - Unbound address_data: 94.130.110.185 tls_port: 853 tls_auth_name: "ns1.dnsprivacy.at" tls_pubkey_pinset: digest: "sha256" value: vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY= ns2.dnsprivacy.at - Unbound address_data: 94.130.110.178 tls_port: 853 tls_auth_name: "ns2.dnsprivacy.at" tls_pubkey_pinset: digest: "sha256" value: s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg= dnsovertls.sinodun.com - HAProxy + Bind 9.12 - address_data: 145.100.185.15 tls_port: 853 tls_auth_name: “dnsovertls.sinodun.com” tls_pubkey_pinset: - digest: “sha256” value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= dnsovertls1.sinodun.com - HAProxy + Bind 9.12 - address_data: 145.100.185.16 tls_port: 853 tls_auth_name: “dnsovertls1.sinodun.com” tls_pubkey_pinset: - digest: “sha256” value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= dnsovertls2.sinodun.com - HAProxy + Bind 9.12 - address_data: 145.100.185.17 tls_port: 853 tls_auth_name: “dnsovertls2.sinodun.com” tls_pubkey_pinset: - digest: “sha256” value: NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg= dnsovertls3.sinodun.com - HAProxy + Bind 9.12 - address_data: 145.100.185.18 tls_port: 853 tls_auth_name: “dnsovertls3.sinodun.com” tls_pubkey_pinset: - digest: “sha256” value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8= DKG - knot - address_data: 199.58.81.218 tls_port: 853 tls_auth_name: “dns.cmrg.net” tls_pubkey_pinset: - digest: “sha256” value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo= dns.neutopia.org - knot - address_data: 89.234.186.112 tls_port: 853 tls_auth_name: “dns.neutopia.org” tls_pubkey_pinset: - digest: “sha256” value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI= getdnsapi.net - Unbound - address_data: 185.49.141.37 tls_port: 853 tls_auth_name: “getdnsapi.net” tls_pubkey_pinset: - digest: “sha256” value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= UncensoredDNS - ? - address_data: 89.233.43.71 tls_port: 853 tls_auth_name: “unicast.censurfridns.dk” tls_pubkey_pinset: - digest: “sha256” value: wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=

@unique24 said in pfsense bootet nicht mehr complet: Aber ist das nun nur ein Zufall. Einen Stromausfall als Beispiel kann ich nicht immer abfangen. Na dafür hat man eine USV. Man kann auch einen ZFS Mirror mit mindestens 2 Medien aufsetzen, aber das vermindert nur das Risiko eines Datenfehlers.

@tsis said in Horarios de navegación: @periko vi tu video, buena cosa y animada a ver … yo tengo habilitado el modo transparente pero no creo esa regla hacia el puerto del proxy, voy creando reglas por puertos que requiero 80,443,53 etc… seria más efectivo con una sola regla así evitas saltarse el squid, me di cuenta hoy que ayer pensaba que no funcionaba pero hoy vi que desde wifi usando el mismo segmento aparece la wifi con limitacion sin accedo a internet, en horario fuera de internet para un rango de ips. y por cable otro rango que si tiene servicio, luego entiendo que funciona. ahora como tu dices hay que ir perfilando temas para tenerlo todo atado. si tengo exclusiones de ip que no quiero que pasen por el squid entonces debería de tener las reglas de navegación por servicio o puerto, las típicas dns,pop,web etc … gracias

There is a Sync Tab that enable you to XMLRPC Sync to other hosts. Another option is to copy/paste pfblockerNG settings from a config.xml to the other pfsense config.xml

There is a Disable General/DNSBL tab settings sync settings in 2.2.1 Devel version.

@guitarcleiton said in Pacote não oficial E2guardian v5 para software pfsense: @marcelloc minhas versões são 2.3.5 x64 e 2.3.4 x86 Estou subindo a versão 5.1 para o repositório não oficial. Veja se nessa versão, o e2guardian funciona melhor no pfSense 2.3.x Para quem está usando o pfSense 2.3.x, depois de atualizar o pacote para a versão 0.5.0.3_8 ou superior, altere o modo de apply para Reload by SO rc.d script

Salva as configurações do sarg novamente. Estou veriifcando esse bug do pacote sarg. em algum momento o sarg.conf é gerado sem a informação do log.

To do what exactly? I would try not having it assign and see if everything works.

https://pf2ad.mundounix.com.br/en/index.html

@dano-pogac said in Upgrade 2.4.3 to 2.4.3_1 error in firewall rules: Hello I have same problem. When i add IPv6 Virtual IP in CARP there is added this line to /tmp/rules.debug The real fix is posted farther up in the thread. No need for workarounds.

If you need to reinstall on an APU (first or second gen), the amd64 serial-memstick image is what you’d need.

@rbarceloss Olá tudo bem pessoal. consegui resolver no meu tambem o mesmo problema que o do @rbarceloss porém agora parece que nao esta filtrando, digo gerando os logs, vejam o print abaixo. Ja revisei as configurações mas nao esta dando certo meu squidanalyser.

thank you so much, the graph in Monitoring section was exactly what I was looking for.

@onyxfire It’s already set, didn’t help either. Thanks for the tip though

@werter Обратите на IP 192.168.1.29 происходит блокировка не проходит синхронизация в интернете описывается как TCP SYN Flooding Attacks

хм… проверю завтра и отпишусь

Hola, Periko, Gracias, siiii si vendo internet y me a dado mucha curiosidad de saber que no podre pasar o tener 300 clientes, cual seria esa razon y que puedo hacer. Otra cosa es que una ves reinstale a pfsense y subi la copia de seguridad y todo bien pero algunos clientes tienen ip fija y por algun motivo el servidor DHCP repetia a otros clientes la misma ip ya asignada.

Works fine for me too, have you added a firewall rule on the WAN interface ?

We expect the store will be back online soon, then we can confirm the status. I’m truly sorry for this inconvenience. I’ll update you once the store is back online. Thanks! e: can you please send an email to sales@netgate.com so our sales can contact you with shipping status? Thanks!

I use can you see me all the time - works great. Keep in mind these are valid to test with TCP, not UDP. As mentioned already if you want to forward all ports to a box behind pfsense, then yeah 1:1 would be the better choice.

@caltommo said in HELP APPRECIATED** 3G/4G Modem as WAN Interface?!: how easy you think it would be to configure within PfSense? If it provides ethernet then there would be really nothing to configure in pfsense other than the interface to connect to. Why can you not just plug in say the netgear to your UPS? They also make a battery powered one that can run for like 24 hours on its battery. But its cost more… https://www.netgear.com/landings/nighthawk-mr1100-mobile-router/ That china thing is only a few dollars less than the netgear one I linked too. I show the LB1120 on amazon for $102

Hi, noch eine Frage. Hast du den VPN-Test via LTE gemacht, sprich dich aus deinem WLAN abgemeldet? Es kann nämlich sein, dass er die Route nicht findet da du ja schon im lokalen Netz mit WLAN verbunden bist. Die VPN-Tests solltest du wenn möglich über ein anderes Netz erledigen, sprich über deine Handy mit mobilen Daten (LTE/ G3). VG, p54

At first his ISP thought he was going over his rated speed, but we traffic shaped and determined that was not the problem. His ISP now thinks it is the PPPoE Keep Alives not being recieved thus terminating his line. How would he got about mitigating this on the SG-1000? Here is what the ISP said,

I managed to fix this. Annoyingly I was selecting the wrong physical NIC for the virtual switch…

Or : steal the RSS feed from that widget, and have the info been shot at you using any browser. edit : the feed is fed from here https://www.netgate.com/blog/

I’ve tried manually setting it up and following the wizard and I can’t find any settings to set the limit per gateway. Does anyone know how I’d go about this? I think the only option would be to set a limiter on the rule that points out a specific gateway and set the queue in the rule as well. Will have a further play tonight to see if I can get it sortof working

Hallo Das ganze ist ein Server bei einem Hoster mit einer einer Haupt IP und einem eingebundenen Subnet als Alias IP an WAN1 Die weitere Einzel IP oder das weitere Subnet (noch nicht geklärt) käme dann über WAN2 in die PFSense rein… Der LinuxServer hängt intern an LAN der PFSense. Reicht das für eine Beurteilung ?

Hello, c’est bon c’est en place pour l’OpenVPN, il n’écoute pas sur le localhost (car je n’ai pas réussi à le faire fonctionner comme ça) mais sur l’interface LAN (en fait j’ai un peu galéré car je pensais qu’il fallait que je mette à jour aussi la règle lié à l’interface OpenVPN qui avait été créée en wizard, mais il fallait que je la laisse sur l’interface OpenVPN) J’ai ensuite fait les 2 règles (une pour chaque Wan) pour spécifier, sur chaque interface WAN, une règle pour accepter toutes les sources à destination de l’ip du pfSense, sur le port OpenVPN. Et enfin bien sûr ouvert les ports sur les modems avec transfert vers le serveur VPN et ça me permet aussi depuis les modems d’ouvrir d’autres ports et faire les transferts de ports en conséquence dès les modems. Merci Chris4916, c’était un détail mais pour le coup c’est carrément plus souple de le paramétrer comme ça. Il me reste donc plus que mon problème de 4G car de ce côté là ça ne fonctionne pas : Sur le modem (Huawei) j’ai fait un transfert du 443 TCP vers mon 1194 UPD mais je ne parviens toujours pas à me connecter en VPN même en mettant dans l’openVPN client l’ip publique 4G. N’y a-t-il pas de solutions ? Pour info : tout fonctionne correctement quand je suis avec l’abonnement 4G Bouygues, mais ça ne fonctionne pas sous un abonnement RED by SFR ou SFR tout court.