• 0 Votes
    10 Posts
    435 Views
    U

    Hi all,

    I realized that I did never get back here and tell you how it went.

    I did run on the old hardware for a while until it got unbearable. I then thought to go back to test different things suggested here, but when I started the new firewall again, everything just worked. All interfaces were there, etc. I have now run it for several months with no issue. And the problem with the VPN that went down on the old firewall is also solved, so it must have been too slow hardware. My thought is that it did need one more reboot(?) Maybe an update to get all drivers working or something?

    @Gblenn said in New hardware - not working with config from old hardware:

    I have been thinking about Sophos HW to use for my firewall and as far as I understand there isn't anything "special" about them. Except the SSD that might be locked from installing anything else on it (but that's apparently simple to get around?)

    Yes, I actually did not even test installing pfSense on the current SSD. I just installed a new SSD. And yes, it seems to be just an ordinary computer with many NICs.

  • pfsense 2.8

    Italiano
    1
    0 Votes
    1 Posts
    103 Views
    No one has replied
  • Can't remove SNORT Suppression List

    IDS/IPS
    2
    0 Votes
    2 Posts
    51 Views
    S

    @1-21Gigawatts Should be similar to Suricata, at the bottom of the Suricata > (interface) settings page. By default it has/creates a name though, so that seems odd.

    If nothing else you can edit the list and make it blank.

  • 0 Votes
    3 Posts
    79 Views
    C

    @Gertjan Yes I'm running in debug mode

    Jul 11 16:29:49 dhcp6c 82560 extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:2b:8f:81:6a:20:7c:14:a1:bf:06
    Jul 11 16:29:49 dhcp6c 82560 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
    Jul 11 16:29:49 dhcp6c 82560 failed initialize control message authentication
    Jul 11 16:29:49 dhcp6c 82560 skip opening control port
    Jul 11 16:29:49 dhcp6c 82560 <3>[interface] (9)
    Jul 11 16:29:49 dhcp6c 82560 <5>[igb0] (4)
    Jul 11 16:29:49 dhcp6c 82560 <3>begin of closure [{] (1)
    Jul 11 16:29:49 dhcp6c 82560 <3>[script] (6)
    Jul 11 16:29:49 dhcp6c 82560 <3>["/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh"] (46)
    Jul 11 16:29:49 dhcp6c 82560 <3>end of sentence [;] (1)
    Jul 11 16:29:49 dhcp6c 82560 <3>end of closure [}] (1)
    Jul 11 16:29:49 dhcp6c 82560 <3>end of sentence [;] (1)
    Jul 11 16:29:49 dhcp6c 82560 <3>[id-assoc] (8)
    Jul 11 16:29:49 dhcp6c 82560 <13>[na] (2)
    Jul 11 16:29:49 dhcp6c 82560 <13>[1] (1)
    Jul 11 16:29:49 dhcp6c 82560 <13>begin of closure [{] (1)
    Jul 11 16:29:49 dhcp6c 82560 <3>end of closure [}] (1)
    Jul 11 16:29:49 dhcp6c 82560 <3>end of sentence [;] (1)
    Jul 11 16:29:49 dhcp6c 82560 called
    Jul 11 16:29:49 dhcp6c 82560 some IA configuration defined but not used
    Jul 11 16:29:49 dhcp6c 82560 called
    Jul 11 16:29:49 dhcp6c 82642 reset a timer on igb0, state=INIT, timeo=0, retrans=891
    Jul 11 16:29:49 dhcp6c 82642 Sending Solicit
    Jul 11 16:29:49 dhcp6c 82642 a new XID (93ca57) is generated
    Jul 11 16:29:49 dhcp6c 82642 set client ID (len 14)
    Jul 11 16:29:49 dhcp6c 82642 set elapsed time (len 2)
    Jul 11 16:29:49 dhcp6c 82642 send solicit to ff02::1:2%igb0
    Jul 11 16:29:49 dhcp6c 82642 reset a timer on igb0, state=SOLICIT, timeo=0, retrans=1091
    Jul 11 16:29:49 dhcp6c 82642 receive advertise from fe80::88ce:87ff:fec6:156a%igb0 on igb0
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option client ID, len 14
    Jul 11 16:29:49 dhcp6c 82642 DUID: 00:01:00:01:2b:8f:81:6a:20:7c:14:a1:bf:06
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option server ID, len 14
    Jul 11 16:29:49 dhcp6c 82642 DUID: 00:01:00:01:21:56:39:cc:fa:32:37:34:e3:9f
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option identity association, len 40
    Jul 11 16:29:49 dhcp6c 82642 IA_NA: ID=1, T1=1000, T2=2000
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option IA address, len 24
    Jul 11 16:29:49 dhcp6c 82642 IA_NA address: 2a06:4000:8888:ffff::2 pltime=3000 vltime=4000
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option DNS, len 32
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option IA_PD, len 41
    Jul 11 16:29:49 dhcp6c 82642 IA_PD: ID=1, T1=1000, T2=2000
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option IA_PD prefix, len 25
    Jul 11 16:29:49 dhcp6c 82642 IA_PD prefix: 2a06:4000:8888::/48 pltime=3000 vltime=1546855634413031328
    Jul 11 16:29:49 dhcp6c 82642 server ID: 00:01:00:01:21:56:39:cc:fa:32:37:34:e3:9f, pref=-1
    Jul 11 16:29:49 dhcp6c 82642 reset timer for igb0 to 0.958394
    Jul 11 16:29:49 dhcp6c 82642 receive advertise from fe80::88ce:87ff:fec6:156a%igb0 on igb0
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option client ID, len 14
    Jul 11 16:29:49 dhcp6c 82642 DUID: 00:01:00:01:2b:8f:81:6a:20:7c:14:a1:bf:06
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option server ID, len 14
    Jul 11 16:29:49 dhcp6c 82642 DUID: 00:01:00:01:21:5a:37:e1:96:96:78:4c:ae:6d
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option identity association, len 40
    Jul 11 16:29:49 dhcp6c 82642 IA_NA: ID=1, T1=1000, T2=2000
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option IA address, len 24
    Jul 11 16:29:49 dhcp6c 82642 IA_NA address: 2a06:4000:8888:ffff::2 pltime=3000 vltime=4000
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option DNS, len 32
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option IA_PD, len 41
    Jul 11 16:29:49 dhcp6c 82642 IA_PD: ID=1, T1=1000, T2=2000
    Jul 11 16:29:49 dhcp6c 82642 get DHCP option IA_PD prefix, len 25
    Jul 11 16:29:49 dhcp6c 82642 IA_PD prefix: 2a06:4000:8888::/48 pltime=3000 vltime=1546855634413031328
    Jul 11 16:29:49 dhcp6c 82642 server ID: 00:01:00:01:21:5a:37:e1:96:96:78:4c:ae:6d, pref=-1
    Jul 11 16:29:50 dhcp6c 82642 picked a server (ID: 00:01:00:01:21:56:39:cc:fa:32:37:34:e3:9f)
    Jul 11 16:29:50 dhcp6c 82642 Sending Request
    Jul 11 16:29:50 dhcp6c 82642 a new XID (61396e) is generated
    Jul 11 16:29:50 dhcp6c 82642 set client ID (len 14)
    Jul 11 16:29:50 dhcp6c 82642 set server ID (len 14)
    Jul 11 16:29:50 dhcp6c 82642 set elapsed time (len 2)
    Jul 11 16:29:50 dhcp6c 82642 send request to ff02::1:2%igb0
    Jul 11 16:29:50 dhcp6c 82642 reset a timer on igb0, state=REQUEST, timeo=0, retrans=909
    Jul 11 16:29:50 dhcp6c 82642 receive reply from fe80::88ce:87ff:fec6:156a%igb0 on igb0
    Jul 11 16:29:50 dhcp6c 82642 get DHCP option client ID, len 14
    Jul 11 16:29:50 dhcp6c 82642 DUID: 00:01:00:01:2b:8f:81:6a:20:7c:14:a1:bf:06
    Jul 11 16:29:50 dhcp6c 82642 get DHCP option server ID, len 14
    Jul 11 16:29:50 dhcp6c 82642 DUID: 00:01:00:01:21:56:39:cc:fa:32:37:34:e3:9f
    Jul 11 16:29:50 dhcp6c 82642 get DHCP option identity association, len 40
    Jul 11 16:29:50 dhcp6c 82642 IA_NA: ID=1, T1=1000, T2=2000
    Jul 11 16:29:50 dhcp6c 82642 get DHCP option IA address, len 24
    Jul 11 16:29:50 dhcp6c 82642 IA_NA address: 2a06:4000:8888:ffff::2 pltime=3000 vltime=4000
    Jul 11 16:29:50 dhcp6c 82642 get DHCP option DNS, len 32
    Jul 11 16:29:50 dhcp6c 82642 get DHCP option IA_PD, len 41
    Jul 11 16:29:50 dhcp6c 82642 IA_PD: ID=1, T1=1000, T2=2000
    Jul 11 16:29:50 dhcp6c 82642 get DHCP option IA_PD prefix, len 25
    Jul 11 16:29:50 dhcp6c 82642 IA_PD prefix: 2a06:4000:8888::/48 pltime=3000 vltime=1546855634413031328
    Jul 11 16:29:50 dhcp6c 82642 dhcp6c Received REQUEST
    Jul 11 16:29:50 dhcp6c 82642 nameserver[0] 2a06:4000:0:6::6
    Jul 11 16:29:50 dhcp6c 82642 nameserver[1] 2a06:4000:0:6::5
    Jul 11 16:29:50 dhcp6c 82642 executes /var/etc/dhcp6c_wan_dhcp6withoutra_script.sh
    Jul 11 16:29:50 dhcp6c 36281 dhcp6c REQUEST on igb0 - running rtsold
    Jul 11 16:29:50 dhcp6c 82642 script "/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh" terminated
    Jul 11 16:29:50 dhcp6c 82642 removing an event on igb0, state=REQUEST
    Jul 11 16:29:50 dhcp6c 82642 removing server (ID: 00:01:00:01:21:56:39:cc:fa:32:37:34:e3:9f)
    Jul 11 16:29:50 dhcp6c 82642 removing server (ID: 00:01:00:01:21:5a:37:e1:96:96:78:4c:ae:6d)
    Jul 11 16:29:50 dhcp6c 82642 got an expected reply, sleeping.

  • Client Tunnel Restart when Gateway Offline

    WireGuard
    1
    0 Votes
    1 Posts
    42 Views
    No one has replied
  • 0 Votes
    7 Posts
    591 Views
    C

    Thanks for the useful info.

    Mine was expired 150 days ago, but according to the info above, I've just renewed.

  • Update templates for multi-language support

    Documentation
    1
    0 Votes
    1 Posts
    40 Views
    No one has replied
  • New pfSense Plus 25.03-BETA is here!

    Pinned Messages from the pfSense Team
    53
    2 Votes
    53 Posts
    10k Views
    D

    @netblues looks like my hunch was correct. Not that I wanted it to be.

  • Tailscale Mesh with a Twist

    Routing and Multi WAN
    2
    0 Votes
    2 Posts
    75 Views
    M

    To clarify what does work:

    What works is that from either site, a client device with an IP of 10.40.x.x is able to traverse the tailscale tunnel to the other site by using the 10.65.x.x addresses. However, no device in this 10.40.x.x subnet can get to a 10.40.x.x IP at the other end.

    I realise that I am NATing the outbound connections rather than directly routing them due to the limitations of pfsense, so I am thinking I need to translate the 10.40.x.x subnet on the way out of the site, but nothing I have tried seems to work so far.

  • 0 Votes
    3 Posts
    104 Views
    C

    @stephenw10 unfortunately I had not saved those off, but as I recall they were the same.

    In the meantime I built a new instance with 2.8 instead of upgrading the old one, and built it on the OMV UEFI instead of BIOS. Fingers crossed.

    If it dumps again I will use both logs next post.

    Thanks.

  • RADVD timer issues

    IPv6
    15
    0 Votes
    15 Posts
    315 Views
    JonathanLeeJ

    @Gertjan plus I have that authenticated ntp patch on that file also

  • 0 Votes
    6 Posts
    278 Views
    stephenw10S

    Cool. You shouldn't see them again. Obviously shout if you do!

  • splitting a subnet, moving from LAN to WAN

    Routing and Multi WAN
    10
    0 Votes
    10 Posts
    205 Views
    V

    @sgw said in splitting a subnet, moving from LAN to WAN:

    When I try to ping an IP that has not been used before and in the LAN-part (10.96.25.128/25) from "upstream"/"outside", it gets logged on the pfsense as blocked by the firewall (which is OK in terms of fw-rules).

    So the pfsense seems to take over traffic pointed to these IPs.

    Could I modify NAT-rules maybe? Is that related to Outbound NAT? Could I somehow exclude

    It seems that the lower IP range is routed to the pfSense WAN address. If so, you can do nothing. You cannot use the same IP outside pfSense, because pfSense was not able to route the traffic to the VM, since the subnet is defined on the LAN.

    Your only option would be to use an IP of the upper /25 on the VM and forward it on pfSense. But note that doing this also requires an outbound NAT rule (masquerading) for the forwarded traffic.

  • "Tailscale is not online" problem

    Tailscale
    39
    0 Votes
    39 Posts
    11k Views
    Y

    @chudak Yup. That's exactly what we need for this to be reliable.

  • 0 Votes
    126 Posts
    18k Views
    M

    Maybe I got the issue. We just need to reboot the firewall and select the old kernel, then boot the firewall; after boot it will reboot again and you can access the latest version of the firewall, which is 2.8.0. I tried it and it worked for me.