@seism0saurus said in ACME with a private CA (step-ca):

Certificate Revocation Lists are basically broken.

Which has really ZERO to do with the cert you have on your local printer or switch, or some software your running gui like the unifi controller or your nas..

nas.jpg

What is the scenario where I would need to revoke this cert? It is accessed by me, on my local network. To be honest I could just use http for this but the browser complains.

Nevermind. I got it figured out based on Lawrence Systems video:
https://youtu.be/8jQ5UE_7xds?si=iH1hbJp1ZIj34XyI

@stephenw10

I agree 100%. the E2140 will not.

Just a little update there were several other issue other than the CPU.

The Netgear R6220 under powered - disabled Traffic Meter and every thing else, but Access Control, DHCP, port forwarding and WIFI. The RealTek NIC;s conflict with drivers and version(s), just downloaded updated driver package and replaced drivers.

After fixing those items I decided to pull the trigger and move this setup to the i7 NUC, just unplugged the hard disk and plugged it into the i7 NUC, ran the installer but select recover previous configuration from the menu, the followed the installation prompts.

Everything came back configured except the NIC;s just reassigned and set the ip address and bang done.

I am now hitting 1.1 GBPS on downloads and 940 MBPS on uploads. CPU utilization is between 2 - 5% on average and never peaks above 6%. Still using the Netgear but that is another can of woms I will tackle later (too much configuration) need to document and test the document that it is correct as I have allot of Home Smart Devices (i.e cameras, smart plugs, door bells, door locks, etc,,,,) they were a nightmare to setup and get working, do not want to repeat that.

But thank you for replying, as I am I noob with pFsense I can offer little help but if you have question for me just ask I will try my best to answer

DarkKnight

@Gertjan Correct.

Sorry, this was a mispost. I was replying https://forum.netgate.com/topic/180691/at-t-gateway-bypass-true-bridge-using-new-authbridge?_=1694719968811

Start your own thread, it's unlikely to be the same issues others have hit. While symptoms may be similar, there are numerous possible causes that can look the same, and trying to diagnose multiple people's issues in a single thread is not feasible.

@jbeez fixed... definitely user error. I was restoring a filter.inc from a prior version. Restored the proper one and its good to go.

So, I found a GUI "bug". I had correctly set the prefix ID's in the "Tracked Interface" for each VLAN, but at the RA page, I mistakenly reinserted the prefix ID in the fields that are for static (full, not delegated) prefixes. Removed the static prefixes and everything now works. GUI should not let you enter static prefixes on a tracked interface, aside from fc00 or fd. And if it does, it should check if they are correct. One of the prefixes was ::1/64.

@rub75f
So you set up an IPSec server on pfSense with intention to connect to internal devices. No, there should be no more to do.
However, it seems your mobile device cannot connect.

So do you have a public IP on pfSense WAN?
Or is there a router in front of it? If so how did you set up NAT on the router?

Do you have a static public IP or a dynamic?

On pfSense WAN you will have a firewall rule allowing the IPSec packets. So check if any packet hit the rule.

@alek said in pfBlockerNG blocking SMTP:

No ?

That's the easy / easier way.

Have a look at this list : Youtube Netgate everything you always wanted to know, and more.
There is a Muti WAN video. There is a video about VIP, Carps, etc.

The videos are old, but still very valid and very informative. It's a guy from Netgate talking about Netgate/pfSense.

@bob-dig said in IP logs are not being created/populated:

It is odd that this problem still exists for so long now. Sure, it is just an Package but it is the most important one in my book.

Yeah, @BBcan177 is likely a busy gentleman, but I’m sure a new build will surface eventually.

But pfBlockerNG is much more than “just a package”. I’ll bet you pfBlockerNG is BY FAR the most used package on pfSense. In fact I’d highly recommend Netgate to find the currency needed to purchase the talents of bbcan177 and the pfBlockerNG name, and start including it as a bulitin feature of pfsense. With the same development/maintenance and continuity as pfSense itself.

Without pfBlockerNG, pfSense would be a much much less relevant product.

@kiokoman

Thank you for your quick and clear reply!
This helped me out a lot, I didn't realize we could add "Send options" in such a way!

I haven't managed to get a public IP yet but am getting closer and closer :)

Have a great day

It can depend on the switch/router on the other end of the cable. For instance with Comcast routers often when replacing a router in an office (inside the Comcast router) I've found it's fastest to power off or reboot the Comcast router so it learns the IP has a new MAC. If you have the second router on, and are just plugging in cables, I would wonder if restarting the second router (or just leaving it off and powering it on) would help.

But overall CARP set up properly works basically instantly so that would be preferred. https://docs.netgate.com/pfsense/en/latest/book/highavailability/index.html

@NollipfSense @tompark
ok so here are the results of my efforts last night until 0130!
I am currently unable to get my plex to work.
the plex server is on the server 192.168.1.251 and I am trying to access it via the tv firestick. can anyone help?

Skynet.jpg

The entire running config can be backed up from Diag > Backup/Restore.

The file is /conf/config.xml if you're digging through the filesystem directly.

https://docs.netgate.com/pfsense/en/latest/backup/index.html

Steve

@ccigas said in Basic Firewall Set Up:

I guess from there, I would not have to allow DNS or HTTP/S through the firewall from there or is that not needed?

Typically, on an second LAN interface - called OPTx - you would block http and https acces to the Firewall (= pfSense) itself.
Don't block DNS, devices could use pfSense as a DNS, or whatever other DNS they want to use on the net.

@ccigas said in Basic Firewall Set Up:

For the DNS, it seemed to only work
pfSense doesn't use or care about DNS in receives from upstream routers.
The resolver - unbound - uses the 13 main root DNS servers (the real back bone of the Internet) to find domain info. That will always works.
There is no need - isn't used by default :
Ustream DNS servers,
ISP DNS servers,
Private info collection servers (Google and others);
etc.

If the default resolver doesn't work, something is wrong with your Internet access.

Btw : 'named' or bind, isn't used by pfSense. bind is much bigger and capable, and offers functionalities that hugely surpasses the needs of a firewall.