Hi, Because of the differences, is it still a question for me which pfSense version is this? (for example, it's a difference...) The second important thing is server mode (you use TLS), but that's all I see: instead of: I don't see your own cert for the connection either: instead of: like: and even a VPN User is required: with: exactly where does the DNS (10.0.1.31) point?? this is the box itself or a separate DNS server on the network

No idea. But doubtful. If the docker-hypervisor relationship is completely ignorant of the guest OS then maybe, but I wouldn't hold my breath.

@Rico sadly doesn't seem to solve the issue. I deployed the OpenVPN on ubuntu behind the firewall and forwarded the port, now I got it working. I am not sure why it's not working, to be honest, but the fact that it worked for a while and that its very slow without using any resources makes me believe something is unstable there, possibly with how my hosting solution manages VM's. Anyway thank you for all the help.

Open a ticket with the support, they can 100% help you out. https://go.netgate.com -Rico

@Rico word! i do not need to unserstand why i would do this ;) CSO local networks but here in ausrtia a lot of things are possible ;)

Yes the netmasks are all /24. For now it is 1 peer for testing. But in the future i would like to have the possibility to add more clients. The following is what I'm trying to accomplish:

@onlyfor1question said in pfSense installation hangs at a certain screen: @NollipfSense I just tried using that and I got the same error. Sounds as if you're having hardware issue...try pfSense 2.4.5rc to see whether you have the same exact issue.

I suggest you post exactly what the ISP provided to you regarding how they provisioned IPv6 to you.

There are ways to do this by sending logs to a remote syslog server and using third-party tools to scan the firewall log entries. However, be forewarned this will get very old to you very fast (getting alerts/emails for every unwanted firewall access attempt). A normal firewall will see dozens to maybe a few hundred connection attempts per day on the WAN side. Even if you limit the alerts to just a handful of ports, you will soon grow very tired of your email app "dinging" with new mail messages ... . I say this in a nice way, "you must be new to firewall administration"... . This is usually the first thing a newly minted firewall administrator thinks he wants until he has it, then he quickly turns it off.

The entire running config can be backed up from Diag > Backup/Restore. The file is /conf/config.xml if you're digging through the filesystem directly. https://docs.netgate.com/pfsense/en/latest/backup/index.html Steve

@akuma1x Cheers for getting back to me and sorry about the delay in reply. It turns out it was nordvpn in the background. I had it set to "NOT" auto-start with windows, which it wasn't and there was no icon in the app tray but when I went into task manager there was some part of it that was running in the background blocking all Lan traffic but not wan traffic. Really weird, and hard to diagnose! I turned on nord's auto-start with windows feature and turned it off again, rebooted and everything was back on. Really annoying, not happy with Nord.

Well it is up to the ISP device to provide reasonable support for a customer-owned firewall device while still providing the necessary IPTV, etc functionality.

@Gertjan thank you for your suggestion. I uninstall the pfBlockerNG and indeed it worked. Reinstall the pfBlockerNG-devel and it works with all my previous lists. Can I assume it was a bug or something like that?

i will try also to clone the MAC address from the providers router to pfsense pppoe interface

@ccigas said in Basic Firewall Set Up: I guess from there, I would not have to allow DNS or HTTP/S through the firewall from there or is that not needed? Typically, on an second LAN interface - called OPTx - you would block http and https acces to the Firewall (= pfSense) itself. Don't block DNS, devices could use pfSense as a DNS, or whatever other DNS they want to use on the net. @ccigas said in Basic Firewall Set Up: For the DNS, it seemed to only work pfSense doesn't use or care about DNS in receives from upstream routers. The resolver - unbound - uses the 13 main root DNS servers (the real back bone of the Internet) to find domain info. That will always works. There is no need - isn't used by default : Ustream DNS servers, ISP DNS servers, Private info collection servers (Google and others); etc. If the default resolver doesn't work, something is wrong with your Internet access. Btw : 'named' or bind, isn't used by pfSense. bind is much bigger and capable, and offers functionalities that hugely surpasses the needs of a firewall.

@kiokoman @stephenw10 , and everyone else. Thank you. That manual command allowed me to change the date and time, which in turn allowed the correct lease to be picked up. Internet is going well on all fronts.

@KOM ok thanks will try that

Damn that’s encouraging

@oldrik said in Setup and configure snort on pfsense to detect an intrusion detection attemps within a LAN: @kiokoman pls if i understand well, does it mean that snort can't actually alert and block an attack such as a portscan performed by a user on a LAN network to another user on the same LAN ???? if that is the case, how can snort be configure to alert and block a user on a LAN from another user on the same LAN who perform an attack such as a portscan ??? Thanks in advanced Snort runs on the firewall. The firewall is not in the traffic path if two machines on the same LAN talk to each other. Only the LAN switch is in that pathway. The only time the firewall can see traffic from a LAN client is when that client is communicating with an IP address that is NOT part of the LAN. That would be a different LAN subnet where the firewall is the route to the different subnet, or some host out on the Internet (which means the traffic is traversing the WAN interface). So since Snort would not see one LAN client port scanning another LAN client (in the same subnet), it can't do anything about it. If you wanted to monitor traffic between LAN hosts on the same network, then you will need a managed switch that provides a span port (or port mirroring). You would then configure mirroring on the switch and set up a separate installation of Snort on say a Linux host on the LAN and connect that host to the span port on the switch. Only then could Snort on the Linux host see traffic between other LAN hosts.

Show your OpenVPN Config and Firewall Rules (Screenshots). -Rico

Some of those Realtek device should be supported: https://www.freebsd.org/cgi/man.cgi?query=rtwn_usb&apropos=0&sektion=4&manpath=FreeBSD+12.0-RELEASE&arch=default&format=html You might find they work OK. You alreadt have them so nothing but time to lose by testing them. Steve

You would set up a virtual address. https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-address-feature-comparison.html?highlight=virtual Then either port forward or use 1:1 NAT to the second address. Plus some WAN firewall rules to let the traffic pass.

Hola, desde la LAN a vpn externas

@KOM I will wait for the purchase of the new Hardware and perform the system update. Thanks a lot for the help.

Well, I have just got it working. The solution may be very specific to my scenario. First, I need to go through and test all the individual changes I made to ensure each one was needed, remove the cruft that was not needed and I will post the final solution here there after. What I had to do in this scenario was go Pfsense A, go to advance settings of IPsec, From there: Auto-exclude LAN address Enable bypass for LAN interface IP Exclude traffic from LAN subnet to LAN IP address from IPsec. This box was checked by default. I cleared it and traffic is now working both ways. I suspect what mattered here was the fact that Pfsense A didn't have a LAN subnet, and OpenVPN client subnet may have been seen as a LAN by this rule. I am sure one of the Pfsense developers could provide an explanation. Now I just need to check all the routes, rules, Phase 2 parts to ensure they are needed.

@Gertjan Other one are missing, because of google being blocked in china, cellphones and multiple chinese garbage browsers (360browser, etc...) are usually using one of these URL: https://connect.rom.miui.com/generate_204 (Xiaomi) http://www.qualcomm.cn/generate_204 (Huawei) http://www.265.com/generate_204 (Google Chrome, Asus cellphones. This website is owned by google) I also heard that nintendo devices are using http://conntest.nintendowifi.net for captive portal detection but anyway, i don't think that's very important..

@Gertjan said in Trouble With CaptivePortal on Two VLANs in One Interface: You are already using multiple interfaces - a VLAN is considered as a interface. Typically, each interface has its own dedicated AP(s) - using a dedicated radio (== Wifi) setup. A user should choose the correct Wifi SSID first to use the correct network. You can't automatize this. I just wanted to make it happen. I was planning to redirect the user to the correct VLAN by using just one SSID. But I completely got that I can not do it. Thanks for your helps. @free4 I still can not find an opportunity to try PacketFence. I will write down here if I can be successful on it.