@devey I hope others more knowledgeable would chime ... all I can think of off the top of my head is use a USB key in conjunction with certificates to be able to manage the group without system admin privileges

@werter OSPF - это уже лишнее в данной ситуации. Вопрос этот я решил через дополнительную фазу 2

I dig some more on the problem. It seems to be a dns problem with pfsense-pppoe and Windows.
I will update when i discover some more info

Yup that^. You can't make that page work for https as long as you have any sort of sane security in your browser.

Steve

@m0nji Ist doch schön wenn es auch für was anderes gut ist :)

@nds2k said in Torrent kills PFSense DELL R210II Box:

I shall try that when once other family members are not using the network.

If you know what device is using the torrent, and you have a ISP router in front of your pfSEnse, you could hook up that device only without taking your network down.

@nds2k said in Torrent kills PFSense DELL R210II Box:

Noted!

You didn't know that most ISP's do not like at all the usage of P2P protocols as they are used for distributing very legal info like Windows updates and the like, and also less legal files like ripped DVD etc ?
If the destination IP is from these "Windows updates" servers, then the content isn't blocked, of course.

Feliz fin de año a todos y que la pasen bien.

Después de investigar mas sobre las reglas del firewall, el portal cautivo, dns resolver y sobre las Zonas desmilitarizadas (DMZ), pude solucionar el problema de la redirección del portal hacia mi servidor web, tuve que borrar algunas reglas anteriores que en mi caso no son importantes.

Luego de configurar la interfaz de la DMZ, darle acceso a la red LAN con las reglas del firewall, le di un dominio a la ip del servidor WEB con el DNS resolver y en el portal cautivo en "after authentication redirect" colocar ese dominio, tuve como resultado que cada usuario que se conecte a mi router pueda ser redireccionado al portal cautivo y de ahí autenticarse con solo hacer click al botón que está por defecto del pfsense (Que con un poco de css, html y no puede faltar javascript voy a cambiarle el estilo con respecto a mi proyecto) de ahí ser redireccionado a mi pagina web al fin.

Bueno no del todo, mis pruebas se limitaron a dispositivos móviles en el cual no me ha dado el resultado que pienso que debería dar, ya que por lo menos en android al conectase de manera intuitiva (no por el navegador si no por un programa que desconozco) me lleva al portal para autenticarme, clikeo el botón y me redirecciona automáticamente a mi pagina web pero al pasar 1 o 2 segundos se cierra el programa que abre el portal cautivo y claro por ende ya me deja navegar e ingresar de nuevo a mi pagina web, pero ya saben tengo que abrir el navegador y tipear la url, la idea es que se quede en la pagina que me redireccionó ósea en mi pagina web.

Me imagino que en otros sistemas operativos diseñados para computadoras eso no debería pasar ya que el usuario tendría que abrir el navegador, buscar algo y por naturaleza del pfsense ser redireccionado al portal cautivo, y como ya está en el navegador este no tiene porque cerrarse como me pasó a mi en el celular.

Solo me queda arreglar eso y bueno, tal vez me aventure a buscar manera que los usuarios no busquen otra cosa fuera de mi servidor web, que ya con una regla de firewall les quito el acceso a internet pero me gustaría que fuesen redireccionados al mismo si eso pasa.

Buenas noches.

@j-sejo1 Hola, mira quiero que en mi red local (sin internet nada que ver, solo mi red wifi) las personas que se conecten a mi wifi cuando hagan una búsqueda en chorme, firefox o cualquier otro navegador, sean redireccionados a mi pagina web que se aloja en un servidor Nodejs, (107.0.0.1:443 localhost). Estoy usando VirtualBox para pfSense porque no dispongo de otro ordenador.

@kiokoman Ugh, thank you! Working now!

exactly - out of the box unbound does not allow vpn users to query it.. If you want your vpn users to be able to query unbound, you have to create a ACL to allow that. Per the example posted by @bingo600

Thank you very much! Your solution fixed my problem! I missed to add the tunnel network to the remote networks on site B.

@mhmz

does it make any sense sitting on proxy server with deactivated aes-ni ?

@alexandre-angeli said in IPSEC perdendo conexão:

A IPSEC fica offline enquanto não usa, e comprovei o correto funcionamento, quando pingo ela "levanta" novamente.

Hmmmm, mas:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/keep-alive.html

1a3034a0-a3b0-4adf-be66-231891d71266-image.png

OMG -- dude if I am sending 1gbps of traffic down your pipe, and your pipe is 10mbps.. How is any good traffic going to get to pfsense? at all??

This isn't complicated...

Your traffic cop at the end of the road, can't do anything about the 3 mile long pileup on the 1 lane road to him, if all the cars from a 10 lane freeway are trying to get onto the 1 lane dirt road..

You need to put someone up at the 10 lane freeway off ramp to your 1 lane dirt road, to only let cars onto that road that you want..

You really need to do some more research if you think any sort of firewall, be it pfsense or 100K super NGFW from cisco can do anything against a volumetric ddos that fills up your 1 lane dirt road to get to it..

edit: this is a bit late.. But ran across this just a bit ago, and thought this is a perfect example how a firewall can not stop a volumetric attack ;)

https://www.zdnet.com/article/google-says-it-mitigated-a-2-54-tbps-ddos-attack-in-2017-largest-known-to-date/

So even if you had 1, 10 or even 100 gig pipe, what hope do you think your firewall would have with such an attack ;) 2.5TBps - this is what I mean when the pipe is full, its full - nothing your firewall can do at the end of the pipe ;)

@nash27 said in Health Checks for PfSense:

route53 healthchecks

Don't those check from multiple locations? If your blocking access to where those checks are coming from - then yes they would fail.

I would assume that if your opening 443 on pfsense to the internet for managment, you would have that locked down to specific IPs - atleast that is what any sane person would do ;)

@sramsterdam showww, obrigado por compartilhar sua solução.

bandwidthd

https://www.netgate.com/resources/videos/bandwidth-monitoring-on-pfsense.html

Thanks.

@maverickws

have you checked iperf3 speeds between pfsense and xcp-ng itself?
Mine is bad. Additionally from pfsense to xcp-ng it has many retries during transfer

Only installed Ntopng, don't have any other packages besides the ones already pre-installed on Pfsense. 35 GB. 4GB RAM and 4 CPU cores.

It can depend on the switch/router on the other end of the cable. For instance with Comcast routers often when replacing a router in an office (inside the Comcast router) I've found it's fastest to power off or reboot the Comcast router so it learns the IP has a new MAC. If you have the second router on, and are just plugging in cables, I would wonder if restarting the second router (or just leaving it off and powering it on) would help.

But overall CARP set up properly works basically instantly so that would be preferred. https://docs.netgate.com/pfsense/en/latest/book/highavailability/index.html

@pfuzer pfsense with pfblockergng-dev and suricata

Ah es funzt u sieht schon viel besser aus :)

@CodeNinja said in How to setup a second local network for an IPSec connection?:

I'm also curious if its preferred/best practice to use "supernet" or this "multiple tunnel" construction like i currently do.

In many bigger scenarios, I see "supernets" or bigger CIDR masks to simplify tunnel deployments. Especially in centralized structures with one or two "main" sites with big uplinks and many small/branch offices network design often tends to do sth. along these lines:

Roll out big network structure on main(1) -> e.g. multiple 172.19.x.0/24 networks for security segmentation Dial Up / RAS VPN uses IP ranges either from an upper 172.19.x segment or another IP range altogether (e.g. 192.168.vvv.0/24) Branch offices use separate range -> e.g. 10.10.bbb.0/24 for office 1, 10.20.bbb.0/24 for office 2 (or 10.11.bbb.0 if you have a whole lot of branch offices).

With that setup, you can easily do tunnels from "main" to "site a" with <172.19.0.0/16> <-> <10.10.0.0/16> and have no problem whatsoever to grow in either space. If you have the need for new networks on site or on in the main location - just add another VLAN with /24 and as your tunnel is set up with /16 it already includes the new networks.

So yeah, pretty common to use CIDR ranges bigger than your local network to add some "space to grow" lateron.

I also noticed this morning that one of the connection had 8 tunnels where i expected only 4. 5 are duplicates from eachother and 1 is missing..

That seems strange. A duplicate can (and will) happen at times, when rekeying gets near and the lifetime is about to expire. Then it's pretty normal to sometimes see every phase with a second entry as the old one gets "disabled" (but not disconnected) and the new one takes over so the rekey/lifetime turnaround goes smooth. You then see new traffic accumulate on the newer P2 and the old one won't get any more and after expiry should vanish a few seconds/minutes later. But having the same phase 5 times is strange. And some were brought up only seconds after another. Weird. I'd disconnect the whole bunch and reestablish the tunnel and check if that happens again. Perhaps something with the edgerouter on the other site? Maybe setting the split option in P1 of the connection could help if pfsense tries to group the connection but the edgerouter doesn't support it (fully) - but that's just a guess.

Hey,

ich habs jetzt hinbekommen, also nicht selber :/. Mein Freund hat mir geholfen und es geht jetzt.
Vielen dank für die ganze Hilfe.

LG
Mathias

@minesh-patel Microsoft says nothing about multicast/broadcast.
However this guy
https://azurenetworkingguy.wordpress.com/2016/08/21/53/
is adamant about it.
No multicast traffic supported, no ha availiability etc

Configuration sync which is xml/tcp based obviously works.

I doubt you can do anything about it. And it seems the same issue also happens on aws.

I guess you have to live with the native redundancy that cloud offers.

I have no idea if stateful failover is an option in such environment.

Hi,
Because of the differences, is it still a question for me which pfSense version is this?
(for example, it's a difference...)

a5e04914-dd2a-4541-837e-1c1e7326f70d-image.png

The second important thing is server mode (you use TLS), but that's all I see:

a4666822-e747-4e05-9657-82e796510e7c-image.png

instead of:

0b4e10a0-be71-4b2c-ad2c-d118a3478c69-image.png

I don't see your own cert for the connection either:

8b5bbbd9-235b-4183-94a3-d0bd6e1d3d4e-image.png

instead of:

8fd16d58-39b6-45f3-a24c-c4f941401cf3-image.png

like:
ff6291f2-6a01-4d33-866c-1f5c2019df89-image.png

and even a VPN User is required:

3397cc2b-5bbd-4e55-933a-bccc0f134c07-image.png

with:

a4585c69-0d7d-49a8-8bc9-792285643332-image.png

exactly where does the DNS (10.0.1.31) point?? this is the box itself or a separate DNS server on the network

No idea. But doubtful. If the docker-hypervisor relationship is completely ignorant of the guest OS then maybe, but I wouldn't hold my breath.

@Rico sadly doesn't seem to solve the issue.

I deployed the OpenVPN on ubuntu behind the firewall and forwarded the port, now I got it working.
I am not sure why it's not working, to be honest, but the fact that it worked for a while and that its very slow without using any resources makes me believe something is unstable there, possibly with how my hosting solution manages VM's.

Anyway thank you for all the help.

Open a ticket with the support, they can 100% help you out.
https://go.netgate.com

-Rico

@Rico
word! i do not need to unserstand why i would do this ;)
CSO local networks but here in ausrtia a lot of things are possible ;)