@stephenw10 Yes, You are right.

Only few items were left in the partition.

root@:~ # mount /dev/ada0p2 /mnt
root@:~ # ls
.k5login .profile .shrc recover_configxml.sh
root@:~ # cd /mnt
root@:/mnt # ls
.cshrc .profile .rnd .snap .sujournal dev lib libexec sbin usr var
root@:/mnt #

@stephenw10
I dunno.... no clue, I rebuilt the 2 hyper-v adapters on the pfsense vm, the external and internal... and of course now it works. Oh well...

Thanks for responding to my question!!!

@stephenw10

Thank you so much.

@felipefonsecabh said in Access service in device connected via IPSEC trought public IP:

I have change local network to Any to carry traffic from any external IP?

Yes, if you are using policy based IPSec and need to keep using that. The policy has to match that traffic and the source IP could be any IP.

But if you do that it will match traffic at the other end for 'any' destination. All traffic from site1 will go over the IPSec tunnel. Which you probably don't want.

A route based VPN tunnel of some sort would give you more options.

@luanks01 said in configurar acesso remoto:

Tentei com e sem https e sem a porta também

Mostre como ficou a sua regra, pode ser que seu provedor não permita conexões na porta 443 de entrada, o que é muito comum em planos residenciais. Inclusive outras portas também são bloqueadas.

Caso esse seja o caso, tente alterar a sua porta dessa forma:

62b92a87-263b-4e08-910d-6bad7892887a-image.png

No campo TCP port, ponha uma porta alta qualquer, como por exemplo 4443, depois altere a regra que você criou anteriormente para permitir conexões na porta que você escolheu, no exemplo aqui desse post seria a 4443.

Lembrando que agora a gerência do firewall será nessa nova porta.

@felipefonsecabh said in Make a Túnnel trought IPSSEC and OpenVPN using PFSense:

Router of External Access can ping DVC1

What source IP does it use for that?
To pass the IPSec tunnel it must be in he 192.168.15.0/24 subnet.
In which case it can only be the External Access router blocking traffic clients on it's LAN. Or potentially redirecting traffic past the IPSec tunnel?
What is that device?

Steve

@BadMan
Не осилить азы и делать выводы, что ПО - дерьмо?
Такое себе.
Ссылка выше - иди читай.
Пока БЕСПЛАТНО делюсь.

@jbannister

SLAAC .... NPT ....
Never used these, as they are 'not needed' ( ? )

I followed the pfsense documentation as mentioned above, and was a happy IPv6 user for many years.

I advise you to validate the pfsense documentation. There is no SLAAC, even as it promises beautiful things. No NPT.
This boils down to : set up a DHCPv6 server on every LAN - with a pool, so you can static DHCP map, as the old DHCPv4 days, your devices.

I'm saying this with any in depth knowledge, but : as soon as I read NPT, there are issues .... so, it must be a complex thing.
And I tend to keep things "simple", especially my Ethernet networks and everything that is related to it.

@rcoleman-netgate Ticket 1418760708 submitted.

Thanks!!

@cxcx_avjj

Hummm.

After a success login, I simply redirect the user to the known :

95300287-8e35-4a7f-823b-a26585729c92-image.png

as that would make the user understand he is 'online'.

But I could also redirect to a "home made", locally available web page, like the portal login page.
This file should be uploaded with the Services>Captive Portal>CPZONE>File Manager
Be aware : the prefix "captiveporal-" will get prefixed.

Take a look at what this button shows you :

c3c27d9a-d1d4-4fb1-9c2d-c7c7bc0515fc-image.png

You will see the login page.
And more important : the URL used, with the port number, as it is not port 80 (http) or 443 (https). Probably a 800x port.
And the zone ID used with a parameter called 'zone'.

So, this is posisbile :
ec125b9e-23a2-4703-86f7-640e3760853a-image.png

Where :
https://portal.yourzone.tld = your captive portal URL - I'm a https access
:8003/ The port of this 'cpzone1 ID access
captiveportal-recap.html My home made file called 'recap.html'
?zone=cpzone1 My zone ID of this portal zone

The "recap.html" html can have use PHP !
And because you can use PHP, and the recap.html is called with the "?zone=cpzone" parameter, you can now access whatever you want !

Take /usr/local/captiveportal/index.php as an example. You'll see how it extract the zone argument.
If, for example, you use vouchers, you can test vouchers for time left : Status > Captive Portal > CPZONE > Test Vouchers
Just take a look at /usr/local/www/status_captiveportal_test.php and you'll know how to extract the time from a given voucher.

How do you know what voucher is used ?
Well, your 'recap.html' can obtain the IP your device is using.
With this IP, and the "connected users database" (see /etc/inc/captiveportal.inc - this file is a must-read-and-understand) you can get the user login code, which is the voucher code.
With the voucher code you can obtain the time left.

Want to know what the default popup logout window does - or how to log out a user?
Again, go have a look at /etc/inc/captiveportal.inc

So, yes, the sky is the limit.
An yes, this goes beyond what you can find in the GUI.

And that worked?

If not then check for blocked traffic. Check the state table at both sites make sure traffic is going where you think it should.

Steve

@viragomann it's ok problem solved i can ping Local machine on LAN network after configuring check box redirect gratway

Ok, 550 x 2Mbps pipes is greater than the total available bandwidth. So it's possible you're simply seeing an upstream limitation dropping packets at which point pfSense has no control over it.
You might be better off setting a bandwith sharing dynamic Limiter on the interface rather than a hard 2Mb limit per user.

Até agora, o que eu consegui:
Fui em Firewall -> Virtual IPs -> IP Alias, e criei da seguinte forma:

172.25.16.1/24

Daí usei essa faixa como Phase2 da configuração do IPSec com a concessionária.

Daí a concessionária consegue pingar normalmente 172.25.16.1, que é o PFSense.

Daí criei um NAT 1:1 da seguinte forma:

Interface: WAN
External Subnet IP: 172.25.16.2 (endereço virtual do "Device" que é o dispositivo que quero enxergar)
Internal IP: Any
Destination: 192.168.102.10
NAT Reflection: Enable

Porém a concessinária não recebe o ping desse endereço. Alguém tem ideia do que está faltando, ou como posso fazer esse redirecionamento?

If I understand your post correctly, you have devices on your internal networks (LAN) that communicate with a database server located elsewhere on the Internet (accessible via your WAN).

If this true, then you need to simply add the IP address of the remote DB server to a Pass List by creating a list on the PASS LIST tab, accepting the default checked options, adding the IP address of the remote DB to the list using the controls at the bottom of the EDIT LIST screen, then save the new list. Now go to the INTERFACE SETTINGS tab in Snort for your WAN (since your are running Snort on that interface) and select the newly created Pass List in the drop-down selector there. Save that change and restart Snort on the interface.

You do NOT need to be changing the HOME_NET nor EXTERNAL_NET variable settings. Changing those is almost never required. And changing them from the defaults without a full understanding of what they are for and how they work will result in a setup that will NOT trigger rules properly. The fact you altered them in an attempt to solve the problem you describe indicates you may not understand what those parameters are actually for. They define the networks to be protected (HOME_NET) and the networks that are assumed hostile (EXTERNAL_NET). The default setup puts every address/network not defined in HOME_NET in EXTERNAL_NET. Literally, in the PHP code, $EXTERNAL_NET is defined as !$HOME_NET (the leading '!' character indicates a logical NOT operation).

Sieht du denn Anfragen von der Fritz kommen?
Du kannst ja einfach ein Capture erstellen mit der IP der Fritz als Filter, dann hast du recht wenig anderes Zeugs drin.

@gertjan I will attempt this tonight and report back. Thanks.

@zipping8761 haha - I warned you, but it a good learning experience ;)

@mrDick гляньте тут - https://forum.netgate.com/topic/131401/%D0%BC%D0%B0%D1%80%D1%88%D1%80%D1%83%D1%82%D0%B8%D0%B7%D0%B0%D1%86%D0%B8%D1%8F-openvpn/75 настроено не по феншую, а переделать не получается. Но сколько лет работает на 3 офиса.

UPD по новым требованиям отключите сжатие и поставьте алгоритм на 512

UPD2 тьфу, забыл. Может уже и не актуально, но в Keenetic в ПЕРВУЮ ОЧЕРЕДЬ отрубите свой OpenVPN от других интерфейсов через CLI (там мануал есть в их хелпе), иначе эта пакость будет туннель пихать и в WI-Fi, даже если там гостевая сеть настроена!!!

@dwren78

Hmmm this is frustrating, could you describe what is happening in more detail? I am confused why it works when you have the Smarthub ahead of the pfsense router. I am not familiar with configuring the smart hub as a bridge, so where is the pppoe authentication done, in the smarthub or pfsense?

Are you getting a v4 address?
Is the v6 interface up?
Are you getting a link-local v6 address?

Dumb question, but I am going to ask it anyway, are you using your bt business pppoe username/password?

cheers

F

Obrigado, vou dar uma olhada.

@stephenw10 I didn't realize that I was able to create an interface for VPN. I did that (and it booted the remote users, lol), and was able to configure the FTP Proxy Client plugin to work with it. Thank you for your help!

Take a look at a HP t620plus thin client, it needs to be the plus model though not the t620.
The t620plus is thicker than the non plus because it has a pcie port to add a network card.

They are quad core 2.0ghz and use around 12-15w of power, you can find them on ebay for around £100.

The link below has some good information on the t620plus.
Link to parkytowers site

Yeah, you wouldn't want to do that because the backend/frontend need to stay the same protocol.

But if you want to be able to enter fqdn.com and have that redirect to www.fqdn.com/home/somepage.htm you should be able to. And doing it there prevents HAProxy accidentally overmatching.

Steve

@unififcf said in Block Internal vLan from accessing Web UI:

they said it is a TrueNAS

Ah - yeah they do not have a "gui" to admin it, but you can for sure configure ipfw on it and manually setup the rules. Haven't played with that in long time.

But ipfw can be its own learning curve for sure - yeah best to move that to different vlan than all your users and just use pfsense.

@ptt and @johnpoz

It worked. Thanks so much for all your help

Yeah...I just saw this post...didn't see it in my search of the forum before:

https://forum.netgate.com/topic/147330/how-to-tag-interface-sfp-ix0-on-an-xg-7100/8

hmmm, I see what you are saying they route between the interfaces. In our small network, we have those vlans listed above with end devices spread out on different switches. I have the Eth 2, and 4 used to ensure routing. Yeah I should have the switches connected but they are not top of the line, and with the costs and this being a nonprofit it is hard to spend that money and even to get the money. I was hoping to utilize the SFP+ ports like I did on the Ubiquity UDM Pro of which we replaced.

I like this unit Netgate, so much better, though...I am now recommending this to everyone.

When you connected the PC directly to Eth1 did it show the expected link speed/duplex?

40Mbps is sufficiently slow to point to a link issue.

Steve

Parece que teve mais gente com esse problema, mas não foi nesse final de semana..
Eu tentaria primeiro clonar essa configuração do dyndns, salva, apaga a antiga, e dá um force update nessa nova, parece que só fazendo isso resolveu o problema para algumas pessoas.

Caso não resolva, dá uma olhada abaixo, tem outras soluções disponíveis

https://forum.netgate.com/topic/162498/solved-dynamic-dns-stop-updating-no-ip-but-from-pfsense-status-is-updated
https://forum.netgate.com/topic/164263/any-known-issues-since-update-dyn-dns
https://redmine.pfsense.org/issues/11815
https://redmine.pfsense.org/issues/12021

@stephenw10 forgot to report back but yes my problem has been solved.

Many thanks.

An HA pfSense setup would usually be between two devices in the same location, often in the same rack. It's intended to mitigate a failing node or connection to/from that node.
There is no reason it could not be between nodes in different buildings as long as they can be on the same layer 2 segments but there's not really much advantage in doing so.

Steve

@benjaminbeckcsl
Ohne Konfiguration ist das echt schwer

Hello,

Just to update about the crashs: they didn't happen again.
Also, I've being using Suricata 6.0.3 release since than, and no netmap issues 😸

So, I changed my RAM, and tested the old ones:
24H of MemTest86+ and at least 5hrs of GoldMemory (not the best tests, but still), resulted in not a single red flag for them (tested individually), AND I'm using them on other Win machines withouth BSOD or anything in the logs.

I already saw RAM tests failing to detect problems, so based on what you explained, I'm assuming that both 1 - the issue with Suricata's Multithreading ring access, and 2 - darkstat, were hitting some intermittent problem, that I could not with tests and other OS.

Anyway, thank you for helping me out solving this. Really appreciate @stephenw10 and @bmeeks !