@mrDick гляньте тут - https://forum.netgate.com/topic/131401/%D0%BC%D0%B0%D1%80%D1%88%D1%80%D1%83%D1%82%D0%B8%D0%B7%D0%B0%D1%86%D0%B8%D1%8F-openvpn/75 настроено не по феншую, а переделать не получается. Но сколько лет работает на 3 офиса.

UPD по новым требованиям отключите сжатие и поставьте алгоритм на 512

UPD2 тьфу, забыл. Может уже и не актуально, но в Keenetic в ПЕРВУЮ ОЧЕРЕДЬ отрубите свой OpenVPN от других интерфейсов через CLI (там мануал есть в их хелпе), иначе эта пакость будет туннель пихать и в WI-Fi, даже если там гостевая сеть настроена!!!

@dwren78

Hmmm this is frustrating, could you describe what is happening in more detail? I am confused why it works when you have the Smarthub ahead of the pfsense router. I am not familiar with configuring the smart hub as a bridge, so where is the pppoe authentication done, in the smarthub or pfsense?

Are you getting a v4 address?
Is the v6 interface up?
Are you getting a link-local v6 address?

Dumb question, but I am going to ask it anyway, are you using your bt business pppoe username/password?

cheers

F

Obrigado, vou dar uma olhada.

@stephenw10 I didn't realize that I was able to create an interface for VPN. I did that (and it booted the remote users, lol), and was able to configure the FTP Proxy Client plugin to work with it. Thank you for your help!

Take a look at a HP t620plus thin client, it needs to be the plus model though not the t620.
The t620plus is thicker than the non plus because it has a pcie port to add a network card.

They are quad core 2.0ghz and use around 12-15w of power, you can find them on ebay for around £100.

The link below has some good information on the t620plus.
Link to parkytowers site

Yeah, you wouldn't want to do that because the backend/frontend need to stay the same protocol.

But if you want to be able to enter fqdn.com and have that redirect to www.fqdn.com/home/somepage.htm you should be able to. And doing it there prevents HAProxy accidentally overmatching.

Steve

@unififcf said in Block Internal vLan from accessing Web UI:

they said it is a TrueNAS

Ah - yeah they do not have a "gui" to admin it, but you can for sure configure ipfw on it and manually setup the rules. Haven't played with that in long time.

But ipfw can be its own learning curve for sure - yeah best to move that to different vlan than all your users and just use pfsense.

@ptt and @johnpoz

It worked. Thanks so much for all your help

Yeah...I just saw this post...didn't see it in my search of the forum before:

https://forum.netgate.com/topic/147330/how-to-tag-interface-sfp-ix0-on-an-xg-7100/8

hmmm, I see what you are saying they route between the interfaces. In our small network, we have those vlans listed above with end devices spread out on different switches. I have the Eth 2, and 4 used to ensure routing. Yeah I should have the switches connected but they are not top of the line, and with the costs and this being a nonprofit it is hard to spend that money and even to get the money. I was hoping to utilize the SFP+ ports like I did on the Ubiquity UDM Pro of which we replaced.

I like this unit Netgate, so much better, though...I am now recommending this to everyone.

When you connected the PC directly to Eth1 did it show the expected link speed/duplex?

40Mbps is sufficiently slow to point to a link issue.

Steve

Parece que teve mais gente com esse problema, mas não foi nesse final de semana..
Eu tentaria primeiro clonar essa configuração do dyndns, salva, apaga a antiga, e dá um force update nessa nova, parece que só fazendo isso resolveu o problema para algumas pessoas.

Caso não resolva, dá uma olhada abaixo, tem outras soluções disponíveis

https://forum.netgate.com/topic/162498/solved-dynamic-dns-stop-updating-no-ip-but-from-pfsense-status-is-updated
https://forum.netgate.com/topic/164263/any-known-issues-since-update-dyn-dns
https://redmine.pfsense.org/issues/11815
https://redmine.pfsense.org/issues/12021

@stephenw10 forgot to report back but yes my problem has been solved.

Many thanks.

An HA pfSense setup would usually be between two devices in the same location, often in the same rack. It's intended to mitigate a failing node or connection to/from that node.
There is no reason it could not be between nodes in different buildings as long as they can be on the same layer 2 segments but there's not really much advantage in doing so.

Steve

@benjaminbeckcsl
Ohne Konfiguration ist das echt schwer

Hello,

Just to update about the crashs: they didn't happen again.
Also, I've being using Suricata 6.0.3 release since than, and no netmap issues 😸

So, I changed my RAM, and tested the old ones:
24H of MemTest86+ and at least 5hrs of GoldMemory (not the best tests, but still), resulted in not a single red flag for them (tested individually), AND I'm using them on other Win machines withouth BSOD or anything in the logs.

I already saw RAM tests failing to detect problems, so based on what you explained, I'm assuming that both 1 - the issue with Suricata's Multithreading ring access, and 2 - darkstat, were hitting some intermittent problem, that I could not with tests and other OS.

Anyway, thank you for helping me out solving this. Really appreciate @stephenw10 and @bmeeks !

@lucasll había puesto el IP y puerto del kerio en Advanced - Miscellaneus del pfsense pero ya encontré la solución. Mi DNS superior no resolvía las direcciones fuera de la VPN. Utilicé un repositorio alternativo que el DNS era capaz de resolver.

@jgq85

It wouldn't be a WAN port. The WAN port connects to the Internet, though you could consider the port on the UDM as "WAN" as it's the one that's closest to the Internet. You can connect it to pfsense with either a separate LAN port on pfsense or VLAN.

@norcarde A transparent proxy would solve your application problems, but they are a hassle to setup and can introduce their own problems.

@santi buen día. Ya revisé el log. Dónde obtuve la ip a la cual de está conectado, la agregue a la lista blanca, además, del puerto. Pero sigue sin funcionar .

@devey I hope others more knowledgeable would chime ... all I can think of off the top of my head is use a USB key in conjunction with certificates to be able to manage the group without system admin privileges

@werter OSPF - это уже лишнее в данной ситуации. Вопрос этот я решил через дополнительную фазу 2

I dig some more on the problem. It seems to be a dns problem with pfsense-pppoe and Windows.
I will update when i discover some more info

Yup that^. You can't make that page work for https as long as you have any sort of sane security in your browser.

Steve

Hallo nochmal :) @m0nji @NOCling
Kann mir jemand erklären, weshalb der PC hinter der pfSense via VPN nun zwar über Remote Desktop erreichbar ist, jedoch ein Ping von einem User PC im VPN an den Windows Pc mit "request timeout" fehlschlägt?
Edit: hat sich erledigt. Es fehlte nur die korrekte windows 10 Firewall Einstellung.

@nds2k said in Torrent kills PFSense DELL R210II Box:

I shall try that when once other family members are not using the network.

If you know what device is using the torrent, and you have a ISP router in front of your pfSEnse, you could hook up that device only without taking your network down.

@nds2k said in Torrent kills PFSense DELL R210II Box:

Noted!

You didn't know that most ISP's do not like at all the usage of P2P protocols as they are used for distributing very legal info like Windows updates and the like, and also less legal files like ripped DVD etc ?
If the destination IP is from these "Windows updates" servers, then the content isn't blocked, of course.

Feliz fin de año a todos y que la pasen bien.

Después de investigar mas sobre las reglas del firewall, el portal cautivo, dns resolver y sobre las Zonas desmilitarizadas (DMZ), pude solucionar el problema de la redirección del portal hacia mi servidor web, tuve que borrar algunas reglas anteriores que en mi caso no son importantes.

Luego de configurar la interfaz de la DMZ, darle acceso a la red LAN con las reglas del firewall, le di un dominio a la ip del servidor WEB con el DNS resolver y en el portal cautivo en "after authentication redirect" colocar ese dominio, tuve como resultado que cada usuario que se conecte a mi router pueda ser redireccionado al portal cautivo y de ahí autenticarse con solo hacer click al botón que está por defecto del pfsense (Que con un poco de css, html y no puede faltar javascript voy a cambiarle el estilo con respecto a mi proyecto) de ahí ser redireccionado a mi pagina web al fin.

Bueno no del todo, mis pruebas se limitaron a dispositivos móviles en el cual no me ha dado el resultado que pienso que debería dar, ya que por lo menos en android al conectase de manera intuitiva (no por el navegador si no por un programa que desconozco) me lleva al portal para autenticarme, clikeo el botón y me redirecciona automáticamente a mi pagina web pero al pasar 1 o 2 segundos se cierra el programa que abre el portal cautivo y claro por ende ya me deja navegar e ingresar de nuevo a mi pagina web, pero ya saben tengo que abrir el navegador y tipear la url, la idea es que se quede en la pagina que me redireccionó ósea en mi pagina web.

Me imagino que en otros sistemas operativos diseñados para computadoras eso no debería pasar ya que el usuario tendría que abrir el navegador, buscar algo y por naturaleza del pfsense ser redireccionado al portal cautivo, y como ya está en el navegador este no tiene porque cerrarse como me pasó a mi en el celular.

Solo me queda arreglar eso y bueno, tal vez me aventure a buscar manera que los usuarios no busquen otra cosa fuera de mi servidor web, que ya con una regla de firewall les quito el acceso a internet pero me gustaría que fuesen redireccionados al mismo si eso pasa.

Buenas noches.

@j-sejo1 Hola, mira quiero que en mi red local (sin internet nada que ver, solo mi red wifi) las personas que se conecten a mi wifi cuando hagan una búsqueda en chorme, firefox o cualquier otro navegador, sean redireccionados a mi pagina web que se aloja en un servidor Nodejs, (107.0.0.1:443 localhost). Estoy usando VirtualBox para pfSense porque no dispongo de otro ordenador.

@kiokoman Ugh, thank you! Working now!

exactly - out of the box unbound does not allow vpn users to query it.. If you want your vpn users to be able to query unbound, you have to create a ACL to allow that. Per the example posted by @bingo600

Thank you very much! Your solution fixed my problem! I missed to add the tunnel network to the remote networks on site B.

@mhmz

does it make any sense sitting on proxy server with deactivated aes-ni ?

@alexandre-angeli said in IPSEC perdendo conexão:

A IPSEC fica offline enquanto não usa, e comprovei o correto funcionamento, quando pingo ela "levanta" novamente.

Hmmmm, mas:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/keep-alive.html

1a3034a0-a3b0-4adf-be66-231891d71266-image.png

OMG -- dude if I am sending 1gbps of traffic down your pipe, and your pipe is 10mbps.. How is any good traffic going to get to pfsense? at all??

This isn't complicated...

Your traffic cop at the end of the road, can't do anything about the 3 mile long pileup on the 1 lane road to him, if all the cars from a 10 lane freeway are trying to get onto the 1 lane dirt road..

You need to put someone up at the 10 lane freeway off ramp to your 1 lane dirt road, to only let cars onto that road that you want..

You really need to do some more research if you think any sort of firewall, be it pfsense or 100K super NGFW from cisco can do anything against a volumetric ddos that fills up your 1 lane dirt road to get to it..

edit: this is a bit late.. But ran across this just a bit ago, and thought this is a perfect example how a firewall can not stop a volumetric attack ;)

https://www.zdnet.com/article/google-says-it-mitigated-a-2-54-tbps-ddos-attack-in-2017-largest-known-to-date/

So even if you had 1, 10 or even 100 gig pipe, what hope do you think your firewall would have with such an attack ;) 2.5TBps - this is what I mean when the pipe is full, its full - nothing your firewall can do at the end of the pipe ;)

@nash27 said in Health Checks for PfSense:

route53 healthchecks

Don't those check from multiple locations? If your blocking access to where those checks are coming from - then yes they would fail.

I would assume that if your opening 443 on pfsense to the internet for managment, you would have that locked down to specific IPs - atleast that is what any sane person would do ;)

@sramsterdam showww, obrigado por compartilhar sua solução.