• 0 Votes
    5 Posts
    4k Views

    @viragomann said in pfSense on Proxmox via vmbr0 - got LAN access, but no WAN/internet access - why?:

    @newsboost
    You cannot use a passed-through NIC on Proxmox itself. The only available NIC you can use is enp1s0f3.

    That makes complete sense to me and probably explains the error message, thanks! But I'm really confused now, because it seems to work, i.e. it provides VLAN 100 internet access, and yet it seems that the interface is still being passed through, because enp1s0f0 = igb0 = WAN and enp1s0f1 = LAN (VLAN trunk) = igb1... Are you sure this should not work, because it seems to work? And why does it work; is it some kind of "undefined behaviour" perhaps? Great comment, thanks!

    That's not a plausible reason to have two subnets on Proxmox.

    The explanation was not good enough... So, VLAN 1 (subnet 192.168.1.0/24) is my management VLAN, and the VMs I create in Proxmox should preferably not have access to the management VLAN, so I thought the safest and quickest solution would be to use another subnet for all my experimental VMs... That way, they don't have access to the more important devices/machines/printers/servers on VLAN 1... I think this is a better explanation, hopefully...

    Just connect the bridge vmbr0 to a physical NIC port and assign a static (!) IP to the bridge in Proxmox. This should be a trusted subnet of course.

    You're right - and I did just that and it also works:

    (screenshot)

    From a logical perspective, this makes much more sense, because, as you wrote above and after I've been thinking about it, I think it's weird that I can bridge a NIC that has been passed through to Proxmox and still get the behaviour that I wanted. After my improved understanding and after reading your comment, I wouldn't expect this to work any longer, but it still does... Very weird: it can bridge the NIC when it is passed through, apparently without internet/network problems!

    So to access Proxmox in case of emergency, you have only to assign a static IP within the same subnet to a computer and connect it to the appropriate network port. Then you can access Proxmox independently from the state of pfSense.

    It makes complete sense what you're writing, and probably the solution is that I should have two vmbr interfaces:

    • One for emergencies, if pfSense does not respond or boot up correctly, so I can plug in a network cable and SSH directly into Proxmox, and
    • One on subnet 100, so that I can isolate all the VMs from the management VLAN and do experiments without any fear...

    Is it really that bad if I put vmbr0 in the VLAN 100 subnet, so the Proxmox interfaces can be accessed on two different subnets? Because I've been testing and it seems to work completely fine on two different subnets, although perhaps I would later like to block VLAN 100 from accessing the Proxmox interface, and I can do that by adding a firewall rule on the pfSense interface, isn't that right?

    Appreciate your comments a lot, thanks!

  • 0 Votes
    10 Posts
    2k Views

    @Pablomdli said in OpenVPN site to site not working both ways:

    The only weird thing is that it gives the IP 10.0.8.0 to the office#2 OpenVPN client

    So I'd suspect that you entered this IP in the CSO.
    You should enter an IP from the tunnel network there, but it has to be one from the second address upwards.
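    As an added illustration of the rule in the reply above (this is example code, not something posted in the thread or shipped with pfSense), the following Python check rejects a Client Specific Override tunnel address that is the network address (the 10.0.8.0 symptom), the server's own first address, the broadcast address, or outside the tunnel network. It assumes the OpenVPN server uses the "subnet" topology, where the server takes the first usable address and clients are assigned from the second one upwards; the tunnel network 10.0.8.0/24 and the addresses in the demo are constructed for the example.

```python
import ipaddress
from typing import Iterable, Optional, Tuple


def check_cso_tunnel_ip(tunnel_network: str, cso_ip: str) -> Tuple[bool, str]:
    """Validate a Client Specific Override (CSO) tunnel address.

    Assumption: 'subnet' topology, so the server holds the first usable
    address of the tunnel network and every client must sit strictly above it.
    Returns (ok, reason).
    """
    # strict=False accepts a host-form network such as 10.0.8.1/24 as well.
    net = ipaddress.ip_network(tunnel_network, strict=False)
    try:
        ip = ipaddress.ip_address(cso_ip)
    except ValueError:
        return False, f"{cso_ip!r} is not an IP address"
    if ip.version != net.version:
        return False, f"{ip} and {net} are different address families"
    if ip not in net:
        return False, f"{ip} is outside the tunnel network {net}"
    if ip == net.network_address:
        # This is the value the thread complains about (10.0.8.0): not a host.
        return False, f"{ip} is the network address, not a host address"
    if net.version == 4 and ip == net.broadcast_address:
        return False, f"{ip} is the broadcast address"
    server_ip = net.network_address + 1
    if ip == server_ip:
        return False, f"{ip} is the server's own tunnel address"
    return True, f"{ip} is usable for a client in {net}"


def next_free_cso_ip(tunnel_network: str, assigned: Iterable[str]) -> Optional[str]:
    """Lowest address accepted by check_cso_tunnel_ip that is not already assigned."""
    net = ipaddress.ip_network(tunnel_network, strict=False)
    taken = {ipaddress.ip_address(a) for a in assigned}
    candidate = net.network_address + 2  # first address a client may take
    while candidate in net:
        if candidate not in taken and check_cso_tunnel_ip(tunnel_network, str(candidate))[0]:
            return str(candidate)
        candidate += 1
    return None


if __name__ == "__main__":
    # Constructed demo values: a /24 tunnel and a few candidate CSO addresses.
    for candidate in ("10.0.8.0", "10.0.8.1", "10.0.8.2", "10.0.8.255", "10.0.9.5"):
        ok, reason = check_cso_tunnel_ip("10.0.8.0/24", candidate)
        print(f"{'OK ' if ok else 'BAD'} {reason}")
    print("next free:", next_free_cso_ip("10.0.8.0/24", ["10.0.8.2", "10.0.8.3"]))
```

    If the server were using the legacy net30 topology, each client would instead need a /30 pair in the CSO, so this check would not apply as written.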

  • 0 Votes
    2 Posts
    518 Views
    atlantakid

    @atlantakid I found how to add my URL, but it is not reading it with "Update or Reload" from my local server. I can tell, since I am watching the apache2 logs and there is no entry for reading that page!!

    I had to go to Firewall / pfBlockerNG / IP / IPv4, click on PRI3, and then I can add it at the bottom of the list.

    Looks like pfSense can only look outside on the open internet for the LIST, and I have to figure out how to NAT that server request inward onto the LAN. I am getting this error:
    Failed to connect to 192.168.3.31 port 80 after 15017 ms: Timeout was reached Retry [2] in 5 seconds...

  • 0 Votes
    1 Posts
    470 Views
    No one has replied
  • 0 Votes
    30 Posts
    3k Views
    micneu

    @dogfight76 could you please post a PROPER graphical network plan; unfortunately I don't understand your description.

    How exactly do you get to the internet? Are you using cable internet, is the 6660 your provider box? Unfortunately I don't understand why your desktop PC runs pfSense; then you don't have a browser to surf with, do you?

    Here is how I built my network:

    Network plan (as of 07.09.2024):

    WAN / Internet (PPPoE), Willy.tel, 1000/250 Mbit/s fibre
      |
    pfSense+ on Netgate 6100
      LAN: 192.168.3.0/24
      Guest (W)LAN (VLAN33): 192.168.33.0/24
      IoT WLAN (VLAN34): 192.168.34.0/24
      DynDNS via deSEC.io with own domain
      VPNs:
        1 x Fritzbox 7490 IPsec
        1 x S2S WireGuard Fritz 6591
        1 x pfSense S2S (Netgate 6100) IPsec
        1 x OpenVPN road warrior, DCO (172.16.3.0/24)
        1 x WireGuard road warrior (172.16.33.0/24)
      |
      +-- Switch USW-Flex-XG
      |     +-- TrueNAS
      |     +-- UBNT UniFi AP AC Pro
      |
      +-- Switch USW-Flex-XG
            +-- Fritzbox 7490 as IP client (VoIP only)
            +-- UBNT UniFi AP AC Pro
            +-- UBNT USW-Enterprise-8-PoE
                  +-- 1 x UBNT UniFi AP-Flex-HD
                  +-- Clients
  • 0 Votes
    1 Posts
    394 Views
    No one has replied
  • 0 Votes
    6 Posts
    2k Views

    @stephenw10 Yes, You are right.

    Only a few items were left in the partition.

    root@:~ # mount /dev/ada0p2 /mnt
    root@:~ # ls
    .k5login .profile .shrc recover_configxml.sh
    root@:~ # cd /mnt
    root@:/mnt # ls
    .cshrc .profile .rnd .snap .sujournal dev lib libexec sbin usr var
    root@:/mnt #

  • 0 Votes
    5 Posts
    958 Views

    @stephenw10
    I dunno.... no clue. I rebuilt the 2 Hyper-V adapters on the pfSense VM, the external and the internal... and of course now it works. Oh well...

    Thanks for responding to my question!!!

  • 0 Votes
    14 Posts
    2k Views

    @stephenw10

    Thank you so much.

  • 0 Votes
    4 Posts
    857 Views
    stephenw10

    @felipefonsecabh said in Access service in device connected via IPSEC trought public IP:

    I have to change local network to Any to carry traffic from any external IP?

    Yes, if you are using policy-based IPsec and need to keep using that. The policy has to match that traffic, and the source IP could be any IP.

    But if you do that it will match traffic at the other end for 'any' destination. All traffic from site1 will go over the IPSec tunnel. Which you probably don't want.

    A route based VPN tunnel of some sort would give you more options.
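    As an added illustration of the point in the reply above (example code, not something posted in the thread or part of pfSense), the following Python model of phase-2 selector matching shows why a local network of "any" does what is wanted at site1 but, mirrored at the far end, swallows all of site2's traffic into the tunnel. The subnets and the public addresses (203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are constructed for the example; the thread does not give them.

```python
import ipaddress
from typing import List, Optional, Tuple

# A phase-2 entry as (name, local_subnet, remote_subnet), i.e. the selector a
# policy-based IPsec SPD uses. All subnets below are constructed examples.
Policy = Tuple[str, str, str]


def select_policy(policies: List[Policy], src: str, dst: str) -> Optional[str]:
    """Name of the first phase-2 selector covering src -> dst, meaning the packet
    is sent through the IPsec tunnel. None means it is routed normally."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for name, local, remote in policies:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return name
    return None


def mirror(policies: List[Policy]) -> List[Policy]:
    """The far end of a policy-based tunnel carries the same selectors with
    local and remote swapped, so site1's 'any' local becomes site2's 'any' remote."""
    return [(name, remote, local) for name, local, remote in policies]


# Site1 wants packets from any public source to reach site2's LAN through the
# tunnel, so it sets the P2 local network to 'any' (0.0.0.0/0).
SITE1_WIDE: List[Policy] = [("p2-any-to-site2", "0.0.0.0/0", "192.168.2.0/24")]
SITE2_WIDE = mirror(SITE1_WIDE)

# The usual narrow LAN-to-LAN policy for comparison.
SITE1_NARROW: List[Policy] = [("p2-lan-to-lan", "192.168.1.0/24", "192.168.2.0/24")]
SITE2_NARROW = mirror(SITE1_NARROW)


if __name__ == "__main__":
    cases = [
        ("site1 wide, public -> site2 host", SITE1_WIDE, "203.0.113.7", "192.168.2.10"),
        ("site2 wide, site2 host -> internet", SITE2_WIDE, "192.168.2.10", "198.51.100.1"),
        ("site2 narrow, site2 host -> internet", SITE2_NARROW, "192.168.2.10", "198.51.100.1"),
        ("site2 narrow, site2 host -> site1 LAN", SITE2_NARROW, "192.168.2.10", "192.168.1.5"),
    ]
    for label, policies, src, dst in cases:
        print(f"{label}: {select_policy(policies, src, dst) or 'in the clear'}")
```

    With the wide policy, a packet from a site2 host to an ordinary internet address matches the mirrored selector at site2 and is forced into the tunnel, which is the "all traffic from site1 will go over the IPsec tunnel" outcome the reply warns about; a route-based (VTI) tunnel avoids this because forwarding is decided by the routing table rather than by selectors.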

  • configurar acesso remoto (configure remote access)

    Moved Portuguese
    0 Votes
    10 Posts
    2k Views

    @luanks01 said in configurar acesso remoto:

    I tried with and without https, and without the port as well

    Show how your rule ended up; it may be that your provider does not allow inbound connections on port 443, which is very common on residential plans. Other ports are blocked as well.

    If that is the case, try changing your port like this:

    (screenshot)

    In the TCP port field, put any high port, for example 4443, then change the rule you created earlier to allow connections on the port you chose; in the example in this post it would be 4443.

    Remember that management of the firewall will now be on this new port.

  • 0 Votes
    4 Posts
    917 Views
    stephenw10

    @felipefonsecabh said in Make a Túnnel trought IPSSEC and OpenVPN using PFSense:

    Router of External Access can ping DVC1

    What source IP does it use for that?
    To pass the IPsec tunnel it must be in the 192.168.15.0/24 subnet.
    In which case it can only be the External Access router blocking traffic from clients on its LAN. Or potentially redirecting traffic past the IPsec tunnel?
    What is that device?

    Steve

  • Нету интернета (No internet)

    Moved Russian
    0 Votes
    10 Posts
    1k Views
    werter

    @BadMan
    Can't master the basics, yet conclude that the software is crap?
    Not a great look.
    The link above: go and read it.
    For now I'm sharing this FOR FREE.

  • 0 Votes
    7 Posts
    1k Views
    Gertjan

    @jbannister

    SLAAC .... NPT ....
    Never used these, as they are 'not needed' ( ? )

    I followed the pfsense documentation as mentioned above, and was a happy IPv6 user for many years.

    I advise you to validate the pfSense documentation. There is no SLAAC, even though it promises beautiful things. No NPT.
    This boils down to: set up a DHCPv6 server on every LAN, with a pool, so you can create static DHCP mappings for your devices, as in the old DHCPv4 days.

    I'm saying this without any in-depth knowledge, but: as soon as I read NPT, there are issues.... so it must be a complex thing.
    And I tend to keep things "simple", especially my Ethernet networks and everything related to them.

  • pfSense IPsec failover issue

    IPsec
    0 Votes
    1 Posts
    716 Views
    No one has replied
  • 0 Votes
    3 Posts
    950 Views

    @rcoleman-netgate Ticket 1418760708 submitted.

    Thanks!!

  • 0 Votes
    4 Posts
    1k Views
    Gertjan

    @cxcx_avjj

    Hummm.

    After a successful login, I simply redirect the user to the well-known:

    (screenshot)

    as that would make the user understand he is 'online'.

    But I could also redirect to a "home made", locally available web page, like the portal login page.
    This file should be uploaded with Services > Captive Portal > CPZONE > File Manager.
    Be aware: the prefix "captiveportal-" will be prepended.

    Take a look at what this button shows you:

    (screenshot)

    You will see the login page.
    And, more important, the URL used, with the port number, as it is not port 80 (http) or 443 (https). Probably an 800x port.
    And the zone ID used, with a parameter called 'zone'.

    So, this is possible:
    https://portal.yourzone.tld:8003/captiveportal-recap.html?zone=cpzone1

    Where:
    https://portal.yourzone.tld = your captive portal URL (mine is an https access)
    :8003/ = the port of this 'cpzone1' access
    captiveportal-recap.html = my home-made file called 'recap.html'
    ?zone=cpzone1 = my zone ID for this portal zone

    The "recap.html" file can use PHP!
    And because you can use PHP, and recap.html is called with the "?zone=cpzone1" parameter, you can now access whatever you want!

    Take /usr/local/captiveportal/index.php as an example. You'll see how it extracts the zone argument.
    If, for example, you use vouchers, you can test vouchers for time left: Status > Captive Portal > CPZONE > Test Vouchers.
    Just take a look at /usr/local/www/status_captiveportal_test.php and you'll know how to extract the time left from a given voucher.

    How do you know what voucher is used ?
    Well, your 'recap.html' can obtain the IP your device is using.
    With this IP, and the "connected users database" (see /etc/inc/captiveportal.inc - this file is a must-read-and-understand) you can get the user login code, which is the voucher code.
    With the voucher code you can obtain the time left.

    Want to know what the default popup logout window does - or how to log out a user?
    Again, go have a look at /etc/inc/captiveportal.inc

    So, yes, the sky is the limit.
    And yes, this goes beyond what you can find in the GUI.

  • Mostrar usuarios logueados portal cautivo (Show logged-in users in the captive portal)

    Moved Español
    0 Votes
    1 Posts
    430 Views
    No one has replied
  • 0 Votes
    4 Posts
    909 Views
    stephenw10

    And that worked?

    If not then check for blocked traffic. Check the state table at both sites make sure traffic is going where you think it should.

    Steve

  • 0 Votes
    5 Posts
    1k Views

    @viragomann it's ok, problem solved: I can ping the local machine on the LAN network after ticking the "redirect gateway" checkbox.