

Messages - Dave R

1
Just a follow up - I found the `pfSense-upgrade` command and noticed these packages queued:

Installed packages to be UPGRADED:
   squid: 3.5.27 -> 3.5.27_3 [pfSense]
   redis: 3.2.10 -> 3.2.11 [pfSense]
   pfSense-pkg-suricata: 4.0.3_1 -> 4.0.4_1 [pfSense]
   pfSense-pkg-squid: 0.4.43 -> 0.4.43_1 [pfSense]
   pfSense-pkg-pfBlockerNG: 2.1.2_2 -> 2.1.2_3 [pfSense]
   pfSense-pkg-ntopng: 0.8.11 -> 0.8.12 [pfSense]
   pfSense-default-config: 2.4.2_1 -> 2.4.3 [pfSense-core]
   pfSense-base: 2.4.2_1 -> 2.4.3 [pfSense-core]
   pfSense: 2.4.2_1 -> 2.4.3 [pfSense]
   pecl-intl: 3.0.0_10 -> 3.0.0_11 [pfSense]
   lighttpd: 1.4.47_1 -> 1.4.48_1 [pfSense]
   freetype2: 2.8 -> 2.8_1 [pfSense]
   clamav: 0.99.2_5 -> 0.99.4 [pfSense]


On a hunch, I tried installing the pecl-intl package by hand. This fixed the error message
"Warning: PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20131226/intl.so' - Shared object "libicui18n.so.59" not found, required by "intl.so" in Unknown on line 0"

After that, I installed freetype and clamav, squid and redis. No errors so I let fly:

[2.4.2-RELEASE][admin@mobeer.localdomain]/usr/local/lib: pfSense-upgrade -d
>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.

The following 8 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
   pfSense-pkg-suricata: 4.0.3_1 -> 4.0.4_1 [pfSense]
   pfSense-pkg-squid: 0.4.43 -> 0.4.43_1 [pfSense]
   pfSense-pkg-pfBlockerNG: 2.1.2_2 -> 2.1.2_3 [pfSense]
   pfSense-pkg-ntopng: 0.8.11 -> 0.8.12 [pfSense]
   pfSense-default-config: 2.4.2_1 -> 2.4.3 [pfSense-core]
   pfSense-base: 2.4.2_1 -> 2.4.3 [pfSense-core]
   pfSense: 2.4.2_1 -> 2.4.3 [pfSense]
   lighttpd: 1.4.47_1 -> 1.4.48_1 [pfSense]

Number of packages to be upgraded: 8

188 KiB to be downloaded.

**** WARNING ****
Reboot will be required!!
Proceed with upgrade? (y/N) y
>>> Downloading upgrade packages...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (8 candidates): ........ done
Processing candidates (8 candidates): ........ done
The following 8 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
   pfSense-pkg-suricata: 4.0.3_1 -> 4.0.4_1 [pfSense]
   pfSense-pkg-squid: 0.4.43 -> 0.4.43_1 [pfSense]
   pfSense-pkg-pfBlockerNG: 2.1.2_2 -> 2.1.2_3 [pfSense]
   pfSense-pkg-ntopng: 0.8.11 -> 0.8.12 [pfSense]
   pfSense-default-config: 2.4.2_1 -> 2.4.3 [pfSense-core]
   pfSense-base: 2.4.2_1 -> 2.4.3 [pfSense-core]
   pfSense: 2.4.2_1 -> 2.4.3 [pfSense]
   lighttpd: 1.4.47_1 -> 1.4.48_1 [pfSense]

Number of packages to be upgraded: 8

188 KiB to be downloaded.
[1/8] Fetching pfSense-pkg-squid-0.4.43_1.txz: ........ done
[2/8] Fetching pfSense-pkg-pfBlockerNG-2.1.2_3.txz: .......... done
[3/8] Fetching pfSense-pkg-ntopng-0.8.12.txz: .. done
Checking integrity... done (0 conflicting)
Upgrade is complete.  Rebooting in 10 seconds.

Broadcast Message from admin@mobeer.localdomain
        (/dev/pts/0) at 10:07 CDT...

Upgrade is complete.  Rebooting in 10 seconds.


The box dumped my ssh connection after 10 seconds, but it was still up. Hard drive light blinking like crazy.  I hooked a monitor up to the 1U and it said it was "upgrading packages" so decided to let it go this time.  After 5 minutes the HD was still cranking so went off and did some woodworking. 20 mins later I heard the reboot tune play. That's actually quite impressive considering I hit the power during the upgrade - twice mind you! I've proved the upgrade is quite idiot proof if nothing else.

So far it looks good. Thanks for all the support!


2
Ok, so does Diagnostics > Backup & Restore > Backup & Restore > Download configuration as XML grab *everything* that is configured? e.g. VPN interface, NAT rules, Firewall Aliases, Whitelists, etc.?

Is there any way to tell what went wrong so I don't do it again? It would be nice to have some logfile to tail or something so I can at least see what it's doing. Even the PHP errors would have been nice to have as some indication that it's not just sitting at a kernel panic or something.

3
Nah, this is a bare metal 1U supermicro. I don't typically put everything on a slash partition but that seems to be the trend these days so whatever was default, I went with it.

I do have a VPN interface for egress with a bunch of egress rules so Netflix will work, but this was all done in the GUI. No CLI shenanigans. Speaking of shenanigans, is there a way to maybe clean up this mess from the CLI? Or at least find out why it won't finish the upgrade correctly?

I just found this log this morning under "pfSense has detected a crash report or programming bug. Click here for more information." It's displayed as gray text on a gray background so it didn't look like anything was there when I clicked on it yesterday. Anything useful?

The error repeats every 5 minutes (cron job maybe?). I removed all the repeated lines in between:

Code:
Crash report begins.  Anonymous machine information:

amd64
11.1-RELEASE-p7
FreeBSD 11.1-RELEASE-p7 #10 r313908+986837ba7e9(RELENG_2_4): Mon Mar 26 18:08:25 CDT 2018     root@buildbot2.netgate.com:/builder/ce-243/tmp/obj/builder/ce-243/tmp/FreeBSD-src/sys/pfSense

Crash report details:

PHP Errors:
[05-Apr-2018 05:06:28 America/Chicago] PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20131226/intl.so' - Shared object "libicui18n.so.59" not found, required by "intl.so" in Unknown on line 0
...
[06-Apr-2018 03:48:35 America/Chicago] PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20131226/intl.so' - Shared object "libicui18n.so.59" not found, required by "intl.so" in Unknown on line 0


No FreeBSD crash data found.
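
The intl.so / libicui18n.so.59 warning in the crash report above, and the by-hand pecl-intl reinstall that cleared it in the follow-up post, both come down to a PHP extension still linked against a shared library that a half-finished upgrade has already replaced (icu 59 to 60 in the package list). The script below is an added example, not from the thread or from pfSense, that runs ldd over the extension directory and reports unresolved dependencies before the webConfigurator trips over them; the directory path is taken from the crash report, and the sample ldd output is constructed.

```shell
#!/bin/sh
# Audit PHP extension modules for shared-library dependencies that no
# longer resolve. ldd prints "<lib> => not found" for each such dependency.
# Added example, not the thread's or pfSense's own tooling.

# Read ldd-style output on stdin and print "<module> <library>" for every
# dependency that could not be resolved. $1 labels the module.
report_unresolved() {
    awk -v mod="$1" '/not found/ { print mod, $1 }'
}

# Count unresolved dependencies in the ldd-style text passed as $1.
count_unresolved() {
    printf '%s\n' "$1" | awk '/not found/ { n++ } END { print n + 0 }'
}

# Walk every .so in the extension directory (default: the path from the
# crash report) and ldd each one. Returns 1 if any module is broken, so a
# pre-upgrade check or cron job can act on the exit status.
audit_php_extensions() {
    dir="${1:-/usr/local/lib/php/20131226}"
    rc=0
    for so in "$dir"/*.so; do
        [ -e "$so" ] || continue
        out=$(ldd "$so" 2>/dev/null) || continue
        if [ "$(count_unresolved "$out")" -ne 0 ]; then
            printf '%s\n' "$out" | report_unresolved "$(basename "$so")"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample mimicking ldd output for intl.so on the poster's box
# after icu had moved from 59 to 60 but pecl-intl had not been rebuilt.
SAMPLE_LDD='/usr/local/lib/php/20131226/intl.so:
    libicui18n.so.59 => not found
    libicuuc.so.59 => not found
    libc.so.7 => /lib/libc.so.7 (0x800800000)'

# Demo on the sample; on a real box call audit_php_extensions instead.
printf '%s\n' "$SAMPLE_LDD" | report_unresolved intl.so
```

Running `audit_php_extensions` on a healthy system prints nothing and exits 0; a non-zero exit means a module will fail to load exactly as the crash report shows.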



4
Looks like there is 182G free. Is this not enough for the upgrade?  Clean install? C'mon... this isn't Windows.

Code:
[2.4.2-RELEASE]/root: df -mh
Filesystem                     Size    Used   Avail Capacity  Mounted on
/dev/ufsid/592808b62c015801    210G     11G    182G     6%    /
devfs                          1.0K    1.0K      0B   100%    /dev
/dev/md0                       3.4M    120K    3.0M     4%    /var/run
devfs                          1.0K    1.0K      0B   100%    /var/dhcpd/dev

5
Installation and Upgrades / The process will require 8 MiB more space.
« on: April 05, 2018, 05:27:21 am »
Hi,
I tried upgrading my pfsense install this morning from the gui. After the upgrade, it sat at the screen "trying again in 20 seconds" for about 15 minutes.

I went over to the rack and plugged a monitor in. There was output on the screen from the upgrade yet. The box still hadn't rebooted, so I hit the power button and it shut down.

Rebooted OK, but said I was still on 2.4.2_p1 and there was an upgrade to 2.4.3.

Logged into the CLI menu and tried the upgrade from there. It all looked good until the end:

Code:
The process will require 8 MiB more space.
Upgrade is complete.  Rebooting in 10 seconds.
It tried to reboot after 10 seconds but became unresponsive. I waited a few minutes and still no reboot, so I hit the power button again (it triggered a shutdown on the screen).

This is now on the admin console:
Code:
2.4.2-RELEASE-p1 (amd64)
built on Tue Dec 12 13:45:26 CST 2017
FreeBSD 11.1-RELEASE-p7

The system is on a later version than official release.
Version information updated at Thu Apr 5 5:06:29 CDT 2018 

I don't know what to do at this point. 

How do I know which filesystem needs 8M of free space and how do I change that?
Can I re-apply the upgrade by hand somehow to fix this?

Output from console is below:
Code:
$ ssh pfsensebox
X11 forwarding request failed on channel 0
pfSense - Serial: 0123456789 - Netgate Device ID: xxxxxxxxxxxxxx

*** Welcome to pfSense 2.4.2-RELEASE-p1 (amd64) on pfsensebox ***

 WAN (wan)       -> em0        -> v4/DHCP4: xxx.xxx.xxx.xxx/22
 LAN (lan)       -> em1        -> v4: 10.10.10.250/24
 SHC_VPN4096 (opt1) -> ovpnc1     -> v4: 10.8.1.2/32

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option: 13

>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.

The following 89 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
devcpu-data: 1.16 [pfSense]
py27-ply: 3.10_1 [pfSense]
py27-setuptools: 36.5.0 [pfSense]

Installed packages to be UPGRADED:
webp: 0.6.0_4 -> 0.6.1 [pfSense]
unbound: 1.6.6 -> 1.6.8 [pfSense]
tiff: 4.0.8 -> 4.0.9_1 [pfSense]
suricata: 4.0.3 -> 4.0.4 [pfSense]
strongswan: 5.6.0 -> 5.6.2_1 [pfSense]
squid: 3.5.27 -> 3.5.27_3 [pfSense]
sqlite3: 3.20.1_1 -> 3.21.0_1 [pfSense]
smartmontools: 6.5_2 -> 6.6_1 [pfSense]
redis: 3.2.10 -> 3.2.11 [pfSense]
radvd: 2.17_3 -> 2.17_4 [pfSense]
python27: 2.7.14 -> 2.7.14_1 [pfSense]
pkgconf: 1.3.7,1 -> 1.3.10,1 [pfSense]
php56-zlib: 5.6.32 -> 5.6.34 [pfSense]
php56-xmlwriter: 5.6.32 -> 5.6.34 [pfSense]
php56-xmlreader: 5.6.32 -> 5.6.34 [pfSense]
php56-xml: 5.6.32 -> 5.6.34 [pfSense]
php56-tokenizer: 5.6.32 -> 5.6.34 [pfSense]
php56-sysvshm: 5.6.32 -> 5.6.34 [pfSense]
php56-sysvsem: 5.6.32 -> 5.6.34 [pfSense]
php56-sysvmsg: 5.6.32 -> 5.6.34 [pfSense]
php56-sqlite3: 5.6.32 -> 5.6.34 [pfSense]
php56-sockets: 5.6.32 -> 5.6.34 [pfSense]
php56-simplexml: 5.6.32 -> 5.6.34 [pfSense]
php56-shmop: 5.6.32 -> 5.6.34 [pfSense]
php56-session: 5.6.32 -> 5.6.34 [pfSense]
php56-readline: 5.6.32 -> 5.6.34 [pfSense]
php56-posix: 5.6.32 -> 5.6.34 [pfSense]
php56-pfSense-module: 0.57 -> 0.61 [pfSense]
php56-pdo_sqlite: 5.6.32 -> 5.6.34 [pfSense]
php56-pdo: 5.6.32 -> 5.6.34 [pfSense]
php56-pcntl: 5.6.32 -> 5.6.34 [pfSense]
php56-openssl: 5.6.32 -> 5.6.34 [pfSense]
php56-opcache: 5.6.32 -> 5.6.34 [pfSense]
php56-mcrypt: 5.6.32 -> 5.6.34 [pfSense]
php56-mbstring: 5.6.32 -> 5.6.34 [pfSense]
php56-ldap: 5.6.32 -> 5.6.34 [pfSense]
php56-json: 5.6.32 -> 5.6.34 [pfSense]
php56-hash: 5.6.32 -> 5.6.34 [pfSense]
php56-gettext: 5.6.32 -> 5.6.34 [pfSense]
php56-filter: 5.6.32 -> 5.6.34 [pfSense]
php56-dom: 5.6.32 -> 5.6.34 [pfSense]
php56-curl: 5.6.32 -> 5.6.34 [pfSense]
php56-ctype: 5.6.32 -> 5.6.34 [pfSense]
php56-bz2: 5.6.32 -> 5.6.34 [pfSense]
php56-bcmath: 5.6.32 -> 5.6.34 [pfSense]
pfSense-pkg-suricata: 4.0.3_1 -> 4.0.4_1 [pfSense]
pfSense-default-config: 2.4.2_1 -> 2.4.3 [pfSense-core]
pfSense-base: 2.4.2_1 -> 2.4.3 [pfSense-core]
pfSense-Status_Monitoring: 1.7.5 -> 1.7.6 [pfSense]
pfSense: 2.4.2_1 -> 2.4.3 [pfSense]
pecl-intl: 3.0.0_10 -> 3.0.0_11 [pfSense]
pear: 1.10.5 -> 1.10.5_1 [pfSense]
openvpn: 2.4.4 -> 2.4.4_1 [pfSense]
oniguruma6: 6.4.0 -> 6.6.1 [pfSense]
ntp: 4.2.8p10_2 -> 4.2.8p11 [pfSense]
ntopng: 3.0.2017.08.12 -> 3.2.2017.12.06_1 [pfSense]
nss: 3.33_1 -> 3.36 [pfSense]
nspr: 4.17 -> 4.19 [pfSense]
nginx: 1.12.1_2,2 -> 1.12.2_3,2 [pfSense]
nettle: 3.3 -> 3.4 [pfSense]
ndpi: 2.0.2017.05.23_1 -> 2.2.2017.12.05_1 [pfSense]
mysql56-client: 5.6.37_1 -> 5.6.39 [pfSense]
luajit: 2.0.5 -> 2.1.0.b3 [pfSense]
lighttpd: 1.4.47_1 -> 1.4.48_1 [pfSense]
libzmq4: 4.2.2 -> 4.2.2_1 [pfSense]
libunistring: 0.9.7 -> 0.9.8 [pfSense]
libsodium: 1.0.12 -> 1.0.15 [pfSense]
libnghttp2: 1.26.0 -> 1.29.0 [pfSense]
libevent: 2.1.8 -> 2.1.8_1 [pfSense]
json-c: 0.12.1 -> 0.13 [pfSense]
jpeg-turbo: 1.5.2 -> 1.5.3 [pfSense]
isc-dhcp43-server: 4.3.6_1 -> 4.3.6P1 [pfSense]
isc-dhcp43-relay: 4.3.6 -> 4.3.6P1 [pfSense]
isc-dhcp43-client: 4.3.6 -> 4.3.6P1 [pfSense]
idnkit: 1.0_6 -> 1.0_7 [pfSense]
icu: 59.1,1 -> 60.2_1,1 [pfSense]
hyperscan: 4.5.2 -> 4.6.0 [pfSense]
glib: 2.50.2_6,1 -> 2.50.3_1,1 [pfSense]
freetype2: 2.8 -> 2.8_1 [pfSense]
expat: 2.2.1 -> 2.2.5 [pfSense]
curl: 7.57.0 -> 7.58.0 [pfSense]
clamav: 0.99.2_5 -> 0.99.4 [pfSense]
ca_root_nss: 3.32.1 -> 3.36 [pfSense]
bind-tools: 9.11.2 -> 9.11.2P1 [pfSense]
arj: 3.10.22_5 -> 3.10.22_7 [pfSense]

Installed packages to be REINSTALLED:
miniupnpd-1.9.20160113,1 [pfSense] (options changed)

Number of packages to be installed: 3
Number of packages to be upgraded: 85
Number of packages to be reinstalled: 1

The process will require 8 MiB more space.

**** WARNING ****
Reboot will be required!!
Proceed with upgrade? (y/N) y
>>> Downloading upgrade packages...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (86 candidates): .......... done
Processing candidates (86 candidates): .......... done
Checking integrity... done (0 conflicting)
The following 89 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
devcpu-data: 1.16 [pfSense]
py27-ply: 3.10_1 [pfSense]
py27-setuptools: 36.5.0 [pfSense]

Installed packages to be UPGRADED:
webp: 0.6.0_4 -> 0.6.1 [pfSense]
unbound: 1.6.6 -> 1.6.8 [pfSense]
tiff: 4.0.8 -> 4.0.9_1 [pfSense]
suricata: 4.0.3 -> 4.0.4 [pfSense]
strongswan: 5.6.0 -> 5.6.2_1 [pfSense]
squid: 3.5.27 -> 3.5.27_3 [pfSense]
sqlite3: 3.20.1_1 -> 3.21.0_1 [pfSense]
smartmontools: 6.5_2 -> 6.6_1 [pfSense]
redis: 3.2.10 -> 3.2.11 [pfSense]
radvd: 2.17_3 -> 2.17_4 [pfSense]
python27: 2.7.14 -> 2.7.14_1 [pfSense]
pkgconf: 1.3.7,1 -> 1.3.10,1 [pfSense]
php56-zlib: 5.6.32 -> 5.6.34 [pfSense]
php56-xmlwriter: 5.6.32 -> 5.6.34 [pfSense]
php56-xmlreader: 5.6.32 -> 5.6.34 [pfSense]
php56-xml: 5.6.32 -> 5.6.34 [pfSense]
php56-tokenizer: 5.6.32 -> 5.6.34 [pfSense]
php56-sysvshm: 5.6.32 -> 5.6.34 [pfSense]
php56-sysvsem: 5.6.32 -> 5.6.34 [pfSense]
php56-sysvmsg: 5.6.32 -> 5.6.34 [pfSense]
php56-sqlite3: 5.6.32 -> 5.6.34 [pfSense]
php56-sockets: 5.6.32 -> 5.6.34 [pfSense]
php56-simplexml: 5.6.32 -> 5.6.34 [pfSense]
php56-shmop: 5.6.32 -> 5.6.34 [pfSense]
php56-session: 5.6.32 -> 5.6.34 [pfSense]
php56-readline: 5.6.32 -> 5.6.34 [pfSense]
php56-posix: 5.6.32 -> 5.6.34 [pfSense]
php56-pfSense-module: 0.57 -> 0.61 [pfSense]
php56-pdo_sqlite: 5.6.32 -> 5.6.34 [pfSense]
php56-pdo: 5.6.32 -> 5.6.34 [pfSense]
php56-pcntl: 5.6.32 -> 5.6.34 [pfSense]
php56-openssl: 5.6.32 -> 5.6.34 [pfSense]
php56-opcache: 5.6.32 -> 5.6.34 [pfSense]
php56-mcrypt: 5.6.32 -> 5.6.34 [pfSense]
php56-mbstring: 5.6.32 -> 5.6.34 [pfSense]
php56-ldap: 5.6.32 -> 5.6.34 [pfSense]
php56-json: 5.6.32 -> 5.6.34 [pfSense]
php56-hash: 5.6.32 -> 5.6.34 [pfSense]
php56-gettext: 5.6.32 -> 5.6.34 [pfSense]
php56-filter: 5.6.32 -> 5.6.34 [pfSense]
php56-dom: 5.6.32 -> 5.6.34 [pfSense]
php56-curl: 5.6.32 -> 5.6.34 [pfSense]
php56-ctype: 5.6.32 -> 5.6.34 [pfSense]
php56-bz2: 5.6.32 -> 5.6.34 [pfSense]
php56-bcmath: 5.6.32 -> 5.6.34 [pfSense]
pfSense-pkg-suricata: 4.0.3_1 -> 4.0.4_1 [pfSense]
pfSense-default-config: 2.4.2_1 -> 2.4.3 [pfSense-core]
pfSense-base: 2.4.2_1 -> 2.4.3 [pfSense-core]
pfSense-Status_Monitoring: 1.7.5 -> 1.7.6 [pfSense]
pfSense: 2.4.2_1 -> 2.4.3 [pfSense]
pecl-intl: 3.0.0_10 -> 3.0.0_11 [pfSense]
pear: 1.10.5 -> 1.10.5_1 [pfSense]
openvpn: 2.4.4 -> 2.4.4_1 [pfSense]
oniguruma6: 6.4.0 -> 6.6.1 [pfSense]
ntp: 4.2.8p10_2 -> 4.2.8p11 [pfSense]
ntopng: 3.0.2017.08.12 -> 3.2.2017.12.06_1 [pfSense]
nss: 3.33_1 -> 3.36 [pfSense]
nspr: 4.17 -> 4.19 [pfSense]
nginx: 1.12.1_2,2 -> 1.12.2_3,2 [pfSense]
nettle: 3.3 -> 3.4 [pfSense]
ndpi: 2.0.2017.05.23_1 -> 2.2.2017.12.05_1 [pfSense]
mysql56-client: 5.6.37_1 -> 5.6.39 [pfSense]
luajit: 2.0.5 -> 2.1.0.b3 [pfSense]
lighttpd: 1.4.47_1 -> 1.4.48_1 [pfSense]
libzmq4: 4.2.2 -> 4.2.2_1 [pfSense]
libunistring: 0.9.7 -> 0.9.8 [pfSense]
libsodium: 1.0.12 -> 1.0.15 [pfSense]
libnghttp2: 1.26.0 -> 1.29.0 [pfSense]
libevent: 2.1.8 -> 2.1.8_1 [pfSense]
json-c: 0.12.1 -> 0.13 [pfSense]
jpeg-turbo: 1.5.2 -> 1.5.3 [pfSense]
isc-dhcp43-server: 4.3.6_1 -> 4.3.6P1 [pfSense]
isc-dhcp43-relay: 4.3.6 -> 4.3.6P1 [pfSense]
isc-dhcp43-client: 4.3.6 -> 4.3.6P1 [pfSense]
idnkit: 1.0_6 -> 1.0_7 [pfSense]
icu: 59.1,1 -> 60.2_1,1 [pfSense]
hyperscan: 4.5.2 -> 4.6.0 [pfSense]
glib: 2.50.2_6,1 -> 2.50.3_1,1 [pfSense]
bind-tools: 9.11.2 -> 9.11.2P1 [pfSense]
arj: 3.10.22_5 -> 3.10.22_7 [pfSense]

Installed packages to be REINSTALLED:
miniupnpd-1.9.20160113,1 [pfSense] (options changed)

Number of packages to be installed: 3
Number of packages to be upgraded: 85
Number of packages to be reinstalled: 1

The process will require 8 MiB more space.
Upgrade is complete.  Rebooting in 10 seconds.

Broadcast Message from admin@pfsensebox.localdomain
        (/dev/pts/0) at 5:00 CDT...

Upgrade is complete.  Rebooting in 10 seconds.

6
"persist-key" and "persist-tun" are already hard-coded in pfSense's OpenVPN implementation and are redundant if specified here. They should be left out because all this does is list the directives twice in the config file.

It's worth noting (and this may have been stated already in the previous 20 pages of thread) that the tutorial in this thread also configures /etc/openvpn-password.txt for the VPN user and password. I've omitted this portion since there is a configuration field in the UI for both of these (I presume earlier versions of pfSense did not have this feature). Either method *does* seem to work but I prefer keeping config items in one place when possible. Not to mention the added potential problems with cleartext files and permissions.

7

so are you saying on the standard PIA instructions your data is not routed correctly on the outgoing interface..?


My setup is a little different than "VPN all the things!", which is the direction given by all the tutorials I've found anyway. Straight off, yes, all my traffic was egressing the VPN tunnel as it should, but I don't want Steam going over it, and Netflix absolutely refuses to run as well. Fiddling around with splitting the traffic over multiple interfaces is inherently problematic because now I need to use IP addresses, protocol and port to determine what goes where. And that's not always a straightforward thing (especially for Netflix. I'm a little surprised my setup is working at all with all the Aliases I had to configure.)

That said, I'm continually impressed by pfSense. It's enterprise grade software in features, quality and functionality. I'm very grateful for the tutorial in this thread and all the support from the forum folks. Thanks all.

PS: Um.. not sure I follow what you mean about creating a new interface. Isn't it right there in the first post under "Create OpenVPN interface"?

8
Thanks! Precisely what I was wanting. em0 egress is looking better now.

To fix this, go to System / General Setup and specify a 3rd party DNS resolver of your choosing

I'm assuming the screenshot is correct?

9
If I'm running 'Services > DNS Resolver' on pfSense, it looks like (most?) of my DNS queries are still going out the WAN. Is this because the source IP is 'LAN net' on my VPN policy (ports 80,443,53) and the Resolver is using my WAN IP for the DNS queries (at least that's what it looks like from tcpdump)?

10
Good idea. Unfortunately, I have a mix of devices on the LAN which also access Netflix. For now, I've added around 30+ subnets to my Netflix Alias. It's not great but it keeps the tablets/phones on the VPN for everything but Netflix.

11
180 is the static IP address of my TV

I'm not sure I understand. Are you just filtering by source IP rather than by a zillion Netflix destinations?

12
The rules are working, I think I'm just missing IP ranges. I'm using tcpdump on the pfSense box to see what's egressing the VPN interface. Even after adding a new range, I'll reload Netflix in my web browser and tcpdump shows it still hitting that IP on the VPN. If I wait a minute or so, then it seems to pick it up. Are rule changes only applied to new connections?

13
Thanks. Netflix won't work going over the VPN interface so I've created a hosts Alias containing the IP ranges for AS2906 (Netflix) and created a second rule on the LAN to route the Netflix alias destinations over the WAN interface instead of the VPN interface. It doesn't seem to pick up the change though. I've reset under 'Diagnostics > States > Reset States' but the rule doesn't seem to be working. tcpdump on the VPN interface shows the aliased IP addresses still going over that interface.

The docs say "first match wins" so if I have the Netflix rule at the top, and the VPN rule after that this should be working, correct? I'm assuming I'm missing some IP addresses Netflix is using but want to make sure I understand the rule ordering.

14
Ah, I think that works but only if I specify the VPN gateway in the LAN pass rule (under Advanced). You mention "pass any without setting a gateway." but where else would I specify the VPN gateway for those ports?

15
Hrm, makes sense I guess. Got a link to something explaining how to route 80/443/53 over the VPN interface while leaving all other traffic egressing the WAN?
