
Messages - marvosa

OpenVPN / Re: OpenVPN site-to-site problem
« on: Yesterday at 10:10:54 am »
We need more clarity on the two networks and how they're connected.  Instead of making assumptions, please provide a network map.

Also, post the server1.conf from the server and the client1.conf from the client.

OpenVPN / Re: OpenVPN connecting fine, but only http or ping
« on: December 08, 2017, 09:14:45 pm »
If he can ping or use HTTP via host name, it's not a DNS issue.
You may have meant to say something else, but this statement as written is not entirely accurate.  Pings are used to verify basic IP communication between endpoints, however, pings by themselves can't prove or disprove a DNS issue.   

There are not different DNSs for different protocols.
Agreed.  I never said there was.  My apologies if my words left room for that interpretation.

A DNS maps a host name to IP, no matter what protocol it's going to be used for.
Agreed.  Which is why the OP needs to clarify how he's accessing his resources, so we can advise him accordingly.  If he's accessing his shares or trying to RDP via hostnames, the DNS queries will fail because there are no A records for his hostnames when he's away from his LAN.  Trying to connect to something via hostname will always fail without proper name resolution of some sort... that was my point.

Connecting to a share on his LAN via \\fileserver works because of local DNS resolution.  Without implementing a way to resolve hostnames on a remote network, connecting to \\fileserver over VPN will always fail because the client's DNS server neither has the proper forward lookup zones nor the A records for the hostnames he's trying to connect to.

I recall reading about NetBIOS name resolution, about 20 years ago, when I was at IBM.  There were, IIRC, four methods for resolving a NetBIOS name to IP address.  These were WINS, DNS, /etc/hosts and LMHosts.  Unless they're using different names for NetBIOS vs everything else, normal DNS will work fine.  In fact, given that IP is used for everything, I don't see how relying solely on DNS would fail, if it works for other protocols.
Yes, DNS will work for everything if the correct server is pushed to the client, otherwise, he has no name resolution for the hostnames/domain on his LAN.

OP, basically we need more information in order to offer more targeted troubleshooting.  How are you accessing your resources?  If it's via hostname, you will need to address name resolution over the VPN.  Since you've already stated that you can ping all your devices over the VPN, if you are entering IPs to connect to your resources then you need to start looking at your firewall rules on PFsense, the software firewall on the servers themselves and then verify the services you expect to be running on the server are actually running and listening on the ports/protocols you expect.
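
The distinction drawn in the post above (a hostname that fails while the IP works points to name resolution; an IP that fails points to firewall rules or the service), shown as an added example that is not part of the original thread. `triage`, `static_resolver`, the loopback listener standing in for the file server's TCP 445 and the `fileserver` record are all constructed for illustration.

```python
import socket

def static_resolver(records):
    """Constructed stand-in for a DNS server that holds only `records`."""
    def resolve(host, port):
        addr = records.get(host, host)
        # AI_NUMERICHOST: accept IP literals only, so no real DNS is queried.
        return socket.getaddrinfo(addr, port, type=socket.SOCK_STREAM,
                                  flags=socket.AI_NUMERICHOST)
    return resolve

def triage(target, port, resolve, timeout=2.0):
    """Return 'name-resolution-failed', 'port-unreachable' or 'ok'."""
    try:
        infos = resolve(target, port)
    except socket.gaierror:
        return "name-resolution-failed"   # fix DNS/WINS, not the firewall
    for family, socktype, proto, _, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                return "ok"
        except OSError:
            continue
    return "port-unreachable"             # check rules, host firewall, service

def demo():
    # Constructed lab: a loopback listener plays the file server's TCP 445.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    port = srv.getsockname()[1]
    # Bound but never listening: connections to this port are refused.
    dead = socket.socket()
    dead.bind(("127.0.0.1", 0))
    dead_port = dead.getsockname()[1]
    client_dns = static_resolver({})                        # no A record
    lan_dns = static_resolver({"fileserver": "127.0.0.1"})  # LAN DNS pushed
    try:
        return {
            "hostname via client DNS": triage("fileserver", port, client_dns),
            "IP via client DNS": triage("127.0.0.1", port, client_dns),
            "hostname via LAN DNS": triage("fileserver", port, lan_dns),
            "IP, service down": triage("127.0.0.1", dead_port, client_dns),
        }
    finally:
        srv.close()
        dead.close()
```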

OpenVPN / Re: OpenVPN connecting fine, but only http or ping
« on: December 08, 2017, 08:31:35 am »
All of your connections will need to be made via IP unless you implement one of the options above.

Are there any connections over anything other than IP these days?  The old NetBIOS/NetBEUI networks are long obsolete, with even Windows file sharing working over IP.  If he can reach a destination over http or ping, but not another protocol, then it's not a DNS issue.  However, he might not be able to browse Windows shares, as the broadcasts/multicasts will not likely be passed over the VPN.

Of course it's an IP network, that's not what I meant.  My comment was suggesting that he's probably trying to connect to his shares via hostname instead of IP....e.g. \\fileserver vs \\, which doesn't work over VPN without one of the solutions I mentioned.

Also, the OP never mentioned accessing his resources via HTTP, so it's important not to make assumptions.  If he's trying to access his resources via hostname, it very well can be a DNS issue because his queries will fail unless a solution is implemented that resolves hostnames for the remote network.

However, he might not be able to browse Windows shares, as the broadcasts/multicasts will not likely be passed over the VPN.
The only requirement for Windows file sharing currently is port 445 (TCP), so he very well can browse file shares, but he will have to address name resolution if trying to connect to the server via hostname.

Also, saying "broadcasts/multicasts will not likely be passed over the VPN." suggests that there may be a chance that they will, which is false.  Broadcasts will NOT traverse the VPN unless a bridged solution is implemented.

OpenVPN / Re: OpenVPN connecting fine, but only http or ping
« on: December 08, 2017, 01:26:07 am »
There are several things that could be happening here, but my guess is... you're trying to use hostnames to connect to your resources over the VPN, which isn't going to work without exporting DNS or enabling NetBIOS over TCP/IP and configuring a WINS server.

All of your connections will need to be made via IP unless you implement one of the options above.

General Questions / Re: Help me further understand my vlan setup needs
« on: December 08, 2017, 01:12:36 am »
I want to setup my ubuntu server on a vlan that can talk to the internet and use the vlan i created. Can i do this or do I need to install another NIC inside my pfsense box to achieve this
Can you do it?  Yes.  Can you do it with the hardware you currently have?  No. 

If you want to implement VLANs on your network, you will need to replace your unmanaged switch with a managed switch that supports VLANs.

At a high level, you would need to push each LAN you want to access out to your clients and then enter the remote access tunnel network in the config of each remote location.

You also don't need to create interfaces unless you're doing policy routing.

OpenVPN / Re: no traffic through client vpn once interface is attached
« on: November 05, 2017, 10:27:38 am »
The gotcha I've read over the years is that after you assign a VPN to an interface, you then need to bounce the tunnel.  Was this done?

« on: November 05, 2017, 10:24:09 am »
Let's first identify the issue.  You stated:

i have created a OPENVPN site to SITE between two office using 2.4.1 version.
however the tunnel is coming up and don't know why !!!

So, is the tunnel up, but not passing traffic or are you having trouble getting the tunnel up?

Post the server1.conf and config1.conf from the server and client respectively.

Is PFsense the edge firewall/router at both sites?  If not, post a network map.

General Questions / Re: pfsense is not making sense
« on: November 05, 2017, 09:36:44 am »
I'm in alignment with roveer's post, your box is underpowered.

Per the PFsense hardware requirements page, for your bandwidth you should be running:

"No less than a modern Intel or AMD CPU clocked at 2.0 GHz. Server class hardware with PCI-e network adapters, or newer desktop hardware with PCI-e network adapters."

I would also double your ram at a minimum.

The issue is your VLANs are terminated on your firewall, which is offering security at the expense of performance because all of your inter-vlan traffic is traversing and being filtered by PFsense.

For performance, create a transit network between PFsense and your switch, then create your vlans on your switch.  This way inter-vlan routing is handled by the switch and it isn't saturating the links to your firewall.

I routinely see ~110 MB/sec transfers between my VLANs.

General Questions / Re: Updating of new version
« on: October 21, 2017, 12:06:52 am »
We don't have a lot to go on.  From my personal experience, anytime I've gotten the unable to check for updates message it's been a DNS issue.  Make sure your DNS is resolving correctly.

Then, how do you know it failed?  Did you see a "System Update failed!" message and hit the power button?  If so, it didn't actually fail, PFsense just briefly lost connection with the server and then resumed its download and would have finished the upgrade in a few min.

Personally, I would just back up your config, re-install fresh and then restore your config.  By re-installing fresh you can be back up and running in 10 min., which will save time exponentially in the end.

General Questions / Re: Basic VLAN config?
« on: October 20, 2017, 11:56:22 pm »
I understand the need for security, but your description of your new design is unnecessarily complicated.  You're not going to need switch ACLs and/or NAC on a home setup... it's just not necessary.

At a high level, what you're asking is rather straightforward.... You would create vlans on your PFsense LAN interface and trunk that LAN interface to a managed switch.  You would then create the same vlans on your managed switch and assign specific vlans to different ports.  Inter-vlan traffic will traverse PFsense and can be controlled via firewall rules.

The setup is straightforward, but far from child's play.  You should have a decent grasp on networking so you know what you're getting yourself into or you'll be pulling your hair out for weeks trying to get this setup working.  The particulars for configuring the switch will vary depending on what switch vendor you go with.

General Questions / Re: N00b question : multiple networks behind firewall
« on: October 17, 2017, 11:57:26 am »
Post a network map.

Installation and Upgrades / 2.4.0 Upgrade Failed (sort of)
« on: October 14, 2017, 09:32:39 am »
Upon clicking the button to proceed with the v2.4.0 upgrade (from 2.3.4_1), I was almost immediately greeted with a "System Update failed!" message in red.  However, as I kept watching the screen, I noticed the progress bar was still progressing periodically. 

The progress bar got about halfway across and then never moved and I lost internet.  So, I did a few errands around the house and came back several minutes later to my internet back on.  While the seemingly failed upgrade process page was still up, I tried accessing PFsense in a new tab and was greeted with a new login page.  After logging in, the dashboard now reads "2.4.0-RELEASE (amd64)", so I guess I'm good to go?  *shrug*

I haven't noticed any issues since the upgrade.  I'm just wondering what the deal was with that "System update failed!" message and if there's anyone else out there who's had a similar experience.

OpenVPN / Re: Turning off VPN loses internet
« on: August 28, 2017, 05:06:29 pm »
Post a screen shot of the firewall rules on your LAN tab
