
Messages - GruensFroeschli

Pages: [1] 2 3 4 5 ... 383
Wireless / Re: EAPOL Key Timeout
« on: January 18, 2018, 01:53:06 am »
I tend to agree with johnpoz.

If you want to continue to debug this:
Log in via SSH, kill the hostapd process and start it again by hand.
Add -ddd as argument, to get more debug output.

I do know that with multiple virtual interfaces, in certain combination the EAPOL frames are sent on the wrong interface.

Wireless / Re: EAPOL Key Timeout
« on: January 17, 2018, 07:39:55 am »
Since you're on _wlan3, are you using multiple virtual BSSIDs?
Which frequency are you using?
Are you on a DFS channel?

Wireless / Re: EAPOL Key Timeout
« on: January 17, 2018, 07:39:12 am »
Obfuscating MAC addresses?

Wireless / Re: EAPOL Key Timeout
« on: January 17, 2018, 07:10:58 am »
11:11:11:11:11:11 is a multicast address
Don't use this for anything ever unless you know what you are doing.

General Questions / Re: Suggestion: Two Improvements to Pfsense
« on: January 15, 2018, 12:56:47 am »
You may also want to consider setting up the LAN as a bridge by default.  If you have only one LAN port, then the bridge will only have a LAN connection on it.  This will make it an order of magnitude faster to add LAN ports after the fact.

Bridge in pfSense is discouraged, as it is software based and lacks performance in comparison to a switch. So making this a default is quite stupid.

There has to be some way for Pfsense to have the same performance as a switch when the equipment it is installed on has multiple ethernet ports.

You're comparing apples with oranges.
One is a general purpose PC.
The other is an ASIC.

General Questions / Re: Is this ethernet port setup possible?
« on: January 15, 2018, 12:53:03 am »
I assume you're still trying to work around this:
You'd get better responses if you'd actually described what you want to achieve instead of asking for random nonsense snippets.

Read the link in my signature, and describe your problem accordingly.

Hardware / Re: Off the shelf box < $300
« on: January 14, 2018, 02:21:35 pm »
I can sympathize with OP's challenge. Why do people think that everything needs to be 100% secure when I reckon the majority of VPN users only actually need a bit of obfuscation or proxy...

As for a solution - I have been advised to try something different - wireguard (which pfsense unfortunately doesn't support yet). Your router supports LEDE, so you can try the wireguard client on that (if you can find a server). It's supposedly 4-5 times more performant than openvpn...
If you don't need security, then don't use a VPN.
If all you need is a normal tunnel, then use one.

General Questions / Re: Port Forwarding and 802.1X
« on: January 13, 2018, 03:17:29 am »
A port forward needs the frames to be TCP or UDP (ethertype 0x0800 for IPv4, 0x86DD for IPv6).
No other protocol has ports.

EAPOL frames are a L2 protocol with ethertype 0x888E which is NOT based on IP.
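The two points above (that a port forward can only ever match TCP or UDP carried inside IPv4 or IPv6, and that EAPOL is a pure L2 ethertype with no ports) together with the earlier reply that 11:11:11:11:11:11 is a multicast address (the I/G bit is the least significant bit of the first octet) can be checked directly on raw frame bytes. The following Python is an added example, not code from the poster or from pfSense; the sample frames are constructed inline with made-up MAC addresses and minimal headers, and the helper names (`classify_frame`, `build_ipv4_frame`, `build_eapol_frame`) are this example's own.

```python
"""Classify a raw Ethernet frame: destination MAC kind, ethertype, and
whether the payload can carry L4 ports at all (i.e. whether a TCP/UDP
port forward could ever apply to it). Added example with constructed frames."""
import struct

ETHERTYPE_NAMES = {
    0x0800: "IPv4",
    0x86DD: "IPv6",
    0x888E: "EAPOL (802.1X)",
    0x0806: "ARP",
}
# Only these IP protocol numbers carry port numbers.
PORTED_IP_PROTOCOLS = {6: "TCP", 17: "UDP"}

# Constructed sample addresses (not from any real capture).
UNICAST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("0a0b0c0d0e0f")
PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
ODD = bytes.fromhex("111111111111")         # the address from the thread


def mac_kind(mac: bytes) -> str:
    """Broadcast if all ones; multicast if the I/G bit (LSB of octet 0) is set."""
    if mac == b"\xff" * 6:
        return "broadcast"
    if mac[0] & 0x01:
        return "multicast"
    return "unicast"


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def classify_frame(frame: bytes) -> dict:
    """Parse the Ethernet header and, for IPv4/IPv6, the L4 protocol field."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    info = {
        "dst": mac_str(dst), "dst_kind": mac_kind(dst), "src": mac_str(src),
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPE_NAMES.get(ethertype, "unknown"),
        "l4_protocol": None, "has_ports": False, "ports": None,
    }
    l4_offset = proto = None
    if ethertype == 0x0800 and len(payload) >= 20:
        l4_offset = (payload[0] & 0x0F) * 4   # IHL in 32-bit words
        proto = payload[9]
    elif ethertype == 0x86DD and len(payload) >= 40:
        l4_offset = 40                        # extension headers not followed here
        proto = payload[6]                    # Next Header
    if proto is not None:
        info["l4_protocol"] = PORTED_IP_PROTOCOLS.get(proto, f"ip-proto-{proto}")
        if proto in PORTED_IP_PROTOCOLS and len(payload) >= l4_offset + 4:
            info["has_ports"] = True
            info["ports"] = struct.unpack("!HH", payload[l4_offset:l4_offset + 4])
    return info


def build_ipv4_frame(dst: bytes, src: bytes, proto: int, sport: int, dport: int) -> bytes:
    """Constructed minimal IPv4 frame; the 8 trailing bytes stand in for an L4 header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4
    return dst + src + struct.pack("!H", 0x0800) + ip + l4


def build_eapol_frame(dst: bytes, src: bytes) -> bytes:
    """Constructed EAPOL frame: version 2, packet type 3 (EAPOL-Key), empty body."""
    return dst + src + struct.pack("!H", 0x888E) + struct.pack("!BBH", 2, 3, 0)


if __name__ == "__main__":
    for f in (build_ipv4_frame(UNICAST, SRC, 6, 51000, 443),
              build_eapol_frame(PAE_GROUP, SRC),
              build_ipv4_frame(ODD, SRC, 17, 5000, 5001)):
        print(classify_frame(f))
```

Running it shows the TCP frame as unicast with ports (51000, 443), the EAPOL frame as a multicast destination with no L4 protocol and no ports, and the frame to 11:11:11:11:11:11 flagged multicast even though it is otherwise a plain UDP datagram.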

Routing and Multi WAN / Re: gateway tier priority backwards?
« on: January 05, 2018, 03:13:38 pm »
As Derelic already pointed out: The Loadbalancer balances connections, not traffic.

How do you know that your clients are actually creating new connections all the time?
Those 2.52/4.18 GiB you see on VPN B#1 could be from a single connection.

General Questions / Re: traceroute not working on linux
« on: January 04, 2018, 05:20:32 pm »
You don't happen to do something strange and created a rule which blocks ICMP?

NAT / Re: mask IP:port pairs as a dummy IP
« on: January 02, 2018, 02:38:25 pm »

In such a scenario I guess you can't use split DNS, thus have to go the NAT reflection route.

I suggest you set up "Method2: split DNS" since it is the cleaner solution to your problem.

As for the port to run the webinterface on:
System --> Advanced
allows you to configure which protocol and which port to run the webinterface.
Best is to set it to https.
If you need port 443 to be forwarded, set the webinterface to something else as well (8443 is a port I often see in such a scenario).

DHCP and DNS / Re: force client get ip with /32 subnet in dhcp server
« on: December 30, 2017, 03:02:32 am »
If your use case is an AP which doesn't have the option for client isolation, then this will not help you.
All the other clients will still be able to get the traffic you want to isolate.

You're trying to implement an L3 solution for an L2 problem.
The only solution is to get an AP which allows you to configure client isolation.

Hardware / Re: Dell R710 Port Flapping
« on: December 23, 2017, 11:53:05 am »
Well the idea of EEE is to shut the link down when it's "not being used" even if the link is there.
This makes (maybe?) sense in an environment where you have enduser devices like a desktop PC which just burns power when the link is there (PC has standby power, but isn't switched on) but not actually used.
The phy of a gigabit network port draws around 1W of power, no matter if it's used or not (times 2 since there are 2 ends of the link).
In an office environment where you have potentially hundreds of workstations it really makes sense to switch the link off when it's not being used.
However, since EEE is a feature purely of the PHY, it's kind of hard for it to know if the device attached at its {S,R?[G]}MII interface is even switched on, besides counting the time since the last time the tx_en line was active.

I work for a manufacturer of access points and in our experience there are way too many combinations of PHYs which "sometimes" just make a wrong decision and switch the link off even when it shouldn't. (Dell / Atheros is such a combination...)
This doesn't really hurt for a desktop PC where the most you notice is a short hiccup.

It makes sense for fixed, installed backbone/infrastructure links which should never go down, to just disable EEE on the respective ports.
