The pfSense Store

Recent Posts

Pages: [1] 2 3 4 5 ... 10
I'm getting this as well. Most of my pfSense are virtual machines running on VMWare ESXi.

I use pfSense for building site-to-site IPSEC tunnels (Blowfish encryption).

In my case it's happening when I see heavy loads across the IPSEC tunnel (this is normally at night, for running backups).

It appears traffic stops completely on the LAN interface. If I look on the console, I see "em0: Watchdog timeout -- resetting" or something to that effect (where em1 is my LAN interface).

For encryption, I use Blowfish 256 bit with a SHA512 Hash Algorithm. DH Group Phase 1 - 8192 bit.

For phase 2, I use ESP with Blowfish 256 bit with a SHA512 Hash Algorithm. PFS key group 18 - 8192 bit.

After reducing the DH Key Group + PFS Key Group to to 14 - 2018 bit I have noted an increase in stability (it hasn't locked in about a week). I've just applied this "workaround" on a few other machines I manage, I will report back on this.
Installation and Upgrades / Thank you
« Last post by esseebee on Today at 07:53:21 pm »
I didn't want to hijack someone else's thread, so I thought I'd make a new post. I wanted to thank the pfSense team for all the work you have done with 2.3 and 2.3_1.  I had no issues with my update from 2.2.6 to 2.3 this weekend, then again this morning from 2.3 to 2.3_1.  I've also noticed that my OpenVPN experience has improved since updating to 2.3.  Cheers.
Captive Portal / Re: Captive Portal Thru Lan -> Wireless AP
« Last post by ghinthsh on Today at 07:44:14 pm »
you're right benpal.

i tried it a while ago, even the client is registered in dhcp it forces to cp authentication page.


Captive Portal / Re: Captive Portal Failed when pfSense Updated to 2.3
« Last post by benpal on Today at 07:39:41 pm »
Thank you sir heper...

It's working now.
DHCP and DNS / Re: No local access to devices with new netmask
« Last post by spudy12 on Today at 07:26:01 pm »
How do you change the mask on a static mapping? I don't see the option for it there.

This is how it looks in the DHCP setting page

If I edit a static mapping there is no option for a mask?

I have restarted the DHCP server several times as well as the pfsense box itself, is this enough to renew the leases?

I forgot to add, all devices can access the internet fine

Uppon taking a closer examination I did noticed that Quagga indeed removes the adjacency and the OSPF table is at it should, but, for some reason, the routes learnt via OSPF and via VLAN 100 neighbor are being treated as kernel routes (just like you speculated, see picture below), thus the router is using them, what could be causing this? so far:

  • There aren't any static routes
  • The routes being treated as kernel routes were all learn via OSPF (and are a lot of routes)
  • Quagga is working as intended, the adjacency is being removed and the topology updated (as well as the routes), I didn't notice this the first time but it's happening like it should
  • Even though the routes were learnt from OSPF and the adjacency with the neighbor selected as next-hop is offline, the routes are kept in the FIB as kernel routes...

The only gateway-group involves the WANs, other than that, the LAN group is in "allow anything" mode.

Here's the routing table:

All those kernel routes are kept always the same, doesn't matter if R1 or R2 is offline (OSPF routes and LSA table on the other hand are updated as they should), I really don't get what's happening here.
IDS/IPS / Re: Suricata / Drop rule
« Last post by bmeeks on Today at 07:17:19 pm »
You can use dns and tls keywords, heres some generic examples

drop dns any any -> any any (msg:"DNS Facebook"; content:"facebook"; classtype:policy-violation; sid:39398144; rev:1;)
drop tls any any -> any any (msg:"SSL Facebook"; tls.subject:"facebook"; classtype:policy-violation; sid:39398145; rev:1;)

For more specific keywords, check Suricata Wiki


Thanks @fsansfil!  I had not thought about those options.  The OP may find this other way will work to some extent.

Local Interface é sua rede local (Selecione sua Interface LAN)
Source Adress Coloque seu IP Publico em qual esta utilizando a regra do PTA. Se ficar em branco o sistema vai usar a WAN Default em Routing, para funcionar tem que ter o NAT para a WAN que vai utilizar.

No meu caso como criei a Regra para um ip diferente do Default eu coloquei o ip em Source Adress
Pessoal, resolvido.

    A solução pode não ser a adequada, mas resolveu meu problema. Como mencionei neste post, estou usando proxy transparente com traffic shaper e o problema que as máquinas pertencentes a cada banda configurada não trafegavam. Loguei via shell e analisei os logs do squid e notei que as máquinas com banda definida não geravam log, ou seja, estavam tentando passar reto, usando tcpdump pude notar que o tráfego não estava chegando ao seu dentino. Por isso optei por  criar um nat puro de redirecionamento de portas semelhante ao PREROUTING do iptable.
   Abaixo as imagens das regras.
   Só gostaria de saber se este problema é bug do pfsense ou seja  traffic shaper com proxy transparente não rolar ou é realmente a minha falta de experiencia com o pfsense ?

grande abraço a todos e obrigado pela ajuda.
DHCP and DNS / Re: No local access to devices with new netmask
« Last post by cmb on Today at 07:04:12 pm »
You have to change the mask on all your static IP devices. And renew the DHCP lease for all the dynamic ones.
Pages: [1] 2 3 4 5 ... 10