Same here. No firewall logs on remote syslog. Local firewall logs, yes.
Other logs (dhcp, dns, system) all fine. I’ve never seen firewall rules make
it to the remote syslog, though I may only have started trying in 2.1.5.
i386, full install on msata SSD, soekris 6501-50.
Set your servername in apache/whatever, you’re all good. The servername needs
to match the cert, the IP doesn’t matter and shouldn’t be handed out anywhere.
On 2015, Mar 7, at 8:44 AM, Tim Hogan t...@hoganzoo.com wrote:
I like your idea with using 1:1 NAT but just one question; If
Bridging will disable firewall and DHCP on modem, this should be expected.
If it works, then you’re using it just fine. I have my DMZ hosts like that on
a separate network on OPT1 with their own IP range and 1:1 nat rules. It feels
more segregated that way to me than the bridging firewall
You may be getting overruled by the self-protecting hidden rules of pfSense.
System - Advanced - [Admin Access] - Anti-lockout
Alternatively, Services - DNS Forwarder - host overrides … could point
internal machines to the DMZ address instead of the outside address when they
lookup the name.
I’m still running 2.1.5 as the 2.2 series has not been happy on my soekris
boxes. Will test again soon.
I’ve also stopped seeing any performance benefit from the hifn encryption card
for any of my uses. Perhaps you see different, but the only supported
encryption on that card (aes-cbc) is no
If you set up CARP, then you don’t manage outages at 4am, you manage them when
you get in to work because no services went out.
If you hate CARP, then just do HA Sync to a running backup VM with the uplink
and downlink disconnected. Then your emergency procedure is to reboot the
FTP is a nasty beast. There’s active, passive, and extended passive
connections. You may need a client that does extended passive (epsv?) to work
properly. Standard passive will hand back the server's IP and data port over the
control connection, so unless PFSense is altering the packets as
Yeah, that sounds like the right path. Original post mentioned DOM, which I
don’t understand. I don’t know that SpinRite has any value on SSD. I would be
inclined to do a fresh OS install and import the configuration to eliminate
data bit rot and hacking of the OS as possible problems. I
10.20.*.* really shouldn’t be on your WAN, that’s not routable. Also,
214*256+167=54951, outside the range you say you dictated in the conf
I don’t think PFSense is going to provide you an ftp proxy, both because you’re
not using port 21, and this document:
Limiters work on 2.2.4, I’m using them. But I didn’t upgrade, I created the
limiters on 2.2.4. Are you asking if limiters work? Or are you just noting
that they don’t cleanly upgrade? If you create them through the GUI and link
them in with the firewall rules, do they work now?
> Information Systems
> Decision Sciences International Corporation
> On Sun, Dec 13, 2015 at 5:29 PM, ED Fochler <soek...@liquidbinary.com>
I agree. I typically ssh in as root and tcpdump to get a more interactive view
of the network, but packet capture should give you the same data. You should
be seeing traffic even if it is rejected or dropped by your firewall rules. If
you’re not seeing ping, it’s not showing up at your
There is also extended passive, which is much better than old standard passive
as it is ipv6 friendly and less likely to get wrongly proxied. So different
clients from the same network to the same server may negotiate differently and
present different results.
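As an added example (not from any of the posts above), here is a small Python parser for the two replies an FTP client gets back: the RFC 959 `227` PASV reply, which carries the server's own idea of its address plus the `p1*256+p2` port arithmetic used in the earlier message, and the RFC 2428 `229` EPSV reply, which carries only a port, so the client reuses the control connection's peer address. The function `data_endpoint` flags a PASV reply that advertises an RFC 1918 address (a `10.x` host behind NAT whose reply nothing rewrote) or an address other than the control peer. All reply strings and addresses below are constructed, not captured from a real session.

```python
import ipaddress
import re

# Reply formats: RFC 959 sec. 4.2 (227) and RFC 2428 sec. 3 (229).
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")

# Addresses that must never appear as a data endpoint reachable from the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (host, port) from a 227 reply.

    The host is whatever the *server* put in the reply, which behind NAT is
    usually its private address; the port is p1*256 + p2.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError("PASV field out of 0..255 range: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PASV reply advertised port 0: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


def parse_epsv(reply):
    """Return the port from a 229 reply. EPSV never carries an address, so the
    client connects to the same peer it already talks to on the control channel."""
    m = EPSV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 229 EPSV reply: %r" % reply)
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("EPSV port out of range: %r" % reply)
    return port


def data_endpoint(reply, control_peer):
    """Decide where the client will open the data connection.

    Returns (host, port, issue); issue is None when the endpoint looks sane from
    a client behind a NAT firewall, otherwise a short description of why the
    data connection is going to fail or go to the wrong host.
    """
    code = reply[:3]
    if code == "229":
        # Nothing in the reply for a NAT device to rewrite: only the port
        # needs to be opened, and the address is the control peer.
        return control_peer, parse_epsv(reply), None
    if code == "227":
        host, port = parse_pasv(reply)
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in RFC1918):
            return host, port, "server advertised a non-routable address; no FTP proxy rewrote the reply"
        if host != control_peer:
            return host, port, "advertised address differs from the control connection peer"
        return host, port, None
    raise ValueError("unexpected reply code in %r" % reply)


if __name__ == "__main__":
    # Constructed sample session: control connection to 192.0.2.10 (RFC 5737 range).
    peer = "192.0.2.10"
    for reply in ("227 Entering Passive Mode (192,0,2,10,214,167)",
                  "227 Entering Passive Mode (10,20,30,40,214,167)",
                  "229 Entering Extended Passive Mode (|||54951|)"):
        print(reply, "->", data_endpoint(reply, peer))
```

The second constructed reply is the failure mode the thread is about: the server hands out `10.20.30.40:54951`, so a client on the Internet either times out or connects to some unrelated host on its own LAN. The same server answering EPSV gives the client `192.0.2.10:54951`, which works as long as the firewall lets the port through, which is why two clients from the same network can see different results against one server.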
The next step would be to grab
My experience has been that intel nics are bad in the 10G space, especially
under BSD. I’ve had good luck with Myricom and Chelsio on BSD, though I
haven’t used either specifically on PFSense.
> On 2016, Feb 18, at 1:29 PM, Rainer Duffner wrote:
>> On 18.02.2016
> On 2016, Feb 19, at 11:54 AM, Giles Davis <gi...@multiplay.co.uk> wrote:
> On 19/02/2016 16:19, ED Fochler wrote:
>> My experience has been that intel nics are bad in the 10G space, especially
>> under BSD. I’ve had good luck with Myricom and Chelsio o
> On 2016, Apr 24, at 7:05 PM, Olivier Mascia wrote:
> Why is there a box to enter the remote system username, when it is useless
> and has to be 'admin' anyway?... :)
It seems to be an incomplete feature upgrade, as the admin user has always been
usable and it was
On a modern intel system, the intel chip itself (or AMD) has AES128 or better
implemented in hardware. I get ~700Mb on sftp on my macbook air 2012 like
that, so those numbers are exactly where I’d expect the CPU to be maxed out
doing AES128 or AES256 encryption. That’s what hardware
> On 2016, May 11, at 1:48 AM, FrancisM wrote:
> Is there any plugins from pfsense to do this kind of configuration just
> like reverse proxy. this is the scenario. I only have 1 public IP address...
> I know I can achieve this using other ports (higher ports) to
Unless your ISP is involved, you’re not going to do link aggregation or BGP.
I’m guessing you’re doing NAT on both of these WAN connections, and not just
routing. In this case I would recommend separating traffic by user, or by
I had a DSL and T1 arrangement a while ago and
There are numerous other similar answers to be found, but here’s mine:
Get away from CF if you can. The modern performance and wear leveling work is
in SATA and DOM, those are better devices. Abandon the NanoBSD and just find
the miscellaneous checkbox to put /tmp and /var in
For clarity, that’s just the order in which PF works. It does NAT translation
to incoming traffic as a concept before it applies filter rules. It’s unusual
in the world of firewall mechanisms, but it works just fine. It also allows
you to explicitly allow traffic in to your port-forwarded
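To make that ordering concrete, here is an added pf.conf fragment in the FreeBSD pf syntax pfSense 2.x uses (my example, not text from the post and not pfSense's generated ruleset; the interface name `em0` and the address `192.168.1.10` are assumed):

```pf
# Added example: a port forward as pf evaluates it.
# Assumed: WAN interface em0, internal web server 192.168.1.10.

# 1. Translation runs first: inbound TCP to the WAN address, port 8080,
#    is rewritten to 192.168.1.10:80 before any filter rule is consulted.
rdr on em0 proto tcp from any to (em0) port 8080 -> 192.168.1.10 port 80

# 2. Filter rules then see the translated packet, so the pass rule names the
#    internal host and port, not the WAN address and 8080. Without such a rule
#    the rdr still translates the packet and the default deny drops it, and
#    tightening "from any" here is how you restrict who may reach the forward.
pass in on em0 proto tcp from any to 192.168.1.10 port 80 flags S/SA keep state
```

`pfctl -nf` on a file holding these lines checks the syntax without loading it. In the pfSense GUI the second rule is what the "associated filter rule" on a NAT port forward creates for you; editing that rule's source is the explicit allow the post refers to.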
I have a similar situation and I solved it with limiters. I'm also a fan of
limiters to ensure fair sharing of uplink bandwidth by internal users. I
haven't tried changing system tunables though, so that solution may be better.
Nothing is sent through the limiter until you create a rule that
I agree with Eero, VLANs are real security. It will require time and
effort and maybe some additional equipment. If it helps you sleep at night,
it's worth it. You might start with just IP groupings and rules though.
I have an admin network that only has a couple of