pfSense is killing me. Should I go USG?

I switched from pfsense at my office to untangle a few years ago. Pfsense is a great router distro, but once I tried untangle there was no looking back. Much easier to configure and just as solid. Adblocking is available.

The openvpn support is there even in the free version. You can try it out with a full-featured trial, and if you'd like the full version for home use, it's only 5 bucks a month for the full package. Very reasonable for what you get (and no headaches).
 

The last time I used Untangle I remember there being a big difference feature-wise between the free version and pay version. Has that changed in the past 6-8 years? At the time it was clearly a small-business grade solution.
 
VPN on pfSense can be a bit difficult for someone who isn't familiar with all the nitty-gritty details. Somehow through the grace of Krom I was able to get IPSEC working with Apple iOS clients, but now I'm working on switching over to OpenVPN.

Getting pfSense up and running just acting as a basic firewall and gateway should take less than 5 minutes out of the box.
I got openvpn working without much fuss at all. I've heard it's much easier on opnsense. But, I haven't had the chance to compare them yet.
 
Configuring the VPN in pfsense wasn't too difficult. I believe there's a really clear and concise guide on the PIA site about it. Pfsense has been fantastic in that respect.
 


Free version does routing, firewall, QoS, OpenVPN, TunnelVPN, basic gateway antivirus (clamwin, iirc), ad blocking, intrusion prevention.

Paid version (business and home are the same features) also has IPSecVPN, Web Cache, load balancing / failover, email filtering, bandwidth control, additional gateway antivirus (bitdefender), content filtering, policy controls, config backup to google drive.

https://www.untangle.com/untangle-ng-firewall/software-packages/
 

Just keep in mind you need to generate separate server and user certificates and then assign the user certs to the user accounts, and if you assign the certs wrong, nothing will connect. It will generate the packages correctly, but nothing will work. That's what tripped me up.
 

I believe they no longer do BitDefender in the paid version.
 
What do the logs say? Pfsense has some decent logging, and it should at least point you in the right direction.

A couple of things to check next time you lose internet.
1- Is DNS working? Can you resolve a host name? Ping a couple of sites and see if it returns an IP.
2- Try pinging an IP directly like the previous poster suggested.
3- During the ping test, filter the logs for packets with that destination IP and see what it's doing.
4- Instead of rebooting, go to the Interfaces tab and release/renew the DHCP lease on the WAN. Does that fix it?
5- Before rebooting pfSense, unplug the WAN from your modem and plug it directly into a laptop. Do you have internet now?
6- Try just rebooting the modem instead of pfSense and repeat step 5 if it failed.
7- Try clearing your state table instead of rebooting pfSense.


It just happened again and I was able to go through this list looking at it on my phone.

1: I can't ping a domain name.
2: I can ping an ip address directly.
3: Which logs should I look at? There are tons of them. I looked at most and didn't really see anything that stood out as pertinent.
4: I went to the WAN tab and disabled it and then re-enabled it. This resolved the issue.

5 - 7: I wasn't able to try these as I sorted the issue in #4.


Is this telling of anything? It's pretty clearly a DNS issue even to a networking moron such as myself.


EDIT:

I just found the status/interfaces tab and the ipv6 address discussed previously is listed as the ipv6 link local address. On the WAN tab ipv6 configuration type is set to none.
 
Do you have a DNS forwarder or a DNS resolver enabled?

I have a pfSense ignoring the DNS server it pulls in from the modem and forwarding to CloudFlare.

Also, next time it happens try hard coding a public DNS on your workstation and try domain name resolution.
 

I have DNS resolver enabled but not DNS forwarder. I have Enable DNSSEC Support checked, system domain local zone type set to transparent, and these are the custom options:


server:
forward-zone:
name: "."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
server:include: /var/unbound/pfb_dnsbl.*conf


Good idea about setting up DNS on my desktop. I'll give that a try next time.
 
If you can ping something external but can't hit google.com, you have a DNS issue.

[This is also a meme: it's almost always DNS...]
 


Yeah. I'm with you. It's a DNS issue. What kind of DNS issue? Why does it only rear its ugly head from time to time? What's triggering the problem?


Sorry. I'm not up on my memes. Maybe I should spend more time looking at instagram to un-fuck my router?
 

If we know it's a DNS issue, now check the firewall logs for outbound packets to port 53. Are they going out or being blocked? Delayed? You might have to enable logging on the allow DNS firewall rule.

Try adding a few additional DNS providers to your list as well. Google and OpenDNS are a couple of good options to have. You can also try disabling DNSSEC to see if that makes any difference.
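An added example (not any poster's script) that automates the checklist earlier in the thread (resolve a name, ping an IP) together with the "hard-code a public DNS" test from the reply above, so that the next outage is classified in one run instead of by hand. It assumes host(1) and ping(1) are installed on the machine behind pfSense; NAME, UPSTREAM and the diagnosis labels are this example's own choices.

```shell
#!/bin/sh
# Added example for this thread, not any poster's script. Three probes separate
# "unbound on pfSense is broken" from "upstream DNS is unreachable" from
# "nothing leaves the WAN at all". NAME and UPSTREAM are assumed values.
NAME="example.com"
UPSTREAM="1.1.1.1"   # public resolver the thread already forwards to

# Exit status 0 if the local resolver (unbound on pfSense) answers for NAME.
probe_local_dns() { host "$NAME" >/dev/null 2>&1; }
# Exit status 0 if UPSTREAM answers directly, bypassing pfSense's resolver.
probe_upstream_dns() { host "$NAME" "$UPSTREAM" >/dev/null 2>&1; }
# Exit status 0 if a single ICMP echo to UPSTREAM's IP gets a reply.
probe_ping() { ping -c 1 "$UPSTREAM" >/dev/null 2>&1; }

# classify LOCAL UPSTREAM PING (each 0 = worked, 1 = failed) -> diagnosis.
classify() {
    if [ "$3" -ne 0 ]; then
        echo "wan"              # raw IP traffic fails too: WAN lease, modem, states (steps 4-7)
    elif [ "$1" -eq 0 ]; then
        echo "ok"               # names resolve and IPs answer: nothing to chase right now
    elif [ "$2" -eq 0 ]; then
        echo "pfsense-resolver" # upstream is fine, unbound on the box is not (DNSSEC, DNSBL include)
    else
        echo "upstream-dns"     # IP works but DNS to upstream does not: check port 53/853 in the firewall logs
    fi
}

# Run the live probes and print one summary line. Written with && / || so it
# also behaves under "set -e".
run_checks() {
    probe_local_dns    && l=0 || l=1
    probe_upstream_dns && u=0 || u=1
    probe_ping         && p=0 || p=1
    echo "local_dns=$l upstream_dns=$u ping=$p diagnosis=$(classify "$l" "$u" "$p")"
}

# Only probe the network when invoked as: sh dnscheck.sh --run
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it from a workstation while the outage is happening; the diagnosis maps back to the numbered steps in the checklist, and "pfsense-resolver" is the case where toggling DNSSEC or the DNSBL include is worth trying.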
 


OK. It appears to only keep logs from the current day so I can't see anything from yesterday when I had the issue.

I do have alternate DNS providers. I have, in this order, 1.1.1.1, 1.0.0.1, 8.8.8.8 and 4.4.4.4.

Should I disable dnssec now or wait until the issue appears again?

Thanks for the input!
 
As a home user, I've always used NAT. It's pretty cheap too :)

This is an honest question. Are you guarding something that would not be protected by a standard high end router and a good AV package? Or are you doing this for the fun of it and the practice/knowledge (the reason I used to run Windows Servers in my house, but don't any more)?

If the latter, cool for you. Have fun :)

If the former, my goodness man. Why?
 


I think that the protection offered by most routers would be sufficient. The reason I went with the hardware I did was because Super Micro has served me well. I've never had any of their hardware die and every single consumer motherboard I've owned has died. I wanted something that could handle the VPN and ad blocking. It's overkill. I was planning on running squid but since most traffic is HTTPS now that turned into a PITA. To be honest I would really love to learn all of the ins and outs of networking, I just don't really have the time at the moment. I am learning a bit through this thread though.

So any router/firewall that could meet these four criteria would work for me: the firewall does its job, VPN, ad blocking and reliable.

I'm not following your NAT comment.
 


You can increase the log retention range in the settings. I believe it just defaults to 24 hours.

I would say it can't hurt to try disabling DNSSEC temporarily to see if the problem still occurs. The goal is to make minor changes to try and narrow down specifically where the issue is occurring.
 