UPDATE:
Looks like an update from synology did the trick. :-)

There was no issue with HAProxy.
The issue was related with my Apache config, sorry for that.
I'm now using mod_remoteip instead of deprecated mod_rpaf and appropriate log format options.

On HAProxy side, it's only required to select option 'Use "forwardfor" option' in the frontend, as described in below documentation:
https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/haproxy_pass_clientip_to_webserver

Thank you @PiBA. I changed my actions so that they use the ACLs. Works quite nicely.
Regarding IP Filter / Authentication I found this article:
https://hochwald.net/user-authentication-with-haproxy-on-pfsense/
I have not tried it, yet but I really prefer authentication over IP filter since you do not see if the filter works when you come from an authorized IP.
I would have preferred an LDAP user backend but a static user list will suffice for me, too.

@PiBa
Thank you for your reply. That lead me to another interesting thing.
In pfSense's WebGUI the right certificate is chosen. I have a look into /var/etc/haproxy/shared_frontend and did:

And baam, the common name is 'images'. The letsencrypt certificate though had a wrong CN configured so that's what this is.

@watkinsufs said in Bind9 - zone transfers:

thought there would be a listing of the transferred records.

why would you think that?

Its a gui around the config..

@johnpoz first off, I'm dismayed that you are belittling my request for support. If I wanted advice on how to best connect a remote printer, I would have asked that in the appropriate section of the forum.

I've done the research and determined that a VPN is not the best solution. I don't (nor likely will) have any ability to change the network setup on the distant side of the solution. In most cases, they are built using off the shelf products that typically leverage one or two very common Class C network IP ranges. This would require a rather complicated split-tunneling VPN solution a user would need to manually start. I would also add that a proper VPN deployment is much more than running a wizard and dumping out a config file. As I received no such support, I spent hours researching solutions on my own. Here is what I've built, tested, and fielded, for folks out there actually looking for a solution:

Most printers using standard IP printing use port 9100 and the RAW protocol over TCP.

Local Side
pfSense Firewall w/ stunnel add-on installed

pfSense Stunnel Config:
Listen On Port: 9100 (Can be whatever you like, as long as it matches the stunnel config file on the distant side.)
Redirects to IP: XXX.XXX.XXX.XXX (Printer IP attached to the LAN (or better, a DMZ))
Redirects to Port: 9100
Custom Options: PSKsecrets = /conf/stunnel_psk.txt

stunnel_psk.txt contains a list of identities and preshared keys in the format ID:Key. pfSense even provides a handy editor under Diagnostics once the file is created in the conf directory.

Create WAN firewall rule to pass inbound TCP traffic on 9100. (Even better, only allow connections from specific public IPs you need to print from.)

Distant Side
Install standard stunnel from: www.stunnel.org then enable running as Windows service.
Edit stunnel config file:

; encrypt outbound printing
[Remote_Printing_9100]
client = yes
accept = 127.0.0.1:9100
connect = XXX.XXX.XXX.XXX:9100 (Public IP and the "Listen on Port" of pfSense firewall.)
PSKsecrets = psk.txt
PSKidentity = ID

Create psk.txt in the same folder as the config file and past the same ID:Key combination from stunnel_psk.txt and restart the stunnel service.

Then simply change the IP port of the printer to the local host and enjoy!

@Rico OK thanks for your feedback, I guess I just leave them be unless there's some risk involved? I do not need them...

Just to follow up, after moving all my sites to a new VM, speed is as expected. Dunno.

@Gertjan thanks, for the reply.. I'll try your suggestion.

@Peglas

Your welcome ☺

That is just an automatic one that should generate itself for convenience. It is much better to make your own.

@Sefiadem said in Redis needs manual start from shell, to get NTOPNG working:

rm -rf ntopng/

That works for me, maybe was a corrupt file then deleting all structure and the deamon start correctly

I just ran into another FreeRadius question, an found this :

Run it yourself on your system.
Console access or SSH, option 8.

Now, when user logs in, you have it's user name, right ?!
Let say, the user is called "107"

What about this :

Now, take the last line :
clog /var/log/system.log | grep "FreeRADIUS: User 107"

My idea is : when you make your own portal login page
and
portal error page (the page where the red error shows teh somewhat misleading : ""invalid credential"")

Edit this error page, and add some PHP code that executes these shell commands - and if there is some result (read : useful messages).
Show the result on the error page !

Something like :

Now, all you need to do is scripting this together using some PHP and the commands you found above, and put it into the captive portal error page.

I have been using the freerad package on pfsense for years, for sure since May of 2014 when got first unifi AP.. And for sure you had to setup nas client for it to work... I distinctly recall doing testing and having to put that in place.