@chpalmer said in Whom do I need to yell at?: @harvy66 Only a holiday in this country.. :) The company I work for is international and everyone gets paid time off for Thanks Giving. All offices closed early the day before and closed the day of and after. 4th of July is USA only.

At this point the Watchguard X-e boxes have been end of life for around 10 years. Its very probable that your unit is simply bad.. I do have one of these still in operation myself at one customer location with plans to replace very soon. The 2.3 branch of pfSense is now EOL as well and not supported anymore. Just sent 6 of these boxes to the recycler.. most of which had never been upgraded to pfsense. If your proficient with pfsense and know for a fact your not doing anything wrong with configuring things you can pretty well most likely blame bad equipment here.

Cool, it's not a complex config at this site. Glad it's a VM, I'll spin up a replacement! Thanks for the advice.

https://www.netgate.com/docs/pfsense/book/

@pfrickroll , well I understanding, nice to read about, and agreed. Same here my adventures with firewalling world of pfSense began about three years ago and is really cool discovering networking stuffs with simply power of Free BSD and PfSense. I'm loving it. So I know pfSense from 2013 but I'm not remember any specific options for managing many different configs at same time. Maybe if exsist in older Additional Packages software , in older days and maybe it's purged out for missing support I dont'know, but at this time High Avail. Sync can support at least some basics stuffs if you can share between all your different setups like: ** System / High Availability Sync** configuration shows: User manager users and groups Authentication servers (e.g. LDAP, RADIUS) Certificate Authorities, Certificates, and Certificate Revocation Lists Firewall rules Firewall schedules Firewall aliases NAT configuration IPsec configuration OpenVPN configuration DHCP Server settings WoL Server settings Static Route configuration Load Balancer configuration Virtual IPs Traffic Shaper configuration Traffic Shaper Limiters configuration DNS Forwarder and DNS Resolver configurations Captive Portal This is a starting point, for me... I trust here in the Netgate forum some dude hold the answer for sure. I guess a kind of XMLRPC protocol "work" made by a custom php script for a possible approach but I'm not a programmer, I'm only a big fan

openvpn tap would not be the same no.. I personally have never had to deal vxlan drivers on a device since our DCs that we need to do extended vlans across are all connected via dark fiber ;) Clearly some advantages of working with enterprise networks and real budgets - hehehe

Ok, if it's a lot of work I may get another 3100 and retire the 2220.

@randomaustralian Check the compatibility of your desired Hardware with FreeBSD 11.2 and if its compatible then it will work with pfsense.

@jmatz88 said in pfsense keeping securelevel=3 after reboot.: I think they get a head start to use the default credentials before we get our hands on the computers so that might be why they have root access so quickly. Then that defeats the purpose of the competition, doesn't it? If you say your aim is to "defend your network", then you should be the one that get's access. No one worth their pay would install a firewall with access to the WAN/insecure network granted and default credentials still in place (even 2.4.4 gives now very big warnings about that). If they get a head start to "attack" a device with default credentials that is no competition to defend but a cleanup job - and the most secure way would be to kill the box (re-install) and bring it back if it is secured - and doesn't have WAN access at all to the web UI. ;) Just 0.02$ because that sounded more like a kobayashi-maru as a "competition" :)

@rg0s9 said in VPN Tunnel - No Gateway on TUN interface: @viragomann Thanks for your replies here. What seems to have done the trick is creating an opt interface for the VPN. This interface now has the first ip address in the tunnel range, and i can now get to devices on the LAN. What was throwing me was it doesnt seem to be referenced in any material i have viewed. Cheers Yeah that's because normally it isn't required at all. I'm running it on multiple client sites without an interface mapped to it. As @viragomann said, you only need to assign a opt interface to it, if you want to route somehting TO the VPN. As you describe the VPN as dial-in so you can actually maintain some things on their LAN, it's not necessary. Just clicked through the wizard and got a working VPN without any problems, so I think that some other little piece was missing you fixed before assigning the interface. Only thing that changes with the interface are that you get a VPN GW that is visible to the GUI, you get an extra interface tab for that VPN (instead of just using the OpenVPN group interface for your rules) and ... that's probably it ;) Greets

@slimypizza said in What am I missing?: In addition to setting up a VPN server, you might have fun setting up a reverse proxy. I use HAPROXY for this. Good Idea, I am also going to give it a try, to this reverse proxy.

If you can ping router to router, then it's almost certainly an issue with routing or firewall rules, either on the firewalls on either side, or on the devices behind the firewall(s).

@derelict Thanks for the solution. This worked.

OK I will read about transparent client ip, thanks. The source client ip should be used by traefik with a simple LB in TCP mode. I have tried to create an apache server with a simple port forwarding and I can get the client ip using the Remote-Addr headers and set the x-forwarded-for header to pass it through ProxyPass. The app server logs the correct IPs. I will try with the loadblancer tomorrow. After that if it works, there is a traefik miss-configuration/issue ?!!

It will be fine and definitely keep the SSD. Spinning drives offer pretty no advantages in a firewall at this point. Steve

I had a similar issue but thanks for the topic which is discussed in detail. I will read all the discussions and see if it solves my issue.