So I just ended up using one of my extra ports to reconfigure the vlan on it. I deleted all the other instances and redid the firewall rules. It now works. I don't know what the issue was. It's probably cleaner to keep the vlan on it's own port and not shared with my lan port. Thanks for your replies.

Ok thanks.

its not dns broadcasting... It would be the client doing a netbios broadcast for the hostname... Hey who is called somehost.. So your clearly not doing dns redirection. So you want to set it up correctly.. Point your clients to pfsense, or some other local NS that will resolve all your local resources, and will then forward or resolve all your public dns needs. Pointing clients to outside NS is not going to allow you to actually resolve any local resources, nor will it give you the ability to block bad stuff.. You have no control over the dns at all when you tell client to use 8.8.8.8 for their dns.. But if you have them point to something local for dns, say pfsense - you then can control stuff by blocking stuff you don't want them to get to.. You can resolve say www.whatever.com to the local IP its hosted off of, vs getting the public IP for this fqdn and having to use nat reflection. Also pointing clients locally allow you save some bandwidth, because if client A looks up www.something.com, and then client B asks for it its already cached at your local dns, and doesn't have to be looked up again, etc. So fix it already - not really sure why we are stilling having this discussion ;)

Yeah it would be hard to do. Most things like that involve edits to multiple sections. You could maybe diff the configs against default and then apply it as a patch. But you would likely only be able to apply one patch as subsequent patches would not apply cleanly. Steve

@PhlMike said in Looking for syslogs to update my cyberattackmaps website: That is interesting, I have over 100 pfSense firewalls and I use pfmonitor as well, I could probably aggregate something if I can figure out how to automate it and remove anything sensitive. That could be interesting indeed. If you like to give it a try, maybe for just 1 one them, please let me know. If you want to I can also try make a TCP (ssl) port available instead of UDP. But then you will need some customization (syslog-ng forwarding?) in pfsense in order to send to that I believe.

@jvansyoc said in Allowing users to add/remove/modify additional user accounts but not admin accounts.: Using the FreeRadius server package on Pfsense is something I have used as will for MFA on VPN. I'd encourage you to try as - together with OpenVPN - you can actually use FR to implement things you normally would need CSO (client specific overrides) for such as handing out a static ip for specific users or time limits, logout times etc. So for every RAS VPN setup I always encourage our customers to use OVPN+FR together as it provides them more flexibility. I should clarify that I'm looking to allow the end-user access to add and remove VPN users without having to contact me or have system administrator access. The suggestion to use FreeRadius is a great idea and I will get back to this with my testing. Then I'd say go the route and couple OVPN with FR :) It will pay out in multiple ways ;)

Yes, to pfSense the packets are arriving when I try to do for example a ping from DC1. DC1: root@dc1:~# ping xmpp.domain.tld ping: xmpp.domain.tld: Name or service not known pfSense: Diagnostics/Packet Capture Host Address: 10.10.20.2 Protocol: Any Packets Captured 15:56:06.248804 IP 10.10.20.2.60725 > 10.10.20.1.53: UDP, length 51

Few different things, first, the SG-1100 works, we test it, we run it, we know it will update when the time comes. We stand behind our hardware if there is an issue, we will replace it. For another vendor, that make the j1800 when you run into a problem that is hardware based, you are relying on another company for their support. When you purchase from Netgate, you are buying from a small company, you support us.

Yeah. There are many things that someone with access to that box could do and you don't want any of them! I assume speedify give you a private IP when you connect to them so at least you are not directly accessible that way. If it's behind other routers on the WAN connections it may not have a public IP at all which at least reduces the risk. But...

@NogBadTheBad 192.168.1.1 is the IP of the pfSense. 192.168.1.2 is the IP of the wifi router. Everything else is 192.168.1.*