Subcategories

  • Discussions and feedback related to this forum

    608 Topics
    3k Posts
    johnpozJ
@Popolou well that is recent for sure.. I don't recall putting that in - maybe?? Fixed now it seems, which is the good thing. Thanks for bringing it to attention.
  • Community Hiring and For Hire postings related to jobs that require pfSense software skills

    27 Topics
    114 Posts
    w0wW
@sef1414 Name it "run.sh", copy it to pf and chmod it according to the documentation: https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html#shell-script-option You will see messages in the system log like those quoted in the script after the logger command.
  • Trying to Force a server to use a different gateway.

    4
    0 Votes
    4 Posts
    547 Views
    provelsP
    @fr334fr4nk Can you just hard code the IP of the server to use the failover gateway. It's only one. Disregard, I read "doesn't fix it for me"
  • After upgrade, problems loading certain websites

    12
    0 Votes
    12 Posts
    2k Views
    GertjanG
@skee9679 said in After upgrade, problems loading certain websites: I guess my question is what counts as many?

    What I know is: when a "new DHCP device" pops up in the network, it requests an IP (using the DHCP DISCOVER operation). The new lease will be written in a file that unbound (the Resolver) uses. unbound is not capable of detecting the "file change" and reading it in again; unbound has to be restarted (stopped and started) so that the new lease is taken into account. That's why I advise you to remove the check for "DHCP Registration". If you want a device to be "known" on your network by its host name, put in place a Static DHCP mapping on the DHCP server page. This way, unbound can resolve something like your-local-LAN-based-printer.your-pfsense.tld to an IP. These devices never change their IP (== they always get the same IP from the DHCP server), so use that method: [image]

    unbound not starting means also: its cache becomes actually useful (and you ask unbound to refresh cache items by itself when they time out - see below). This way the Resolver also becomes a good DNS cache ==> speeding up DNS treatment.

    DNSSEC: normally, DNSSEC should be totally transparent for you / your device / browser. DNSSEC will (or could, or shall, I don't know) give issues when DNSSEC info is wrong or missing. If you have a doubt, use this site: http://dnsviz.net to test the domain in question. Btw: I've also set these on the Services => DNS Resolver => Advanced Settings page: [image] The last two options enforce DNSSEC handling, which means (to me): if DNSSEC is wrong, then I can't visit that site. Not a problem for me, because site admins that use DNSSEC had better have their settings correct. If not, their site will disappear from the net for those who use DNSSEC for what it is meant to be: getting correct DNS info - or nothing else ("domain not found" error). DNSSEC info is just like classic DNS info, although, because of the much bigger info records, the traffic - DNS requests and/or answers - will go TCP instead of UDP. (You permit DNS over TCP, right?! DNS isn't only UDP port 53.) Option "Prefetch Support" explains itself: it keeps my cache up to date - as I mentioned above. Use this site https://dnssec.vs.uni-due.de/ to test and see if DNSSEC functions correctly for you. This site also mentions other test sites - see the bottom of the page.
  • MPLS to the extreme

    4
    0 Votes
    4 Posts
    651 Views
    H
@stephenw10 Seemingly peering at major IXPs around the USA, but it's a small local ISP. And it's not just a gimmick. The bandwidth is very stable and these routes seem to continue to function even when there's regional internet outages. Of course with enough money, you can get your own fiber, but we're talking about each IX being thousands of miles away and the podunk ISP has ridiculously low prices. Private MPLS comes to mind, but I have always assumed that to be very expensive and reserved for high tech companies like Google or Amazon where latency matters. I do enjoy when situations like "Battle.Net is down for the entire Midwest due to routing issues" and I'm unaffected. And peering disputes seem to be a thing of the past. It seemed like once every few months, some congestion issue between transit providers would occur in some of my routes. But now that most everything is just direct peering and all of the traffic is effectively "tunneled" over from private route, it's been an issue of the past. Even without IX peering. Pick a game server on the west coast:

        1    <1 ms    <1 ms    <1 ms  pfsense.localdomain [10.255.42.1]
        2    <1 ms    <1 ms    <1 ms  192.168.1.1
        3     2 ms     2 ms     2 ms  redacted
        4     2 ms     2 ms     2 ms  redacted
        5     3 ms     2 ms     2 ms  ISP redacted
        6    13 ms    13 ms    13 ms  4.71.102.197
        7    62 ms    62 ms    62 ms  4.69.202.241
        8    62 ms    62 ms    62 ms  4.28.172.102
        9    62 ms    62 ms    61 ms  159.153.68.252

    Routes look a lot different to me from just a year ago.
  • Enabling IPv6 on Windows

    9
    0 Votes
    9 Posts
    1k Views
    provelsP
    So magically my Hyper-V host now has an IPv6 address and IPv6-test.com seems to work for me 100% from it w/o making any changes, not even a reboot of either the host or FW. I still have the issue where my Win10 laptop performs intermittently, but works if I bounce to another access point and continues to work even if I bounce back. Just weird. At any rate, I have noticed that from all machines the test results list my IPv4 WAN address, but all the IPv6 addresses are machine-specific. Is there a short answer to this or is it just how IPv6 works? The range assigned is not the same as the WAN v6 address. Thanks for any replies.
  • PPPoE Server doesn't have "service name" entry

    1
    0 Votes
    1 Posts
    295 Views
    No one has replied
  • This topic is deleted!

    1
    0 Votes
    1 Posts
    11 Views
    No one has replied
  • On LAN no temporarily IPv6 address.

    29
    0 Votes
    29 Posts
    4k Views
    C
Hi Derelict, Thanks for the answer. I get a /64 from my ISP and that is also true when I look in the log you mention. And after I have set the check boxes mentioned above it is working :-)
  • SFP and SFP+ transceivers and modules

    2
    0 Votes
    2 Posts
    465 Views
    DerelictD
Why would anyone here know anything about compatibility with Sophos, Windows Server, Cisco and Untangle? You generally get a module compatible with your hardware, not the software. You would need to specify the type of fiber, generally multi- or single-mode. Anything from 10Gtek, fiberstore, addon, etc. that matches up with your hardware should work fine. You probably want something Intel-specific. Why are you asking about a 10G module then listing 1G hardware?
  • 0 Votes
    1 Posts
    308 Views
    No one has replied
  • How use vi as the command-line editor in the shell

    7
    0 Votes
    7 Posts
    1k Views
    DerelictD
  • External domain

    4
    0 Votes
    4 Posts
    548 Views
    T
    Nevermind, this was my mistake with testing I was trying out different things with the host file as well. Thank you for your help!
  • This topic is deleted!

    1
    0 Votes
    1 Posts
    16 Views
    No one has replied
  • pfsense seems to be limiting download bandwidth

    2
    0 Votes
    2 Posts
    392 Views
    M
@mikeybs I guess it was the VoIP traffic shaping, I removed it and download speeds are now 10MB/s, not sure why....
  • Frequent Gateway Alarms and WAN Interface Reset

    1
    0 Votes
    1 Posts
    589 Views
    No one has replied
  • FreeBSD's Release Engineering Lead Departs The Foundation, Joins Netgate

    1
    0 Votes
    1 Posts
    447 Views
    No one has replied
  • The problem with not working the gateway

    pf cluster
    10
    0 Votes
    10 Posts
    792 Views
    johnpozJ
You're saying stuff behind pfsense doesn't have internet.. Just at a loss as to why your vip would be .6? Whenever you set up carp or hsrp or anything where there is a vip that is moved between 2 devices.. It is almost always in sequence with the actual physical IPs: .1 .2 .3 would normally be the vip.. .252 .253 .254 would be the vip etc.. Where did you come up with .6???? and .1 and .3 for your physical??? So if your traffic comes in from some other path and not through the cluster, and you're trying to use the cluster as your gateway for the webserver - then again NO shit it's not going to work.. What I would suggest you do is get 1 pfsense working... Then graduate to a HA setup.. If you're going to use some other path to and from the internet or other networks, then this path needs to be connected via a transit network off your pfsense box.. Again I suggest you DRAW!!! your network so we are all clear how you have everything connected.. You understand for port forwards to work you would need them to point to the wan carp VIP!! This looks like you have your pf1 and 2 in line with each other? Traffic hits your wan carp vip, and would be forwarded to your webserver IP. dns load balancer >> pf1 - pf2 >> webservers
  • Surfshark Openvpn Configuration

    6
    0 Votes
    6 Posts
    3k Views
    A
    Here is a generic guide on how to run any VPN provider as a WAN connection: https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html Jeff
  • Restrict-access-to-management-interface

    2
    0 Votes
    2 Posts
    411 Views
    KOMK
Did you reset the states for that IP address to be blocked? Pre-existing states are not affected by new rules or modifications to current rules.
  • Accessing File Shares Through VPN

    6
    0 Votes
    6 Posts
    1k Views
    KOMK
    Again it boils down to LAN security, and it's easy to get hung up on endless onion layers when it might be overkill for your particular environment. Is your LAN used by hostile actors? Or is it a home LAN used by you, the wife and kids? Is the data you're trying to secure that sensitive? These are all questions that need to be answered before you can choose the correct approach.
  • I got Hacked By Unlock through my Borrower

    5
    0 Votes
    5 Posts
    747 Views
    KOMK
    @anttechs said in I got Hacked By Unlock through my Borrower: I did try squidguard but I couldn't get it to stay running so I'm guessing it was because I didn't install squid? Yes, squidguard relies on squid to be installed first.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.