Subcategories

  • Discussions and feedback related to this forum

    610 Topics
    3k Posts
    G
    @stephenw10 This is my final note since it seems you will always look at this as an endpoint. It doesn't appear, it actually is, the facts are the facts. Still, moderators usually have a way to remove posts and ban single users, not just the entire herd, or at least the ones use. Perhaps those are more advanced, or perhaps Netgate forums lack that functionality. I never said Netgate took this issue lightly, I was just looking for some feedback. I have seen this process many times and from the looks of it, pfsense CE is very much in maintenance mode. Just because Netgate wants to be politically correct does not mean it is not. The facts are there and they are following the same path as others did. Again, this subject is just becoming redundant and it is affecting other users in the forum.
  • Community Hiring and For Hire postings related to jobs that require pfSense software skills

    29 Topics
    117 Posts
    w0wW
    @sef1414 Name it "run.sh", copy to pf and chmod according to the documentation https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html#shell-script-option You will see messages in the system log like those quoted in the script after the logger command.
  • Configuring pfsense with one WAN and one LAN

    2
    0 Votes
    2 Posts
    501 Views
    GrimsonG
    https://www.netgate.com/docs/pfsense/book/ read it completely.
  • Before I install pfsense

    2
    0 Votes
    2 Posts
    559 Views
    RicoR
    You don't need to split into different subnets, you can just Policy Route by source IP. I highly recommend you check out the great OpenVPN as a WAN hangout (https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html) to give you a general overview of what's possible and how it's done. -Rico
  • 0 Votes
    3 Posts
    636 Views
    P
    Can the tunnel network IP work like a gateway? Because I have another problem, that I can't reach the site-site vpn from another vpn.
  • Default gateway switching option not seen in Pfsense 2.4.4

    4
    0 Votes
    4 Posts
    855 Views
    RicoR
    Yes that is a normal behavior when the WAN gets switched. -Rico
  • Help needed, custom Snort rule prevent me from starting the WAN interface

    2
    0 Votes
    2 Posts
    600 Views
    bmeeksB
    @sjady said in Help needed, custom Snort rule prevent me from starting the WAN interface:

    Good evening everyone. I'm having an issue where when I add a custom rule to my WAN interface (SNORT), I can't start the interface, not even the simplest ping rules work now despite having worked just fine all day. Trouble started after I started doing some test monitoring of some SMB traffic with the following rule:

    alert tcp any any -> $HOME_NET[139, 445] (msg:"Home network SMB triggered"; flow:to_server,established; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C"; nocase; reference:url,xinn.org/Snort-psexec.html; reference:url,doc.emergingthreats.net/2010781; classtype:suspicious-filename-detect; sid:2010781; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

    Not sure what went wrong, but the rule didn't work, and now my other custom rules don't either (as in they prevent me from starting the interface), awesome sigh.. Anyone who knows what has happened?

    Your rule given in your post has a syntax error. There should be a space between $HOME_NET and the SMB ports string. Secondly, you are using a SID range that is not guaranteed to be unique. There can only be one unique SID for each rule loaded. You should generally start custom rules at a very high range like 5555 or 9999, etc. Your rule should look like this:

    alert tcp any any -> $HOME_NET [139, 445] (msg:"Home network SMB triggered"; flow:to_server,established; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C"; nocase; reference:url,xinn.org/Snort-psexec.html; reference:url,doc.emergingthreats.net/2010781; classtype:suspicious-filename-detect; sid:2010781; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

    Did you look in the pfSense system log for any error messages? I would expect one to be in there complaining about the rule syntax and/or duplicated SIDs.
  • The switch is counting up

    1
    0 Votes
    1 Posts
    215 Views
    No one has replied
  • 0 Votes
    8 Posts
    2k Views
    GrimsonG
    @demonclaw said in Need Help Setting Up PF Sense Box For A Game Server On A DMZ And A PC on A Local Lan: I somewhat understand how to set up the rules, I was just having trouble with which interface. Then read the book until you really know how firewall rules work, this will answer your question then.
  • Any new pfSense Hangouts in schedule?

    2
    0 Votes
    2 Posts
    417 Views
    jimpJ
    We had a busy few months with releases of TNSR and pfSense, plus the holidays and the SG-1100 launch, so there wasn't much time to allocate toward them recently. Assuming there is a viable topic to cover this month, the current plan is to have one at the end of January as usual.
  • Limit access to specific IP based on Credentials

    7
    0 Votes
    7 Posts
    2k Views
    johnpozJ
    If your "wan" is only an intranet - may I ask why you're natting? Normally doesn't make a lot of sense to nat rfc1918 to rfc1918 unless you have an overlap in space.. Which it's always better to fix the overlap by using different space, etc.
  • InterVlan Routing, Layer 3 switch & Pfsense

    4
    5
    0 Votes
    4 Posts
    946 Views
    F
    @derelict Fixed the pictures, thanks. And Under Gateways I have 4 interfaces, WAN, LAN, OPT1 and OPT2. I should rename OPT1 to L3_SWITCH and set the IP to 192.168.0.25 (an IP on VLAN 1). And I should static route 192.168.0.0 to L3_SWITCH (192.168.0.25). Would I also have to do this for every other VLAN? EX: VLAN 10: 192.168.10.3 to L3_SWITCH (192.168.0.25) VLAN 20: 192.168.20.3 to L3_SWITCH (192.168.0.25) ETC or do I just need the route for 192.168.0.0? Thanks, MF
  • Hypervisor Recommendation For Linux VM's

    5
    0 Votes
    5 Posts
    780 Views
    KOMK
    I would use VMware ESXi. It's free and best of class.
  • Printer connected to the server

    Moved
    5
    0 Votes
    5 Posts
    808 Views
    johnpozJ
    You mean support wants to look at the printer remotely? That is a freaking HORRIBLE HORRIBLE idea!!! If they need to check out say the interface of the machine, then have them teamviewer your machine or something and you look at the printer's interface or your machine's issue to why it's not printing. But again the printer is going to be no different than any PC connecting to devices outside its own local segment. It needs a gateway to know how to get off its local network. Which it would get via dhcp, unless you set the printer with local static IP and did not set it up correctly. If your other dhcp devices can get to the internet, then the printer should be able to.. Unless you're using say a captive portal or proxy that it would need to auth to, etc. If you want to let some remote internet create an unsolicited connection, then you would need to do a port forward to your printer IP on pfsense for the port they need to use.
  • Ubiquiti cloud controller

    Moved
    8
    1
    0 Votes
    8 Posts
    1k Views
    johnpozJ
    Not sure where he is running his controller. But easy enough to place it on the same vlan being used for the unifi management vlan no matter where the controller actually runs, be it a VM on something, actually on hardware like a PI or their own little cloudkey pi type computer.. If budget is there sure I would get one of their little cloud key boxes to run the controller software on. All management vlan is another L2 that all the devices you're wanting to "manage" have IP on..
  • Pfsense 2.4.4 Hangs randomly

    1
    0 Votes
    1 Posts
    245 Views
    No one has replied
  • 0 Votes
    2 Posts
    436 Views
    johnpozJ
    huh? How do you think a router is going to send data to more than one IP? You can not port forward to more than 1 IP behind your router, etc. Why do you not draw up how all of this is connected together, and what you're wanting to do exactly and we can work out the best solution to your problem.. But if your wan IP is say 1.2.3.4 (public) and your remote devices send data to 1.2.3.4:X where X is the port.. You can forward port X to say 192.168.1.100 behind pfsense, but you can not send it to both .100 and .101
  • mbt-4220 Temps

    3
    0 Votes
    3 Posts
    610 Views
    chrismacmahonC
    That is well within the allowed temps for the MBT-4220, looking over the CPU spec sheet you have a max temp around 90c: https://www.intel.com/content/www/us/en/embedded/products/bay-trail/atom-e3800-family-datasheet.html
  • I finally made the leap, Dell Optiplex 7020

    1
    0 Votes
    1 Posts
    419 Views
    No one has replied
  • Syslog server

    2
    0 Votes
    2 Posts
    585 Views
    sneffy80S
    @larryf I use FreeBSD syslog. Runs light, on a low memory VM. Easy to install and set up. https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/configtuning-syslog.html
  • Need help on how to direct my vlan traffic to my vpn client

    3
    0 Votes
    3 Posts
    536 Views
    johnpozJ
    So you want to policy route out a vpn connection on pfsense.. Then set a rule on that vlan interface to send it out the gateway which is your vpn client connection. But yeah need some details.. If you want any help on what you're not doing or doing wrong. IPsec vs OpenVPN would be big part ;) What version of pfsense you're using as well for starters.. Screenshots of your config of your vpn connection, etc.
  • pfsense & snort > alienware ossim

    1
    0 Votes
    1 Posts
    311 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.