@johnpoz : I was originally using it as a bridge server, but the second side of that bridge server is not connected anymore and everything is on one side now. I think my best bet at this point is to take a separate computer and a separate switch and connect those to a separate NIC on the Sinology NAS so that I can access the GUI. From there maybe I can rework the network and get it put back together. To recap, when I installed the Netgate, I basically matched all of the networking. I wanted it all to be the same as it was in the sonic wall. Same, WAN, same, LAN, same port forwards. Basically, everything worked out except for the NAS. I crack into it more after the holiday. Thanks for your response.

@viragomann I tried it works great Thank you so much

@nollipfsense that's almost what I was doing anyway, but then that again gets the printer on a different subnet from the PC, which puts the barrier between the UDP communication, which would make the printer not function. That said, I think I may have figured out that the Canon driver potentially is only using UDP broadcast to initially find the printer if it's IP address is changed or it's a new installation. So, if I assign the printer a static IP on its network, and I temporarily move devices that need to print to it to the same network just for the driver install, then I can move the devices back to other subnets on the overall network and maintain functionality. I'll have to test this through a few reboots and several days to confirm it does indeed work, that would suffice for now. I may eventually try to figure out which UDP ports I need to relay to get the Canon drivers to work without having to move devices around between the networks, if it becomes more problematic and this workaround doesn't hold.

Just wanted to post an update. Was able to get this unifi AP working on a different subnet by SSHing into the AP and pointing it with setinform to the controller on the other subnet.

@victor-2 said in Cannot ping pfSense: ASRock A320M-HDV Don't use the Realtek NIC if you have Intel NICs! The Driver support is badly.

@furom you could always put in a feature request over at the pfsense redmine https://redmine.pfsense.org/ edit: not widget but if your on the normal firewall log, you can put in a !WAN for the interface and get all interfaces that are not wan.

@stephenw10 The ping test could have been after ARP expiration. Once the network failures were history, I tried switching to VirtIO, but speed was 35M even with offloading disabled. I set it back to Bridged, and got 250M with 4 CPUs. 2 CPUs in Virtualbox gave me over 500M. Not bad, but still ~50%. Each reboot I would lose connectivity on the i211 LAN and the only way I could get it to work was to switch it promiscuous mode on/off while the VM was running. Crap... I gave up on Virtualbox and moved it over to Hyper-V with 8 CPUs set. I got 30M, researched, and disabled RSC (even though it was already reported as disabled) via PowerShell with these commands: netsh int tcp set global rsc=disabled Get-NetAdapterRsc | Disable-NetAdapterRsc Then I could get a solid 940M in Hyper-V, AND have the luxury of auto-start after host reboot. (Lessons for anyone reading this)

@nar94k the Google router will need to forward either the OpenVPN ports or all ports to pfSense. pfSense can allow access to the OpenVPN server ports on its WAN, or if you set up a dynamic DNS hostname you can allow that hostname.

@jwt @stephenw10 appreciate your feedback here. Truly do.

@stephenw10 Yeah, I read that but it doesn't really give case scenarios. I appreciate the help.

Yup, see: http://files.pfsense.org/jimp/BEGEMOT-PF-MIB.txt

The phase 2 entry for each device should use the IP address they specify in the 'NAT/BINAT translation' and the real address in the 'Local Network' field. See: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/phase-2-nat.html#example You do not need an outbound NAT rule if you can add the route to the OpenVPN tunnel at Site1. Steve

Ryan, I ordered directly from netgate. Thanks all.

Thanks guys. I normally shutdown properly but had an issue with power loss at home which was pretty regular. I have a UPS but it's just my Unraid that's plugged into that but I'll look at getting my pfSense hooked up to it too maybe. Power cuts were down to my Lava Lamp as it happens which I've now stopped using anyway. Interesting stuff though.

@bongo-nations You don’t need a console using only Unifi APs. I setup two U6-Lites in 5 minutes using the Unify Network app from the Apple store on iPhone and iPad. You only need a console to do more than basic setup , which is all I needed. Last week, I upgraded the U6-Lites I used for a year to two U6-Pros since they became available in my area. It took 5 minutes each to setup on the IOS app and they work perfect. They all work flawlessly with Pfsense 2.6 with no changes once setup using the app. However, if you need more than what’s available in the app, such as VLANs, you need a console. I tested the console on a Mac out of curiosity and setup an AP. After playing around I reset the AP and went back to the app. It’s all surprisingly easy. A tip which has nothing to do with getting them to work but may help: I recently got 1.2Gig from Comcast and upgraded the modem to S33 and U6-Lites to U6-Pros (I will upgrade my Protecli FW6A and HP 2520-24 switch eventually). But wifi topped about 475-500, the trick was to bump the 5Gz channel width from 40Mhz to 80Mhz in the IOS app and bingo, I got 899 on my iPad Pro 11 connected to one of the U6 Pros. Not bad considering my best wired speed is 937.

@jknott I agree, this opens a can of worms for cyber security, just one website and one wrong web cookie could direct DoH DNS requests to a another server, I just noticed you can disable it in Chrome and on the OS side. I use Squidguard and block a list of DoH domains, many servers are in different countries. I just started looking into this with one.one.one.one and other cloudflare DoH servers. https://forum.netgate.com/topic/176693/dns-over-443?_=1672162126374 Another post with lists of DoH servers. Combined DoH servers list if you want to create a block list. Positive when it is turned off in the OS I do not see any requests on the proxy anymore. So you can block it that way. 1672081401354-combineddohlist.txt

The example on TrueNAS is auto-decrypting the data drives but not the boot drive as see it. So it's probably not directly applicable here. To do the same with an encrypted boot drive it pretty much has to be in the bootloader I would think. Maybe moving the config file onto USB would suffice? pfSense would still boot but would be useless without the config. Many years ago m0n0wall had that option. It would require some work in current pfSense. Steve

@lexxai Answer by himself. I do test dd if=/dev/zero of=/var/db/testets.db bs=1M count=100 dd if=/dev/zero of=/var/log/testets.db bs=1M count=100 Used space only on RAM disk, so ZFS not used. Question closed. [image: 1672098759423-screenshot_20221227_015132.png]