Sorry - my fault. I looked for it and could not find it and saw other thread saying, there was none (apparently outdated). Thanks

Lan rules have NOTHING to do with unsolicited traffic TO the server.. Since the server is not creating the connection. Rules are evaluated as the traffic enters an interface from the network the interface is connected too, towards pfsense. If your vpn can talk to everything on this lan network, except this server I would look to as already mentioned firewall on this server.

Those FreeBSD tunables (such as net.inet.tcp.msl) are for connections to the firewall itself (like to a web server) and have nothing to do with state timeouts in pf and connections through the firewall. The pf timeouts are in System > Advanced, Firewall & NAT.

Right. you have to upgrade CE to 2.4.3-p1. I don't think this info has been refreshed on the new forum yet. There are other threads on it. Here are the basics for what you need to do for the PV NICs: Install it, shut it down. Add the NICs you want, then in XenServer: Get the VM's uuid # xe vm-list name-label="pfSense B" | grep "^uuid" | awk '{print $NF}' 43fdd0da-73ca-22c0-97f6-0ac47ae82360 Get the UUIDs for the NICs # xe vif-list vm-uuid="43fdd0da-73ca-22c0-97f6-0ac47ae82360" | grep "^uuid" | awk '{print $NF}' 6c9cb724-705a-0449-2176-505dd332431d a4c4ec8f-de68-eab3-69c7-d5b6c8be7b53 25e0d1b6-6d9a-6480-4612-e5aca876a922 71919d5a-000c-b9b3-31ed-21fa1674ba4e 1bf1eaf3-50fe-4a12-c3fa-1341766cee08 7b50e7fd-d6ec-598d-8dd6-6068d5f2765b Turn off the checksum checking in the NICs. Run this for all of them: # xe vif-param-set uuid=6c9cb724-705a-0449-2176-505dd332431d other-config:ethtool-tx="off" Boot the VM and the traffic in should flow through fine on the PV NICs. The other major caveat is the HV NICs (reX) support altq shaping. The PV NICs (xnX) don't.

Thank you, its done. As you know it pretty much imported everything so had to make the port change and that was it. I’m able to remote in going over a VPN service here locally but pretty sure it should work from an outside network. Thank you again, your help was greatly appreciated!!!!! update: tested from outside network and working perfectly

no clue why it isnt showing up, but be careful for the order mess you'll get into when adding vmx4 https://forum.netgate.com/topic/132933/vmx-nic-ordering-for-pfsense-on-vsphere-5-5

Managed to make this work for some reason i used <shellcmd> instead of <earlyshellcmd>

Assume for the moment that the error message is actually correct. Check all the existing DHCP Lease information to see if that IP address, MAC, or hostname was already assigned. DHCP can hold inactive lease information for a while. Also check Diagnostics->ARP Table, to see if that IP address is already listed to a different MAC address. It's possible that the address was used in a local static assignment already, not involving DHCP. You should do this shortly after trying to assign the static mapping as ARP entries will expire from the cache. Note: if DHCP relaying is involved you'll need to check this on a box attached to the subnet in question, using "arp -a" (works on *nix and Windows). Originally I thought that it could have been you were trying to make permanent the IP address it got dynamically from the DHCP Pool, but that yields a very specific error message to that effect. At least in version 2.4.3.

@johnpoz said in Question re: security and physical access: So changing your username and redoing certs is fine from actual security stance.. Completely agree these are good steps. Prudent and low cost risk mitigation. Appropriate for OP's home network. But do you honestly think that either the postal company or netgate or employee of said companies compromised your stuff? Not the OP's case, but if you deal with "high value" data, that risk has to be considered. However in that case you'd not have returned any non-volatile storage to any vendor to begin with. You eat the costs of those parts when they fail, because it's less expensive than risking your data. But all the tradeoffs in risks and security could fill a book, several actually. If interested, recommend looking at an outline for Security+, CISSP, or similar certification, just to see the topics. Or go find the scripts and videos of the DNSSEC root key signing key "ceremonies". They not only need to be secure, but completely transparent, got to be twice as stressful. Can't see them shipping those laptops out for repair.

Thank you all for answering me. You´re completely right. I forgot there is a any any rule per default. What i meant was if there is NO rule anything is blocked. Sorry for misunderstanding.

@_neok Yes, old backup works. ;)

Solved it, it wasn't the network. It was pfSense itself. I tried another box and everything got back to normal. I guess some code was misbehaving within pfSense itself. I was this close *makingfingersabouttotouchhandgesture* to dust off my license for Mikrotik's CHR to see if with its complicated management at least it got some insights to match. Glad I didn't, I needed to sleep already! :)

@cmdias said in Simplest way to LOG all URL that users browse to: I was actually just downloading untangle last night ... can you give me more information about the "bridge mode" between PF and Untangle ? Back in the days i was using SONIC WALL + WEBSENSE and it as super simple to setup..... miss those days! lol Take a look at step 3 here -> https://www.untangle.com/untangle-ng-firewall/resources/how-to-deploy/ Here's some info on a bridge mode deployment: In Bridge mode, NG Firewall is set between your existing firewall and main switch. When in Bridge mode NG Firewall is transparent, meaning you won’t need to change the default gateway of the computers on your network or the routes on your firewall – just put NG Firewall between your firewall and main switch and… that’s it! You’ll need to give NG Firewall’s External interface an IP in the subnet of the firewall, set the Internal interface to bridge and bridge it to External. To get a better idea of what you'll have access to, check out their live demo here -> http://demo.untangle.com

In this case it's the key exchange protocol PuTTY can't use, not the keys themselves.

@tdcockers said in Slow Download speed behind pfSense: If you are running pfSense virtualised (I'm using xcp-ng) then you may need to disable tcp offloading on the VM. Fixed my problems when I had slow downloads and some inaccessible websites, while uploads appeared to be fine. If CPU usage is appears high for the amount of traffic you are moving, that's probably your culprit. @tdcockers I'm thinking of using xcp-ng here shortly once my employers main server is decommissioned and they donate it to me. Anything I should know ahead of time? I have never worked with any virtualization, just something to try in my homelab.

Hello, thank you, and yes, this was the only workaround I found: export the current config, remove the menu entry and reload the config. But since this leads to a re-installation of all installed packages, I was hoping for a more direct approach to simply correct the running system. So long, Marc