I do have all network traffic exiting out my ExpressVPN gateway on each subnet/interface. I still need to test remotely but I think I found the issue, I had the wrong gateway set in one of the Roadwarrior VPN firewall rules. Testing locally I can now connect to OpenVPN using the client and I still have internet at the same time. I'll report back once I get a chance to test this remotely.

Great, Thank you so much for your reply.

That is correct.

You're welcome glad you got it solved

@victorhooi said in VLAN traffic not getting recognised correctly by DHCP server?: The traffic is coming into the pfSense router on igb3, and from my packet capture it appears to have VLAN ID 35 - based on that, should it not go to the MM_LAN (VLAN ID 35) interface automatically, and get an address in the 10.0.35.0/24 range? Yes. Know that the DHCP server has no concept of a VLAN. That's all handled in the FreeBSD interface code. The DHCP server will either be listening on igb3 (untagged) or igb3.35 (35 tagged traffic)

Yes only after enabling the outbound option

Thanks Derelict :)

Does your son have access to your Pfsense box? Dumb question I know :D

For things like firewall rules, NAT, and Aliases /tmp/rules.debug is probably the most concise representation immediately available.

Just for being thorough , there was some issue couple years back where widget was showing client. Here is one of the threads where it came up https://forum.netgate.com/topic/109365/ntp-is-wrong-by-almost-3-minutes/28

You can create a user group in pfSense that has only that page assigned to it. If auth against AD returns users are members of that group (group name matches exactly) they will inherit the permissions from the group. https://www.netgate.com/docs/pfsense/usermanager/user-authentication-servers.html Steve

Hmm, that's the first time I've ever seen that. If that's a common problem we need to fix it. How exactly were you getting the config file from the APU? Steve

Which parts of that other thread did you follow exactly? Please retail what you have done. Steve

@derelict said in Multi-tenant Managed Firewall: The permissions system in pfSense is likely not going to work for that. There is nothing resembling a multi-instance pfSense. Thanks for answer. Best regards, Alexandre

Hello @siil-it, you can monitor the general pfSense state with SNMP within your classic monitoring. For the snort alert you have to configure a syslog server and handle the messages from snort on your syslog server. Kind regards

[image: 1531304306751-ca.png] [image: 1531304311927-ca2-resized.png] [image: 1531304316711-ca3-resized.png] [image: 1531304321798-ca4-resized.png] [image: 1531304332920-interfaces-resized.png] [image: 1531304338315-ldap-resized.png] [image: 1531304345014-ldap2-resized.png] [image: 1531304351224-nasclient-resized.png] [image: 1531304355158-settings-resized.png] [image: 1531304361954-settings2-resized.png] [image: 1531304366689-settings3-resized.png]

I have assigned this privileges. Seems ok for me. If there are other recommendation, let me know [image: 1531252316765-pfsense-operator-assigned-privilidges-resized.jpg]

I don't know much about DD-WRT but we have run into instances with lower end routers not handling lots of connections. I think some just have a fixed size state table. The first was a LONG time ago when we starting having our clients' PCs connect in to our management service. We switched to m0n0wall (and then later to pfSense) on an old/spare PC and it cleared right up. A couple years ago we ran into it again at a client with a mid range (for D-Link) D-Link router who had about 5 PCs and 10 phones...the router would just stop passing traffic and you couldn't connect to its web interface. We've since just given up on D-Link type hardware for more than about 5-10 PCs/devices. Currently our traffic goes through an SG-3100 for our building an then an old cast off PC we use that runs Suricata. My point is the hardware is likely not limiting your connections and you should NOT need shiny new hardware for pfSense...most likely some sort of limitation in DD-WRT. The only limitation for pfSense moving forward is that v2.5 will require AES-NI CPU support...so about 2012 or later CPUs if I recall correctly.

Thanks. Hopefully, that will keep NTP running, too. EDIT: Never mind this paragraph. I found the log entry about states being killed. OP: As far as I can tell, pfSense killed the states on the former IP address when it noticed the first change to the wanip. But, I don't see it killing them when the wanip changed to a valid one. It's possible I'm missing it in the logs, but shouldn't it have done so?

@tbbz8x8 said in Port aggregation: I have absolutely no use for more vlans as I only have one device that uses Ethernet @jknott said in Port aggregation: Unless it's over 1 Gb, aggregation won't accomplish much Even if over 1 gig, wouldn't matter lagg is not going to allow 1 device to use more than 1 physical path.. From the OP statements - other than a failover for failed port.. I don't see any use to setting up a lag.. And what switch is he using? Most likely since he doesn't have any vlans, just the 1 lan connection more than likely doesn't even have as smart switch capable of lagg, etc.