@AndroBourne: @johnpoz: Or just use unbound and let it resolve vs forward.  Now you have dnssec for sure and doesn't matter how shitty your isp dns is ;)… ...Your talking .6 of a sec vs .1 of second - doesn't make much a difference either way... It does matter, especially if his ISP DNS is having issues…. No it doesn't, resolver doesn't use his ISP's DNS at all, for anything.

@silverberg: Hi, did your find a solution for this? I've been having this issue for about a month but can't find a solution. I've even changed hardware What have you tried and exactly what behaviour are you experiencing? As per my last post, the combination of changing monitoring IP and the Gateway Action have sorted it for me.

would suggest you use Squid and Squidguard/Dansguardian. PFS on it's own can't block addresses using aliases in firewall rules. And on top of this you may combine this with an OpenDNS account too!

I would personally set up a DMZ if I have servers that need Internet a permanent connection or IoT devices that are sniffing my network and then snitching all home to the vendor server. It could be also a nice place for smart TV, game consoles and/or internet radios or many IoT devices, for sure that can be also done with an extra multimedia VLAN for sure, so nothing wrong with it if they are all not disturbing the rest of the LAN. I would the entire local area network divide into several VLANs and this by using a small switch either Layer3 or Layer2, likes needed and/or wished. Cisco SG220/SG250 or SG350 series are here one of the best you can get your hands on, they are starting with 10 Ports and ending up with 48 port models, likes you need it. This is based on my own opinion and nature and surely not a must be. If you need a switch you may get also the benefit from that, if your entire network load is to high, based on what ever, the switch is saturated and if this all will be connected to your firewall directly this one will be freezing! I would set up: pfSense 192.168.1.0/24 VLAN1 - management VLAN - 192.168.1.0/24 VLAN10 - IoT devices - 192.168.3.0/24 VLAN20 - private wired devices - 192.168.4.0/24 VLAN30 - office - 192.168.0.5/24 VLAN40 - WiFi guest - 192.168.6.0/24 VLAN50 - WiFi private - 192.168.7.0/24 VLAN60 - children (each) - 192.168.8.0/24 ect…... wired devices over OpenLDAP on a small MinnowTurBot or Raspberry PI 3.0 with Debian Linux or TurnKey Linux wireless devices (guests) over the Captive Portal w/ voucher system wireless devices (private) over FreeRadius Server 3.0 w/ certificates OpenDNS Account if children are in that house hold and then matching to their age pfBlockerNG & DNSBL + TLD might be also nice to use, but a Squid Proxy with user auth. might be better together with SquidGuard & SARGE to get knowledge who is surfing where! (Children)

The Vlan will be untagged at the Unify AccessPoint with 2 SSID. WiFi AP with one SSID is untagged and a WiFi AP with multi-SSID support must be tagged running. I would try out to secure the Guest WiFi named "Student" with the Captive Portal and vouchers divided in several different groups and the other WiFi network named "Staff" I would try out to secure with a Radius Server working with certificates. So the staff has its own WiFi (VLAN10) and security and the Guest WiFi (VLAN20) will be separated from that one.

I agree with Blue. This is pretty much what DMZs are made for. Another thing you could do is. Created the DMZ. Put all your devices on the DMZ interface then make a policy to block PFSense Web UI on the DMZ. (best to put web ui on a custom port and just block that port on the DMZ) This should block PFSense Web UI from the DMZ side but with rules, you should be able to allow it on the local LAN only, at which point I'd do as you laid out earlier and create a management interface for that traffic. Another option would be leave it enabled but force HTTPS and change the port number to something totally out of the norm. While it would still be enabled. It would be very difficult for someone to figure out what port it is on and pull it up. Just a thought.

That pretty much sums it up. [image: beer-793x526.jpg] [image: beer-793x526.jpg_thumb]

If you are still having issues, login to the portal and open a support ticket and someone can take a deeper look with you. Even though Gold does not include support access, if you have a problem with AutoConfigBackup they can help you get it working.

If you want to confirm that definitively, then you can always check which library versions both haproxy and the openssl command you run link against, such as: [2.4.0-BETA][root@master.dw.example.com]/var/etc: ldd `which haproxy` /usr/local/sbin/haproxy: libcrypt.so.5 => /lib/libcrypt.so.5 (0x800995000) libz.so.6 => /lib/libz.so.6 (0x800bb4000) libssl.so.8 => /usr/lib/libssl.so.8 (0x800dcb000) libcrypto.so.8 => /lib/libcrypto.so.8 (0x801200000) liblua-5.3.so => /usr/local/lib/liblua-5.3.so (0x80166d000) libm.so.5 => /lib/libm.so.5 (0x8018a8000) libc.so.7 => /lib/libc.so.7 (0x801ad3000) libthr.so.3 => /lib/libthr.so.3 (0x801e6f000) [2.4.0-BETA][root@master.dw.example.com]/var/etc: ldd `which openssl` /usr/bin/openssl: libssl.so.8 => /usr/lib/libssl.so.8 (0x8008a2000) libcrypto.so.8 => /lib/libcrypto.so.8 (0x800c00000) libc.so.7 => /lib/libc.so.7 (0x80106d000) [2.4.0-BETA][root@master.dw.example.com]/var/etc: openssl version OpenSSL 1.0.2k-freebsd  26 Jan 2017

Well, I just realized when my dhcp server machine went down, that I have a lot of services redundant or in failover mode, but unfortunately not dhcp. So I was looking for an easy way to do it, and one option was the pfSense machine (where I quickly put up a dhcp server with another address range as a quick fix). Since I had that running, I wondered if I couldn't just use it on a more permanent basis. I understand from your reply, however, that the pfSense implementation was not meant for this. So I'll probably just take some other machine already running here. Yes, it's something you shouldn't need for a home setup. Unless you are the only one who can fix such things in a family, and if you're at the same time away frequently for days or weeks even. And leaving the family with no working IT is not always something they appreciate.

I'm a moron. There is a 64 bit version available here: fetch -o /conf https://sites.google.com/site/pfsensefirebox/home/WGXepc64 This should fix any issues in case someone Googles this.

1: You should search the forum vigorously - this setup is discussed for more then decade literally 2: you wire your WAN to the switch, changing this port to some separate VLAN (so packets from ISP are marked with this VLAN), and on the port on which you connect your pfsense you should add this VLAN to tagged list.

Problem found! netstat -r revealed that an openvpn P2P tunnel was inserting some routes when it refreshed, and the static routes were getting overwritten.  Only affected the secondary.

OK, Stupid mistake. SOLVED #1 enumerating"memberOf=CN=pfSense_admins,OU=Service-Groups,DC=example,DC=com" is NOT necessary #2 you need to set Search Scope to "Entire Subtree"

Yes I got the dashboard working as advertised. I just had to refresh a few things and reimport the visualizations Jason are some files were successfully parsed and it worked! Check out my linked post, it says more specifically the steps I took.

You could try out to set up all in VLANs and then you may configure it out with switch ACLs if a managed switch will be there in use.

Not the main topic but i don't want to open a new thread. I did build a DCF77 radio receiver for a view bucks with a Arduino. It is now connected to the motherboards serial port of my Hyper-V 2016 server. I did install the Meinberg Driver and there NTP package on the Hyper-V 2016 server. On the other windows PCs I use the NTP package. I have in pfSense now 10.1.0.2 + Prefer. Is there something in Services > NTP > ACLs i need to set if i don't want do use pfSense as timeserver? Does "Service - Disable all except ntpq and ntpdc queries (noserve)" disable the timeserver? Some images in the attachment if somebody want to see it. [image: Hyper-V.jpg] [image: Hyper-V.jpg_thumb] [image: Workstation.jpg] [image: Workstation.jpg_thumb] [image: pfSense.jpg] [image: pfSense.jpg_thumb]