• Slow speed

    17
    0 Votes
    17 Posts
    2k Views
    w0w

    What is your pfSense hardware setup?

  • 1x pfsense VM + 1x Win7 x64 VM <> J3355 CPU?

    12
    0 Votes
    12 Posts
    1k Views
    thuety

    I'm using an ASRock J3455-ITX as my main W10 system.

    And pfsense is on a Celeron N2930 (4x1.83GHz).
    One core goes to 50% when I download with 250mbit/s (NAT only, no packages installed).

    Good idea to use Intel nics… the Realtek ones won't make you happy.

  • Selective Routing per destination

    1
    0 Votes
    1 Posts
    331 Views
    No one has replied
  • FTP-Client Question

    1
    0 Votes
    1 Posts
    342 Views
    No one has replied
  • "libicui18n.so.58" not found

    2
    0 Votes
    2 Posts
    593 Views
    4

    I resolved this issue.

    If anyone else comes across this, the way I resolved it was to install PFBLOCKERNG and update, then the error was cleared.

    I then reinstalled the package that was giving me errors (OPENVPN) and it installed fine, error now gone.

  • Newbie on thin ice: https://static.hitta.se -> not allowed?

    10
    0 Votes
    10 Posts
    603 Views
    Derelict

    Again - dig/drill is your friend.

    Also, if you are using DNS Resolver in forwarding mode, disable DNSSEC. You are relying on it being properly implemented and configured on the DNS forwarders which is not always the case.

  • How to add another user as root in pfsense?

    3
    0 Votes
    3 Posts
    3k Views
    D

    Install the sudo package and use sudo. That's what everyone does, instead of creating another root.

  • 2.4 UI change.

    3
    0 Votes
    3 Posts
    749 Views
    C

    @Steve_B:

    You can change the login screen color (to gray if you prefer) in the general setup page.

    The new logos are here to stay. The old ones are dead. You'll get used to them :)

    Well that is great for the login screen :).

    So the logos can no longer be changed like before :(.

    EDIT: Found it :).

    Seriously though, I would seriously change them back if I were you guys. Brand recognition is a major deal for any software or product; you had it and had it well, the logo was cool. The new one is bland and looks like a lot of other bland logos. It doesn't stand out or instill in memory, just saying. It honestly looks like something those 100 dollar logo services would make.

    Makes it 10x worse when the forum still uses the old logo.

  • Slow across all nics

    6
    0 Votes
    6 Posts
    900 Views
    J

    Well, I've not solved the problem, but I have a temporary fix. I've replaced the PC it was running on. Restored it with my backup file and it runs fine, getting correct speeds on all nics.

  • No public IP on WAN interface

    3
    0 Votes
    3 Posts
    1k Views
    A

    @sls:

    My public IP is 170.x.x.x.

    Why do you think so?
    If you will connect your PC directly to your modem - will you see that address on your Ethernet adapter status page?

  • Simple IP monitoring

    6
    0 Votes
    6 Posts
    1k Views
    KOM

    +1 for Zabbix.  $0 per year.

  • Cannot access pfsense using webgui and SSH

    2
    0 Votes
    2 Posts
    273 Views
    NogBadTheBad

    I'm guessing you have access via the console port?

    Do you see any blocks when selecting menu option 10 Filter logs via the console port when trying to connect via ssh or https?

  • MOVED: Squid with Proxy Authenticated users

    Locked
    1
    0 Votes
    1 Posts
    171 Views
    No one has replied
  • [solved] 2.4 broke LDAP against Mac OS Server

    14
    0 Votes
    14 Posts
    2k Views
    jimp

    I pushed a fix yesterday to make it build the entire chain automatically.

    Assuming you have all of the CA certs and intermediates imported, you can select the bottom intermediate as the LDAP CA and it will figure out the rest.

  • Architecture questions (VLAN, Wifi, …)

    14
    0 Votes
    14 Posts
    1k Views
    R

    So I found https://github.com/TKCERT/pfFocus and whipped up a bbcode formatter …

    Here's what I actually have configured.  (I need to submit the bbcode formatter to the author.)

    ☱ Outputting to stdout ...
    pfSense
    Version 15.8

    System

    | Option | Value |
    | --- | --- |
    | hostname | pfSense |
    | domain | private.xxx.xxx |
    | timeservers | 0.pfsense.pool.ntp.org 1.pfsense.pool.ntp.org 2.pfsense.pool.ntp.org 3.pfsense.pool.ntp.org |
    | timezone | America/Los_Angeles |
    | language | en_US |
    | dnsserver | |

    Interfaces

    | Name | Enabled | Description | Interface | Address | Subnet |
    | --- | --- | --- | --- | --- | --- |
    | lan | x | PRIVATE | igb1 | 10.20.20.1 | 24 |
    | opt1 | x | GUEST | igb1_vlan1000 | 10.10.10.1 | 24 |
    | wan | x | WAN_COMCAST | igb0 | dhcp | |

    VLANs

    | Name | Tag | Interface | Description |
    | --- | --- | --- | --- |
    | igb1_vlan1000 | 1000 | igb1 | |

    DHCP ranges
    DHCPd configuration for {lan}(#interfaces "PRIVATE")

    | Option | Value |
    | --- | --- |
    | enable | x |
    | defaultleasetime | |
    | maxleasetime | |

    Ranges

    | From | To |
    | --- | --- |
    | 10.20.20.101 | 10.20.20.254 |

    Static mappings

    | MAC | Address | Hostname |
    | --- | --- | --- |
    | 00:1c:2a:00:4c:64 | 10.20.20.2 | envisalink |
    | 80:2a:a8:4f:98:0a | 10.20.20.97 | unifi |
    | 90:02:a9:92:7b:42 | 10.20.20.98 | dvr |
    | 00:1d:c0:62:01:c0 | 10.20.20.99 | envoy |
    | 0c:c4:7a:30:17:f2 | 10.20.20.100 | tendo |

    DHCPd configuration for {opt1}(#interfaces "GUEST")

    | Option | Value |
    | --- | --- |
    | enable | x |
    | defaultleasetime | |
    | maxleasetime | |

    Ranges

    | From | To |
    | --- | --- |
    | 10.10.10.2 | 10.10.10.254 |

    NAT rules

    | Disabled | Interface | Source | Destination | Protocol | Target | Local port | Description |
    | --- | --- | --- | --- | --- | --- | --- | --- |
    | x | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):25565-25566 | tcp | 10.20.20.100 | 25565 | Port Foward Minecraft |
    | | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):9418 | tcp | 10.20.20.100 | 9418 | Port Foward 9418 (git) to ssh |
    | | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):867 | tcp | 10.20.20.100 | 22 | Port Forward 867 to ssh |
    | | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):443 | tcp | 10.20.20.100 | 443 | Port Forward HTTPS |
    | | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):80 | tcp | 10.20.20.100 | 80 | Port Forward HTTP |
    | | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):993 | tcp | 10.20.20.100 | 993 | Port Foward IMAPS |
    | | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):1587 | tcp | 10.20.20.100 | 1587 | Port Forward SMTP Auth |
    | | {wan}(#interfaces "WAN_COMCAST") | any | {wanip}(#interfaces "WAN_COMCAST"):2525 | tcp | 10.20.20.100 | 2525 | Port Forward SMTP for EasyDNS |

    Filter rules

    | Disabled | Interface | Type | IP | Protocol | Source | Destination | Description |
    | --- | --- | --- | --- | --- | --- | --- | --- |
    | | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | 10.20.20.100:9418 | NAT Port Foward 9418 (git) to ssh |
    | | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | 10.20.20.100:22 | NAT Port Forward 867 to ssh |
    | | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | 10.20.20.100:993 | NAT Port Foward IMAPS |
    | | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | 10.20.20.100:1587 | NAT Port Forward SMTP Auth |
    | | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | 10.20.20.100:2525 | NAT Port Forward SMTP for EasyDNS |
    | | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | 10.20.20.100:80 | NAT Port Forward HTTP |
    | | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | 10.20.20.100:443 | NAT Port Forward HTTPS |
    | x | {wan}(#interfaces "WAN_COMCAST") | | | tcp | any | 10.20.20.100:25565-25566 | NAT Port Foward Minecraft |
    | | {lan}(#interfaces "PRIVATE") | reject | inet46 | | any | {opt1}(#interfaces "GUEST") | |
    | | {lan}(#interfaces "PRIVATE") | pass | inet | | {lan}(#interfaces "PRIVATE") | any | Default allow LAN to any rule |
    | | {lan}(#interfaces "PRIVATE") | pass | inet6 | | {lan}(#interfaces "PRIVATE") | any | Default allow LAN IPv6 to any rule |
    | | {opt1}(#interfaces "GUEST") | reject | inet46 | | any | {lan}(#interfaces "PRIVATE") | |
    | | {opt1}(#interfaces "GUEST") | pass | inet | | any | any | |
    | | {opt1}(#interfaces "GUEST") | pass | inet6 | | any | any | |

    Syslog configuration

    | Option | Value |
    | --- | --- |
    | enable | x |
    | logall | x |
    | logfilesize | 1048576 |
    | nentries | 100 |
    | remoteserver | 10.20.20.100 |
    | remoteserver2 | |
    | remoteserver3 | |
    | sourceip | |
    | ipproto | ipv4 |

    ☰ Successfully outputted pfSense config as bbcode.

  • My first VLAN. Would this setup work? (graphics included)

    11
    0 Votes
    11 Posts
    1k Views
    C

    Many thanks for all this additional information!
    And apologies for not responding earlier. Had some account issues and my access has just been restored.

    I think I will try a hybrid model:
    Use some VLANs on the LAN port
    Setup the guest network on an OPT port. This will also allow me to play a bit with Squid and SquidGuard.
    If all goes well then I'll move some VLANs on their own OPT port.

    Again thanks for all the feedback

  • Complete lockdown

    6
    0 Votes
    6 Posts
    960 Views
    B

    This looks like it might be a solution for you.

    https://superuser.com/questions/85536/securing-freebsd-in-single-user-mode

    I haven't checked that directory on pfSense myself, but being FreeBSD based it's worth checking out.

    Change the console line in /etc/ttys to "insecure" to signify that the machine is in a physically insecure location and require a password to enter single user mode.

  • Howdy prevent root login with ssh and yet allowing other users to login?

    9
    0 Votes
    9 Posts
    2k Views
    johnpoz

    @deddric:

    So what's the opinion on exposing webgui (other port than default) to internet?

    Never in a million years would I do that or suggest that to anyone. If you "must" do it then it would need to be locked to a specific source IP that is in your control.

  • Recovering Wordpress link from pfsense

    17
    0 Votes
    17 Posts
    2k Views
    M

    @Jailer:

    If you have it set up with a domain name then you won't be able to access it locally without NAT reflection.  Wordpress is rather finicky about that.

    I misunderstood your post and thought you had it running locally on your LAN and not exposed to the internet. Your port forward needs a little work. Change the destination to WAN address and your redirect target IP should be the local IP of your wordpress installation. Do the same for HTTPS and you should be all set.

    You sir… are a magician.
    Now my main site works!!!!!!!
    I just have to figure out why my 2nd site doesn't work, since it's just the same link with "wedding" as the host name. I'll have to see what else I need to change.

  • No Internet Access From OPT1 Interface

    5
    0 Votes
    5 Posts
    4k Views
    H

    There is a problem like this.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.