I agree with Blue. This is pretty much what DMZs are made for.

Another thing you could do is.

Created the DMZ.

Put all your devices on the DMZ interface then make a policy to block PFSense Web UI on the DMZ. (best to put web ui on a custom port and just block that port on the DMZ)

This should block PFSense Web UI from the DMZ side but with rules, you should be able to allow it on the local LAN only, at which point I'd do as you laid out earlier and create a management interface for that traffic.

Another option would be leave it enabled but force HTTPS and change the port number to something totally out of the norm. While it would still be enabled. It would be very difficult for someone to figure out what port it is on and pull it up.

Just a thought.

That pretty much sums it up.

beer-793x526.jpg
beer-793x526.jpg_thumb

If you are still having issues, login to the portal and open a support ticket and someone can take a deeper look with you. Even though Gold does not include support access, if you have a problem with AutoConfigBackup they can help you get it working.

If you want to confirm that definitively, then you can always check which library versions both haproxy and the openssl command you run link against, such as:

[2.4.0-BETA][root@master.dw.example.com]/var/etc: ldd `which haproxy` /usr/local/sbin/haproxy: libcrypt.so.5 => /lib/libcrypt.so.5 (0x800995000) libz.so.6 => /lib/libz.so.6 (0x800bb4000) libssl.so.8 => /usr/lib/libssl.so.8 (0x800dcb000) libcrypto.so.8 => /lib/libcrypto.so.8 (0x801200000) liblua-5.3.so => /usr/local/lib/liblua-5.3.so (0x80166d000) libm.so.5 => /lib/libm.so.5 (0x8018a8000) libc.so.7 => /lib/libc.so.7 (0x801ad3000) libthr.so.3 => /lib/libthr.so.3 (0x801e6f000) [2.4.0-BETA][root@master.dw.example.com]/var/etc: ldd `which openssl` /usr/bin/openssl: libssl.so.8 => /usr/lib/libssl.so.8 (0x8008a2000) libcrypto.so.8 => /lib/libcrypto.so.8 (0x800c00000) libc.so.7 => /lib/libc.so.7 (0x80106d000) [2.4.0-BETA][root@master.dw.example.com]/var/etc: openssl version OpenSSL 1.0.2k-freebsd  26 Jan 2017

Well, I just realized when my dhcp server machine went down, that I have a lot of services redundant or in failover mode, but unfortunately not dhcp. So I was looking for an easy way to do it, and one option was the pfSense machine (where I quickly put up a dhcp server with another address range as a quick fix).

Since I had that running, I wondered if I couldn't just use it on a more permanent basis. I understand from your reply, however, that the pfSense implementation was not meant for this. So I'll probably just take some other machine already running here.

Yes, it's something you shouldn't need for a home setup. Unless you are the only one who can fix such things in a family, and if you're at the same time away frequently for days or weeks even. And leaving the family with no working IT is not always something they appreciate.

I'm a moron. There is a 64 bit version available here: fetch -o /conf https://sites.google.com/site/pfsensefirebox/home/WGXepc64

This should fix any issues in case someone Googles this.

1: You should search the forum vigorously - this setup is discussed for more then decade literally
2: you wire your WAN to the switch, changing this port to some separate VLAN (so packets from ISP are marked with this VLAN), and on the port on which you connect your pfsense you should add this VLAN to tagged list.

Problem found!

netstat -r

revealed that an openvpn P2P tunnel was inserting some routes when it refreshed, and the static routes were getting overwritten.  Only affected the secondary.

OK, Stupid mistake. SOLVED

#1 enumerating"memberOf=CN=pfSense_admins,OU=Service-Groups,DC=example,DC=com" is NOT necessary

#2 you need to set Search Scope to "Entire Subtree"

Yes I got the dashboard working as advertised. I just had to refresh a few things and reimport the visualizations Jason are some files were successfully parsed and it worked! Check out my linked post, it says more specifically the steps I took.

You could try out to set up all in VLANs and then you may configure it out with switch ACLs if a managed switch will be there in use.

Not the main topic but i don't want to open a new thread.

I did build a DCF77 radio receiver for a view bucks with a Arduino.
It is now connected to the motherboards serial port of my Hyper-V 2016 server.

I did install the Meinberg Driver and there NTP package on the Hyper-V 2016 server.
On the other windows PCs I use the NTP package.

I have in pfSense now 10.1.0.2 + Prefer.

Is there something in Services > NTP > ACLs i need to set if i don't want do use pfSense as timeserver?
Does "Service - Disable all except ntpq and ntpdc queries (noserve)" disable the timeserver?

Some images in the attachment if somebody want to see it.

Hyper-V.jpg
Hyper-V.jpg_thumb
Workstation.jpg
Workstation.jpg_thumb
pfSense.jpg
pfSense.jpg_thumb

The corresponding port on pfSense could also be considered a VLAN "trunk." It would look something like this:


I think you're on target there buddy.
Assign VLANS via PFsense, and configure switch trunk ports and access ports as you desire.

As far as I can see, you're golden.

Good luck.

Take your time, and as a rule, if it does not appear to be working after you configure, as a first step, reboot / restart.

^ exactly.. But I would suggest you move to current vs 2.3.2 - current is 2.3.4..

Thank you for your explanations.
I think my way of thinking is still to much connected to terms like NAT where the IP of you wan interface is probably the most important one.
Will take some time for me to change that way of thinking i guess. ^^

Thank you.
Dennis