• 0 Votes
    2 Posts
    449 Views
    M

    I am not sure this is the correct answer but I would test:

    Define a DMZ with the public pool.
    Add a gateway with 185.81.117.97 in pfSense.
    In the rules allowing outbound traffic from the DMZ, select in the advanced options the gateway you have defined above.

    It should work but it might not be the best answer.

  • Assign ip block

    5
    0 Votes
    5 Posts
    1k Views
    P

    No, I don't want to assign a public IP behind the pfSense.
    I want to simulate the ISP's reaction: how do I assign an IP block over a line with a pfSense (ISP simulator)? At the end of this line is my pfSense firewall simulator (and then it is going to use 1:1 NAT; this part is not a problem, I will handle it).
    The problem is how I can simulate the ISP's reaction (assigning an IP block to my customer :) ).

  • Android, Exchange, Activesync

    1
    0 Votes
    1 Posts
    461 Views
    No one has replied
  • PHP Errors Causing Possible Network Loss

    3
    0 Votes
    3 Posts
    658 Views
    K

    Wow. I don't know what is wrong. I spent several hours trying to get the CD to work for rebuilding the firewall and nothing worked. I used a USB CD drive to burn and read, but the boot-up took forever. I transferred the ISO to my main computer and burned it on the internal CD drive. This made it better. The firewall doesn't have a CD-ROM, but it is a computer, so I hooked one up to the SATA port and it would not load the CD. So I went back to the USB CD-ROM and it booted, right up until it detected the USB CD-ROM, then errored with mount issues (error 19 or 16, don't remember). I don't remember it being this hard to install pfSense. I had several issues just getting a working copy of the software from the sites (ended up downloading it on my Linux laptop and the hashes matched finally).

    In case you want to try calling me stupid or something for not using the USB installer, I already tried that. It was my first set of attempts before going to the CD-ROM. The BIOS doesn't detect the USB Boot Drive.

  • Haproxy setup help

    37
    0 Votes
    37 Posts
    14k Views
    P

    OK, 'default_backend majesty' is probably the reason it ends up there; could be that none of the ACLs matched.

    The current ACL might not always match:
    acl        OWA  req.ssl_sni -i mail.mydomian.com
    Could you add also a:
    acl        OWA  req.ssl_sni -i mail.mydomian.com:443

    So including the port? That might solve something.

    P.S. It seems you have too many 'default_backend' configured anyhow, but if the ACLs pick up the traffic you shouldn't end up on majesty (when requesting mail.mydomian.com).

  • Total noob seeking general assistance

    7
    0 Votes
    7 Posts
    1k Views
    A

    I'm using a Jetway device for my build as well. I forgot the model number, but it's a fanless build with a Celeron quad-core and 4GB of RAM. More than enough for pfSense and some decent packages.

    I've been running it at my house for 6 months now. Solid as a rock! I paid about $300 for the unit.

    Since this is a home network, you don't need to go crazy on a switch. I personally use two dummy Netgear switches. One for my main production network on subnet 192.168.1.x Eth1, and my second switch is plugged into Opt1 interface on a 10.10.10.x subnet where I host my servers. I have an old Linksys router configured to be used as an AP connected to it as well.

    Unless you want the experience of playing with VLANs or something, I don't see a real reason to need a nice fancy switch. Two unmanaged name-brand switches will work just fine (you could get something like a 6-8 port for your OPT network and a larger one for your production etc… all depends on your needs).

    That is how I would start. Keep it on the cheap and expand in the future as needed.

    Now, if you want to go fancy because you have the cash and want the learning experience, I'd do the following.

    Get something like a Cisco SG200/300 (you can get a 48-port for like $180). You could even get one with 4x PoE ports for your WAPs on this switch. This is a great switch for playing with VLANs and has great support from the vendor and security.

    For WAPs, the UniFi AP-LR WAPs are awesome as hell. They are easily managed by UniFi software and can support VLANs along with seamless automatic Wi-Fi jumps between WAPs. They also last ages; I've had mine for years and they're sturdy as hell still.

    Just an idea.

  • How to respond when an ISP says "it's your equipment"

    8
    0 Votes
    8 Posts
    1k Views
    A

    I deal with this pain on a daily basis as a network engineer. It's really annoying when the ISP doesn't really do any testing other than using their built-in software to perform a 5-second test…

    How important is this connection? Are you doing dual WAN for load balancing or for failover?

    What I would do is disconnect that connection that is dropping packets. Connect it to a laptop and configure your laptop's NIC with the static IP settings. Then perform a continuous ping or use a network monitoring tool to capture packet losses.

    If you lose packets then, it is for sure the ISP. If you do not, it is for sure your device.

    This is the only sure-fire way to rule out ISP equipment from your own.

    It's a pain, but it is pure proof that they cannot disagree with.

  • MOVED: ESXi performance efficiency

    Locked
    1
    0 Votes
    1 Posts
    328 Views
    No one has replied
  • Parental Controls with Schedule

    2
    0 Votes
    2 Posts
    1k Views
    V

    You might consider separate VLANs and put your kids' devices in one of the created VLANs. Then set rules that shut down internet access at a certain time (schedule feature in pfSense): https://doc.pfsense.org/index.php/Firewall_Rule_Schedules

    Then consider using the OpenDNS parental control IPs for that VLAN interface: 208.67.222.123
    208.67.220.123… see the OpenDNS website for more details: https://www.opendns.com/about/press-releases/introducing-familyshield-parental-controls-the-easiest-way-to-keep-kids-safe-online/

    Keep in mind this is coming from a non-expert.

  • Source Code

    17
    0 Votes
    17 Posts
    4k Views
    R

    Thank you, I appreciate the responses. I am presently on travel but will give the provided instructions a shot at earliest possibility.

  • Netgate SG-8860 1U with pfSense 2.3.4 Cert Manager Import User vs Server

    2
    0 Votes
    2 Posts
    375 Views
    jimp

    It doesn't prevent you from using those, it's not recommended, however. That means it's missing some property that the cert manager expects to see in a server certificate.

    That said you DO NOT want to use a "real" trusted certificate for OpenVPN. That would let ANYONE with a certificate from that CA connect to your VPN, not just you. Which undoubtedly is NOT what you want. There is no advantage to using anything other than a self-signed CA/Cert structure for OpenVPN.

  • Do I need /usr/local/etc/php/extensions.ini

    2
    0 Votes
    2 Posts
    656 Views
    jimp

    That isn't content that should have ever been in extensions.ini. Not sure where that came from; looks like source from some other program.

    You can rm /usr/local/etc/php/extensions.ini and then from the console menu use option 16. If anything is needed for PHP to run, that will fix it up.

  • PfSense 2.3.4-Release fails PCI Compliance Scan

    9
    0 Votes
    9 Posts
    3k Views
    johnpoz

    "That result is for a CMS called phpWebSite, not pfSense"

    They prob scanned the wrong IP ;)

  • Authentication LDAP Connector to Active Directory Issue

    2
    0 Votes
    2 Posts
    449 Views
    D

    The secret to getting it to work was to change the following items.

    Base DN: DC=MyDomain,DC=com
    Authentication containers: OU=Customers,DC=MyDomain,DC=com
    Group member attribute : memberOf=cn=VPN,OU=Customers,DC=MyDomain,DC=com

  • Load balancing over LAN/OPT ports

    2
    0 Votes
    2 Posts
    405 Views
    Derelict

    You can't get twice the bandwidth (meaning one stream/connection will get 2Gbit/sec) but you can LACP to your switch and it will put some traffic on one and some on another so if there are lots of hosts/states it will use both links effectively.

    But that will only affect connections to the firewall. LAN-to-LAN connections through the switch will still be at switch speed and, thus, unaffected.

    If you don't have gigabit+ WAN you're probably not going to see any benefit for the added complexity other than link redundancy to the firewall.

  • Slow upload speed

    3
    0 Votes
    3 Posts
    926 Views
    H

    Perhaps an MTU or related issue?

  • PFsense loses default gateway.

    11
    0 Votes
    11 Posts
    6k Views
    R

    I believe that the issue may be solved. Time will tell when the cable modem blips again.

    If you look at my gateways.png screenshot, the WAN_DHCP gateway did not have the "(Default)"; only the Wan_DHCP6 and testvlangw had the "(Default)" set. Once I added the default to the WAN_DHCP, my tests recovered. I unplugged the modem for 30 minutes, and when I plugged it back in, it had success.

    I also swapped the NIC for the WAN to a Broadcom that I had, since the chipset was on the official HCL. But I noticed it didn't resolve the issue. Interestingly enough, after I swapped the NIC, the pfSense GUI routes still showed the old NIC as the gateway interface until I rebooted.

    I also thought it strange that a reboot gave the Wan_DHCP a default entry in the routing table.

  • Windows file server behind pfsense for LAN

    2
    0 Votes
    2 Posts
    471 Views
    Gertjan

    @irs:

    I cannot ping the server 10.1.9.42 from any computer in 10.1.9.0/24.

    Though the Windows server can access the internet and ping pfSense, other computers cannot ping that server.

    before deploying pfsense it was working fine.
    ….

    All Windows systems behave this way: you've entered them in a 'new' network, and the system would have asked: Public or Private network? Your server has probably decided to enter the 'Public' mode, so it won't reply to any local communication and uses only the gateway to access the Internet.
    Check out your server.

  • Http://emergingthreats.net pages down ?

    3
    0 Votes
    3 Posts
    550 Views
    J

    @johnpoz:

    these are hosted off different IPs, so sure rules could be up while emergingthreats could be down.

    I would think you should check with them on why their site's down; did a quick look at their Twitter feed and didn't see any mention of issues.

    I thought maybe you just had a bad URL, but on their Twitter account they link to their site with the same bare domain.tld.

    Pleased to see it's not just me. Good idea about getting in touch; will see if I can find the Twitter account.

  • Old log files and logging, how does it work?

    4
    0 Votes
    4 Posts
    900 Views
    B

    @madivad:

    @biggsy:

    This might help.

    Considering I have the space, are there any issues with me having large log files?
    Cheers!

    Probably not, but it might be better, if you have another system sitting around, to set up a syslog server and forward the logs to that. It opens up a whole bunch of options for analysis. I use nxLog to capture the logs and Splunk (free) for analysis, both running in a Windows VM. I used the free version of Kiwi syslog for about 15 years, but its performance is very limited and it's past its prime, a bit like me :)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.