@Kartoff: Hello again, I have little question i cant find an appropriate answer in search… I have pfsense with NAT and port forward active and i bought a domain... When i type "x.x.x.x:port" i end up where is supposed to go behind a NAT and it also work with "something.net:port" But i want "x.x.x.x:port" to be resolved as "something.domain.net" so when i type "something.domain.net" to reach target machine behind NAT... Can this be done ? Thank you :) So for example, you might have a webserver or other similar site you are trying to host but your ISP blocks port 80… so you set up pfSense with a NAT to forward port 8888 (for example) to your internal web server's port 80... and now you want www.mydomain.com to resolve to your WAN xxx.xxx.xxx.xxx:8888?? When you type www.mydomain.com:8888 the website resolves however when you type www.mydomain.com[without a port number] it does not resolve? This is because without specifying a port basic http protocol uses port 80 and it seems that you or your ISP do not allow access to port 80. I think that's going to be at your external DNS provider. I know that freeDNS does not offer that service however some paid services do. I believe that this is something outside of pfSense. OR You could get a business class connection with static IP that has no ports blocked to you. Call your ISP. I would bet they tell you that the port you are trying to use is blocked to retail customers.

https://forum.pfsense.org/index.php?topic=87700.msg482549#msg482549

you'll have to change the pfsense webgui to different ports if you wish to portforward 80/443

High end switches support multi-pathing for the layer 2 and can fail an interface when errors start to happen. The original question asked how to fail over "like the WAN". The issue is easier on the WAN because you just say "This route is bad, fail over to another route". The problem with the LAN side is you have only one route. Clients have only one gateway, that is one route. That is a layer 3 issue. LAN failures is a layer 2 issue. It's best to handle it at the Layer 2, which is the switch. I'm wondering why an interface would have loss and why failing over would fix the issue. There is a "raid 1" for Ethernet. I forget the protocol name, but packets are duplicated on all interfaces in a group.

on most firewalls this is called vpn passthrough. any ideas? Thank you!

Thank you so much for your kind and helpful response. No CD or DVD in the drive so I shall ignore the warnings as you suggest. Btw, I just love pfSense.  :)

We don't have that capability in pfSense, but if you send the syslog messages to a remote server, there are likely other dedicated monitoring packages that do support such notifications.

You could use rsync to copy the file(s) from firewall to firewall, assuming you have the right ports open across the back of all the systems: https://www.freebsd.org/doc/en/articles/hubs/index.html

@cmb: The routes are handled by each side on its own with shared key, fill in the "remote network" on each end accordingly. With SSL/TLS, the server side can push route(s) to the client but they're still required on the server side. Ah, I see. All working now. Thanks!

Thanks so much for your reply heper.  I am going to try that out and let you know if it works. Much appreciated.

have you set your interface rules for the wifi network?

Are you using proxy?  Are you using portal?  Do you have snort installed?  is your wireless part of pfsene or a stand alone AP connected to pfsense on its own segment or same segment as your lan? I can tell you have 2 iphones, 5c and 5s and ipad none of which have any problems grabbing new apps from the store, or updating existing apps, etc..

https://doc.pfsense.org/index.php/FTP_without_a_Proxy

If you are willing to switch to haproxy-devel (1.5) it should be able to do both ssl-offloading and transparent-clientip. Also in the background it will create the needed ipfw rules. How good of a job it will do for pop3s / imaps / smtps.. i have no experience there.

"but it would be useful if it could default to a common subnet mask imo." And who says what is common.. is /24 common?  Maybe to you - but to others maybe they always use /25 when bringing up a new segment..  You have no idea what a user might be creating a interface for..  To assume /24 solves nothing - if the user doesn't understand what the mask is in the first place.. Put in a feature request if you would like the drop down to start on /24 for new interfaces for ipv4, and /64 for ipv6 since drop down on that one is /128

Check the Packets RRD graphs, it's likely more or less in line with the search rate. There isn't a "you must have X rate of searches given Y rate of insertions/deletions", an average setup will be roughly along the lines of the numbers I posted previously, but that's dependent on what's happening on your network and can vary widely depending on the typical load your system is under. It sounds like you have many packets going through a small number of connections.