• 2.3.1_5 Available?

    2
    0 Votes
    2 Posts
    2k Views
    jdillardJ
    https://blog.pfsense.org/?p=2090
  • 2 instances, cannot ping local machines through first vpn

    18
    0 Votes
    18 Posts
    4k Views
    P
    sudo route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.1 works like a charm, so apparently pfsense2 receives the packets returning from 192.168.1.23 and cannot send them to the pfsense1, although a lan to lan full allowing rule is in place. Not nice but efficient :-) Also I use a config pusher, so in case of more machines I can still push that rule (I guess, gonna check that out). Thanks for your wonderful support everyone.
  • SSH Tunnel to Ubuntu Server pfSense Firewall Rule

    2
    0 Votes
    2 Posts
    913 Views
    M
    https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense Or if you prefer video tutorials: https://www.youtube.com/watch?v=28dmUzOGI50
  • Problem with split dns?

    3
    0 Votes
    3 Posts
    754 Views
    E
    Thank you!
  • Sub supernetting CIDR notation

    7
    0 Votes
    7 Posts
    1k Views
    johnpozJ
    yes /27 in a firewall would match those IPs..  If your network was actually a /24 and you used 10.11.193.0/27 in a firewall rule - that rule would trigger on IP .1 to 31 If you used .32/27 it would trigger on .32 to .63, etc..  Yes you can use cidr in your firewall rules and they can be subnets of your actual network..  So sure if you always set your infrastructure IPs .1 to .31 on that network then you could use x.x.x.0/27 as a firewall rule to trigger on those IPs This is very common practice to use specific IPs in a segment for specific sorts of things, which then yes makes creating firewall rules that match on those IPs easy to do with cidr..  Depends on the location but many will reserve the first part of a new IP range for static and the end as well.  And only use the middle ranges for normal dynamic clients in that segment, etc. If you break at common subnet blocks then yes it makes it easy to write firewall rules based on those borders.
  • Simple question

    2
    0 Votes
    2 Posts
    512 Views
    ?
    In 2.3 and newer versions, the update system is pkg-based, changing the available update methods. Upgrades are performed either under System > Update in the webGUI, or option 13 at the console. Manual updates are no longer available, and systems must be Internet-connected to update. https://doc.pfsense.org/index.php/Firmware_Updates#Version_2.3_and_newer
  • [SOLVED] PFSENSE NOTIFICATION

    2
    0 Votes
    2 Posts
    1k Views
    ?
    OK, well, this works: first enable watchdog and select the services to notify about, later go to System – Advanced – Notifications and in E-Mail put your address, and this is all. Done.
  • [SOLVED] PFSENSE ERROR UPDATE

    3
    0 Votes
    3 Posts
    813 Views
    ?
    Thanks, this works for me too.
  • Pfsense with ESXi and VLANs

    7
    0 Votes
    7 Posts
    3k Views
    C
    I think I have found the issue. It was rather simple. I have mistakenly assigned VLAN20 to the LAN interface and not to the opt1 interface. Once I assigned the vlan20 to opt1, the Windows machine received its IP address from pfsense.
  • WAN Traffic is way more than LAN traffic, what's going on?

    11
    0 Votes
    11 Posts
    2k Views
    C
    @KOM: If he was the victim of a DNS-AMP attack, nothing would change just because he changed DNS on his gateway or client, and any of his LAN clients doing excessive lookups also wouldn't care which DNS server was selected for use by pfSense.  There was something weird going on but I doubt it was a DoS attack. That's the "stopped just by coincidence, but that's unlikely" part. Given that, it's more likely some client on his network is issuing queries that cause some remote server being targeted to send or receive a large amount of traffic. TWC's DNS server takes part, Google's much better than most if not all ISPs at limiting the impact of or blocking DNS amplification.
  • [SOLVED] 2.3.1_1 still stops routing traffic every day

    13
    0 Votes
    13 Posts
    2k Views
    C
    Glad that worked.
  • E-mail Issue

    3
    0 Votes
    3 Posts
    606 Views
    GertjanG
    @extacy1: Thanks to this post https://forum.pfsense.org/index.php?topic=31580.0 That post was dated "2010". Google - gmail - did change some - if not all - procedures. @extacy1: Basically changed email server from smtp.gmail.com to alt1.gmail-smtp-in.l.google.com and set the port to 25 E-mail Server:alt1.gmail-smtp-in.l.google.com SMTP Port of E-Mail server:25 Uncheck "Enable SMTP over SSL/TLS" or "Enable STARTTLS" I used this: https://support.google.com/a/answer/176600?hl=en (the original, up to date doc from gmail about gmail :) ) Works great using port 465 - SSL on, etc. ( Secure SMTP Connection Enable SMTP over SSL/TLS ) and "smtp.gmail.com" as the smtp server address. I also entered my gmail login and password. Of course, if gmail doesn't know about "pfsense" or the IP you are 'sending' from, you might run into the "was this you?" gmail protection schemes. But that's nothing new. I guess, if you need to use "alt1.gmail-smtp-in.l.google.com" you have some DNS issues.
  • Setup almost fully working - except for this

    3
    0 Votes
    3 Posts
    2k Views
    B
    It looks like this was caused by a route push from my OpenVPN Client. I set "don't pull routes" and that resolved it. I have a DNS leak I still need to fix now but I'll raise a new thread for that in the appropriate forum :)
  • Random network slow-downs

    1
    0 Votes
    1 Posts
    464 Views
    No one has replied
  • Changing network interface names at FreeBSD level…or? (Zabbix)

    5
    0 Votes
    5 Posts
    3k Views
    S
    Given that there are no "UserParameter=" tags in the installed zabbix_agentd.conf I have to assume there would be no magic template to do this unless the agent has been specifically compiled with added sources to accomplish something above and beyond what the standard FreeBSD agent provides, meaning that there probably isn't anything discoverable beyond the regular "Template OS FreeBSD" that comes with a Zabbix Server install. So then, the other question would be, does the zabbix_agentd.conf file or more importantly, I guess, the entire /usr/local/etc/zabbix22 directory survive a significant version upgrade?
  • Split FiOS WAN Between pfSense and Verizon Router

    11
    0 Votes
    11 Posts
    6k Views
    P
    @NOYB: Think you are in luck.  I have done this dual router (pfSense and FiOS provided router) before.  Here are a couple possible methods.  I have successfully used both of them.  It's a bit complex, but it can be done.  Both  methods outlined below require FiOS Ethernet service rather than MoCA (COAX).  By the way is this for Verizon FiOS or Frontier FiOS? Method 1:  The most desirable (IMO) Configure a switch as follows. Port 8: PVID 99, Member VLAN 99, Un-Tagged; Member VLAN 98, Un-Tagged, connect to ISP WAN Ethernet Port 7: PVID 98, Member VLAN 99, Un-Tagged, connect to FiOS router WAN port Port 6: PVID 99, Member VLAN 99, Tagged, connect to pfSense WAN port Ports 1-5: Default (optionally 98 can instead be 99 also) Method 2: How Can I Run Multiple Parallel Routers https://www.dslreports.com/faq/16949 https://www.dslreports.com/forum/r27210694-FiOS-Dual-Router-Separated-Computer-TV-Service-Networks Use pfSense WAN DHCP Advanced configuration options to impersonate the FiOS router's DHCP.  Also clone the MAC address so pfSense has the same MAC address as the FiOS router. Does remote DVR work with both of these methods (granted I know I need to forward the correct ports)? Also, for method 1, do I need a switch that supports VLAN Trunking? I bought a Dell PowerConnect 2716 switch, but I don't think it supports trunking. Can you confirm if this managed switch will work? Thanks!
  • VLAN Question

    5
    0 Votes
    5 Posts
    893 Views
    H
    @kpa: The LAN interface works just like it would without the VLANs. The VLANs are transmitted on the same wire but the ethernet frames have the appropriate VLAN tags in them. I'm not sure what you mean by "trunking" though. Cisco (and a few other vendors) uses the term "trunking" to refer to an interface that carries VLAN tagged frames from multiple VLANs, which I think is where the confusion is coming from.
  • Why Letsencrypt may still be a non-ideal

    6
    0 Votes
    6 Posts
    2k Views
    J
    @Derelict: I don't see how the release of a bunch of email addresses has anything to do with the fact that it was letsencrypt that did it. It's less damaging than, say, adultfriendfinder. Was a rookie mistake though. I do hope they are more careful with their signing keys. This is really all I was attempting to say.  They need to get a lot better at operations (including opsec) before they're to be fully trusted with what they're attempting.
  • MOVED: How to make PfSense 2.3.1 a Proxy Server using 1 interface only?

    Locked
    1
    0 Votes
    1 Posts
    405 Views
    No one has replied
  • Traffic shaping limiters bandwidth per host

    3
    0 Votes
    3 Posts
    751 Views
    E
    I have a rule in LAN, TCP/UDP with limiters. In traffic shaping -> limiters, I have a limiter with 2mbits and mask in "source addresses", and /32… I attach jpg image with my config. Not found, no apply for per host, apply limiter to all network :(
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.