• 0 Votes
    2 Posts
    204 Views
    stephenw10S
    It's not the firewall, as you say. Both the client and server are in the same subnet so traffic goes between them directly through switch 1. pfSense never sees that traffic at all. Check for a bad subnet mask on something. It would have to be a very small mask though to include, for example, the server and gateway but not the client. It sounds like you have some asymmetric traffic. When you start pinging you get an ICMP redirect sent that then allows replies until it expires. Steve
  • PFSense + Nginx Reverse Proxy : can't see real visitors IP

    0 Votes
    10 Posts
    2k Views
    stephenw10S
    Like any rule; match the traffic you need, traffic to not NAT here, then set the 'do not NAT' option. https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#disabling-outbound-nat Here you probably don't want to NAT anything leaving the LAN so your rule can be source: any, destination: LANnet or similar. Steve
  • FRR BGP Communities issue

    0 Votes
    5 Posts
    953 Views
    T
    @viktor_g Thanks! It works.
  • Simple route between networks setup no wan no firewall

    0 Votes
    8 Posts
    1k Views
    J
    @bingo600 OK, I will try that - thanks
  • Import only local user directory and certs in pfsense

    0 Votes
    2 Posts
    309 Views
    stephenw10S
    There is no way to do that in the GUI. You would probably have to manually edit the config file which would be easy to get wrong. You would have to completely replace the users and certs sections. The webgui cert would need to be changed to use the imported one. You might set the gui to http while you do it to avoid problems there. Steve
  • Show device ID on cli force ID to change [solved]

    0 Votes
    6 Posts
    1k Views
    noplanN
    @stephenw10 Thank you! Saved me from doing some trial and error ... now I got some time to get a VLAN over the 2nd port of a UniFi AP AC Pro. There are things in networks no one's gonna need ;)
  • restore config.xml after install no packages [solved]

    0 Votes
    6 Posts
    594 Views
    JKnottJ
    @stephenw10 That's good to know. I'll be installing on a new computer shortly and have the config.xml file saved. I'll get it installed & running, before copying over the config. I didn't copy the DUID, as it's all new hardware, with different MAC addresses, so I expect I'll be getting a new prefix.
  • files.pfsense.org : Let's Encrypt certificate has expired

    0 Votes
    12 Posts
    1k Views
    GertjanG
    echo | openssl s_client -servername domain.tld -connect domain.tld:443 | openssl x509 -noout -enddate | grep 'notAfter' > date.txt
    The file date.txt should contain a date and time in the future:
    notAfter=Apr 3 01:17:16 2021 GMT
  • Trying to enable Heos to connect over two sub LANS

    0 Votes
    3 Posts
    575 Views
    T
    @stephenw10 yes but I missed the link to Denon's website. I'll have another look on there and see what it says.
  • vpn selective routing - tracetcp shows only one hop

    0 Votes
    8 Posts
    2k Views
    A
    @stephenw10 that's weird indeed. Connecting to the same Proton free server straight from my computer will show all hops. I guess there's not much I can do. Thanks!
  • Crash Report

    0 Votes
    2 Posts
    248 Views
    stephenw10S
    Nothing immediately familiar:

    db:0:kdb.enter.default> bt
    Tracing pid 12 tid 100094 td 0xfffff800057c7740
    kdb_enter() at kdb_enter+0x37/frame 0xfffffe00005fc6f0
    vpanic() at vpanic+0x197/frame 0xfffffe00005fc740
    panic() at panic+0x43/frame 0xfffffe00005fc7a0
    trap_fatal() at trap_fatal+0x391/frame 0xfffffe00005fc800
    trap_pfault() at trap_pfault+0x4f/frame 0xfffffe00005fc850
    trap() at trap+0x286/frame 0xfffffe00005fc960
    calltrap() at calltrap+0x8/frame 0xfffffe00005fc960
    --- trap 0xc, rip = 0xffffffff810a6486, rsp = 0xfffffe00005fca30, rbp = 0xfffffe00005fca50 ---
    pfsync_state_export() at pfsync_state_export+0x26/frame 0xfffffe00005fca50
    pfsync_sendout() at pfsync_sendout+0x280/frame 0xfffffe00005fcb00
    pfsyncintr() at pfsyncintr+0xd1/frame 0xfffffe00005fcb50
    ithread_loop() at ithread_loop+0x23c/frame 0xfffffe00005fcbb0
    fork_exit() at fork_exit+0x7e/frame 0xfffffe00005fcbf0
    fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00005fcbf0
    --- trap 0, rip = 0, rsp = 0, rbp = 0 ---

    Looks exactly like this though: https://forum.netgate.com/topic/146256/regular-crash-dumps
    And this: https://forum.netgate.com/topic/136195/bugs-report
    Not much help there either.
  • Unifi AP LITEs in mesh, VLANs, and pfSense - can't seem to "unify"

    0 Votes
    4 Posts
    897 Views
    A
    I do this on my work network: pfSense SG-8860, a combination of Netgear and Cisco managed switches, and finally 6 UniFi APs and 1 onsite UniFi controller. The network is set up with 2 networks - LAN and GUEST. The APs are set up to run 1 VLAN, the GUEST VLAN. The LAN network is also on these access points, but not VLAN'ed. Both of these networks run on the same physical port on pfSense. It took some reading and research, but I got it all working just fine. Firewall rules keep both of these networks from talking to each other. If you want to do something similar, and from reading your post it looks like you are pretty close, you're gonna need a smart/managed switch. Some 5 to 8 port switch models run about $40 to $45 USD, check out Amazon. The OPT network that runs over to the tenant's apartment is fine on its own pfSense port, run it directly into there and give it the proper settings. It doesn't need to go thru any of your switches. The other stuff that's "in your own place" should run thru the smart/managed switch, then into a single pfSense port, with VLANs. Jeff
  • Freeradius enable/disable users

    0 Votes
    1 Posts
    527 Views
    No one has replied
  • Trying to figure out why redirect host is showing up in my ping

    0 Votes
    25 Posts
    3k Views
    johnpozJ
    But not sending .118 down the vpn, shouldn't send it to your gateway.. Try splitting the whole local network 192.168.80.0/24 Also when you do that - take a look at the route table route print from a cmd line
  • Freeradius and Android 11

    0 Votes
    2 Posts
    1k Views
    ?
    @kurisuchan Okay, never mind, I solved it. Apparently when I created the CA I did not fill out all the optional fields. So I created a new CA with all fields filled in, also created a new server certificate and also filled in all the fields, and now it works.
  • Just getting started question

    0 Votes
    6 Posts
    788 Views
    M
    @gertjan This is all in VMware on my home PC. I do have a DHCP server at my house. This is where the 192.168.1.68 for my WAN interface is coming from. Thanks for the information on SSL/TLS. I picked 80 because it is just an internal VM and it was easy to set up by installing IIS on one of those VMs.
  • Bypass some IP from squid but not Antivirus

    0 Votes
    2 Posts
    148 Views
    stephenw10S
    ClamAV only sees proxied traffic so, no, you can't do that. Steve
  • Forwarding traffic from a LAN IP to another LAN IP

    0 Votes
    17 Posts
    3k Views
    bingo600B
    @draand28 Glad that you got it to work. Thank you for reporting back
  • SG-5100 Firewall logs disappearing

    0 Votes
    18 Posts
    2k Views
    A
    Well I think that was it! I disabled 'Log packets blocked by Block Bogon Networks rules' at 14:05 today. I just checked the filter log file and the last RTALERT and PADN entry occurred exactly at 14:06:01. Nothing but valid firewall events after that... Up until that point it was logging about 230 of those offending messages per hour. The funny thing is, I've always had that Bogon logging option enabled and never had a problem until now.. My ISP is Comcast and like the mention in bug report #3494, Comcast appears to send ICMP6 Multicast Listener Report messages out on their system which get flagged as Bogon traffic by pfSense. I guess Comcast must have made some changes recently that increased the flow of this type of traffic... Anyway, glad we got to the bottom of it. Thanks again for all the help! No way I could have figured this out on my own...
  • Difference between ????

    0 Votes
    12 Posts
    1k Views
    X
    @johnpoz hello, I have 2 pfSense with BIND connected via site-to-site OpenVPN :) I need my site 1 to be the master and site 2 to be the secondary. I need site 1 to have all the zones on site 1 and site 2 as master zones. The point is to add hosts only on site 1, which is the master, and those entries to be synced to site 2 so I don't have to enter them on site 2 also, to be able to resolve them there as well. Like the built-in resolver on pfSense (if I want to resolve a host on site 1 which is actually a host on site 2 I have to put an entry into the resolver on site 1). Right. :) and ... the rules which are confusing me. What rules should I set so both sites can sync with this function, or in any other way? [image: 1611679402213-bind-xmlrpc-sync-resized.jpg]
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.