• How to modify the Nginx timeout?

    0 Votes
    2 Posts
    343 Views
    stephenw10
    Does it always fail for that cert? You have something unresolvable set there? Failing after 60s seems reasonable; I doubt increasing that value will help. Steve
  • Set up mixed IPv4 and IPv6 traffic?

    0 Votes
    26 Posts
    3k Views
    P
    @jknott Good to know. I appreciate all your help so far. Once (if) I decide to proceed with this, I might have to come back to get more assistance...
  • pppoe server more than 255 users?

    0 Votes
    4 Posts
    728 Views
    jimp
    The limit is set by pfSense, I am not aware of a limit in mpd. But again, it hasn't been tested so you're pretty much on your own there. It isn't intended for that many users, but it may work.
  • Block Facebook but Allow Messenger

    0 Votes
    2 Posts
    303 Views
    stephenw10
    You can try filtering it in DNS but I'm not sure if Facebook Messenger will work without being able to resolve facebook.com. Steve
  • Can't access Microsoft urls or Xbox App on PC

    0 Votes
    2 Posts
    344 Views
    stephenw10
    Are the URLs in question resolving? Do you have any other packages installed besides pfBlocker? What error do you see when you try to visit one of these URLs? Steve
  • 0 Votes
    4 Posts
    1k Views
    stephenw10
    Ah, yes, if it tries to boot and finds the assigned interface missing then you will see problems. I would not normally expect a panic though. An Ethernet connected external modem will give far better results pretty much every time. Steve
  • pfSense change the URL

    0 Votes
    7 Posts
    1k Views
    W
    @stephenw10 If I call the URL from another PC on another network in another city, the problem is not there. And it doesn't even exist if I call the URL from a smartphone. I only have it from multiple PCs in THIS network, under pfSense. So that's something here in this office. I don't know where, but it's here. OK, I close the thread. I try to reinstall everything.
  • Secondary DNS Server

    0 Votes
    8 Posts
    3k Views
    Gertjan
    @leungda said in Secondary DNS Server: Why not using the pfsense as a SLAVE server. Because https://forum.netgate.com/topic/133593/bind-setup-pfsense-as-slave-dns-server/8?_=1607327341512 I'll add a why not more: bind, as any other daemon type process, bind uses config files. And like server daemons like apache2, nginx, postfix etc.: it's close to impossible to build a GUI around them. You wind up doing what's been done for the last 3 or 4 decades: edit the config files with a text editor. Typically, you'll be needing 3 SSH open during editing: One where you edit the config files - bind has many config files, zone files. One to restart or reload bind9, and one where you 'tail' the bind log file(s). Typically, these log files are split in debug, xfer, dnssec, debug, query, etc. Once set up correctly, you'll be fine for some time. You have two choices: bind does everything for your pfSense, working as a resolver for pfSense, and your LAN's and slave DNS name server for your domain name. Or you make a mix: unbound listens only to the LANs and pfsense local host, and have bind bind to the WAN IP, port 53. I guess it is possible - with actually ONE restriction: you have to know bind. My own slaves run on a VPS that exists for only that reason: for DNS and mail backup server. I've been using https://freedns.afraid.org/ a long time as a second (third, actually) but had to remove them: as I'm using Letsencrypt, freedns.afraid.org is too slow to update (execute the XFER upon NOTIFY) so acme failed to renew my certs. What happens is that I ask mostly for wild card certs, which implies two records being pushed (using nsupdate) to the master DNS. When this happens, the master sends out after each record update a NOTIFY to the slaves. The first XFER initiated by the slaves happens quickly, but then - @freedns - some rate limiting kicks in, the second record gets XFERred much later, making the Letsencrypt check fail. In the past, Letsencrypt checked just one name server, which could be the master answering, or the slave, making the chance bigger to succeed. These days, master and all the slaves are checked.
  • Very slow login to dashboard++

    0 Votes
    17 Posts
    2k Views
    Gertjan
    @bla said in Very slow login to dashboard++: that one of the DNS servers being used Keep in mind: you don't have to enter during setup any DNS server. The resolver already knows where the 13 original main 'root' servers are, as these are built into the code. No need to pass on your DNS info elsewhere.
  • IoT Devices on WPA2 Enterprise network

    0 Votes
    4 Posts
    2k Views
    NogBadTheBad
    @jwj I don't think the Unifi kit supports 802.1x and any form of WPA on the same network segment even if the SSID is different. I'm with @johnpoz on the guest WiFi and QR codes.
  • 0 Votes
    12 Posts
    2k Views
    S
    @pagger I disable my WAN ipv6 and everything is solved.
  • Pfsense questions from a newb

    0 Votes
    5 Posts
    589 Views
    johnpoz
    Yeah knew that was going to happen.. Could tell from the IP.. I don't think we have 1 legit user from there.. It's just spam.. Your googlefu in finding the threads they are copying from is better than mine - I searched and could not find where they had copy pasted from.
  • Issues with Netgate SG-1100 over FTTH (Bell Canada)

    0 Votes
    13 Posts
    1k Views
    stephenw10
    Hmm, odd. That should be identical to re-assigning it as WAN.
  • 0 Votes
    3 Posts
    579 Views
    I
    @heper I see. Interesting. I'll see if I can find the poll. I mean if folks are willing to pay a premium for Unifi gear, you'd think they'd be willing to buy cheaper (but just as good) gear and pay more for pfSense. I know I would. Interesting.
  • Cisco AnyConnect VPN behind a pfSense 2.4.5

    0 Votes
    14 Posts
    2k Views
    A
    @johnpoz Hello and thanks. Yes, I only had TCP port 443 outbound from my work VLAN and after adding UDP all is better. I'll VPN into work and update that wiki page.
  • Syntax error when loading rules

    0 Votes
    1 Posts
    225 Views
    No one has replied
  • 0 Votes
    3 Posts
    2k Views
    A
    @gertjan noted with. Thanks!
  • Key generation for SSH?

    0 Votes
    11 Posts
    1k Views
    stephenw10
    The client only needs to generate a key pair if you want to authenticate using the key. The server always needs a key pair. All SSH servers do. SSH depends on public/private key cryptography. https://tools.ietf.org/html/rfc4251 Steve
  • Tip - I solved my WiFi Calling issues

    Locked
    1 Votes
    12 Posts
    8k Views
    stephenw10
    Locking this, it's just attracting spam at this point.
  • Getting PFSense to See Internal Network

    0 Votes
    20 Posts
    2k Views
    stephenw10
    It's ugly (triple NAT!) but you can port-forward in Google WIFI: https://support.google.com/wifi/answer/6274503?hl=en-GB This will work if you have all three port forwards set up correctly. The fact you were seeing blocked traffic in pfSense shows at least one port forward is wrong. See my comments above. Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.