• NFS Client (ESXi) on LAN, NFS Server on WAN

    3
    0 Votes
    3 Posts
    513 Views
    U
    @kiokoman thanks for the reply! I have it working perfectly from LAN to LAN. When I place the same server directly on a WAN IP address, with UFW disabled on the NFS server, I cannot mount it from my ESXi host which is on the LAN. -J
  • OpenVPN Client Export Package Missing TAB

    3
    0 Votes
    3 Posts
    387 Views
    stephenw10
    It should install as an additional tab in VPN > OpenVPN. I assume you found it?
  • VLAN subnetting

    4
    0 Votes
    4 Posts
    463 Views
    johnpoz
    @justice41 said in VLAN subnetting: considering only few hosts would take one network, seems it's better just to make subnets. True.. I applaud your wanting to use appropriate sized networks. Then again rfc1918 is HUGE.. For any single location.. So what does it matter ;) Unless for some reason you're limited to this 10.10.11/24 for some reason. You can chunk up your /24 any way you like in whatever sizes you want.. You could break them up into /30s if you so desire.. But you need to chunk them up so that your subnets don't overlap ;)
  • Internet disconnects on Intervals due to Schedule

    5
    0 Votes
    5 Posts
    465 Views
    D
    @negate1 Are you referring to WiFi? This is somewhat a large network, with almost a thousand clients connected to pfSense. Pf is acting as an edge network loadbalancing 4 WANs. Behind pfSense is an OSPF network with several subnets. An IP in one of the subnets needs to follow a schedule where there are times in a day that we need to block from accessing Internet. It is just a simple block rule with a schedule. After we applied the rule, Pf is disconnecting all clients in all subnets every 15min but reconnects them immediately. This is unnoticeable in most internet activities except games and voip. We disabled the rule and everything is back to normal. Is this something a cron job not doing as intended?
  • Should the WAN_DHCP IP be the same as my Public IP?

    5
    0 Votes
    5 Posts
    675 Views
    P
    @johnpoz Thank you for the clarification
  • Can't no access to some websites

    25
    0 Votes
    25 Posts
    2k Views
    E
    @stephenw10 said in Can't no access to some websites: Because it's statically routed so it may behave differently to a random IP. ok :)
  • ATV4 wants to connect to an "unknown" ip on TCP/7000

    19
    0 Votes
    19 Posts
    2k Views
    bingo600
    Now my ATV4 has "Fallen in love with 192.168.1.14 TCP:7000" Well I have had it ... Made a deny rule targeting ATV4 -> 192.168.1.0/24 (I don't have that range), and disabled logging. /Bingo
  • Running pfSense 2.4.4 over a KVM VM in PROXMOX 6.1.5.

    proxmox kvm
    15
    0 Votes
    15 Posts
    3k Views
    R
    @viragomann said in Running pfSense 2.4.4 over a KVM VM in PROXMOX 6.1.5.: You will get the best benefits of the processor features, when using host type. This passes all the features of the processor through to the VM, while KVM64 provides only a small amount of common features. For instance, KVM64 doesn't make use of AES-NI, even if your host CPU supports it. With kvm64 you can set extra CPU flags though, including AES. All via Proxmox GUI.
  • Social networks blocking

    4
    0 Votes
    4 Posts
    466 Views
    NogBadTheBad
    You could block Facebook using pfBlockerNG by creating an alias using the ASN for Facebook. YMMV with other social networks. Or maybe Snort with the openappid-social_networking.rules enabled.
  • New setup help

    11
    0 Votes
    11 Posts
    796 Views
    S
    @JKnott I was trying to agree with you... :)
  • HAPROXY with reverse https from LAN to LAN

    3
    0 Votes
    3 Posts
    455 Views
    P
    I don't think you should create 5 frontends just to access 1 backend webserver, instead you might point the 'internal' DNS to the same public ip where haproxy is already listening.? Or perhaps just point them all to the same LAN1-IP ? Other option might be to create a 5th subnet with a 'virtual' ip-alias 192.168.40.1/24 on the lo0 loopback interface to listen on? That might make your firewall rules a bit simpler..
  • Pfsense - Not Showing Any Logs 2.4.5-RELEASE-p1 (amd64)

    4
    0 Votes
    4 Posts
    420 Views
    N
    Hi, now it is working. The second reset has fixed the issue. Thanks
  • mfiutil: mfi_open: No such file or directory

    4
    0 Votes
    4 Posts
    733 Views
    stephenw10
    It may simply not be compatible with that utility then.
  • 0 Votes
    12 Posts
    1k Views
    kiokoman
    yes, now you have an idea of what you need to do, maybe wait for someone with a Draytek that can tell you how to configure it. internet---pppoe ----| ............... modem --- pfsense ---lan
  • Content Filtering and Tracking

    2
    0 Votes
    2 Posts
    375 Views
    AKEGEC
    @leadwolf31 , Assalamu alaikum, Shalom, Namaste. Yes you can. I use pfSense CE (free) with IBM QRadar CE (free). I can even track the apps that intruders used. IBM QRadar
  • Public IP and WAN IP different

    4
    0 Votes
    4 Posts
    1k Views
    johnpoz
    Normally very difficult to have any unsolicited inbound traffic. Unless your ISP has set up ports to be sent to your 100.64.x.x IP, or allows for you to request them. It's pretty much the same as your IPs behind your NAT router not seeing inbound traffic unless you create a port forward on your router. If you have no need for inbound traffic - say you're running a plex server, or hosting httpd, or whatever - then you prob won't have any problems. But if you're wanting to say host some online games or something... Then yeah it can be a problem. If you would like to say vpn into your home while you're on the road with your phone or laptop or something - then yeah problematic for sure. Do you also have IPv6? If you have IPv6 you could leverage that for the services you want to host off your connection. Problem there is not everyone has IPv6, nor all locations.. Say you're on some hotspot at a coffee shop or something and want to vpn to your home - the coffee shop might not have IPv6 for you to use. edit: upon looking I do see you connecting a few times with IPv6 to the forum.. So I would assume you have it - but that could have been off your phone (not using wifi) or something? For example T-Mobile, at least in my region has gone full IPv6 on their data connections. Your phone never gets an IPv4 address other than via wifi. When you want to talk to an IPv4 address you use a NAT64 gateway they have set up.
  • Bug: PPP passwords (or what) need to match (I found the cause...)

    6
    0 Votes
    6 Posts
    1k Views
    stephenw10
    So you're basically saying Chrome is auto-filling hidden password fields creating the input validation error? That should be fixed in 2.4.5p1 by this: https://redmine.pfsense.org/issues/9864 So, yeah, upgrade! Steve
  • Setting up Lan Ports

    2
    0 Votes
    2 Posts
    320 Views
    stephenw10
    There is a reason that bridging all your interfaces is not a one check-box type setup in pfSense. Doing that is generally a bad idea! Bridging interfaces makes it behave somewhat like a switch but it is not a switch and if what you want there is a switch then you should just use a switch. Most SOHO routers that use that type of setup are in fact using a switch internally. Some of our own appliances have an internal switch and can also be used like that. That aside..... if you are going to the dhcp server setup and there is no tab for br0 it's because br0 isn't assigned with a static IPv4 subnet a dhcp server can be added to. I note also that guide does not mention changing the sysctls to filter on the bridge interface rather than its members which most people would want for this sort of setup. See: https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html Steve
  • pfSense using unreasonable amount of bandwidth while idle

    106
    0 Votes
    106 Posts
    23k Views
    stephenw10
    Mmm, weird. Thanks for following up though. Yeah it would be good to know what it was but that's probably not possible at this point. Steve
  • What is NRDM

    11
    0 Votes
    11 Posts
    1k Views
    AKEGEC
    @user2 , I think you are overly worried, but then again that's your right. Anyway the IP address that you mentioned is related to these IP addresses: IPV4 24.227.211.0/24 64.17.0.0/20 64.20.224.0/19 64.20.224.0/20 66.219.32.0/19 96.47.208.0/20 96.47.209.0/24 192.188.253.0/24 198.252.182.0/24 208.67.240.0/21 208.123.64.0/19 208.123.73.0/24 216.1.112.0/22 IPV6 2610:160::/32
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.