• Solved: pfSense as bhyve guest only gives 60Mbit instead 200+

    0 Votes
    33 Posts
    3k Views
    stephenw10
    Nice catch.
  • wifi disconnects when changing settings

    0 Votes
    14 Posts
    884 Views
    stephenw10
    Mmm, that's fun!
  • Torrent kills PFSense DELL R210II Box

    disconnections nic pfsense torrent unresponsive
    0 Votes
    4 Posts
    1k Views
    Gertjan
    @nds2k said in Torrent kills PFSense DELL R210II Box: I shall try that when once other family members are not using the network. If you know what device is using the torrent, and you have an ISP router in front of your pfSense, you could hook up that device only without taking your network down. @nds2k said in Torrent kills PFSense DELL R210II Box: Noted! You didn't know that most ISPs do not like at all the usage of P2P protocols as they are used for distributing very legal info like Windows updates and the like, and also less legal files like ripped DVD etc.? If the destination IP is from these "Windows updates" servers, then the content isn't blocked, of course.
  • Automatic Backups from previous owner

    0 Votes
    5 Posts
    656 Views
    stephenw10
    @diegus83 said in Automatic Backups from previous owner: I decided "I should try that now while it is not an emergency instead of when I break something and the internet stops working" I approve of this decision.
  • What would cause my server to show UDP port scans coming from my VLAN IP?

    0 Votes
    4 Posts
    580 Views
    stephenw10
    Yes, unless you have outbound NAT configured on that interface. Check the state table for the states on that interface. Steve
  • A few questions about logging and reporting tools

    0 Votes
    4 Posts
    661 Views
    stephenw10
    Yes, exporting syslog and netflow data is the way to go for that. Long term data is not intended to be held in pfSense directly.
  • freeradius package + ad + mfa

    0 Votes
    3 Posts
    554 Views
    P
    @stephenw10 yeah. let's say i have an openvpn user that comes from ad. can i utilize the freeradius to add mfa to it?
  • 0 Votes
    14 Posts
    3k Views
    stephenw10
    Do you see it being routed in packet captures or the state table when you try to reach 1.1.1.1? Where does it fail?
  • Can't connect from site A to site C

    0 Votes
    20 Posts
    2k Views
    C
    Got it working finally. For this I reset everything to default and started again from scratch. And both options now work. If I do it via NAT it works. And if I change this to a static route in the destination network (so without NAT) it also works. I think I have the same configured as before. But apparently something was wrong before, because now it works. Thank you all for your input and suggestions.
  • hide false positive blocked/rejected firewall entries

    0 Votes
    9 Posts
    932 Views
    NogBadTheBad
    @imthenachoman said in hide false positive blocked/rejected firewall entries: My FW rules are very prescriptive. My last FW rule rejects everything that a previous rule doesn't allow. I was talking about your WAN rules, your screenshot is the LAN or one of the LAN interfaces isn't it as you're doing DNS redirects to the firewall. If you really want to understand what's hitting the firewall send the logs to a syslog server, then look at the data, I send mine to my Synology NAS and can export out if needed to Excel.
  • Port Redirection internal vs external

    0 Votes
    9 Posts
    1k Views
    R
    @tabmow It's really easy to use, which is why I opted to use it myself, I also don't need another VM or Docker container running when the pfSense box can do this along with the LE certs. Do keep in mind HA only works at TCP level, so if you wanted to proxy anything non HTTPS, you might have issues.
  • 1Gbit Symmetrical Upload Slows to 80Mbps

    0 Votes
    6 Posts
    700 Views
    G
    @stephenw10 Although not ideal, after getting login credentials to the ISP provided router, I moved everything behind their device (which is a calix gigacenter 844e-1 which is actually not a bad device) and speeds are running normal with no weird latency when upload was seemingly capped. Their device provides the option to place my pfSense box in a DMZ, so this allows me to open ports (ie 443) and route things like I need to. I really wanted to figure out why it was acting the way it was directly connecting to the ONT box, but I'll roll with this for now as it seems there is something upstream that is hampering devices that aren't ISP devices. Thanks for the information from both of you guys.
  • FreeBSD vnet jails no comms

    freebsd vmware jail vnet
    0 Votes
    2 Posts
    898 Views
    T
    As always is the case, I resolved this minutes after posting. It's quite an obscure setting but I needed to also enable Security --> Forged Transmits in the vSwitch. https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-7DC6486F-5400-44DF-8A62-6273798A2F80.html
  • Is there a way I can see traffic per device from 2 weeks ago?

    0 Votes
    3 Posts
    418 Views
    R
    @johnpoz Nope, but I will check those out to see if they could be of help in the future. TYVM for the reply. Happy new year!
  • Access internal server from behind firewall with public address

    0 Votes
    4 Posts
    491 Views
    Rico
    Glad to point you in the right direction. :-) -Rico
  • Upgrading Unbound for dns over tls connection reuse

    0 Votes
    3 Posts
    619 Views
    C
    @chpalmer Thanks for the quick check! I don't have enough hardware to spin up 2.5 yet, but this may prompt me to throw something together.
  • Thank You pfSense! (useful info for PT readers)

    0 Votes
    19 Posts
    9k Views
    T
    Hello Miguel, Are you still sharing your configs? I would be very happy if you could share them so I can properly configure my MEO network with pfSense. Thank you
  • Release of 2.5.0

    0 Votes
    11 Posts
    1k Views
    T
    I'm reminded here of the famous saying (often found in project management): "Good, Fast, or Cheap? Pick any two". In this case we are all getting something good and cheap (free), ergo it won't necessarily be _________. That being said, I'm looking forward with anticipation to 2.5 as well...when it's ready.
  • Switch failure puzzle

    0 Votes
    4 Posts
    519 Views
    stephenw10
    If it was managed you might have some logged error to go on. Also managed switches tend to be better made and more resilient. Mostly! If a new replacement failed in exactly the same way though I would start suspecting something in the environment. Not necessarily a network problem, maybe a power issue? You swapped the PSU at the same time I assume? If you move one of those 'bad' switches to somewhere else and test it does it still fail? Steve
  • Email issue internal VLAN to LAN host

    0 Votes
    3 Posts
    448 Views
    D
    Thanks for the hint. I didn't realize the traffic wouldn't pass the WAN interface. I'd forgotten that pfSense sort of acts like a router between interfaces by default. I blocked traffic between LAN & VLAN DMZ except for SMTP on the web server and set up a record in my hosts file so email could then be addressed to the mail host directly.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.