  • Anyone having issues with IGMP Proxy on 2.4.5-RELEASE-p1
    0 Votes, 8 Posts, 2k Views
    M
    My configuration is pretty basic. Just VLAN interfaces set as downstream so that pfSense acts as the IGMP snooping querier for the switches. I don't actually require multicast routing. Anyway, I manually copied over the config file from a 2.4.4-RELEASE-p3 box and started IGMP proxy from the CLI. Since then it's been working fine and I can make changes from the GUI.
  • VirtualBox Host No Internet when using pfSense as gateway
    0 Votes, 4 Posts, 482 Views
    stephenw10
    Yeah, you need NAT to reach anything from an internal non-routable IP, as you found. Try running at the command line: pkg -d update. What error does it report? Steve
  • pfSense is crashing when using Elementum, how can I read my log?
    0 Votes, 5 Posts, 717 Views
    stephenw10
    Did you actually see a crash report? Normally indicated by an alert in the GUI after you reboot. If not, what exactly happened? pfSense became unresponsive? Even at the console? Torrents typically cause problems because they open a lot of states. That can exhaust something on smaller pfSense boxes, though just one torrent client is not normally anywhere near doing that. Check the monitoring graphs (Status > Monitoring) and look at the state usage in the time leading up to the incident. Steve
  • General pfSense + L3 Switch/Routing best practices or guides?
    0 Votes, 2 Posts, 432 Views
    stephenw10
    I have no issues with either of those. There will be some variation in your own switch. Just remember that you are removing pfSense as the filter between the VLANs. Any filtering you need there now has to be done using ACLs in the switch. That also means you now have two places to check for filtering rules when troubleshooting, so be aware of that. Steve
  • Unable to connect to Unraid or QNAP after pfSense Install
    0 Votes, 2 Posts, 491 Views
    A
    FYI... Turned out that my 24-port switch was bad. New switch = No Problems!
  • pfSense on VirtualBox Guest + Emby (Plex) on VirtualBox Host
    0 Votes, 30 Posts, 3k Views
    stephenw10
    You can set an expiry date for local users, sure. https://docs.netgate.com/pfsense/en/latest/book/usermanager/user-management.html#adding-editing-users
  • Do I need to turn off NAT on my Mikrotik router while pfSense hands out leases?
    0 Votes, 7 Posts, 915 Views
    NollipfSense
    @OpenWifi said in Do I need to turn off NAT on my Mikrotik router while pfSense hands out leases?: pfSense has so many great features that Mikrotik doesn't.
    That's why I prefer pfSense at the edge.
    @OpenWifi said in Do I need to turn off NAT on my Mikrotik router while pfSense hands out leases?: Ntopng lets me see what traffic is going through my network.
    For this you would need to disable NAT on the Mikrotik, else all traffic would be coming from 192.168.1.100.
    @OpenWifi said in Do I need to turn off NAT on my Mikrotik router while pfSense hands out leases?: I don't have to go to each and every one of my clients to set the static lease, the way Mikrotik does.
    In Mikrotik, go to IP > DHCP Server > Lease ... if you click on the lease you'll see an interface tab like below ... notice one arrow points to "D" (dynamic lease) that you can "make static." [image: 1595691311473-screen-shot-2020-07-24-at-10.26.59-pm.png]
  • Router slows to crawl every 3 days, needs reboot - suggestions?
    0 Votes, 13 Posts, 2k Views
    N
    @feedyourtv Most probably a hardware issue. The fault will propagate sooner or later. Usually it is due to faulty decoupling capacitors on the motherboard. To say that ASRock boards are problematic is as invalid as saying that Windows never blue screens. If it was a software issue, this board would be full of complaints, rest assured. Have fun, as long as it works out for you this way :)
  • WAN loses connection randomly within 24-36 hours - tried everything
    0 Votes, 14 Posts, 1k Views
    bmeeks
    @jim82 said in WAN loses connection randomly within 24-36 hours - tried everything: 14 days after and my connection is rock solid. Thanks for your help.
  • How to let connected-devices use IPv6 ?
    0 Votes, 8 Posts, 790 Views
    JKnott
    @netblues One other thing, that current IP changes daily when SLAAC and privacy addresses are used. I agree firewalls should be used, but there are some things in IPv6 that make it safer than IPv4. Also, IIRC, pfSense and just about every other firewall defaults to deny all, so unless the OP actually did something to leave it wide open, he should be OK.
  • Latency impact 2.4.4p3 > 2.4.5 > 2.5
    0 Votes, 17 Posts, 1k Views
    Q
    I've been running a clean install (i.e. not an upgrade of 2.4.4p3) of 2.4.5p1 with a minimal restore of config (too many rules to recreate from total scratch) for a few days now and gradually things have worsened. The culprit is pfctl, which can be seen consuming 100% of CPU in System Activity. I have pfBlocker installed but have it set to run cron once per day at 3am and it doesn't appear to cause the load. I did notice on day 1 of running a clean install that the increase in latency occurred at exactly the time /usr/bin/nice -n20 /etc/rc.update_urltables was scheduled to run. Rebooting seems to reset things to some degree, but at this point I suspect I have to roll back to 2.4.4p3 as this latency is making video conferencing virtually impossible.
    [image: 1595548302670-overview.png] [image: 1595548313617-states.png] [image: 1595548322199-notraffic.png] [image: 1595548331939-memory.png] [image: 1595548338756-cpuload.png]
  • How to make bridge between WAN and LAN on 2 ports devices ?
    0 Votes, 15 Posts, 1k Views
    Q
    Hi, please don't bother with it, I have managed to fix it :) The thing seems simpler than I thought: no need to bridge anything, just plug my router into the LAN port, reset my router, that's it. Thanks again. Best regards,
  • PROXY NOT WORKING
    0 Votes, 2 Posts, 387 Views
    DaddyGo
    @klausneil said in PROXY NOT WORKING: I put the proxy data in the browser
    http traffic basically appears in the squid access table (in transparent mode) (if not, there is a configuration issue and the request does not reach Squid)
    https content becomes visible (table) only by inserting the Squid intermediate certificate into browsers (it will appear in this form in the table: domain.xyz:443) or you can use WPAD and/or PAC solutions, yet
  • Cisco Layer3 switch and PFsense setup
    0 Votes, 10 Posts, 1k Views
    B
    Thanks @netblues and @JKnott for your feedback. I focused on the VM host (XCP-NG) network config and found resources for enabling VLAN interfaces in Xen. I can now see VLAN-capable interfaces when creating VLANs in pfSense.
    Enable VLAN interfaces: http://think-brick.blogspot.com/2016/02/pfsense-on-xenserver-enable-vlan.html
    XCP Trunking: https://xcp-ng.org/docs/guides.html#vlan-trunking-in-a-vm
    Now time to get this VLAN routing set up..
  • no freq scaling according to dev.cpu
    0 Votes, 3 Posts, 501 Views
    stephenw10
    Yeah, you need to enable powerd to see the SpeedStep freqs used. Though in reality modern CPUs don't save much by using P-states. The savings from C-states are much larger in my experience. It all helps though. Steve
  • How to use pfSense SSL filtering with Mikrotik
    0 Votes, 2 Posts, 258 Views
    stephenw10
    No. Adding the CA cert to the Mikrotik would allow connection from the Mikrotik itself but would not do anything for connections from phones (or other hosts) behind it. It would only help if the clients are already using the Mikrotik to proxy traffic. Steve
  • Sending and Receiving emails...
    0 Votes, 27 Posts, 3k Views
    Gertjan
    @raviktiwari said in Sending and Receiving emails...: As soon as I open the ports, scammers get excited and they start hitting my server and because the port is opened pfSense ...
    That's totally normal. If you have to serve port Xx, you'll be needing a server type application that you should (totally) trust; it should be set up to 'listen' on that port, and that port should be reachable by the public that could have to use that port Xx. This actually means that anybody on planet earth can connect to 'your' server. (People tend to use firewalls on server type devices to lock down non-served ports. Think about this for a minute or so. If you're laughing right now, then ok, perfect. You got it. A firewall on a server is ... quite useless. There is no reason to 'close' non-served ports, because they are black holes by nature. This reasoning is valid if the admin admins his server. That is: that he controls what executes, and when, on his server, and how it is executed. When he loses control, well, the first thing that would fall is the firewall, so start with not using a firewall on a server => one thing less to 'admin' ;) and one thing less to mess up.)
    Like Apache2, nginx will be listening on port 80 and/or 443. postfix will be listening on 25 TCP and probably also 465 TCP and 587 TCP (now being phased out). postfix will show / produce huge logs daily ****, filled up with connection attempts from 'other' devices on the Internet connecting to your IP:port to try to 'dump' their rubbish. That's normal, and you should consider it as simple background noise.
    Important to know: postfix, as the world's most used mail server, is pretty darn good at taking care of the real mails 'for you' and discarding the rest. But: postfix is as good as the admin maintaining it. The setup of a postfix server is ..... huge. And, IMHO, it's totally impossible to encapsulate the settings with some sort of GUI like VirtualMin or others. You have to master, with your head, the master.cf and main.cf files. This is my opinion of course, as I needed a multi domain, multi IPv4, multi IPv6 setup with added IMAP/POP mailbox support. It should work with Outlook Express (back then), all Thunderbird versions, up to the latest "Office 365".
    For me, it all started here (I guess): http://www.postfix.org/SMTPD_ACCESS_README.html
    This is gold: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt and is still actual as of today!!
    A firewall can't help you here "with some rules". ***
    What really helps to get out the 'door knockers' is a tool like fail2ban. It parses the postfix logs, searches for known (non accepted by postfix) incoming connections, and if they repeat themselves, or come back too often, the firewall gets loaded with a block rule for that IP. See it here in action. fail2ban also parses ssh logs, web server logs, teamspeak logs, etc., and acts if it finds something suspect.
    *** Most traffic, even mail traffic, is SSL encoded, so a firewall hasn't even access to the payload; it would see the source IP, and that's it.
    **** You'll meet up with logrotate for log file management.
    edit: sorry for losing the subject.
    edit 2: I'm not running postfix on or after pfSense, of course (@work). ISP lines are mostly a big mega f*ck to host mail servers, as they are listed as such. It's a typical VPS usage, or what I use: a pair of https://www.ovh.com/ca/en/dedicated-servers/ which includes all the IPs needed, and, hopefully I never need it: a huge DDoS protection, on a naked (no GUI) Debian 9/10 install. When you start to run postfix yourself, bind (named) will follow as a master DNS server for your domains, and a web server will follow. Some Squirrel (old ... I know)/Roundcube instances, a MariaDB (ex. MySQL) for housekeeping etc etc.
    Btw: the "rocket science" used by the big ones has nothing to do with what I / you do. They will not tell how they do it, for (logical) security issues. But the biggest English/German/Belgian/French/Spanish ISPs did this: they took a copy of postfix, as it is 'free ware' (somewhat), and adapted it so it scales up on a pure madness level. They were using qmail back then .... they all paid the price. And no, no 'Exchange' for them.
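    The fail2ban mechanism Gertjan describes above (parse the postfix log, count repeated rejects per source IP, push a block rule into the firewall), as an added example that is not code from the post, from fail2ban or from pfSense. The log lines are constructed, the maxretry/findtime thresholds, the ignore list and the pf table name f2b-postfix are assumptions, and the output is the pfctl table command a pf-based firewall could run rather than a rule applied here.

```python
"""Added example: a minimal fail2ban-style filter for postfix smtpd rejects.

Not code from the forum post or from fail2ban. The log lines are constructed,
and the thresholds and the pf table name f2b-postfix are assumptions."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of a mail log: one host hammering RCPT with relay
# attempts, one legitimate host with a single greylist-style 450, one
# local reject that an ignore list must skip, and a late repeat.
SAMPLE_LOG = """\
Jul 24 22:10:01 mx postfix/smtpd[1234]: connect from unknown[203.0.113.7]
Jul 24 22:10:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <x@example.net>: Relay access denied; from=<a@b.test> to=<x@example.net> proto=ESMTP helo=<mail>
Jul 24 22:10:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <y@example.net>: Relay access denied; from=<a@b.test> to=<y@example.net> proto=ESMTP helo=<mail>
Jul 24 22:10:09 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <z@example.net>: Relay access denied; from=<a@b.test> to=<z@example.net> proto=ESMTP helo=<mail>
Jul 24 22:11:00 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.9]: 450 4.7.1 <u@mydomain.test>: Recipient address rejected: Greylisted; from=<p@example.org> to=<u@mydomain.test> proto=ESMTP helo=<mail.example.org>
Jul 24 22:12:00 mx postfix/smtpd[1250]: 4AB12C: client=mail.example.org[198.51.100.9]
Jul 24 22:12:30 mx postfix/smtpd[1260]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <w@example.net>: Relay access denied; from=<a@b.test> to=<w@example.net> proto=ESMTP helo=<mail>
Jul 25 01:30:00 mx postfix/smtpd[1300]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <q@example.net>: Relay access denied; from=<a@b.test> to=<q@example.net> proto=ESMTP helo=<mail>
"""

# Only "reject:" lines count as door knocking; accepted mail and plain
# connects are ignored, the way a fail2ban failregex would. postfix writes
# IPv6 peers as [IPv6:addr], so that prefix is tolerated.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S*?\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]"
)

# Assumed equivalent of fail2ban's ignoreip: never ban ourselves or RFC1918 hosts.
IGNORE = ["127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def parse_ts(ts, year=2020):
    """Syslog timestamps carry no year; one is assumed so lines can be ordered."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=3, findtime=600, ignore=IGNORE):
    """Return [(ip, time)] for every IP rejected maxretry times within
    findtime seconds (fail2ban's maxretry/findtime). Hits are forgotten
    once they age out of the window, or once the IP has been banned."""
    ignore_nets = [ipaddress.ip_network(n) for n in ignore]
    hits = defaultdict(deque)
    bans = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in ignore_nets):
            continue
        t = parse_ts(m["ts"])
        window = hits[ip]
        window.append(t)
        while (t - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans.append((str(ip), t))
            window.clear()
    return bans


def pfctl_commands(bans, table="f2b-postfix"):
    """The ban action for pf: add the IP to a table that a
    'block in quick from <f2b-postfix>' rule references (table name assumed)."""
    return [f"pfctl -t {table} -T add {ip}" for ip, _ in bans]


if __name__ == "__main__":
    for cmd in pfctl_commands(find_bans(SAMPLE_LOG)):
        print(cmd)
```

    With the sample above only 203.0.113.7 crosses the threshold (three rejects inside ten minutes); the greylisted host and the loopback reject do not, and the repeat the next day starts a fresh count because the earlier hits aged out of the window.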
  • Virtualbox question about isolating the WAN interface
    0 Votes, 3 Posts, 414 Views
    B
    In Linux (Mint) I set both IPv4 and IPv6 to nothing for WAN. Now Linux doesn't get any WAN traffic; it goes to pfSense first and comes back to LAN. This works but I think I'm creating a mess.
  • Why can't I reach devices in an IPsec network from another IPsec network?
    0 Votes, 2 Posts, 435 Views
    stephenw10
    With policy based IPsec you will need phase 2 policies that carry the traffic he is sending, and you probably don't have them right now. For example, if his subnet is 10.130.100.0/24 he probably has a P2 on his tunnel that is:
    10.130.100.0/24 to 10.128.0.0/16
    That will grab any traffic coming from his local subnet destined for your office networks and send it over the tunnel. But if he tries to access another remote site, say 10.130.200.0/24, that traffic will be ignored as it's not covered by the policy.
    To connect between spokes in a hub and spoke design like that you need P2 policies on each tunnel to carry it. So for that example the remote worker would need a P2 on his tunnel:
    10.130.100.0/24 to 10.130.200.0/24
    And the remote site he'd be connecting to would need:
    10.130.200.0/24 to 10.130.100.0/24
    That escalates quickly if you need to connect between a lot of sites. It's much easier if you have a route based VPN like OpenVPN or VTI (route based IPsec). But that would require changing all the tunnels.
    You could proxy the traffic on your office network somehow so his traffic appears to be coming from there. You could set up an OpenVPN server for this one worker (or more remote support staff). If you choose a tunnel subnet that is inside 10.128.0.0/16 then the existing IPsec tunnels will already carry that traffic. Steve
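    The phase 2 selector logic from the reply above, as an added example that is not code from the post or from pfSense: it checks whether a given packet is grabbed by any P2 selector on a policy-based tunnel, works out which (local, remote) entries each spoke's tunnel is missing for spoke-to-spoke traffic, and shows why a full mesh needs n*(n-1) selectors. The subnets are the ones in the post; the tunnel names and the third spoke 10.130.201.0/24 are assumptions.

```python
"""Added example: checking policy-based IPsec phase 2 selectors.

Not from the forum post or from pfSense. Subnets are the ones in the post;
the tunnel names and the third spoke (10.130.201.0/24) are assumptions."""
import ipaddress
from itertools import permutations

# Each spoke tunnel: its local subnet and the P2 selectors (local, remote)
# it carries today. All three only reach the hub's 10.128.0.0/16.
SPOKES = {
    "remote-worker": {"local": "10.130.100.0/24",
                      "p2": [("10.130.100.0/24", "10.128.0.0/16")]},
    "branch-200":    {"local": "10.130.200.0/24",
                      "p2": [("10.130.200.0/24", "10.128.0.0/16")]},
    "branch-201":    {"local": "10.130.201.0/24",
                      "p2": [("10.130.201.0/24", "10.128.0.0/16")]},
}


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=True)


def p2_covers(p2_list, src, dst):
    """True if some selector grabs a src->dst packet, i.e. it is sent over
    the tunnel; otherwise the policy ignores it and it goes out plain/nowhere."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in _net(loc) and d in _net(rem) for loc, rem in p2_list)


def _selector_covered(p2_list, local, remote):
    """True if an existing selector already includes the whole local->remote pair."""
    l, r = _net(local), _net(remote)
    return any(l.subnet_of(_net(pl)) and r.subnet_of(_net(pr)) for pl, pr in p2_list)


def spoke_to_spoke_p2s(spokes, a, b):
    """P2 entries to add so spokes a and b can reach each other. Traffic has
    to be carried in both directions, so each side's tunnel needs its own
    (local, remote) selector unless one already covers it."""
    needed = {}
    for x, y in ((a, b), (b, a)):
        lx, ly = spokes[x]["local"], spokes[y]["local"]
        if not _selector_covered(spokes[x]["p2"], lx, ly):
            needed.setdefault(x, []).append((lx, ly))
    return needed


def full_mesh_p2s(spokes):
    """All entries needed for every spoke pair: n*(n-1) selectors for n
    spokes, which is why the post says this escalates quickly."""
    needed = {}
    for a, b in permutations(spokes, 2):
        for name, entries in spoke_to_spoke_p2s(spokes, a, b).items():
            for entry in entries:
                if entry not in needed.setdefault(name, []):
                    needed[name].append(entry)
    return needed


if __name__ == "__main__":
    worker = SPOKES["remote-worker"]["p2"]
    print(p2_covers(worker, "10.130.100.5", "10.128.1.10"))   # to the hub: carried
    print(p2_covers(worker, "10.130.100.5", "10.130.200.7"))  # to another spoke: ignored
    # An OpenVPN tunnel subnet chosen inside 10.128.0.0/16 is already carried
    # by the existing selector, which is the workaround the post ends with.
    print(p2_covers(worker, "10.130.100.5", "10.128.50.2"))
    print(spoke_to_spoke_p2s(SPOKES, "remote-worker", "branch-200"))
    print(sum(len(v) for v in full_mesh_p2s(SPOKES).values()))
```

    The last call in the usage section is the practical check before committing to spoke-to-spoke P2 entries: with three spokes the mesh already needs six selectors, and once those are added a second run of full_mesh_p2s reports nothing missing.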
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.