• pfsense backup

    0 Votes
    2 Posts
    167 Views
    Diagnostics > Backup & Restore > Download configuration as XML
  • 0 Votes
    21 Posts
    3k Views
    stephenw10
    It looks like you have something configured using 192.168/16 somewhere that is conflicting. It's not in the routing table though. I would open your config file and search it for 192.168 and see what pops out at this point. There will be a lot of entries since you're using that for LAN. Steve
  • User account - need permission to run scripts via SSH

    0 Votes
    15 Posts
    2k Views
    JKnott
    @tkohhh said in User account - need permission to run scripts via SSH: why is logging on as root considered insecure? Root has absolute power and can do a lot of damage. Mere mortals cannot damage anything out of their own area. If you only have local access and no one else can log in with the root ID, then you're okay. One common practice is to require those with root access to log in with their own ID, then su to root. This creates a log entry to show who assumed root access. Of course, never allow root login via anywhere beyond the local LAN. If I want to connect remotely, then I have to first connect to my main system and then connect to my firewall from there. You can also enable passwordless connections, which use a public/private key pair, to ensure connections only from that one computer.
  • Eventual TFTP failure - "couldn't forward tftp packet: Permission denied"

    0 Votes
    8 Posts
    1k Views
    @stephenw10 Good call - I'll start here next time pfsense is in this state and see if those requests are making it out of the firewall. I ended up rebooting pfsense last night and everything came back up fully functional. I have no doubt this situation will happen again, and I usually have a chunk of time to mess around with it. If this indeed only happens during a power outage or loss of provider, I can at least know to reboot the system when the automated alerts tell me things have come back up - that alone is a big win. I can't confirm as I didn't think to check the uptime in the past, but it seems as good a theory as any right now. I'll keep an eye on this post for any new comments, and I truly appreciate everyone's time and assistance in helping me resolve this issue.
  • Diagnosing can't ping out

    0 Votes
    6 Posts
    533 Views
    Derelict
    What happened? How could I have diagnosed further before resorting to a reboot? Probably packet captures to see what was actually going out WAN. Evaluating the routing table to see what the state of the network was at the time.
  • WAN1<>LAN1, WAN2<>LAN2, no cross traffic allowed

    0 Votes
    3 Posts
    431 Views
    stephenw10
    Yes, this should be two IPs. Two interfaces in the same subnet is not valid. If you really want them completely separate and it's running in ESXi then you could just use two pfSense VMs. Though I notice you have the firewall labelled as "pfSense LB", is it running as a load-balancer? Steve
  • Plex issue with having 2 Wans

    0 Votes
    2 Posts
    247 Views
    stephenw10
    Yes, you can just set a pass firewall rule for the Plex device as source above the load-balancing rule and specify a single gateway. You should not have to though. The port forward coming in is independent of the load-balancing of outbound connections. It might be affected if the Plex detects the external IP and advertises that somewhere. Steve
  • Possible to modify rule based on a schedule?

    0 Votes
    2 Posts
    272 Views
    stephenw10
    You can put a schedule on a firewall rule: https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-schedules.html But that would require scheduling it enabled too and it doesn't sound like that would fit your usage. You might be able to just set the rule as disabled using a php shell command/script. Then call that from a cronjob. https://docs.netgate.com/pfsense/en/latest/development/using-the-php-pfsense-shell.html Steve
  • Blocking Access to Another VLAN but Allow Internet Access

    0 Votes
    5 Posts
    481 Views
    Where are you testing from? Because I'm not seeing hits on any of those rules. The first thing I would do is re-verify that your access ports are in the correct VLAN. Then, if you only want MUSTERI to access WDSPAYLASIM and nothing else, then remove everything you have and configure an explicit pass rule for: Source = MUSTERI net Destination = WDSPAYLASIM net and be done. Everything else will get blocked by the implicit deny.
  • An unsettling outage

    0 Votes
    6 Posts
    705 Views
    @JKnott - Thanks. I will check to be sure the coax is still grounded and that my modem power supply hasn't gone wonky.
  • how to access a dmz servers from LAN?

    0 Votes
    15 Posts
    3k Views
    johnpoz
    @stephenw10 said in how to access a dmz servers from LAN?: Er I think there's some confusion here Yeah for sure!!!! Whoever put up that drawing has ZERO!!! understanding of how networking works.. if that is some teacher??? Then just shoot me!!! Our future is failed - we should just give up.. I really do not get how that could be any sort of class - there is zero possible how that someone that is a teacher of networking could put up such a drawing.. If so we are just failed!!!! WTF???? Really - if someone put that up as some sort of test, other than what is F'ing wrong with this drawing... We are all in serious trouble for the future!!!
  • PPOE Not working

    0 Votes
    8 Posts
    772 Views
    stephenw10
    Assign the parent NIC as a new interface. Enable it, spoof the MAC, leave the IP types set as none.
  • (SOLVED) Unable to connect to public SAMBA server

    0 Votes
    3 Posts
    417 Views
    @johnpoz Thanks for answering. Just a couple of minutes ago I checked with my ISP and it seems they have an option to request unlocking this port. I didn't expect this, as in the past they blocked only port 25. I expect it was this after all.
  • Port Forwarding between two gateways

    0 Votes
    4 Posts
    443 Views
    johnpoz
    What would have been creating a source port 0 traffic? That is borked!
  • Please anyone explain process How router and proxy server run Pfsense?

    0 Votes
    2 Posts
    223 Views
    johnpoz
    I think maybe you would have better discussion in your native language section.. Proxy is just an application/service just like any other be it dhcp, dns, ssh, httpd... it listens on an IP, and then does something with something that talks to it on the port it's listening on.. Proxy normally listens on 3128... So client can directly send traffic to the proxy. Or you can do transparent mode where firewall listens for traffic on say port 80, and then sends it to the proxy port.. Pfsense is not a hardware firewall/router running a very limited IOS sort of OS, like a cisco or juniper or something... It is customized version of freebsd OS, to be easy to use/manage firewall/router - and yes it can provide other services like IDS, dns, dhcp, Proxy, etc.
  • Does cloning pfsense from Intel to ARM system work?

    0 Votes
    4 Posts
    408 Views
    stephenw10
    Editing the config is what I would do there. But I have edited a large number of configs as you might imagine. You need to include the <switches> and <vlans> sections from the 1100 config in the imported 4860 config as well as renaming the interfaces. Steve
  • 0 Votes
    6 Posts
    688 Views
    stephenw10
    Set up a site-to-site OpenVPN connection. Assign the interfaces so that you get reply-to and route-to functionality. Make sure firewall rules that pass the traffic are on the assigned interfaces and NOT on the main OpenVPN tab. If it's passed on the main tab it does not get tagged reply-to. Add the port forward on the WAN at site A to the LAN IP at site B. High-5 whoever might be next to you! Steve
  • PFsense SG3100 & Actiontec DSL modem with transparent bridging

    0 Votes
    5 Posts
    528 Views
    RedDelPaPa
    @stephenw10 currently I only have a need for one public ip at the moment. I honestly don’t foresee needing other workstations on my network to have public IP addresses.
  • Ethernet LAN freezing when saving captive portal configuration

    0 Votes
    9 Posts
    814 Views
    stephenw10
    The config is different? Or are you actually restoring the config onto both machines? I would bet it's different. Steve
  • how to use PHP shell with static route add

    pfssh.php
    0 Votes
    2 Posts
    586 Views
    stephenw10
    You probably need some include files there for the functions involved.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.