  • Running additional internet applications on pfsense

    8
    0 Votes
    8 Posts
    1k Views
    stephenw10
    There's no 100% safe way to do this, whatever you choose to run is untested and might have introduced issues. Only you will be able to test and fix that. Installing pkgs from other repos may replace a package we modify for pfSense with unexpected results. If you really have to do this the safest way is probably to use bhyve. Otherwise run pfSense and whatever else you need both as VMs in some other hypervisor. Steve
  • Setting up a block of static IPs from ISP

    2
    0 Votes
    2 Posts
    217 Views
    stephenw10
    Unless the ISP is routing the complete subnet to you, via some other IP, it's better to use individual VIPs. Port forwarding is not necessarily any safer. By default it will add a linked firewall rule to pass the traffic defined in the forward. 1:1 NAT rules do not, you need to add firewall rules for the ports you need. So add only one port and the result is similar. 1:1 NAT also NATs traffic from the target outbound so if you need that internal host to appear to use that public IP for connection it initiates it can be the better option. You can also do that with a manual outbound NAT rule + a port forward. Steve
  • Running both pfsense and unms on one machine

    6
    0 Votes
    6 Posts
    1k Views
    stephenw10
    Two main reasons besides simply; java : You are increasing the attack surface of the firewall by running whatever that is you're running. Almost nobody else will be running that so any cracks it opens will be yours to find and fix. That is not hosted on our repo so to install it you will be pulling packages from the main FreeBSD repo or worse some unknown 3rd party repo. Those may overwrite default packages with unintended consequences. Will it upgrade to a new pfSense version? Who knows it will be completely untested. As you say it's FreeBSD so you probably can do that but I wouldn't unless there was really no alternative. And there are alternatives. Steve
  • Download pfsense 2.4.3 p1

    9
    0 Votes
    9 Posts
    791 Views
    F
    It took a while, but I managed to make freeradius work, thank you all.
  • How to block netflix

    13
    0 Votes
    13 Posts
    5k Views
    S
    Netflix has asn of 2906 40029 55059 136292 and so on you can find it in .. then after that you can do the needed for that
  • Traffic Totals - 404

    8
    0 Votes
    8 Posts
    784 Views
    JKnott
    @johnpoz Given the steps required to install it, there's no way it could have been accidental and it's also not the first time it happened. There was another package that I hadn't installed for my UPS, IIRC. I also posted about that here.
  • pfSense 2.5.0 development status ???

    3
    0 Votes
    3 Posts
    1k Views
    D
    Thank you. So many open items. Is it safe to assume that a production release will not be coming within the next six months?
  • Make Netgate XG-7100 and Cisco Mobility Express work together on 2nd WLAN

    Moved
    18
    0 Votes
    18 Posts
    1k Views
    N
    I must apologize to everyone who replied to this thread for being absent. The XG-7100 just stopped responding via web on all interfaces one Sunday and I just had to take care of that issue first before proceeding to this thread. FYI, the XG-7100 was throwing filesystem full messages via console and everything slowed down to a crawl. I was able to do a reset to factory, restore from backup and all is well again but under observation. This is for another thread. Yes, the XG-7100 is connected to Unmanagedswitch1 via LAN (port2). Okay, I'll try that switch config in a bit and report back. Thanks for moving this to the proper area, Steve.
  • Fresh Install Allows All Traffic

    4
    0 Votes
    4 Posts
    337 Views
    M
    The short answer is yes, although, more specifically... on a fresh install, pfSense allows all outbound traffic sourced from the subnet assigned to the LAN interface by default. However, there's an implicit deny on all OPT interfaces until firewall rules are added.
  • What IP is using all my WAN bandwidth

    5
    0 Votes
    5 Posts
    426 Views
    johnpoz
    Darkstat package might be better for you wanting to track something down that is happening now. You can turn it on and off easy enough.
  • Redmine Data Issue

    3
    0 Votes
    3 Posts
    422 Views
    ?
    Thanks for the clarification and updating the target version. I thought I had included the issue number in the clip but missed it. I was not as focused on this particular issue, but more generally.
  • Unnecessary rules

    3
    0 Votes
    3 Posts
    401 Views
    jimp
    As @stephenw10 mentioned, using Reject internally is one good reason, but there are also other reasons someone might want explicit block/reject rules, such as:
    - To fine-tune which blocked traffic gets logged / not logged
    - In combination with policy routing rules and the "Skip rules when gateway is down" option so that policy routed traffic will fall through to specific block rules if a gateway is offline
    - To make the ruleset easier to read for less experienced admins who are not familiar with the default block behavior
  • Exporting LetsEncrypt Certificates in Automated mode.

    3
    0 Votes
    3 Posts
    920 Views
    S
    @stephenw10 Thank you very much for guiding me. Steve Best Regards. SMR
  • Deny dhcp lease and lan access to unknown and unwanted devices

    9
    0 Votes
    9 Posts
    714 Views
    T
    I've done this using a self-made captive portal page, but thanks anyway for your hints.
  • Central Configurations

    1
    0 Votes
    1 Posts
    173 Views
    No one has replied
  • Fresh install internet access issue

    15
    0 Votes
    15 Posts
    650 Views
    stephenw10
    That looks to be working fine, it pulls an IP and then renews it every hour. Was it not working at that point?
  • Why is file sharing not recommended on a pfSense box?

    samba nfs iscsi nas storage
    8
    0 Votes
    8 Posts
    3k Views
    provels
    pfSense is also an enterprise-capable firewall. I don't think you'd want to bet your real business on a Linksys or Asus from Walmart. Looking at it this way, you are getting enterprise-level performance and security for your home net at no required expense except what it takes to learn to manage it. Of course, being open source, you can always get creative and roll your own: https://github.com/pfsense/
  • Netflow Data from PPPoE Server

    1
    0 Votes
    1 Posts
    122 Views
    No one has replied
  • Solved : how to add service name in pppoe server

    14
    1 Votes
    14 Posts
    3k Views
    L
    Hi, Sagardawa! I do not mean to bother you but the files you uploaded seem to be removed. I am now trying to settle my PPPoE server with a service name so that the clients would not connect to the undesired server. Could you kindly send the files again?
  • Interface with my AP cuts out regularly

    24
    0 Votes
    24 Posts
    2k Views
    Derelict
    Right but it will be limited to "converting" the media on the other side, which is 1Gbit fiber. Not the same thing. If you want the same thing, use a switch to "convert" from fiber to copper.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.