@stephenw10, that sounds like it may be the problem. I have the LAGG bridged with the WLAN. I'm going to try and set the bridge's MAC to whatever it happens to be right now and see if that resolves the issue. Thanks for the insight. Best, Chuck

Thanks all for your input. Very helpful. I forgot for a moment that this is enterprise class software/hardware that I am using at home/small business. That being said, @johnpoz your at home case makes a lot of sense too! I followed another post with some PHP that should check and email me about updates (albeit is not working yet - weekend troubleshooting). Will use that and not auto update. Appreciate the education!

Yes indeed... very impressed with HAProxy in pfsense.. My only slight complaint, is that I would like to use a port alias to simplify my configurations but it seems HAProxy doesn't currently support that. So for a web site hosting 80 and 443 connections I need to duplicate everything once for port 80 and once for port 443.

Not sure where you got that idea.. Look again on ISE https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/compatibility/b_ise_sdt_26.html?referring_site=RE&pos=2&page=https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/compatibility/ise_sdt.html Cisco Identity Services Engine Network Component Compatibility, Release 2.6 Again what is the scope of devices your wanting to auth?

yet nobody reported it ;) Its gone now..

@johnpoz Actually, I do. I am using the unbound DNS Resolver with forwarding mode. I got that after you pointed out my mistake and some digging. Look. I am thankful for the help. I really am, but please do not be aggressive. There are some noobs like me who try to understand things by making mistakes and learning from them. We all start from scratch, isn't it?

@zanahoria13 said in Help with simple configuration: How can I set routing from NAT subnet to the internet without hitting home network with the outgoing and incoming traffic? You don't want to set a route for that. Instead set a block firewall rule on that interface in pfSense above any pass rules to deny access to the WAN subnet. That way clients will only be able to access either public IPs or other local subnets. You can also simply omit a pass rule for it. Steve

@johnpoz Thanks for responding. I was inquiring about MFA and not just 2FA. The admin password is secure and not the default or some variation of P@55w0rd. Switch ports on the Cisco switches are protected and therefore plugging in the laptop won't give necessary access. More than anything, I was just curious about pfSense & it's support for MFA/2FA. Thanks -r

You have two sites with two public IPs right? You can only have one VM at each so if you need pfSense to accept traffic on the IP the server is using currently it would easier to just put pfSense there and have it filter and forward requests to the other site where you can host the server. It's not a great option but it's the only way I could see it working realistically. Steve

Sadly it's my fault. I hit TEST on the Advanced>Notification screen but I never hit save... definitely works now when mail.php is called from the shell. I did start using Node RED as my email middleman with curl being called from pfSense... that also worked well. However, generic mail.php is obviously much simpler. This is the piece I'm trying to automate notifications for: https://forum.netgate.com/topic/118401/openvpn-server-notification-on-connect Thanks for the input, thread can be closed...

@patelsaheb said in access local server via wan ip: Is there any way that i can access wan ip from my local network Why would you need to do that, just access the local IP.. setup a host override to resolve whatever fqdn you want to the local IP vs doing nat reflection. If you insist on doing such nonsense - then you have to enable and setup nat reflection.

@Rico yes working fine. thank you.....

Your best bet is likely to open a ticket at https://go.netgate.com/

@stephenw10 I went ahead and checked the "disable hardware checksum offload" option, then rebooted the firewall. I was still unable to provision the phone after rebooting (phone never pulls the TFTP files) so I went ahead and reverted back to the original setting, then rebooted again. I think I may end up setting up a test FreePBX and PFsense box at my office to try and replicate the issue. At this point the client's phones are functioning; the only issue being I have to manually provision them (which really isnt a big deal since they only have a few phones).

Yeah I would put money on one of your neighbours having connected their router incorrectly and it's handing out 192.168.1.X IPs. Whoever is admin on that network should be looking for them with a big stick but... Steve

I also think that PGP signature for sums or ISO image are needed. It will also allow to verify locally the integrity and authenticity of install images, stored in the environment without access to the Internet. And I think that efforts required to implement this is not so high to discard this idea. Many users who put security at the forefront, will be grateful.

For some reason the lastpfSbackup file wasn't appearing for some units. Somehow it's working now. I was banging my head and now it's suddenly working. I did learn a bit about how it works in the process though and documented in my notes. If it comes back I have more information and I'll update this .