• OpenVPN tun mode with LAN IP

    7
    0 Votes
    7 Posts
    984 Views
    V
    @ashima said in OpenVPN tun mode with LAN IP: Are there any security caveats in doing so? The rule as suggested above led the server to believe that the access is coming from within its subnet, exactly from pfSense, and it works only if the source is one of your VPN clients and if you additionally specified the destination port, only for that one application. So if you say your VPN clients should have access to it anyway, there are no security drawbacks. You may also further restrict access by a firewall rule.
  • Network Basics (15 min Video)

    1
    0 Votes
    1 Posts
    122 Views
    No one has replied
  • System Alerts

    1
    0 Votes
    1 Posts
    334 Views
    No one has replied
  • NGINX redirect

    6
    0 Votes
    6 Posts
    536 Views
    johnpoz
    When you add a domain override to some internal NS that is going to return rfc1918 space, you will need to either turn off rebind protection completely or set up whatever domain you overrode as a private domain. Or you are not going to get any responses because of rebind protection. https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html
    As to your host override: it would need to be fully qualified. If you put in www.example.com, where www is the host and example.com is the domain, and then an alias for mail.example.com, if you resolve ftp.example.com it wouldn't resolve to your override. You cannot do wildcards in the GUI; if you want a wildcard you need to do it in the options box on the resolver GUI:
        server:
        local-zone: "example.com" redirect
        local-data: "example.com 86400 IN A 192.168.1.54"
    https://docs.netgate.com/pfsense/en/latest/services/dns/wildcards.html
  • Device Reboot, Not a Kernel Panic

    18
    0 Votes
    18 Posts
    1k Views
    B
    @bmeeks I'm with you, I think the IP spam and the reboot are not related and there may have been a temporary misconfiguration. The M.2 drive I installed two weeks ago could have faulted and it's just a coincidence both of these anomalies occurred at the same time. I'm not sure there's much that can be done at this point unless the issue returns in the same facet.
  • Automatic VLAN assignment

    2
    0 Votes
    2 Posts
    355 Views
    H
    @sr10977 said in Automatic VLAN assignment: Where do I start? I guess by redesigning your network? Unless I'm misunderstanding something, of course.
  • How to set up PfSense to home switch, and to cyber lab switch

    5
    0 Votes
    5 Posts
    1k Views
    5
    I would like to get the practice with the Cisco switch, in a kind of enterprise environment. I do want the lab to be able to reach the internet for updates and downloads and such but don’t want the lab to be able to reach any other networks. I currently have 4 VLANs on the PfSense, through the Ubiquiti switch: one VLAN for my stuff, one for IoT stuff, one for the kids and one other. I may set up VLANs on the Cisco switch as I will have some VMs on the servers in the home lab: one Kali machine, one Metasploitable machine, one for a SIEM, and probably a Windows server and Ubuntu server. I will want to set up one for Active Directory as well. I basically want the lab to be its own network, with internet access through the PfSense box.
  • Cron Job MAIL - Status 0x0001

    8
    0 Votes
    8 Posts
    1k Views
    stephenw10
    You could try running that cronjob manually without the '&' and see what output it gives you.
  • Iperf on Wan poor performance

    2
    0 Votes
    2 Posts
    407 Views
    kiokoman
    You should test from one device on the WAN to one device on the LAN (and vice versa) and not to pfSense. pfSense is a firewall/router and not optimized to work as a client.
    system/advanced/networking
    Disable hardware checksum offload
    Disable hardware TCP segmentation offload
    Disable Hardware Large Receive Offloading
    Reboot and try again.
    Any additional package like ntopng / darkstat / suricata / snort?
  • Troubleshooting connection timeouts

    4
    0 Votes
    4 Posts
    648 Views
    E
    We deactivated all VLANs, also pfBlocker. Still sometimes websites timeout. During this timeout the client is still able to ping the website, also other websites work just fine. After some minutes everything starts responding again. Most of the time this happens if multiple pupils connect to the same website - in that case it seems that also more clients are affected by this misbehavior. I know, it's hard to troubleshoot this kind of problem, but help would really be appreciated. Where can I look next, what tests would you propose to narrow down the problem? Thank you again, elko_sc
  • NFS over OpenVPN

    2
    0 Votes
    2 Posts
    211 Views
    kiokoman
        kiokoman@nanto:/$ sudo mount -t nfs -o user=laboratorio 172.16.0.100:/tftp /mnt
        kiokoman@nanto:/$ ls /mnt
        ldlinux.c32 menu.c32
    I would say nothing special is needed, but we don't know what you have configured, maybe firewall rules. I see port tcp/udp 111 and 2049 on my server.
  • pfsense reboots randomly not sure how to read this error log

    4
    0 Votes
    4 Posts
    707 Views
    S
    @kiokoman Thank you for the reply. The bxe1 is not being used, only bxe0 for my fibre connection. ix0 is a straight 10gb connection to my PC...
  • do /home/$USER/** changes persist across reboots?

    6
    0 Votes
    6 Posts
    618 Views
    M
    For the next guy/gal: to retain (the illusion of) bash as the login shell across reboots, I did the following: I installed the shellcmd package via the webui. I added the following "command line" as a "shellcmd":
        test -x /usr/local/bin/bash && for u in root nu; do chsh -s /usr/local/bin/bash $u; done
    I don't touch the default shells /bin/sh and /bin/tcsh. I think the one-liner above is executed by /bin/sh, which is very similar to bash (except for differences, which I've never memorized). The one-liner is tested (I did a reboot).
    According to the documentation, I could have created something like /usr/local/etc/rc.d/bash-again.sh, made it executable and it would execute on boot. I'm pretty sure I'll go there next, since I want to re-establish other things on boot. In particular, I dislike that ~{root,nu}/.profile seems to be overwritten on startup. I'll be reverting my changes back, ty very much.
    If this reads a little hacky to you, well, yes, yes it is. Being new to pfsense, I guess there are some good reasons (control, repeatability) to change the login scripts. I realize this is a "router appliance" first and a FreeBSD box second, regardless of my insistence to make it more like the latter. But it also surprised the heck out of me. So indulge the noob for talking out of school and bloviating about his hopes and dreams.
  • pfsense in vmware

    4
    0 Votes
    4 Posts
    553 Views
    M
    Thanks will check
  • Viber cannot make Group calls pfsense is blocking it

    1
    0 Votes
    1 Posts
    337 Views
    No one has replied
  • Error message in System log

    3
    0 Votes
    3 Posts
    487 Views
    S
    @kiokoman said in Error message in System log: ip address of network? Is it a public IP? There is no reason to hide a private address anyway. Ignore it as it's harmless. It's basically saying "I can't remove that address from the ARP table because it isn't in the ARP table".
    It’s a private IP address, was just being careful. If the error message means nothing bad I can live with seeing it in the logs.
  • Hostnames don't resolve without local domain

    13
    0 Votes
    13 Posts
    4k Views
    stephenw10
    @johnpoz Ha, that took a while.
  • Traffic graph 100mb limit?

    7
    0 Votes
    7 Posts
    772 Views
    W
    @johnpoz 2.4.5 sp1. Thank you
  • Issues with SSL LDAP and multiple authentication servers

    3
    0 Votes
    3 Posts
    417 Views
    G
    Thanks, @stephenw10 Yes, we are planning the upgrade to 2.4.5 but will take some more days as we need to get a downtime approved from our users.
  • pfSense is slowing down my internet

    9
    0 Votes
    9 Posts
    1k Views
    B
    I've tested again, here are my stats. 1GB down @ Comcrap. I'm happy with this throughput considering suricata/extensive pfblocker lists.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.