Yup that^. Pretty much no place for a 32bit appliance currently. Definitely not running pfSense. Steve

Ouch! Hard to see why that would have caused such problems for Unbound though whilst other traffic was passing. If it loses connection entirely Unbound might use significant CPU trying to connect, though that still looks high. If the card is failing though it could fail in interesting ways, almost anything could happen! Steve

@Vlee said in Locking down web browsing activities: @NollipfSense Thanks! You're welcome! Just so you know; you'll need to disable transparent proxy when you install pfBlockerNG-dev as they will conflict.

Adding a client machine to my test network generates some writes on my test installation, which confirms it is related to the existence of client machines. Since it's unlikely related to traffic (as most of that is logged in RAM), I guessed it maybe something related to DHCP leases. I used a modified version of the find command listed by BlueScreenOfTOM above to identify some files being written to, and it seems like /etc/hosts is being written to quite regularly. I looked at the contents and it seems to be related to the DHCP leases getting written to the /etc/hosts files I believe this is caused by "Register DHCP leases in the DNS Resolver" being selected in the DHCP server settings, so I have removed that for now. Given my hostname is not really legit, these are pretty much pointless anyway. So far, disabling that has reduced the writes to zero. [image: 1579884239319-6cf5ea10-5535-45c3-9d71-535d270fbd11-image.png] So perhaps the mystery is solved? :)

Ah, OK. Well since I can't replicate it in 2.4.4 it's probably something that has been fixed since 2.3.2 was released in 2016. You should upgrade for many reasons but an additional one is to retest this on that hardware/network in 2.4.4. Steve

Run a packet capture on the internal interface do you see the ping requests or replies there? Check the state table for open states using the .25 IP. Make sure you can ping out from the .25 IP in Diag > Ping. Steve

I followed the advice of bmeeks and have the VLAN routing done by pfSense. As my main goal was to ensure high throughput between my Server and domain joined clients (all on the same VLAN) and all of those devices are wired to the Netgear M4300-28G-PoE+ switch, the data is handled at L2 level by the switch and does therefore (to my understanding) not pass via the pfSense box. In the end, I also ditched the ISP Fritzbox because I didn't manage to get PPPoE passthrough working; my ISP gave me a fiber to ethernet converter instead. Everything has been working great ever since.

https://docs.netgate.com/pfsense/en/latest/install/upgrade-troubleshooting.html

Yep, right here (see attachment) under the Interfaces tab. [image: 1579800525307-screen-shot-2020-01-23-at-11.27.08-am.png] Your new LAN can either be an actual network port if you have an open port on your pfsense box, or it can be virtual (VLAN) if you want to do it that way. Then see here for some setup instructions for this new interface: https://docs.netgate.com/pfsense/en/latest/interfaces/interface-settings.html Jeff

I've couldn't detect what is not working, after upper comment the ISP installed additional router between pfsense and radiolink switch. Now we're using 176.xx IP for the WAN Interface. Thanks for all comments.

secondary [image: 1579702991761-screenshot-2020-01-22-at-14.16.18.png] [image: 1579702995562-screenshot-2020-01-22-at-14.16.45.png] [image: 1579703009108-screenshot-2020-01-22-at-14.16.52.png]

@johnpoz said in Creating a backup of /Root etc.: Why would you want to do this? Just back up the config, have some install media around... Worse case you install pfsense clean and restore you backup. You can just use the ACB as well https://docs.netgate.com/pfsense/en/latest/backup/autoconfigbackup.html @johnpoz thanks for the input - here's what I'm trying to accomplish. I have some custom stuff that I would like to backup to a flash drive and be able to restore without depending on the network or another computer (just the pfSense box). Most of it is in root, and I have also created a user CUSTOM which is under /home/custom - I hope that I won't have to use it, but just in case something gets lost I want a fallback. Also note that as it stands the backup plugin can not backup root (see note above) - I don't know if Netgate is the maintainer or if it is someone else. As for the autoconfigbackup, I would love to use it, but I would rather have it point to a box inside my firewall - call me paranoid, but I keep finding out that things we thought were secure, aren't because of error or improvements in hacking tools. If it is never in the cloud, then it can't get stolen from the cloud. @johnpoz as an aside ". Worse case you install pfsense clean and restore you backup." - I it was just the base pfSense, I would agree with you completely .... but what about a use case where there are a lot of plugins? How does one make sure none of them have changed since they were installed/disappeared from the plugin repo? I had a problems several years back where I couldn't get the config to restore properly without connectivity, and I couldn't get connectivity with a working pfSense. I think that some changes have been made since then, but it is so long ago all I can remember is that I had a very uncomfortable several hours trying to get things back up.

Yeah it's like I said you can bridge the VLAN the server is on to the WAN. So: Edit the server VLAN interface and set it to v4 type none. Create a new bridge in Intercaces > Assignments > Bridges and add the WAN and the server vlan interface to it. Set the server to be a dhcp client. Make sure you have firewall rules on the server VLAN interface to allow the dhcp client traffic. And any other traffic you may need. Be aware that rules use 'Server net' will no longer be valid since that interface no longer has an IP or subnet. Add rules to WAN to allow whatever traffic you need to reach the VoIP server. Steve

You may need a route to 10.233.2.0/24 if that is not accessible via the default route but only then. I assume you can access the pfSense webgui from 10.233.2.4? Otherwise you would only need those routes to establish connections over the VPN from the firewall itself rather than from hosts behind it. Your screenshot where you have 10.233.2.0/24 in the P2, which is required, shows 0 packets in or out on it but it also shows as established for 0 seconds. If you have that up, or both P2s there, and send traffic from either end do you see the packet counter increase in either direction? Steve

@jimp Thanks, fixed. [image: 1579540700839-annotation-2020-01-20-121352.png]

Hmm, well hard to say without more logs etc from the time. Unbound was not responding for some reason. Neither was any other DNS server configured for the system. Without anything in System > General that could only be servers handed to pfSense by the ISP via DHCP on WAN.

You're right. [image: 1579535662308-6743f69d-639a-4060-a514-af60c52ee008-image.png] Test : [image: 1579535697563-d0ba3ebe-8738-4385-ad29-69e89e3e05c5-image.png] which is correct.

@stephenw10 thank you works great (:

It's clearly maxing out something. You should definitely test over a wired connection first though you could just be seeing wifi issues. Steve