• Suggestions for linking two pfsense setups

    0 Votes
    64 Posts
    12k Views
    bingo600
    @MakOwner said in Suggestions for linking two pfsense setups:

    > So, I thought since I have sort of got this working well enough thanks to all your help, I'd share what I have done -- so far anyway. Thanks for all the help! I have had to revert to 2.4.4-p3 on both ends. 2.4.5 doesn't seem to play well at this point. Gateway monitoring seems to be the downfall for some reason. I'll wait for another update before trying again.

    Why does GW monitoring pose a problem? It's usually just a "ping of the GW".

    > DHCP servers are active with very limited ranges on each interface. The office interface's DHCP server handles the .30/24 on the link between buildings and provides the addresses for the management interfaces on the two switches. Each DHCP server is configured to serve addresses within a specified range and each /24 has a different range just for convenience. .10/24 uses .110-.120, .20/24 uses .120-.130, .30/24 uses .130-.140 for example. Not a single DHCP collision or bomb - yet, anyway. All active physical systems use static DHCP assignment outside the assignment range so that it becomes very obvious if anything goes south.

    Special way to "recognize" which DHCP server hands out the IP. But if it works for you ..... Once you trust DHCP, you could move to something more "default". I usually let my DHCP start at .129 .. 250 and use 25..125 for static assignments; (1..24) are for infrastructure like routers, switches etc.

    > I added the .30/24 interface of the opposite system as a gateway on each pfsense. I added static routes to .10/24 and .20/24 networks as appropriate.

    Great ... Do you understand why you have to do that now? Tell one pfSense how to "reach" a remote LAN on the "other".

    > On the .30/24 interface on each pfsense I added an any-to-any firewall rule.

    That is "fine", basically making the "connect net" transparent. You could fine tune that later, if ever needed. The .30/24 rules are like all other "normal" pfSense interface rules, "enter" rules: see it as: "this permitted traffic" is allowed to "enter" the pfSense box via "this interface"; everything not permitted is blocked, and will NOT enter the receiving pfSense box.

    > From there I began working on DNS. The DNS resolver in 2.4.4 doesn't quite behave as I expected.

    What is your issue? Still Unbound crashes? Did you try the service watchdog?

    > After DNS is working like I expect I'll move on to configuring the direct link.

    ??? Remember when making changes: back up pfSense configs often. Don't make 10 changes at the same time. All in all a nice exercise, you certainly got your hands dirty. Well done, especially for not giving up.

    /Bingo

    PS: If you ever want to "do it right", more flexibly, you should enable multi-VLAN on ALL your switches. That would give you the flexibility to make ANY switchport in any building a member of "ANY VLAN". I.e. a server in building-1 would be seen as a member of the building-2 LAN. But that would require that you are reading up on "tagging" on all your switches, including the old "access" switches you use. And start playing a little with VLANs & tagging before starting that up.
  • Unable to configure LDAPS to Samba Active Directory

    0 Votes
    7 Posts
    3k Views
    awebster
    @maxxer Check previous discussion about similar issue and how to troubleshoot here: https://forum.netgate.com/topic/145578/ldaps-ad-bind
  • How to prioritize traffic on a single interface over others?

    0 Votes
    66 Posts
    13k Views
    stephenw10
    Yes, unless you are saturating the connection you should not be seeing packet loss. Steve
  • Squid Proxy through VPN Client

    0 Votes
    15 Posts
    6k Views
    Just for the record, I've managed my case by placing static routes, as I only needed Cloudflare routed to the VPN. Why route Cloudflare? Extensive threats against my clients, abusing CL as a way to evade detection by filtering either country or VPNs.
  • suricata observation with hyperthreading enabled/disabled.

    1 Vote
    1 Post
    312 Views
    No one has replied
  • How to Secure my Web Server thorough pfSense

    0 Votes
    4 Posts
    717 Views
    stephenw10
    Yup. If you know who you need to allow access to, you could also use pfBlocker to generate GeoIP aliases, then allow access from only those you need. Or block access from lists of known bad actors etc. You might also consider running Snort/Suricata to check that traffic. That's quite a complex setup though, I would not add that immediately. Steve
  • Routing between Networks behind different WAN IPs

    0 Votes
    29 Posts
    2k Views
    stephenw10
    If you don't have a gateway defined in a rule, traffic will be routed according to the system routing table. That means it will go via the default gateway for an external destination, but for a local subnet, LAN2 here, it will be routed directly. You need a firewall rule on LAN1 that allows traffic from the LAN1 subnet to the server IP in LAN2 above the policy routing rule there. Steve
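    Steve's point above (a rule with a gateway set policy-routes the traffic, a rule without one leaves it to the system routing table, and rules are matched top down) and bingo600's static routes toward the other building via the .30/24 transit interface earlier on this page both come down to the same two lookups. The Python below is an added example, not code from the forum, from pfSense or from Netgate: it simulates first-match interface rule evaluation and longest-prefix routing for a constructed topology. The interface names (igb0-igb3), subnets, the server address 192.168.20.50, the transit peer 10.0.30.2 and the WAN gateway 203.0.113.1 are all assumptions made up for the example.

```python
"""Simulate pfSense interface rules (first match wins) and the difference
between policy routing (rule has a gateway) and the system routing table
(rule has no gateway). Added example; topology is constructed, not real."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: IPv4Net
    interface: str
    gateway: Optional[str] = None   # None means directly connected


@dataclass
class Rule:
    name: str
    src: IPv4Net
    dst: IPv4Net
    action: str = "pass"
    gateway: Optional[str] = None   # a gateway on the rule makes it a policy-routing rule


# Constructed example topology (assumption, not taken from the forum thread).
LAN1 = IPv4Net("192.168.10.0/24")
LAN2 = IPv4Net("192.168.20.0/24")
TRANSIT = IPv4Net("10.0.30.0/24")             # link between the two pfSense boxes
REMOTE_LANS = [IPv4Net("192.168.110.0/24"), IPv4Net("192.168.120.0/24")]
PEER_PFSENSE = "10.0.30.2"                     # other pfSense, transit-side address
WAN_GW = "203.0.113.1"
ANY = IPv4Net("0.0.0.0/0")

SYSTEM_ROUTES: List[Route] = [
    Route(LAN1, "igb1"),
    Route(LAN2, "igb2"),
    Route(TRANSIT, "igb3"),
    Route(ANY, "igb0", WAN_GW),                # default route
] + [Route(net, "igb3", PEER_PFSENSE) for net in REMOTE_LANS]   # static routes


def lookup_route(routes: List[Route], dst) -> Route:
    """Longest-prefix match, as the kernel routing table does."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def forward(rules: List[Rule], routes: List[Route], src: str, dst: str) -> Tuple:
    """Return (action, next_hop, how) for a new connection from src to dst on
    the interface whose rules are given. Rules are evaluated top down, first
    match wins; no match means the implicit default block."""
    src_a, dst_a = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in rules:
        if src_a in rule.src and dst_a in rule.dst:
            if rule.action != "pass":
                return ("block", None, None)
            if rule.gateway:                   # policy routing: routing table is bypassed
                return ("pass", rule.gateway, "policy-routed")
            route = lookup_route(routes, dst_a)
            return ("pass", route.gateway or "directly connected", route.interface)
    return ("block", None, None)


# Broken order: the catch-all policy-routing rule matches first, so traffic
# for the LAN2 server is sent to the WAN gateway instead of out igb2.
BROKEN_LAN1_RULES = [
    Rule("LAN1 to anywhere via WAN gateway", LAN1, ANY, gateway=WAN_GW),
    Rule("LAN1 to LAN2 server", LAN1, IPv4Net("192.168.20.50/32")),
]

# Fixed order: specific pass rules without a gateway sit above the policy rule,
# so LAN2 and the remote LANs follow the system routing table (static routes).
FIXED_LAN1_RULES = (
    [Rule("LAN1 to LAN2 server", LAN1, IPv4Net("192.168.20.50/32"))]
    + [Rule(f"LAN1 to {net}", LAN1, net) for net in REMOTE_LANS]
    + [Rule("LAN1 to anywhere via WAN gateway", LAN1, ANY, gateway=WAN_GW)]
)

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_LAN1_RULES), ("fixed", FIXED_LAN1_RULES)):
        for dst in ("192.168.20.50", "192.168.110.7", "198.51.100.9"):
            print(label, "192.168.10.5 ->", dst, forward(rules, SYSTEM_ROUTES, "192.168.10.5", dst))
```

    Running it shows the LAN2 server reached via the WAN gateway in the broken order and directly on igb2 in the fixed order, while the remote LAN is handed to the static route's next hop on the transit interface and internet destinations are still policy-routed.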
  • Cant Access Remote Sonic Wall VPN through Pfsense

    0 Votes
    5 Posts
    677 Views
    stephenw10
    Yup, could be something to do with policy routing IPsec over OpenVPN. Your Outbound NAT rules look correct though. Assuming your client is in the 192.168.86.0/24 subnet, you have a rule with static source ports for port 500. Steve
  • "syslogd sendto: Host is down" error?

    0 Votes
    4 Posts
    1k Views
    chudak
    @kiokoman said in "syslogd sendto: Host is down" error?:

    > Status / System Logs / Settings, Remote log servers: you put something there.

    I sure did, thx!
  • 0 Votes
    11 Posts
    417 Views
    stephenw10
    Ah, I haven't tried starting one of the options by default, without selecting something. I'm not sure how that would work if there wasn't actually a console attached. But it's just a shell script, you can have it do whatever you can code it to. Steve
  • How to best access internal web interface?

    0 Votes
    5 Posts
    891 Views
    stephenw10
    Never use VLAN1. You can't be sure what switches will do with it. Here it looks like you probably can't actually tag VLAN1 leaving the switch ports. It's quite surprising that it allows you to try. Most switches would not. pfSense allows you to use it because technically it's valid, but: https://docs.netgate.com/pfsense/en/latest/vlan/security.html#using-the-default-vlan1 Steve
  • DNS resolver not starting

    0 Votes
    20 Posts
    2k Views
    OK, thanks a lot. I will reduce the RAM size.
  • Setup NAT for VOIPMuch

    0 Votes
    9 Posts
    783 Views
    stephenw10
    Mmm, OK reviewing that I guess that even though you have not set static source ports specifically you have set the source port to match and the translated source port to the same value which will effectively make it static. That's the wrong way to do it though. Setting the source IP as any will catch traffic that should not be NAT'd and break things. You should set OBN to hybrid mode and then add one rule only with the source IP as the internal phone and static source set. Steve
  • Switching providers and pfSense configuration

    0 Votes
    15 Posts
    1k Views
    gtj
    @stephenw10 said in Switching providers and pfSense configuration:

    > Draytek has a g.fast modem coming out that will likely be cheaper and better since the MT992 is locked down. No diag info. If they are actually offering FTTH in your area it's a whole different ball game though. Steve

    I'll have a look at that option. Thank you once again!
  • Checking for open ports ?

    0 Votes
    19 Posts
    1k Views
    Derelict
    Packet captures generally don't lie.
  • RAM disk on upgrade from 2.4.4 to 2.4.5p1 and kernel memory

    0 Votes
    5 Posts
    497 Views
    Thank you for the explanation; makes sense. In essence the RAM disk allocation has moved from a "thin" provision to a "thick" provision. And yes, I know the disks are considerably larger than I need, especially since I send everything to a remote syslog, and the local logs are capped. I did it because I have a lot more RAM in the system than I really need, and was still wondering what extra data and/or graphs I could capture. If I ever find a need to run something that needs RAM I will reduce these values as needed.
  • Network setup help needed.

    0 Votes
    4 Posts
    477 Views
    Derelict
    Then you don't have the proper provisioning to route the subnets to interfaces behind a router. https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html#multiple-ip-subnets It doesn't sound like you are 100% on what it is you have there. I would read that first link in its entirety.
  • Update Automatically

    0 Votes
    2 Posts
    371 Views
    stephenw10
    There is no setting for that in the GUI because, generally speaking, it's a terrible idea. There are a few threads here on the forum discussing it, but I highly recommend you don't read them! Automatically updating without reading the release notes etc. opens you up to the possibility of the firewall updating and rebooting at some inconvenient point. And at worst failing to reboot because of some required manual step that didn't happen. Now imagine how bad that might be if you're remote from the firewall and using it for VPN etc.... Subscribe or check the blog to get update announcements: https://www.netgate.com/blog/ Steve
  • pfSense for 2 LANs

    0 Votes
    21 Posts
    3k Views
    @stephenw10 said in pfSense for 2 LANs:

    > Yup, you can't do that in pfSense. Then I would set up pfSense between the switch and CentOS and configure it as routed only, no NAT, so CentOS can see the real source IP of clients. And to avoid double NAT, which is bad in general. Steve

    Yea, that's what @viragomann suggested to me. Next week I'll buy a new VLAN-capable switch and do this. Thanks for now.
  • Who Maintains this Package/How Do I File a Bug Report

    0 Votes
    12 Posts
    450 Views
    stephenw10
    VBox on a desktop works well for a test like this. I used it for years until I got Proxmox setup. Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.