If you want to use Netflows to view that then you need a netflow collector to export the data to. If you only need an instantaneous reading you could use something like wireshark that can graph traffic from a packet capture. https://docs.netgate.com/pfsense/en/latest/monitoring/monitoring-bandwidth-usage.html Steve

You don't need proxy+nat if your using host override. You don't need any nat reflection!

Yes, it was added in the change set referenced there.

@stephenw10 Now i get it. I just enabled ipv6 in networking and logging in firewall settings and created rules to block ipv6 totally without any logging. Now logs look much better. Those logs are great learning tool. Thank you kindly ALL for clarification.

Are you tracerouting from Windows (ICMP) or Linux/FreeBSD/OSX (udp by default)? If you traceroute to something through the VPN that's not the firewall does that succeed? Steve

That should not apply in this situation as 172.16.0.1 is the internal IP of the outer firewall so, presumably, does not have a gateway and hence also wouldn't have those rules. It doesn't apply to the inner firewall as that is outbound traffic from a device on the 192.168.9.X subnet which is always allowed. I assume you are NATing the outbound traffic in the inner firewall, the default configuration? I would run a packet capture first on the WAN interface of the inner firewall. Filter by host IP 172.16.0.1 and try to access the outer firewall from a client on the 192.168.9.X subnet. If you see traffic there try the same thing on the outer firewall LAN interface. Either the outer firewall is blocking that traffic deliberately or it has some touting problem that means it cannot reply. For example perhaps that traffic is not being NAT'd for some reason so it has no route back to 192.168.9.X. The packet cap should show what's happening. Steve

@steve973 said in Questions about using pfsense to restrict internet content for my kids: @akuma1x The family shield servers. Ok, since it's the family shield servers, you can set the kids VLAN to use a DHCP server, and then use the Family Shield DNS servers as the main DNS for that subnet/network. That will lock it up pretty good. That's how I set it at my house, with the kid network. Jeff

Mmm, it's OpenVPN it should just route between the ends like any other subnet. The only possible way I could see that doing anything is if you have NAT reflection enabled (on that rule or globally) and the printer in trying to hit port 587 on the public WAN IP. In that situation it would be reflected back to the mail server over the tunnel. But that would be a misconfiguration on the printer. Steve

Well, I have some interesting things happening with my routing that I can't explain. I will have to come up with a diagram to show the design and routes to explain the issue.

You can see what can be done in that video hangout at this point: https://youtu.be/xm_wEezrWf4?t=935 If you were set to splice whitelist and bump everything else I would expect any https not in the whitelist to fail unless you have installed the Squid CA on all the clients. Steve

@kartoff Sure, if you can reproduce the problem.

The public IP is assigned to a client inside the firewall? On an internal interface? Are you passing that traffic to it? If you have allow rules on WAN and enable logging on those rules you will see traffic passed in the firewall log. There is nothing in pfSense that ever listens on port 110 so either that traffic is being forwarded to something else or you are testing against something else accidentally. A diagram of how you're testing might help here. Steve

The first thing do here is make sure you actually need one single layer 2. If a smart TV and media server is indeed what you're using make sure that you can't just enter the IP address directly in the TV. Some can and that would allow you to have two subnets and route between them which would be better for everything else. Using 1:1 NAT would allow you to keep the same subnet at each end but still route. But the subnets would 'appear' to be different to clients at each end so the auto discover scenario would still fail. Otherwise you would need to run a single subnet and TAP connection between the sites. Steve

Where I come from, there is a difference between "insecure" and "potentially less secure"! If someone (magically) exploited this, he would get access to my network anyway, no matter if I run this on my PC, NAS or pfSense device. At least the pfSense device doesn't hold any data that I would consider sensitive. Anyway... I think this is going nowhere. I appreciate your concern, but I don't see anyone exploiting this.

Edit: I replaced The Dell Optiplex 790 completely with a known good one and same crashes, same error message to the letter. The only piece of hardware that was the same was an Intel Pro 1000 NIC. After replacing the NIC the issue is no longer present. I was incorrect in believing this issue was related to PFSense. PFSense assisted me in discovering bad hardware as did Jimp. MCA: Bank 3, Status 0xfe00000000800400 MCA: Global Cap 0x0000000000000c09, Status 0x0000000000000004 MCA: Vendor "GenuineIntel", ID 0x206a7, APIC ID 0 MCA: CPU 0 UNCOR PCC OVER internal timer error MCA: Address 0x3fff805ea790 MCA: Misc 0x3ffff panic: Unrecoverable machine check exception cpuid = 0 KDB: enter: panic

You would normally have both private subnets as internal interfaces on pfSense but here you have pfSense inside your network presumably behind some other router for some reason. Check for blocked traffic when you're using RDP in the firewall log. Do you have the WAN firewall rules open for all the appropriate ports and destination? Steve

Single user mode gets you to a shell prompt with far fewer things running/loaded/mounted. So if you have an issue with some component you might be able boot single user mode when the normal boot fails. Are you able to boot to the prompt by pressing 2 at that menu? Usually it boots the default selection, which is 1, after a few seocnds there. You should not have to press anything to boot normally. Steve

Zabbix. There are several agents in the repository.