• load balance pool working with WAN but not with LAN

    4
    0 Votes
    4 Posts
    424 Views
    X
    @jimp Yea I thought about it but I'd like to keep it minimal for now. Just wanted to post the solution here, took me a while to find it. Wasn't obvious to me
  • 0 Votes
    9 Posts
    1k Views
    johnpoz
    Are you running some sort of vpn client setup? Here is the thing out of the box rules on lan are any any... And pfsense will nat all from its lan to its wan IP. So if your WAN network is 10.1.1.0/24 with pfsense wan IP being 10.1.1.1 And your lan network is 10.1.2/24 then all clients will look like they are 10.1.1.1 when they talk to your wan network, ie pfsense wan IP. If I had to "GUESS" to your problem you're forcing traffic out some vpn gateway on your lan rules - which we would know if you could post a simple screenshot vs making gifs with zero information in them. Other guess would be you have the wrong mask on your clients and they think that 10.1.1 is the same network as 10.1.2 say example a /8 which is what windows would default mask to, etc. etc. So how about you post up a config of your clients.. Show a traceroute to say 10.1.1.1 and one to 8.8.8.8 And post up a picture of your lan rules - and validate you're not using any sort of vpn, and or is your clients pointing to any sort of proxy or using their own vpn client.
  • Daily Scheduled Reboot without CRON?

    3
    0 Votes
    3 Posts
    436 Views
    Rico
    Why would you daily reboot your pfSense? -Rico
  • Network interface mismatch

    5
    0 Votes
    5 Posts
    877 Views
    M
    Thank you, that's actually the way we are currently using it (not with pfsense though) , but because of the quantity of the modems it gets really expensive to have a 4G router for each modem. I love the fact that pfsense is so easy to configure and just works out of the box with 4G modems, just the reboots are giving me headaches now )
  • Cacti monitoring with connections?

    2
    0 Votes
    2 Posts
    306 Views
    jimp
    I haven't used cacti in years but I seem to recall a FreeBSD+pf or pfSense template around that hit the pf MIBs to track some things like that. If nothing turns up here, search on the Cacti forum.
  • 0 Votes
    8 Posts
    804 Views
    stephenw10
    Well if you dig deep enough you can do whatever you want. You could potentially add a line to the gateway down script that restarts the PPPoE link. It would likely take some trying to get it working as you want though. Steve
  • couple of question about pfSense

    4
    0 Votes
    4 Posts
    301 Views
    stephenw10
    You want to be able to decrypt random SSL/TLS TCP traffic, inspect the packet contents and filter based on that? No, you can't do that, short answer. If you proxied the traffic in pfSense you might be able to do it using custom rules in Snort/Suricata. I've never seen anyone do that though. Steve
  • SG-2440 Gigabit WAN

    5
    0 Votes
    5 Posts
    783 Views
    chrismacmahon
    It depends on the switches, cables, network load, etc. No you shouldn't lose that amount in your switches.
  • Removing Varnish Server, Routing Directly?

    4
    0 Votes
    4 Posts
    429 Views
    johnpoz
    There is a whole section of the forum related to using the proxy if you have questions https://forum.netgate.com/category/52/cache-proxy It includes squid proxy and such but any questions you have about haproxy would go there as well. Here is some more info on the package https://www.netgate.com/docs/pfsense/packages/haproxy-package.html
  • Reset States not working for me [solved]

    6
    0 Votes
    6 Posts
    2k Views
    stephenw10
    I edited the title. Not sure if you can or not, I think that might be time limited. Anyway glad I could help. Steve
  • Pfsense use Open DNS

    5
    0 Votes
    5 Posts
    944 Views
    P
    working now I have DNS Forwarder enabled not DNS resolver I removed 10.4.0.1 from DHCP Server DNS, and in general / system setup I kept adding the open dns there under DNS Servers but changing the interface to AirVPN_WAN - opt2 . When I removed this and left both interfaces as WAN the Open DNS works
  • PPPoE authentication & Static IP on WAN

    4
    0 Votes
    4 Posts
    1k Views
    stephenw10
    They don't give you any sort of gateway IP at all? In a point to point connection technically they don't have to but it would be very unusual. So do they give you the expected static IP via PPP or something random? Who are your ISP? Someone else must have hit this if they are reasonably big. You can try just setting any gateway IP and see what happens. As long as it's outside the WAN subnet it won't try to ARP for it. Steve
  • PfSense 2.4.x auto boot problem info

    1
    1 Votes
    1 Posts
    310 Views
    No one has replied
  • pfSense Home/Business Setup - Best Practices/Design for Installation?

    6
    0 Votes
    6 Posts
    3k Views
    stephenw10
    Ok, well at 100Mbps a VPN can potentially completely saturate that without huge processing power. Our SG-3100 will pass close to that with OpenVPN and much more than that with IPSec. The SG-5100 would give you plenty in hand for a WAN upgrade later. Both will pass 1Gbps between internal interfaces. One thing you can do here is just try it on any random hardware you might have with two NICs. Just use all VLANs internally. That will give you a good feel for what is required before you purchase dedicated hardware. Steve
  • Boot stuck at Updating Configuration

    5
    0 Votes
    5 Posts
    730 Views
    S
    @jimp It's there, just 0 bytes. Looking in /conf/backup I see backups from the day it went down and the previous day. All the backups are 244K up until the reboot it seems. 9:00 244K 10:00 244K 10:35 128K 10:35 0B Edit. I copied the last full config file into place and the unit booted up normally so it's running. I'm just concerned about what would cause that. This is the second device at this site that has had a corrupted config file. Once last summer and now this time. 2 different pieces of hardware and there's really nothing spectacular about them. WAN is DHCP. LAN is just 192.168.1.1 with a DHCP pool of 100-150. pfBlocker, Suricata and Squid are running. That's about it. Last device was 2.3.2. This one is 2.4.4 (which I'll update before putting it back into production). It's a little concerning.
  • PfSense 2.3.3-RELEASE-p1 will not Autoboot

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    johnpoz
    If they did it would be irrelevant to your issue since 2.3 is no longer supported.. So you're having said issue on 2.4.x? 2.4.4p1? Please create your own thread and document your exact issue you're seeing. Locking thread.
  • 0 Votes
    8 Posts
    7k Views
    stephenw10
    Let's just say that if anyone is imagining: #Switch to layer 7 filtering - firewall_layer=3 + firewall_layer=7 ...then unfortunately they are very very wrong! Steve
  • 0 Votes
    5 Posts
    814 Views
    U
    Yes, absolutely. Thank you for pointing that out. From the reference: https://www.netgate.com/docs/pfsense/monitoring/filter-log-format-for-pfsense-2-2.html In a remote log, the fifth field is:
        <tracker> ::= <integer> -- Unique ID per rule, tracker ID is stored with the rule in config.xml for user added rules, or check /tmp/rules.debug
    I need to figure out how to use that number from my syslog server, to look up the rule description. So far, I'm closer, now using splunk to run a script:
        | script pfsenselookup 1000000105
    where pfsenselookup.py is
        import subprocess
        import sys

        matchstring = ' '.join(sys.argv[1:])  # tracker ID passed in from the Splunk search
        # Argument list instead of a shell string, so the search text never reaches a shell; filtering is done here
        out = subprocess.run(["ssh", "user@192.168.1.1", "pfctl", "-vvsr"], capture_output=True, text=True).stdout
        print('\n'.join(line for line in out.splitlines() if line.startswith('@') and matchstring in line))
    For example, results:
        @11(1000000105) block drop in log inet6 all label "Default deny rule IPv6"
  • can you import configuration file from console

    8
    0 Votes
    8 Posts
    2k Views
    C
    oh ok cool.. I'll give that a shot too well I'll tell her or I'll practice it when she gives me her faulty hard drive... I did the conf folder and copied my older pfsense setup so hard drive is ready for her just to slide in the hot swap... but I'll definitely try that step too... I really appreciate the help great stuff (:
  • Pass specific IP through to LAN, port forwarding, firewall rules

    24
    0 Votes
    24 Posts
    3k Views
    A
    @konstanti said in Pass specific IP through to LAN, port forwarding, firewall rules: @akjim 64.4.23.126 !!!!!!! - port forwarding rule 64.4.231.126 - block !!!!! I am an idiot!!! I see that now, and after making the address correction it is working properly. THANK YOU so much for your guidance and assistance!!!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.