• VPN routing in high availability setup

    Locked. 7 posts, 0 votes, 2k views
    stephenw10:
    All of them if you need communication all ways. The rules should be very specific though to avoid catching traffic incorrectly, and since they apply per node they would often have 'do not sync' set. This thread is 2 years old though, please open a new thread if you have questions about a similar setup. Steve
  • Routing between interfaces..

    9 posts, 0 votes, 1k views
    stephenw10:
    That looks correct. You can't route over policy-based IPsec. But if you NAT the subnets you can make the traffic match an existing policy. Steve
  • How to permit a new HTTPS port

    15 posts, 0 votes, 1k views
    @zacha Thank you! You're a hero!! Your solution helped me. And I confess, I've already seen it!
  • Traffic not going though WAN when server is on different local network

    4 posts, 0 votes, 466 views
    JKnott:
    You'd have to set up the firewall rules to block traffic between the VLANs and also allow it out the VPN.
  • pfSense no internet connection with Rogers Coda 4582 in Bridge Mode

    12 posts, 0 votes, 2k views
    @jknott @bfeitell thanks a lot! After setting as DHCP, internet works under bridge mode. Will spend some time to explore IPv6.
  • Help with pfsense backup script

    12 posts, 1 vote, 3k views
    wgstarks:
    Here's what I finally worked out:

        BACKUP_HOST=<gateway_IP>
        BACKUP_USER=<user_name>
        BACKUP_PASSWORD=<user_password>

        # Create config file directory if it doesn't exist
        [ -d files/ ] || mkdir files

        # Fetch the login form and save the cookies and CSRF token
        # (--no-check-certificate skips TLS verification of the firewall's certificate):
        wget -qO- --keep-session-cookies --save-cookies cookies.txt \
            --no-check-certificate https://${BACKUP_HOST}/diag_backup.php \
            | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt

        # Submit the login form along with the first CSRF token and save the second
        # CSRF token (can't reuse the same file). Now the script is logged in and can take action:
        wget -qO- --keep-session-cookies --load-cookies cookies.txt \
            --save-cookies cookies.txt --no-check-certificate \
            --post-data "login=Login&usernamefld=${BACKUP_USER}&passwordfld=${BACKUP_PASSWORD}&__csrf_magic=$(cat csrf.txt)" \
            https://${BACKUP_HOST}/diag_backup.php | grep "name='__csrf_magic'" \
            | sed 's/.*value="\(.*\)".*/\1/' > csrf2.txt

        # Submit the download form along with the second CSRF token to save a copy of config.xml:
        wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate \
            --post-data "download=download&donotbackuprrd=yes&__csrf_magic=$(head -n 1 csrf2.txt)" \
            https://${BACKUP_HOST}/diag_backup.php \
            -O ./files/config_${BACKUP_HOST}_$(date +%Y-%m-%d-%H-%M-%S).xml 2>/dev/null

        # Clean up: remove session cookies and CSRF tokens, drop the credentials from the environment
        rm cookies.txt csrf.txt csrf2.txt
        unset BACKUP_HOST BACKUP_USER BACKUP_PASSWORD

        # Remove files older than 100 days
        find /mnt/user/odin_backup/OdinBackUp/files/ -type f -name '*.xml' -mtime +100 -exec rm {} \;

    I did have to change permissions for the backup user though. Even when I used the code in the link that @Gertjan provided and just substituted the correct IP, user and password I would still get the error shown in my first post. Once I added "all pages" to the backup user's permissions the errors went away.
I think that the default code in the link didn't generate an error because it uses the default admin/pfsense user which has full privileges IIRC. Just a guess. @Gertjan and @stephenw10 Thanks again for your help. Very much appreciate it.
  • sshguard

    7 posts, 0 votes, 4k views
    NogBadTheBad:
    Just looked in the logs as per my bold text; it wasn't hitting the SFTP host but the DMZ interface.
  • DHCP 5 Fixed IP

    9 posts, 0 votes, 960 views
    stephenw10:
    You could bridge the WAN to an internal interface and have clients there pull IPs directly from your ISP. You can still filter the traffic across the bridge. Steve
  • Time errors in system logs.

    3 posts, 0 votes, 283 views
    Thanks jimp. I went back to the General System Settings and re-selected the correct timezone location, saved, then rebooted, and all seems good.
  • Script E-Mail Notification for borg backup

    3 posts, 0 votes, 1k views
    junicast:
    Thanks for the fast answer. It's a shell script I wrote, so the only requirement for the method is that I can do it via the command line. I installed pfSense-pkg-arpwatch and tried successfully via:

        echo "test" | sendmail recipient@email.com

    The only downside is that the sender is "Arpwatch Notification", but since that's only cosmetic I will stick to this approach. Thank you.

    Edit: As it turns out there's a mail.php that I can utilize, without the need to install the arpwatch package and without the cosmetic flaws:

        echo "test" | mail.php -s"subject" recipient@email.com
  • OPT1 - Unifi Access Point - No Internet Access

    13 posts, 0 votes, 3k views
    Grimson:
    Ok, now that we found the cause you need to make sure your rules on the WIFI net are right. If you don't intend to route the devices on that network through your VPN connection, but want them to talk to devices on another local network, you will need an additional rule. That rule needs to be placed above the default rule, with the source of your WIFI net, the destination will be your local network(s), and its gateway needs to be "default". That is because currently all connections coming from your WIFI net will be routed out of your WAN gateway. For more in-depth details you'd better read up on policy routing.
  • Why does pfSense set net.inet.tcp.delayed_ack to 0?

    3 posts, 0 votes, 3k views
    Thank you, that makes sense, I am enlightened! Appreciate the reply.
  • Captive Portal Unable to logout

    3 posts, 0 votes, 652 views
    Thanks for notifying us of this! I just confirmed that this happens even when using the local database for authorization. If you haven't already, could you open a ticket on Redmine so it can be tracked and documented? https://redmine.pfsense.org/projects/pfsense/issues Thank you.
  • DDNS IPv6

    1 post, 0 votes, 295 views. No one has replied.
  • No WAN IP on startup, until lease is manually renewed

    6 posts, 0 votes, 764 views
    JKnott:
    @khorton said in "No WAN IP on startup, until lease is manually renewed": "Now I need to figure out how to renew a lease from a script." Take a look at /etc/rc.d/dhclient. You'd specify restart and the interface to get a DHCP address.
  • time_error-0x2041-clock-unsynchronized (Linux Questions. Org)

    8 posts, 0 votes, 10k views
    @johnpoz Yeah John, also per previous I did say the time was reporting OK at the time that I was experiencing the PHP issue. I did mention the NTP clock sync issue showing in my NTP log, but the GUI was reporting time correctly. Subsequently, a couple of days after, I experienced a crash with IDS/IPS going down, stopping and restarting, and a few other systems going offline and restarting. And after that is when the GUI started reporting incorrect time for several time zones, which I have fixed but will check again tonight. The main issue to me now is not the PHP error but the clock sync issue. So if you recommend I back up and then do a fresh download of 2.44 again, I will do that. Thanks again for all the advice!
  • pfSense and leased line (UK)

    8 posts, 0 votes, 973 views
    I do hate those HP racks when network kit needs to go in them, not much space for cable runs down the sides. Not great to work in, but £50 from eBay so can't complain!
  • Default gateway, subnets and, gateway groups.

    3 posts, 0 votes, 422 views
    @jimp said in "Default gateway, subnets and, gateway groups.": "o setup rules to bypass policy routing for local traffic" Thanks jim! You nailed it!
  • Since 2.4.4 random latency spikes

    10 posts, 0 votes, 1k views
    jimp:
    The latest one is generally the most stable, but they are still snapshots. We don't test them all individually before they go up, so there could be problems there.
  • pfsense 2.4.4 NTP PHP Error Bug (possible work around)

    19 posts, 0 votes, 2k views
    KOM:
    @rgc said in "pfsense 2.4.4 NTP PHP Error Bug (possible work around)": "Sorry for bothering you all. Yea I guess I am an idiot." No, not at all. It was an honest mistake that just so happened to be quite funny (at least to me). You might have been thinking of Python, which can be used for scripting system services. We all live & learn. I've lost count of the times I've been corrected here after giving my best advice, usually by john or jim.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.