• Help a noob out for simple setup

    14
    0 Votes
    14 Posts
    1k Views
    stephenw10
    Yeah I would put money on one of your neighbours having connected their router incorrectly and it's handing out 192.168.1.X IPs. Whoever is admin on that network should be looking for them with a big stick but... Steve
  • Time for PGP signed sha256sums?

    2
    1 Votes
    2 Posts
    263 Views
    S
    I also think that a PGP signature for the sums or ISO image is needed. It will also allow verifying locally the integrity and authenticity of install images stored in an environment without access to the Internet. And I think that the effort required to implement this is not so high as to discard this idea. Many users who put security at the forefront will be grateful.
  • help with purpose and life of /cf/conf/lastpfSbackup.txt

    3
    0 Votes
    3 Posts
    171 Views
    B
    For some reason the lastpfSbackup file wasn't appearing for some units. Somehow it's working now. I was banging my head and now it's suddenly working. I did learn a bit about how it works in the process though and documented it in my notes. If it comes back I have more information and I'll update this.
  • Logz.io log analysis with ELK and Grafana.

    1
    0 Votes
    1 Posts
    181 Views
    No one has replied
  • No Console Menu After Cold Boot - APU Board with 2.3.1/2

    Locked
    18
    0 Votes
    18 Posts
    9k Views
    jimp
    Upgrade to an actual supported release. Start a new thread if that doesn't work.
  • Scheduling a second ISP backup for specific clients

    5
    0 Votes
    5 Posts
    290 Views
    stephenw10
    I would use a load-balance gateway group on a scheduled firewall rule. Maybe weighted towards the 2nd ISP. Set it to catch only the preferred clients. See how it goes. They will have to open new connections to see the new gateway when the schedule kicks in but if they're mostly web browsing that should be fine. Steve
  • OpenVPN issue connecting to controller

    7
    0 Votes
    7 Posts
    688 Views
    T
    @toms88 said in OpenVPN issue connecting to controller: I've snooped around and asked on the QNAP forum but it's not very lively. How could I go about NATing as you describe above? I can't find the interface options for the OpenVPN server :/ https://www.qnap.com/en/how-to/knowledge-base/article/why-cant-i-access-the-administration-page/ Item #2: “Please make sure that the NAS and the PC you are trying to connect from are connected to the same network switch and are on the same subnet. You may also try connecting them directly (crossover cable is not required).”
  • WAN IP redirect to LAN

    7
    0 Votes
    7 Posts
    465 Views
    stephenw10
    Ah, well you can do that too. Most people never want to set that as a port forward is applied to traffic from anywhere but you can set the source address in a port forward. Confusingly that same setting in the 1:1NAT is Destination as it's used for outgoing connections too: The 1:1 mapping will only be used for connections to or from the specified destination. Hint: this is usually "Any". Steve
  • IPv6 Track Interface: unable to track multiple local interface

    7
    0 Votes
    7 Posts
    627 Views
    JKnott
    @rsaanon said in IPv6 Track Interface: unable to track multiple local interface: @stephenw10 @jimp Thank you! I changed the prefix back to /60 (something I tried in the past but didn't work) and it now automagically works. Perhaps that's all they offer, which is 16 networks. You could try other sizes to see how much they offer. My ISP has /56s.
  • Setting up Data Caps

    11
    0 Votes
    11 Posts
    2k Views
    stephenw10
    Check out the hangout KOM linked above. Specifically from here onwards. Steve
  • Subdomains and dns questions

    dns domain routing website port
    5
    0 Votes
    5 Posts
    1k Views
    stephenw10
    Yeah you should be able to use either HAProxy or reverse Squid to redirect requests based on the host headers to different internal servers. Or different ports on the same server. https://docs.netgate.com/pfsense/en/latest/packages/haproxy-package.html https://youtu.be/FJSHMyrd29E Steve
  • block access pfsense gui OPT1

    3
    0 Votes
    3 Posts
    533 Views
    stephenw10
    @zemlik said in block access pfsense gui OPT1: blocked on OPT1 any to OPT1 address and WAN address ports 22 80 443 Yes, do that. Though you can use the system alias 'This Firewall' as shown in that link and it will cover all IPs on the firewall itself. Steve
  • installing clamav on pfsense

    5
    0 Votes
    5 Posts
    15k Views
    KOM
    @detox It isn't really surprising that it detected known fake-virus signatures. I wonder about how effective it is in general. I've never seen any qualitative comparisons such as those done by AV-Comparatives, for example. It may not even be as effective as Windows Defender, which has been getting better every year and does fairly well in testing. At my company, I don't use any AV on the firewall, and all LAN clients have local AV protection.
  • DLNA, IGMP Proxy, VLANs, Subnets... Oh, dear...

    35
    0 Votes
    35 Posts
    5k Views
    nfld_republic
    @stephenw10 Added pimd be added to redmine.
  • Asking here as I'm not sure if it's a firewall or nat problem.

    4
    0 Votes
    4 Posts
    471 Views
    stephenw10
    Ah OK, then yeah it should be just a matter of adding the port forwards for those ports. Try connecting to it externally then check the state table for states on those ports. Steve
  • pfSense Fail - PHP Startup: Unable to load dynamic library...

    7
    0 Votes
    7 Posts
    2k Views
    stephenw10
    It's probably a filesystem issue. It could be an upgrade failure. It's probably not hardware unless the drive is failing perhaps but I would expect bigger issues in that case. The fastest way to get back up is to re-install and restore your config from that situation. You can try this though since you still have command line access: https://docs.netgate.com/pfsense/en/latest/install/upgrade-troubleshooting.html#forced-pkg-reinstall Be sure to back up the config first though if you do. Steve
  • lan rule setup for webfiltering only with firewall rules

    6
    0 Votes
    6 Posts
    586 Views
    stephenw10
    You can use Squid ACLs directly rather than using Squidguard if you really wanted to. It's far more complex though. Steve
  • pfSense not recovering from WAN event

    5
    0 Votes
    5 Posts
    760 Views
    A
    Yes!
  • OpenVPN client cannot see VLAN network(s)

    4
    0 Votes
    4 Posts
    475 Views
    stephenw10
    I try!
  • Unraid and Ubiquiti Unifi: STUN Communication failed

    14
    0 Votes
    14 Posts
    7k Views
    Q
    @truetype Okies nevermind, I found out the issue. I had put a pass between the two subnets, BUT I forgot and left it at TCP and not any, so UDP was not passed. Dumb mistake, but I hope it helps someone who googles and finds this. Check firewall rules!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.