@Gertjan OK problem resolved. Seems I didn't have enough protocols allowed on OPT1 working now and also NTP on WAP thanks ever so much for assist.

Try setting the monitoring IP to something other than the gateway IP, so 8.8.8.8 for example is commonly used. That gives you a better idea of actual connection quality. The ISP gateway usually doesn't guaranty ping response. Steve

The router used as an access point can, and probably should, be on the same subnet just set as static and outside the DHCP range.... and not the same IP as anything else! That way you will still be able to access it's interface to check signal strengths or make further changes. Steve

@akuma1x This is a hotel network ISP>PFSENSE>SWITCH>AP>Users

@nambi said in Best Way to Achieve this?: if I have something else using 443 would I then need to use the reverse proxy? That's one way. You could also reconfigure the web listen port for one of your servers to some other port. I tend to avoid using a reverse proxy because its extra complexity with potential issues that I'd rather avoid. Also yes, VLANs give you network separation as if they were physical interfaces. You always want to provide a gap between front-facing services and your LAN so that any exploited servers aren't used as a stepping stone to taking over your network.

Yup, that could be it. Though that's not one of the symptoms usually seen with Realtek NICs I would not rule it out. Steve

@stephenw10 thanks. Thankfully I had a good recent backup. Reinstalled pfsense via image provided by Netgate, restored backup back in business. Thank you

I mean 10k states per client does seem..... high! But it depends what those clients are doing. If those are all legitimate states then you could be hitting something else more quickly than we would otherwise expect. But, yeah, did disabling pfSync on the secondary correct the connection drops you were seeing? Steve

Solved by adding static routes in azure pfsense and adding UDR routes of the remote network in the azure route table....finally!

Yep, it does seem right the drive failed after power surge thru the network. Took out one of my switches and two of my Ethernet ports on the server also........

Oh I forgot they’re switch ports, I guess you’d need to go into the switch part of the config and change the main interface mvneta0. https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/getting-started.html#mac-address https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/switch-overview.html

@stephenw10 When I do a backup/restore I always do that and make sure I grab every option I have and it always moves over. At this point it doesn't really matter all that much as I'd be losing the recent stuff anyway. Now it's just a matter of how it can be done and if it works manually.

Do you have the Service Watchdog package enabled? If so, you must not use it for Snort! That is one cause of this problem. Check to see if you perhaps have gotten multiple instances of Snort on the same interface. Run this command from a shell prompt on the firewall: ps -ax | grep snort If Snort is running, you should see only one process per configured interface. If you see two Snort processes with the exact same information and arguments, then you have a zombie running. If this is the case, kill all Snort instances and start Snort on each interface again from the GUI. Finally, it's possible some particular rule you have enabled is the source of the crash. A Signal 11 error is basically a segment fault (meaning a process attempted to access memory that was out-of-bounds for that process). I run Snort on my personal home firewall and have no issues with crashes. I don't run the OpenAppID rules, though. And there is no guarantee that even if two people run the same rule categories that they have the exact same rule SIDs enabled. So it's hard to compare apples-to-apples when talking about IDS/IPS setups.

@lmh1 said in What is wrong with pfsense?: system_crlmanager.php So you are using this page : [image: 1558452318970-44918413-188b-47d0-b168-547f2fc42540-image.png] and then what ? Clicked on one of the green buttons and you fed it with a something that isn't recognized ? You want to revoke a certificate ?

Try this Realtek driver: https://forum.netgate.com/topic/135850/official-realtek-driver-binary-1-95-for-2-4-4-release -Rico

Yeah you can't have the same subnet on two interfaces. Is that what's happening here? Or this other 'WAN network' a router on the LAN side of pfSense? A diagram would probably be helpful here. Steve

I will just add here that I am not seeing this and I connect to many different pfSense boxes everyday using Chromium by IP address. Whatever it is you're hitting seems more nuanced than just that. Steve

@chrismacmahon Awesome, thank you sir!

Yeah do some research on how proxy works in general, then do some research how squid is setup in pfsense. Then implement that how you want to.. Its not something that you get from a "snap" ;) You prob have a less bumpy right just forcing all your clients to use pfsense as dns - and then making sure that pfsense does not resolve domain.tld.. This can be done via host overrides, domain overrides sent to nowhere. Or a package like pfblocker that allows you to blacklist stuff. Proxy would allow you more control where you could allow say url domain.tld/work - but block say domain.tld/game... But this gets more complicated with https, as you can only use domain.tld and not any paths in the url for filtering. And the proxy would for sure have to be explicit and not transparent, etc. etc. To be honest trying to filter content is always going to be a wack-a-mole game that users find ways around.. It normally works fine when your just blocking them from stuff they don't really want to get to... Say bad malware sites and the such, or ad domains, etc. But when you try and block them getting to where they actually want to go - they will find ways around your blocks.. Can pretty much promise you that ;)

https://forum.netgate.com/topic/137401/unbound-log-entries/2 Sometimes unbound doesn't log anything after a reboot. It will start logging after a Status / Services restart