• DMZ bridged to WAN cannot reach LAN

    0 Votes | 25 Posts | 2k Views | stephenw10
    I think the main point here is that the best practice is to store only the minimal amount of data required in the DMZ and limit access to anything on the LAN to only what is required. However you have to make some assessment of the risk. Is the git server going to be open to the world or only restricted source IPs? The term DMZ used here implies it is exposed and needs to be walled off from other subnets but that might not be the case. Or at least not in the traditional sense. Steve
  • Backup configuration remotely

    1 Votes | 2 Posts | 269 Views | stephenw10
    It is. Yep, just use one of the methods shown there if you need to do it. Or just use Auto Config Backup: https://www.netgate.com/docs/pfsense/backup/autoconfigbackup.html Steve
  • Problem WAN

    0 Votes | 17 Posts | 796 Views | M
    @stephenw10 After three hours of constant download at 100mb/s there was no loss of connection, I hope it continues like this. At the next restart I will check. Thanks again for the help. EDIT: I confirm that I have solved the problem by replacing the realtek drivers included in pfsense.
  • Need help for Virtual ip

    0 Votes | 3 Posts | 390 Views | stephenw10
    More likely something upstream is configured to expect your mail server to have 88:xx:129.147 as its public IP and you have not added an outbound NAT rule to use that for traffic coming from the mail server. A 1:1 NAT rule would handle that both ways. Steve
  • Microchip® CryptoAuthentication Device

    0 Votes | 2 Posts | 432 Views | johnpoz
    Have to say I agree, a company about security isn't using dnssec for their dns.. Which is really low hanging fruit to pick too.. dnssec is not that hard ;) It really is a shame that all domains are not doing it - the hardest part is a registrar that actually supports it... Even though my understanding is it's a requirement to be an actual accredited registrar.. I know when I fired up a domain to play with dnssec back in 2015, they had .xyz on sale and said they supported dnssec - yet it took some emails to their support to actually get their implementation on their website to work.. And I looked around at the time, namecheap didn't even support it... From what I recall.. While it's only a domain I use for my personal stuff, and use it for mostly testing - it's not that hard to add stuff or maintain signing of your records... I have a cron job that runs, and a script I run when I add new records or edit them, etc.
  • Session cookie

    0 Votes | 3 Posts | 596 Views | stephenw10
    Exactly, you cannot. In general pfSense will not allow any connections inbound from some external web server. Only responses from servers for which outbound connections have been opened are allowed. Steve
  • Load balancing not distributing evenly...

    0 Votes | 3 Posts | 452 Views | P
    @tim-mcmanus Thanks a lot Tim... i am going to read it carefully and will post results... Pedreter.
  • Auto config backup on URL alias update

    0 Votes | 3 Posts | 343 Views | G
    But actually this is not a change, because the Alias URL remains the same; the IPs in the list could change (for sure not every night, at least in my case), but a backup is not needed because anyway when you reuse it, it will download the updated list again. If you consider the IP list a (potential) change, then a backup should also be taken when a DNS Alias is resolved to another IP address; it's exactly the same thing.
  • PPPoe Client Goes Down after Any other Interface config change

    0 Votes | 3 Posts | 569 Views | S
    Same behavior related here. https://redmine.pfsense.org/issues/8512
  • Spontaneous corruption?

    0 Votes | 7 Posts | 783 Views | chrismacmahon
    First step is to see why this is happening to you. I agree it's most likely related to the configuration/local setup of the devices. Before you reboot the device, you should navigate over to Status, System Logs, take note of the information there, try expanding it to a few thousand entries, there will be something noted in this area about what is causing your lack of internet access. I would suggest getting a console session going, our SG-2440 Manual has a great guide on gaining access to the console. What packages do you have installed on your device? If you run from the command prompt df -h how much disk space is there? The more information you can get to us, the better someone can assist you.
  • High RTT latency on wan [SOLVED]

    0 Votes | 37 Posts | 17k Views | stephenw10
    @tejas said in High RTT latency on wan [SOLVED]: I am using Pfsense 2.3.5-release-p2(i386) on Intel Pentium G2020 @ 2.90GHz Why are you running 32bit on that CPU? You should be running 2.4.4 there really. About the only reason those interfaces would not show in the Firewall > Traffic Shaper > By interface tab is if they don't support ALTQ. You would have to check exactly what hardware they are to know for sure though. I would expect the Intel NIC to support it but their ix NICs do not. What are the actual port names listed? re0, re1, em0? pfBlocker and Squid do different things; they should not interfere. But bear in mind connections coming from Squid will always have the default WAN as the source IP. pfBlocker can block connections on LAN before they reach squid if you have it configured to do so. Existing states are not removed when you change the ruleset. So if you want to move a client to use a different gateway you would have to kill any open states on the old gateway or just wait for them to timeout. Only new states will use the changed rule. It is accurate. If traffic is passing and you see no states there it is not being passed by that rule. If you want to do full SSL traffic inspection you have to install the generated CA on the clients; there is no way past that. However you can do 'peek and splice' to filter by FQDN only. See: https://youtu.be/xm_wEezrWf4?t=637 If any of those alerts are against legitimate traffic you need to suppress them or disable the rule that is being triggered before you switch to blocking mode or you will block required traffic. https://www.netgate.com/docs/pfsense/ids-ips/setup-snort-package.html#alert-thresholding-and-suppression Steve
  • Access Pfsense website GUI and another website slowly when block port 443

    0 Votes | 4 Posts | 475 Views | stephenw10
    What other rules do you have on the LAN? Is the GUI running on port 443? Do you see blocked traffic in the firewall log after disabling the rule? Steve
  • Pfsense using for ISP

    0 Votes | 3 Posts | 482 Views | stephenw10
    A diagram showing what you want to do would help a lot here. Steve
  • how to block clients that are using VPN or like browsec tunnel

    0 Votes | 2 Posts | 338 Views | stephenw10
    It depends how restrictive you want to get. It can be difficult to impossible to completely eliminate that though. You can block all traffic except ports 80, 443 and 53. The Squid rules will redirect 80 and 443 to itself and you can add a port forward to redirect all DNS to Unbound. You will break many things though and get a lot of complaints! Steve
  • 0 Votes | 16 Posts | 2k Views | K
    I managed to make 2.2.6 detect my Realtek NIC by patching the driver. But just now realized that the PPTP feature on the pfSense is only for setting itself as a VPN server. Opposite of what I wanted
  • Suricata causing unbound to crash

    0 Votes | 4 Posts | 538 Views | stephenw10
    Ah, then you should update unbound: pkg upgrade unbound It will pull in a new strongswan version with that. Or try a 2.4.5 dev snapshot which contains that. Steve
  • Continuous packet capturing and storing

    0 Votes | 3 Posts | 837 Views | JKnott
    Well, there's Packet Capture, built into pfSense, that can capture all the traffic on a pfSense interface. However, you'd have to manually start & stop it and then download the capture file. If it's an interface on another device, you'd also need a managed switch, configured to port mirror.
  • Internet Outage

    0 Votes | 5 Posts | 612 Views | T
    The Gateway logs do not show any entries during today's outage and also we were not able to connect out from the firewall during the outage period. Thanks Tanner
  • Adding a new subnet to server almost stops file transfers - why?

    0 Votes | 35 Posts | 3k Views | M
    Exactly! If the cat catches mice, then who cares what it looks like!
  • Auto configuration backup shows no backups

    0 Votes | 14 Posts | 2k Views | E
    @steve_b okay, I'm seeing inconsistent behavior here and I haven't been able to pin down why. router 1 (the originally not working one): While looking for the debug logs, I noticed that the log entries for success had disappeared. I traced this to a check for boot completion that was failing, preventing the backup from starting (this is a different issue. I also don't know why the boot is no longer finishing). I manually deleted the booting file so that the backup would run, and it started working. I then walked back the firewall and DNS config (and the debugging stuff that I had added in acb.php) that I had done before to try to get it to fail again, and it would not fail. So, I don't know what changed to make it work. router 2 (the originally working one): This one started exhibiting the behavior seen before on router 1 (backups report success in web ui, but they are not occurring). This one does have a backupdebug.txt indicating a timeout on the save. I can still ping and curl acb.netgate.com.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.