Yes, that is correct. If you assign the server as an interface you have to restart the instance afterwards for the new settings to apply. You almost always want to have the rules on the assigned interface tab and not on the group OpenVPN tab. That is required for policy routing to create the firewall states correctly. Steve

@bmeeks said in Am I being attacked?: The moral of this story (from the article) is don't open stuff like SSH on the WAN side of your firewall. It should be don't use ssh with a password. Use passwordless ssh instead. Ssh supports that. You create a public/private key pair, to allow access.

@noplan said in Rename network interface?: OPT13 .... I suspect you deleted and recreated interfaces quite often.

@stephenw10 Yes, I've tried deleting all the .rrd files in that folder, repeated the import of just the RRD Data from the old box with pfSense CE into the SG-3100. I can see the .rrd files get created in the folder, but still no data appearing on RRD Summary or Traffic Totals.

@stephenw10 said in SSL generation: cert with a longer lifetime that you control. Exactly openvpn does not care if the cert has a 10 year life.. There is little reason to change these certs for the sake of changing them, unless you feel they have been compromised. If so just revoke them and issue new. Or change them out on a schedule you come up with, but don't have to worry about if the schedule gets pushed here or there because its going to expire, etc.

@johnpoz My haprox cert is a wildcard cert *test.ca and in pfsense i created a Host Override as unraid.test.ca which points to the unraid server ip. By doing this, unraid.test.ca is only available via LAN as it is not registered on my domain dns. Also for my acme i have it set to auto renew that cert before it expires. Great suggestions, appreciate the tips :)

I got this working.. I created the opnvpn interface and then that showed up in the outgoing network interface under dns resolver which is had set as (ALL) and now everything works.

@stephenw10 said in all services fail to start all packages gone: Looks like this is the gw_leds script which it appears you're also running: https://forum.netgate.com/topic/165680/sg-3100-21-05-1-kern-ipc-maxpipekva-exceeded-see-tuning-7 Steve Thanks. I’ll follow that post.

I assume you mean you're not doing any internal routing but are still routing between WAN and LAN? Otherwise you would have to be bridging WAN and LAN. Either way in that setup both WAN and LAN are carrying the same traffic so it really doesn't matter which way you assign the NICs. Steve

When you put FQDNs in an alias like that they are resolved by filterdns when the ruleset is built. Anything that the firewall can resolve should work correctly there. Steve

@stephenw10 said in Bricked after Update 2.4.5-p1 to 2.5.2-RELEASE: Everything except checksum off loading should be disabled by default so I would look at LRO if you changed that. Steve I will leave the APU in place. The former device was cobbled together from spare parts anyway (but it worked for years...). Thank you for all the input.

Do you have consecutive sections of zeros replaced with two colons ?

The situation is largely unchanged. The pro services team can convert an existing config from another firewall but it's a manual process for them. There is no tool for doing it. Steve

Mmm, 2.4.2p1 is really old. With the release of 21.05.1 though there should be much reason not to be on that now. If you absolutely need Snort (and can't use Suricata) for some reason you might want to stay on 2.4.5p1. Steve

@stephenw10 thanks yea I worked out my problem. Because I has a rule at the bottom of floating that blocked anything I didn't specifically allow out, I then was allowing WAN to HTTP/HTTPS for Squid and it was quick matching. I had to rejig that block all rule to avoid HTTP/HTTPS so that it allows that traffic by default (No quick rule allow needed for WAN) and then I catch any bad traffic with the explicit deny rules. Seems to work now.

@stephenw10 Yes, ZFS after reinstalled 2.5.2. Bug seems to be known and would be fixed someday... as you said, its just cosmetic :-)

Yeah gmail is a bit special - can you get it to work without 2fa? Maybe?? Don't know, don't care - have had 2fa on since like 2014, and I was late to the party ;) But just tested this with one of play domains, no 2fa - just your typical smtp server over 587 works just fine.. So clearly pfsense is parsing special characters in the password. And his issue is most likely do to the special requirements of gmail.

If there's nothing in the logs then I'd run a packet capture to see if those ping are making it to pfSense at all and if it's responding. No response to 5 pings it something significant though. An IP conflict maybe? Something ARPing with the same address could do that. Steve

It seems that I fixed the issue: Static IP should be : 10.66.66.2/24， but not： 10.66.66.2/32