• How to prevent access to pfSense web and SSH console from an OPTn network

    2
    0 Votes
    2 Posts
    187 Views
    RicoR
    Sure... there are many ways to do this. Here is one in the Netgate docs: https://docs.netgate.com/pfsense/en/latest/firewall/restrict-access-to-management-interface.html -Rico
  • 0 Votes
    12 Posts
    3k Views
    G
    @johnpoz Good point
  • Cannot ssh from firewall to LAN

    21
    0 Votes
    21 Posts
    2k Views
    L
    Thanks very much for all of your help on this. I've done as you suggested and all is working as it should be now. Thank you for sticking to this topic and sorry for taking so long to get back to it. I have way too many tabs open :).
  • Open ports

    5
    0 Votes
    5 Posts
    760 Views
    johnpozJ
    @dpettigr said in Open ports: so they are using a cloud based application that needs to communicate with a piece of software installed on the machine.

    That loopback DNS stuff pointing to 127.0.0.1... Nothing from anywhere is going to connect to that; that is loopback, it goes nowhere other than the machine itself.

    Are you seeing them blocked in the pfSense firewall? Where are they blocked in the log? If something is trying to get to your public IP, you would see the traffic doing a packet capture. If you don't see it, then it's never getting to pfSense. If pfSense sees it, and the forward is not working, you either have it set up wrong; post up your port forwarding rules, the NAT and the firewall rule that would have been created. Maybe there is something above the rule on your WAN that's blocking it, like a specific pfBlocker rule or something? Or something on the client, which is very common: a firewall on the client, or the client not pointing to pfSense as its gateway. Is it TCP or UDP? You can sniff on the pfSense LAN-side interface while trying to connect; do you see pfSense send the traffic on to the IP you port forwarded it to?
  • allow LAN clients to "see" OPT1 printer

    13
    0 Votes
    13 Posts
    1k Views
    A
    @trombone said in allow LAN clients to "see" OPT1 printer: @akuma1x I like that idea! Now if my boss would come up with eight times $150. Give us the phone number, we'll give him/her a call... :) LOL
  • Issue with the ability to ping

    9
    0 Votes
    9 Posts
    807 Views
    johnpozJ
    In the resolver GUI, go to the options box and put in the private-domain I showed above.

    Or if you want it all to stay local and not actually send forwards or queries upstream, set it to redirect:

        server:
        local-zone: "powerdmslocal.com" redirect
        local-data: "powerdmslocal.com 3600 IN A 127.0.0.1"

    The private-domain is the cleaner option in this case, since that resolves on the public that way.
  • Port 443 timeout using Netcat but is working in browser

    20
    0 Votes
    20 Posts
    4k Views
    johnpozJ
    @Frogg said in Port 443 timeout using Netcat but is working in browser: Forwarder & Resolver (Now changed to enabled) was disabled

    Huh? You cannot use both at the same time. You run into a race condition. Which one are you using? Place your host override in the one you're using. They both allow for overrides. Do a directed query to pfSense to validate it returns the records you put in the host override:

        C:\>dig @192.168.9.253 ahost.domain.tld
        ; <<>> DiG 9.16.6 <<>> @192.168.9.253 ahost.domain.tld
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8719
        ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 4096
        ;; QUESTION SECTION:
        ;ahost.domain.tld. IN A
        ;; ANSWER SECTION:
        ahost.domain.tld. 3600 IN A 192.168.1.4
        ;; Query time: 0 msec
        ;; SERVER: 192.168.9.253#53(192.168.9.253)
        ;; WHEN: Tue Sep 08 13:40:59 Central Daylight Time 2020
        ;; MSG SIZE rcvd: 61

        C:\>nslookup
        Default Server: pi-hole.local.lan
        Address: 192.168.3.10
        > server 192.168.9.253
        Default Server: sg4860.local.lan
        Address: 192.168.9.253
        > ahost.domain.tld
        Server: sg4860.local.lan
        Address: 192.168.9.253
        Name: ahost.domain.tld
        Address: 192.168.1.4

    pfSense in my case is 192.168.9.253
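The directed-query check described in the post above, as an added example that is not code from the post, from pfSense or from Unbound: a small Python script that parses dig's text output and verifies that the server answered authoritatively with exactly the host override you configured, rather than handing back a forwarded upstream answer (which is what you see when the override sits in the service that is not actually answering). The server 192.168.9.253, the name ahost.domain.tld and the address 192.168.1.4 are the values quoted in the post; both transcripts embedded in the script are constructed samples, the second one showing the non-overridden case, and the live mode assumes a dig binary on PATH.

```python
"""Check that a directed DNS query returns the host override you configured.

Added example (not from the forum post, pfSense or Unbound). Parses dig's
text output and checks: NOERROR status, the 'aa' (authoritative) flag that an
override answer carries in the post's transcript, and the exact A record.
"""
import re
import subprocess
import sys

# Constructed sample: the post's dig output, reflowed onto separate lines.
SAMPLE_OVERRIDE = """\
; <<>> DiG 9.16.6 <<>> @192.168.9.253 ahost.domain.tld
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8719
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ahost.domain.tld.              IN      A

;; ANSWER SECTION:
ahost.domain.tld.       3600    IN      A       192.168.1.4

;; Query time: 0 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
"""

# Constructed sample: what you get when the override is NOT in the service that
# answered (forwarded upstream answer, no 'aa', some other address).
SAMPLE_UPSTREAM = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;ahost.domain.tld.              IN      A

;; ANSWER SECTION:
ahost.domain.tld.       300     IN      A       203.0.113.10

;; Query time: 23 msec
"""


def parse_dig(output: str) -> dict:
    """Extract status, header flags and answer records from dig's text output."""
    m = re.search(r"status: (\w+)", output)
    status = m.group(1) if m else None
    # Only the header line starts with ';; flags:'; the EDNS line starts with '; EDNS'.
    m = re.search(r"^;; flags: ([a-z ]*);", output, re.M)
    flags = m.group(1).split() if m else []
    answers, in_answer = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line or line.startswith(";"):  # blank line or next section ends the answers
            in_answer = False
            continue
        name, ttl, _cls, rtype, *rdata = line.split()
        answers.append({"name": name.rstrip(".").lower(), "ttl": int(ttl),
                        "type": rtype, "data": " ".join(rdata)})
    return {"status": status, "flags": flags, "answers": answers}


def check_override(output: str, name: str, expected_ip: str) -> tuple[bool, list[str]]:
    """Return (ok, problems): ok only if the server answered NOERROR, authoritatively,
    with exactly the expected A record for name."""
    r = parse_dig(output)
    problems = []
    if r["status"] != "NOERROR":
        problems.append(f"status {r['status']} (expected NOERROR)")
    if "aa" not in r["flags"]:
        problems.append("answer is not authoritative (no 'aa' flag): the override is "
                        "not in the service that actually answered")
    wanted = name.rstrip(".").lower()
    got = {a["data"] for a in r["answers"] if a["type"] == "A" and a["name"] == wanted}
    if got != {expected_ip}:
        problems.append(f"A record(s) {sorted(got) or 'none'} != expected {expected_ip}")
    return (not problems, problems)


def run_dig(server: str, name: str) -> str:
    """Send the directed query with the local dig binary (assumed to be on PATH)."""
    return subprocess.run(["dig", f"@{server}", name],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Default runs against the constructed sample; pass --live to query 192.168.9.253.
    out = run_dig("192.168.9.253", "ahost.domain.tld") if "--live" in sys.argv else SAMPLE_OVERRIDE
    ok, problems = check_override(out, "ahost.domain.tld", "192.168.1.4")
    print("OK: override answered" if ok else "PROBLEMS: " + "; ".join(problems))
```

Run it with --live from a client that can reach the firewall; if it reports a missing 'aa' flag or a different address, the override lives in the forwarder/resolver that is not the one answering, which is exactly the race the post warns about.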
  • Bandwidth Limiter does not work when Specific Gateway defined under DHCP

    23
    0 Votes
    23 Posts
    2k Views
    johnpozJ
    @sanketgroup said in Bandwidth Limiter does not work when Specific Gateway defined under DHCP: Action = Pass /// Interface = OPT1 /// Source = OPT1 net /// question: Destination = shall it be Single Host (UTM 10.5.20.2) or OPT2 net

    That is not a policy route. You have to select a gateway in the rule if you want to route. 10.5.20.2 would be set up as a gateway in pfSense. Did you read the link provided? You would then be able to create an outbound NAT for it. Hybrid is all that is needed.

    As to whatever your workstation does for cards and teaming, that has zero to do with the VM passing tags or not passing tags for a VLAN. But sure, if you want to create another VM NIC and do it that way, that works too. How you do VLANs and do your connections has little to do with the logistics of the network. pfSense doesn't care if it's a VLAN or a native interface. How you tie that to the physical world is up to you.
  • Pass 5 Static WAN IPs to Internal Routers.

    4
    0 Votes
    4 Posts
    619 Views
    N
    @MCITDept Running on a 1:1 NAT should be OK with VPNs. The only way to assign WAN IPs to internal routers is to route them. It will require additional subnets though. Still, your setup sounds a bit complicated. Perhaps eliminating internal routers and moving VPNs to the edge where they belong could make your life easier.
  • Package install/remove hangs

    3
    0 Votes
    3 Posts
    413 Views
    hugoeyngH
    Thank you for your answer
  • SMTP notification uses default gateway instead of IPSEC

    17
    1 Votes
    17 Posts
    2k Views
    chamilton_ccnC
    @Fabio-Giacobbe The scenario I posted was specific to IPSec. But don't feel bad, we've all been in similar NAT-induced (read: confusing) situations. Glad you got it figured out!
  • fios help

    1
    0 Votes
    1 Posts
    311 Views
    No one has replied
  • Ping with DUP!

    3
    0 Votes
    3 Posts
    650 Views
    P
    @stephenw10 thanks for the pointers! I messed up my camera to a point where I had to factory reset, the problem disappeared after reset and not getting DUP! pings any more. But I will watch out if that happens again and share the results of packet capture.
  • Confused by PXE TFTP network boot setup

    2
    0 Votes
    2 Posts
    430 Views
    chudakC
    Next server IP should have been set to the gw IP/LAN
  • Help! I can not install pfsense from flash drive

    2
    0 Votes
    2 Posts
    327 Views
    provelsP
    Because the current version is x64?
  • error

    2
    0 Votes
    2 Posts
    151 Views
    stephenw10S
    If it was a config error can you access the console to roll it back? Did you make the change via the gui? What change did you make? Steve
  • DNS filtering Church project

    42
    0 Votes
    42 Posts
    6k Views
    DaddyGoD
    @jwj said in DNS filtering Church project: It's a fool's folly to think he can. It can't go perfectly for anyone
  • PPPoE Radius "RADIUS Accounting Update" not working

    15
    0 Votes
    15 Posts
    2k Views
    C
    @nimamhd Thanks again for your response. I'm a newbie to this Freeradius stuff, so I'm not familiar with unlang. In Daloradius there is a "Disconnect User" button. I just thought that there was something simple one can do with it to get it to work.
  • Manage a pfSense Cluster from OpenVPN.

    5
    0 Votes
    5 Posts
    484 Views
    RicoR
    Yeah, hybrid should work just fine for you. -Rico
  • Console report interface down while it is working (and FreeBSD reports "up")?

    5
    0 Votes
    5 Posts
    726 Views
    DaddyGoD
    @wxppro said in Console report interface down while it is working (and FreeBSD reports "up")?: It is quite stable, running for months without any issue. As you think, if that's right for you.... I only project our experience forward...

    edit: e.g. https://forum.netgate.com/topic/156637/making-interface-usb-network-interface-persistent-on-reboot
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.