• Restore PfSense on a new server with one less ethernet card ...

    7
    0 Votes
    7 Posts
    813 Views
    @skybri100 Thank you very much and greetings.
  • Pings but nothing more

    8
    0 Votes
    8 Posts
    699 Views
    Bingo! I reset it while connected and started getting console output of the boot sequence. It was getting stuck on "Starting DNS Resolver". A quick Google led me to the Reddit post below. Basically delete this "/var/unbound/pfb_dnsbl.conf", recreate the file, and restart. Back in business! Your help was very much appreciated John! Thanks, Moon https://www.reddit.com/r/PFSENSE/comments/89gt37/stuck_on_starting_dns_resolver_on_reboot/
  • Squid Access logs to Splunk

    1
    0 Votes
    1 Posts
    407 Views
    No one has replied
  • Accessing endpoint of site2site through VPN client

    4
    0 Votes
    4 Posts
    582 Views
    stephenw10
    Then make sure rules are in place at site 2 allowing the traffic from the tunnel subnet the client is in. If the client is not redirecting all traffic over the VPN then they will need to be passed a route to the site 2 subnet via the VPN. Add it as a local network in the remote access server at site 1. Steve
  • Wrong configuration, but it works partially

    29
    0 Votes
    29 Posts
    2k Views
    @stephenw10 Great! It's as I expected, thank you very much for your answers! Farisse
  • Routing between two pfsense on ISP's with proxy behind

    2
    0 Votes
    2 Posts
    528 Views
    stephenw10
    The proxy must be listening on the OpenVPN interface since that's where the traffic arrives. You should be able to put the proxy at either end but I would probably put it at A since that's where traffic is arriving. I'm not sure how the proxy would reply to traffic at B either. Importantly you must have the OpenVPN interface assigned at B and make sure the rules passing the traffic are on the assigned interface and not on the OpenVPN tab. Without that you will not get reply-to tags on the states and the replies from the server (or proxy) will just go out the WAN rather than back over the VPN. That creates an asymmetric route and traffic will be blocked. Steve
  • 0 Votes
    16 Posts
    1k Views
    stephenw10
    Yeah with 5Mbps upload you can saturate the connection pretty easily. However it's also much easier to shape upload than down since we can control exactly what leaves the interface. I would expect to see good results from fq-codel here. Steve
  • NTP stratum change

    1
    0 Votes
    1 Posts
    325 Views
    No one has replied
  • Move default LAN to a vlan

    14
    0 Votes
    14 Posts
    1k Views
    johnpoz
    The comment that it's easier to fail to untagged vs tagged is a valid statement.. And if you're worried about vlan hopping ok... But unless you were in some DOD facility, or had to use known bad switches that drop traffic from tagged to untagged.. It's not a "requirement"
  • Interface setup issues.

    1
    0 Votes
    1 Posts
    165 Views
    No one has replied
  • Individual cpu core usage

    3
    0 Votes
    3 Posts
    392 Views
    I see. I found that one. But thought it odd I couldn't find it on the dashboard; it can show individual temps, so why not usage. I was sure I was just looking in the wrong places.
  • What logs are useful to troubleshoot an ISP issue?

    3
    0 Votes
    3 Posts
    395 Views
    JKnott
    @bkhiatt One thing to check is the DHCP lease, to see if it's being renewed, but given your description that doesn't sound like the issue. Can you ping the gateway when the connection fails?
  • Certificate Question

    13
    0 Votes
    13 Posts
    1k Views
    Gertjan
    @guardian said in Certificate Question: Sorry, I don't understand this [image: 1598516212016-9d2889ce-108a-4052-b3f4-0fe0f9abdd88-image.png] One of these resets the GUI access to http. The manual will tell you more. @guardian said in Certificate Question: IIUC this is only if the last configuration was http It must be the last setting change, the one you can cancel. If you change from http to https, and you lose access because https won't work for you, you lose contact with the GUI. Rephrase that: you lose the ability to make changes ^^
  • Is it possible to show traffic (byte) accounting per local source ip

    23
    0 Votes
    23 Posts
    2k Views
    johnpoz
    I'm US timezone - CST..
  • Looking for a way to connect 2 networks

    3
    0 Votes
    3 Posts
    382 Views
    @EagleGC You have to have the Procurve switch plugged into the SG-1100 LAN network, which it looks like it already is. Then, the Nest wifi router should be in access point mode, then plugged into a switch port on the Procurve switch. This process will put them all on the same network. The Procurve shouldn't "hand out" any IP addresses; you should set it up to NOT offer up IP addresses, unless you've got a special reason to do that. Jeff
  • Site can't be reached

    Moved
    4
    0 Votes
    4 Posts
    1k Views
    stephenw10
    Doh! Test Port indeed.
  • Crash report

    5
    0 Votes
    5 Posts
    828 Views
    stephenw10
    I would suggest you probably don't need 8GB in there: Memory usage 3% of 8006 MiB If there is any doubt over any of those DIMMs, remove them. Run a few cycles of memtest. On a 12 year old system though it could be failing in any number of ways. Steve
  • Pfsense crash after package update ...

    6
    0 Votes
    6 Posts
    805 Views
    snorby is old and abandoned ... it's nearly impossible to install on the latest Debian with the ruby crap (dependency problems) ... But docker saves the day! it can install old crappy libraries on the latest version of the server ;)) with docker, snorby is easy to install AND you can remove the old ruby crap in one click if not needed anymore ;) Ok I will go with the ELK thing ... I will learn something at least ... thanks for your link ;) I will look ;) have nice days ;))
  • Helping a complete newb understand IPS/IDS with pfSense

    2
    0 Votes
    2 Posts
    431 Views
    Gertjan
    Hi, pfSense has a built-in VPN server for remote management, and, why not, give access to your LAN based devices (if these accept remote connections). VPN became lately a total buzz word ... I advise you to look at the VPN related videos from Netgate (they have a YouTube channel with every subject explained step by step). IDS: to reduce a long story to two words: forget it. If you insist, first, use your favourite info source, make yourself very comfortable (because this one will last for days) and get to know what 'SSL' (TLS) really is. Now you know that IDS was fun, in the past, when all traffic was travelling 'in clear'; these days it's all encrypted: only most DNS traffic is still visible, and even that changes these days. Mails, web access, SSH, whatever: it's encrypted in a way the Mossad, NSA and KGB (or whatever these guys are called these days) can't access it, not without throwing a multi billion installation at it. And you want to IDS/IPS? Still, please, I'm just trying to make you understand what needs to be done. Do not believe my words, again: look up the (some) details. DMZ: that was (one of) my boys' dreams: hosting my web/teamspeak/mail server. It took a moment or two to understand that I would be needing a something called a DMZ. A couple of clicks later I understood that the off-the-shelf basic ISP router wasn't up to the task. Today, ISP routers let you set a .... DMZ ..... IP ( ? !!?). Or, a DMZ is a separated ... isolated ... network like 192.168.10.0/24 NOT 192.168.10.20 (an IP), although 192.168.10.20 could be the IP of a web server that operates in the network 192.168.10.0/24. pfSense lets you create more than one LAN type interface, and it will be called OPT1, OPT2 etc. Rename them to "Pincky" or "DMZ" and you're done. The rest of the setup is: create firewall rules that enforce a typical DMZ type of operation.
See https://docs.netgate.com/pfsense/en/latest/book/intro/interface-naming-terminology.html#dmz Or a good Netgate YouTube video about the subject. A DMZ network has one or more NAT rules (IPv4 still exists these days) that let Global Internet users actually visit - contact - connect to - your server type devices, situated on your DMZ. Finally: I decided to create my own DMZ in the middle of the world's biggest "MZ", the Internet itself. Like everybody else. A motivation was also that hosting servers behind an ISP line normally just plain s*cks ("big" download, but small "upload"). I rented dedicated servers on the Internet to host my servers. The most incredible thing is: you won't be bothered with firewall rules any more. Just the server apps like apache2, nginx, postfix, bind, teamspeak, etc. Mastering these will eat up a part of your actual life time (be warned).
  • Everything works, except one single website!?!

    Locked
    27
    0 Votes
    27 Posts
    9k Views
    First page load on some websites will throw the error that the "Site cannot be reached", but within a few seconds it will usually load on its own. Sometimes if I refresh a few times it will also load. I have checked logs, disabled/removed squid/squidGuard. I verified DNS from the local machine does a lookup fine on the name. I have "Clear invalid DF bits instead of dropping the packets" checked in Adv->Firewall/NAT, also Disable Firewall Scrub is checked and I set Firewall Optimization to 'conservative' (per a few articles I've found). pfSense is my DNS server. I have several VLANs, have tried a couple of them and they exhibit the same behavior on the same site. (CNN.com for example will give ERR_CONNECTION_RESET and "This site can't be reached" on GUEST wifi as well as Private wired.) I have combed through firewall rules, but nothing stands out. And I'd assume if it is blocked it would stay blocked instead of letting traffic pass after initial load. There does seem to be a difference in behavior from mobile on Wifi vs Wired PC though. On mobile, cnn.com won't load at all; after several refreshes it still fails. On PC wired, it auto-loaded within a couple seconds of the initial failure. Also on PC it seems once it loads it's ok, it seems to work after tha
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.