That matches the string anywhere in the port number, same as leaving it as 19 which isn't what OP wanted. They wanted it to only match port 19 and no others, so using ^19$ is the way to do it.

@NogBadTheBad Thank you for sending this documentation my way! As it turns out, what I (originally) wanted to do can be accomplished using an "Alias". https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html?highlight=alias You were right. Interface Groups serve an entirely different purpose.

pfSense should host the captive portal. Routers on that network will break things.

@moxi said in Some traffic is escaping from vpn!: but why the firewall rule of: ( block any out on wan) never works? Can you show that rule (an image ;) )? Where did you put that rule ? A final solution will be : use the VPN client on the device where you use the VPN. That is, if that device isn't a TV set or something like that. @moxi said in Some traffic is escaping from vpn!: I would start thinking that this whole game of privacy protection is not 100% legit You start to understand. There is hope for you. You really believed the VPN publicity ??

The outbound NAT rule would be on the WAN at site A with source 10.2.0.0/16. So that traffic from site B can be NAT'd to the site A public IP in order to reach the site C public subnet. Steve

I think the best you’re going to be able to do here, to avoid a login, is to have your browser (Firefox, Safari, Chrome) save the login info for you. You DO NOT want to give access to your firewall interface without a login. That’s really bad. Jeff

@akuma1x okay thanks I will research a bit. the appliance VM is in azure.

You could diff the xml against the most recent backup file like you can in config history. That will show you only what's changed.

Vitualize a FreeNAS sever on that host computer an run Plex as plugin within there. Although, i am NOT a follower of setup, that have all functionallity on one system! A router is a router, a NAS is a NAS and a media server is a media server. pfSense is NO media server at all!

Good to hear.

Thank you for responding @coatmaker618 Yes, I guess there are three questions in there so thanks for splitting the questions up for me. I think I have gotten a little further towards getting some information on this. I have got my pfsense to recognize a USB device as a WAN port which I can configure. I now have to configure the multi wan part now. As for the third question, yes that's the interesting one and I am not having any joy finding any help on that one. The scenario is as you describe. I don't want all my devices to take advantage of the failover WAN because it will be a 4G device with just a tiny amount of data allowance on it. I will keep it topped up for the eventuality of someone cutting up my cable internet while I am not at home so the home can still talk to me and let me know what is going on. For the failover, out of the 50 or so devices that currently use the internet, I only want to allow my IP Camera NVR, my home security system and smart door lock to have access (all with dedicated local IPs). This is to get notifications of any issues while I am out of the house and also jump onto my IP camera feeds if needed just to see whats going on. Hope this paints a good picture of what I intend to do. So if there is anyone out there who knows how to handle multi wan ports in this configuration, please let me know.

@slimypizza said in Home setup issues with WiFi (advice): The thing I like about it relative to the Ubiquiti is that you don’t have to run an ethernet cable to the satellites. You don't have to run a wire to the unifi AP either - you can do wireless uplink, its just ALWAYS going to be better to run a wire to your other AP if possible. ALWAYS!!! Not say orbi or any of the other mesh systems out there won't work - but good luck doing anything above very basics.. Can you even do vlans on your wifi with Orbi - no.. So for many of us that have chosen to go with a more robust network and want to do stuff as basic as vlans - those sorts of wifi systems just don't cut it.. Why would you choose to run a Porsche for your router/firewall - and then put some crappy walmart special tires on it ;) And only do 55 mph..

@provels - Thanks for this. Of course I had to type a litany to eventually discover the problem is one I created but didn't realize I had created one. TL;DR, the AT&T WAN DHCP address specified its IP to renew from. That IP sat in the LAN on pfSense's side as a VIP. The WAN couldn't reach that IP for renewal. At expiry, a new DHCP broadcast would occur and everything would be good for another 10 minutes. I removed the VIP, everything went back to normal. Updated the original post to be more clear since I figured it out.

If you were using unifi controller, ie you had some unifi AP for example - then this would do exactly what your asking for https://store.ui.com/collections/unifi-accessories/products/unifi-smart-power The UniFi SmartPower Plug is a device installed between the AC outlet and the power plug of an internet modem or router. The UniFi Network Controller continuously monitors availability of an internet connection. If the connection drops, the UniFi SmartPower Plug automatically restarts the modem or router by disconnecting power for a short period of time. But yeah with all the smart plugs these days, I would think it would be pretty easy to rig something like this up..

Thanks for the reply Steve :) Good catch! I left off a switch sitting between the user and the Main router. I will update drawing shortly. User is single port device, both routers are multiport devices. From LAN, I am trying to ssh to an IP in the 10.1 space (say 10.1.1.10) by using the 10.1 address. I do not see any blocked data regarding 10.1.1.10 on either firewall log (just searching for that IP in the log). From the link you posted it seems that asymetrical is defined as "traffic going from A-> Z taking a different route then traffic going from Z -> A" My thought is that 10.1 traffic would go through the 192.168.1.99 port on the DMZ router, not going to the main router at all. This would be the same route that I would expect the traffic to take back. So I'm missing why it would be asymmetrical >_< Edit: Picture is updated.

Nope I have homebridge running on a raspberry pi running ubuntu on my iot lan. The rule is to pass allow udp port 9 from my homebridge server on the iot lan to all my subnets.

Check System - Advanced - Firewall & NAT. Look for "IP Random id generation". If it is checked, uncheck that box.

@liboriolibs said in pfSense + Haproxy - internal LAN redirect backend with acme valed certification: ssl offloading - check type - http / https (offloading) Try changing this to HTTP & disabling offloading. SSL Offloading seems to indicate that you want PFSense to get HTTPS and send out HTTP (implying it has the certs). I was trying to do the same thing (see link below). While I had a different problem I think it's the same solution. https://forum.netgate.com/topic/153028/haproxy-deleting-acl-on-modify-bug-or-am-i-missing-something/3

Realtek NICs/drivers are known to crash under high load. Change the NICs or try your luck with the official drivers: https://forum.netgate.com/topic/135850/official-realtek-driver-binary-1-95-for-2-4-4-release -Rico