• High CPU (~60%) after changing/saving configs a few times

    Locked
    3
    0 Votes
    3 Posts
    387 Views
    jimpJ
    https://forum.netgate.com/post/908806
  • "Client Certificate" dropdown missing when trying to setup secure LDAP

    3
    0 Votes
    3 Posts
    292 Views
    S
    @jimp Thank you for the quick reply him - time to order our SG-5100s!
  • Suricata Eve Json Cutting Off in Remote Logging

    9
    0 Votes
    9 Posts
    1k Views
    bmeeksB
    Redis would be a good choice for exporting the logs. A user contributed support for that into the Suricata package a little while back. Next time I update Suricata I will include a warning in the Help Text for the syslog export settings sections cautioning that the data will be truncated by the FreeBSD syslog daemon.
  • Help me set up a temperature regulated cabinet for my pfsense box

    9
    0 Votes
    9 Posts
    940 Views
    DaddyGoD
    [image: 1588156483190-tec-to-rs485_contr_2.jpg]
  • Roblox kills my bandwidth

    24
    0 Votes
    24 Posts
    8k Views
    F
    Thought I would give a quick update on this for those who care :) I bought the i5 jobbie. A bit on the steep side in terms of price and spec but I had no other short-term solutions. Must say, it's a nice bit of kit. 6 Intel LAN (I do wonder if they're fake though), i5, I put 4GB RAM in and a spare 60GB MSATA I had. Setup was painless. I did a final backup of my existing one, installed pfSense and restored the backup. A quick interface remapping and I was done. Shut down, switched out and booted. It all worked :) Thoughts: Speedtest always showed around 290/300 over wifi. I now easily get 350-360. (Wifi is Ubiquiti kit) VPNs are faster. Much much faster. I always use PIA and peer locally but only ever got 70-80Mb/s down. Never an issue as I don't need more than that (other than speed test). I now get full bandwidth. I got 340 to NL (I am not in NL....) So, a combination of faster CPU and AES offloading makes a massive difference. Odd thing though, I never saw the CPU peg on the old j1900 which led me to believe it was ok. Acid test. Not once have the kids simultaneously gone "DaaaAAAAAaaaaaDDDD I'm lagging!" from across the house. Likewise, myself and my wife have continued to work on video calls without issue. Could I have bought one of the £200 cheaper Atom ones and had the same result? Probably. Would I recommend this setup for someone? Sure. It's compact, neat, costs about the same as a self-build (but looks better). A gamble but it paid off (so far). Thanks for your help on this. Hopefully someone else reads it and benefits. FB
  • pfSense with Unifi network

    1
    0 Votes
    1 Posts
    235 Views
    No one has replied
  • Home Network Layout, Traffic Shapping & More questions.

    2
    0 Votes
    2 Posts
    358 Views
    NollipfSenseN
    @xxnumbxx said in Home Network Layout, Traffic Shapping & More questions.: Web Filtering I want web filtering on LAN2 so the kids are not getting to porn sites and such. I have used this with untangle and found it to work great, is there something similar for pfSense? I have heard of Squidguard but not sure if this is the best route. I can suggest pfBlockerNG-Dev package. Spend some time browsing here and post specific questions there: https://forum.netgate.com/category/26/traffic-shaping
  • Windows RDC not working

    rdc
    3
    0 Votes
    3 Posts
    395 Views
    M
    We need more specifics to even begin to offer anything helpful. How is your network laid out?
  • Errors on boot

    5
    0 Votes
    5 Posts
    634 Views
    A
    Deleted from within the user manager
  • pFsense with OpenVPN filter navigate with proxy

    4
    0 Votes
    4 Posts
    463 Views
    stephenw10S
    If you need to do it transparently you need to set Squid to listen on the OpenVPN interface so it adds the required port forwards. To do that you need to assign the OpenVPN server as an interface: [image: 1588078614099-selection_829.png] Enable the new interface, rename it if you wish. Then you can select it in Squid. Steve
  • Multicast DNS (Bonjour, HomeKit, AirPrint, etc.) not working with bridge

    10
    0 Votes
    10 Posts
    6k Views
    lohphatL
    @dennypage Agreed. I think it must be the YouTube mobile app caching the duplicates.
  • SOLVED: How to show more text than 80x25

    5
    0 Votes
    5 Posts
    825 Views
    jimpJ
    If that doesn't pan out, you can try switching back to sc: kern.vty=sc hint.sc.0.flags="0x180" hint.sc.0.vesa_mode="279"
  • Change Interface Name

    3
    0 Votes
    3 Posts
    409 Views
    dotdashD
    Zabbix is just pulling the hardware interface name. You're going to have to look at aliasing it on the Zabbix side. How to do that would be a question for a Zabbix forum, not a pfSense one.
  • Grafana metrics with Telegraf and Graphite

    2
    0 Votes
    2 Posts
    469 Views
    ?
    Hi @mehdii, have you tried to set the corresponding axis-unit?
  • pfSense on OVH Dedicated with ESXi and one NIC

    3
    0 Votes
    3 Posts
    1k Views
    J
    @Tactis said in pfSense on OVH Dedicated with ESXi and one NIC: It's not the public IP assigned to your ESXi interface right? Yeah I think it is. That's how I'm connecting to it (the public IP). Well at first I wasn't able to, but I enabled the basic firewall (not the Cisco ATA option) in the OVH control panel on that interface, and let port 443 through, then I was able to. This doesn't make a lot of sense either, I would have thought with the firewall off I could connect just as much as if it were on with one port open. I'm flying blind as to how their infrastructure works. As long as it's not, you should be fine. Add another vSwitch and Port group in ESXi for your VMs, and do NOT assign an uplink NIC to that vSwitch. Connect the pfSense 2nd NIC to this vSwitch and setup the LAN. This way pfSense will act as the firewall between your LAN and WAN, with the public IP being the one you picked up from DHCP. I'll do that as I assume I'll need it anyway when I work through it. If you have a range of IPs available, it's probably still best to setup a static if you want to host any services here. Any additional IPs can be added to pfSense by going to Firewall > Virtual IPs and assigning them here. It is a static public IP, and I'm not sure why ESXi picked it up from DHCP. I'm also not sure how I could connect to ESXi to manage it in the first instance if it didn't pick it up from DHCP, because if I set ESXi as an internal static IP (like 192.168.0.X or whatever) their basic firewall doesn't seem to redirect ports to different IP's, so I'm pretty sure I wouldn't be able to get to the ESXi server. It's a weird and foreign setup to me.
  • pfSense CE 2.4.4-p3 on A2SDi-8C-HLN4F(CPU atom c3758) froze

    2
    0 Votes
    2 Posts
    301 Views
    No one has replied
  • Intermittent slowing internet speed on pfsense 2.4.5

    15
    0 Votes
    15 Posts
    2k Views
    A
    Thank you Steve, against that bug, I have also reduced the firewall maximum entries to 65534. Bogon is also disabled. Might be the case with my ISP, I will ask in the dedicated ISP forums for advice on monitoring. There are a lot of pfsense users with Virgin Media in the UK. Helps to drop the ISP name in this thread as well, in case anyone else is going through the same pain.
  • cant get access from outside to webpage

    haproxy acme firewall rules
    19
    0 Votes
    19 Posts
    2k Views
    P
    @pooperman there is some issue with SSL handshake: [image: 1587921920369-1.jpg]
  • OPT LAN Orbi

    1
    0 Votes
    1 Posts
    291 Views
    No one has replied
  • Wifi AP to LAN communication

    Moved wifi lan plex
    5
    0 Votes
    5 Posts
    1k Views
    stephenw10S
    I would not expect a port forward to be required there as Plex can usually be accessed from anywhere, even externally. UPnP is disabled by default in pfSense and you should leave it that way unless you have a very good reason not to. Plex can open port forwards in the firewall to allow access otherwise. Usually when people divide their network like you have it is for security. Consider what would happen if one of your cameras was found to have a vulnerability and was hacked for example. What would that give anyone access to? You probably want firewall rules on the 192.168.2.1 interface in pfSense that allow only the required access outbound. So the cameras may not need any external access or maybe only to a known IP or set of IPs. Wifi IoT style devices may not need any access to the LAN subnet. Though maybe you want Alexa to be able to control Hive.... What you want to do is allow only the traffic that is needed and segregate devices as much as possible to mitigate any security issues should they occur. Does your access point allow for multiple SSIDs / VLANs? If so I would create more so you can separate general access devices like laptops and tablets from IoT devices like cameras and Alexa. Currently you have separated devices simply by wired or wifi and that might not be the best way. The Hive and Hue hubs are IoT devices. I would want those on a separate subnet to desktop PCs and servers if possible. Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.