yeah were are using the little ones with no fans that work really actually well.(j1900) started out with some pc that had pfsense on them but they just offered more for less for as having a appliance firewall, i cant have any complaint they have been great and have worked for years without problems. I am guessing i now have to learn kubernetes. It seems like a solution to the problem.

Local is the host (source or destination) in the same subnet as the firewall on that interface. Remote is the host that it is talking to. If you access a web site, the IP address of that web site would show when in that mode.

See this recent thread for additional detail. https://forum.netgate.com/topic/137939/bypass-su-sorry-on-pfsense

Thank you for your input Grimson and mhertzfeld. The reason for removing the switch was twofold. I am trying to minimise energy consumption and I was curious to see what could be achieved using just the pfSense box without a switch. I tend to always try to find ways of improving things, sometimes more successfully than others. I might just use the switch again. I actually didn't want to implement vlans at all, but the switch is a layer 3 3com/HP switch and perfectly capable of doing that. Kind regards

Thx! Yea, did what you suggested and you're exactly right. It's the card.

Never mind. Found the problem. I'm trying to NAT to a host that's also used in HAProxy. Under HAProxy/Backend/advanced setting, I have turned on Transparent Proxy (So that my logs shows the correct incoming IP). This messed up NAT. Turn Transparent Client IP off and NAT works again.

@stephenw10 says I can't start a chat with you unless you initiate it.

OpenNMS is easy to install and set up on a CentOS image. I use it all the time. If you set up SNMP on all of your devices, you'll get a lot of good data from it. Any open source NMS package will do this, a few have been mentioned already on this thread. OpenNMS will also pull some fantastic metrics from pfSense once you set up SNMP on it.

Thanks guys for your valuable input. Regards Scorpoin

So you stopped using the driver from Realtek you linked in your first post? If so you're hitting the watchdog error that is known to help with. Steve

I replied to the same issue on Reddit, so I'll copy my reply here, too: On FreeBSD, su requires that the user be a member of the wheel group. But there isn't a way to put a GUI user into the wheel group, so you have to use sudo instead. You could work around that by manually editing the groups file in the OS or hacking on /etc/pam.d/su to use the admins group instead, but why bother? The changes would be wiped out on the next update. Use sudo instead. Using su also requires you share the credentials of the root/admin account which goes against best security practices. Using sudo is best in the context of a firewall. Everyone uses their own account, their own password, and can have customized permissions per user.

@jimp Thanks.

Since you admit to being a home user noob... Maybe something like this would be more down with your skillset? https://meetcircle.com/

If all you're trying to do is block all traffic except traffic from Europe, you'll use the GeoIP blocking functionality of pfBlockerNG. In the pfBlockerNG package, go under IP > GeoIP, you'll want to go down the list of the continents (except Europe) and select "Deny Both." This is assuming on the general page you have pfBlockerNG enabled. Also, under the IP settings page, you also need to select the interfaces where you want the rules to be. You'll want them on both your WAN and local interfaces.

Hi, You're pretty close to a prove of concept that the issue isn't pfSense, but Chrome. Chrome's bug fixes or other issues are not known on this forum - see Chrome's support forum. I do think that flushing Chrome's cache will help you with this issue. edit : btw : most routers and firewall use port 80 for an initial contact with it's admin. Then, port "80" is de activated and the communication takes place on 443 - or "https". No need to change the "listening port" and Chrome will be happy. If you are in a "hostile" environment, use LAN only for admin jobs, and activate other OPTx interface for your users - and lock down any access to pfSense web server ports (80 and 443).

I would certainly expect to see 10G on both ports of that card. It looks like there may be some low level incompatibility there if you have tried swapping everything. What is the other card you have installed that can link at 10G? Steve

@johnpoz Yes I know, Sorry I'm not much serious guy today. Well Next update I do, maybe trought cli , I'm not live into enterprise, only small networks, but here is not much diffuse the culture of security, I'm living in small mountain country where eatings Polenta e Capriolo, man.

@aygtx said in How to prevent Mac spoofing and Netcut / Selfishnet on wifi / Lan network: how to prevent ,using pfsense , LAN and WiFi users from cutting / redirecting communications from each other You don't do that at your router, you do that at your layer 2.. So say private vlan on your switches or DAI... Look to your AP feature set to prevent this in your wireless network. The best you can do at pfsense would be static arp. But that doesn't stop a client A from arp poisoning pfsense mac.. etc..

It works fine on CE 2.4.4 with vga/uefi console, the only "issue" is that you no longer get the beep and log output when someone logs into the WebUI while the console is password protected. @luyo Is this a fresh install or an upgrade, any packages installed?

Solved: Bad sg-3100, borrowed a 2440 which is fine. Will contact local reseller and return/swap the 3100. I did connect to the console and reinstall via the adi image (usb) which did naff all, must be hardware related. I now have hundreds of connections set on the 2440 and I am a happy happy boy, the only thing I was a bit "eurgh" about is that the 2440 has only 1 LAN port opposed to the built in switch of the 3100 and I need 3 lan ports in the immediate vicinity to the firewall, so I had to bridge LAN,OPT1,OPT2 which works perfectly. Thanks all.