• LCDProc CPU Temp Screen

    8
    0 Votes
    8 Posts
    944 Views
    fireodo
    @stephenw10 said in LCDProc CPU Temp Screen: "Unfortunately my own php skilz are such that I'd have to spend significant time on it" I understand that very well!
  • Feature wishlist:

    3
    0 Votes
    3 Posts
    588 Views
    Cool_Corona
    @marvosa Integrated and not having to use an Ubuntu server??
  • Unifi Dream Machine and PFSense

    31
    0 Votes
    31 Posts
    5k Views
    T
    @johnpoz "Yeah you can leave your udm with a wan, I would put that on its own vlan for pfsense" First thing I did, actually.
  • Can pfSense do this better than an Edgerouter

    24
    0 Votes
    24 Posts
    3k Views
    N
    @stephenw10 Found the problem, I was using Unbound python mode. Now it only blocks in the 101 vlan. Time to continue experimenting with pfblocker. Thanks again!
  • Cloudflare Dynamic DNS error

    12
    0 Votes
    12 Posts
    2k Views
    A
    @stephenw10 said in Cloudflare Dynamic DNS error: "Hmm, so you have it set to monitor gif0 but it cannot send updates from there?" No, it's monitoring opt19 but for some reason was trying to send updates out of opt15 (gif0). So I had to enable that hidden form field to manually change it. Question is, why is that form field even there and why is it hidden? I can only assume Firefox submitted the field even though it's hidden (this is expected behaviour) and so the wrong interface got assigned, as gif0 was at the top of the list. I also noticed if I tried to monitor a ppp interface the IP just said n/a and it didn't even give a tick or cross. Fortunately I don't need to do that as both are static IPs, I just tried it while testing.
  • Locked out - No page assigned to this user

    3
    0 Votes
    3 Posts
    936 Views
    B
    @stephenw10 Yep, had to reset the admin from the console. I was hoping for a remote solution, but hey, it's always fun to go to the datacenter, right? The weird thing about this problem is that an unrelated/unaltered user was showing the same error after we fixed admin.
  • WAN not connecting with bridge modem rogers cable

    23
    0 Votes
    23 Posts
    3k Views
    JKnott
    @stephenw10 Except it failed overnight, when I changed versions. As the capture shows, there are 2 gateways involved, so there should be no conflict that way and my cell phone is with the same company. I do recall there were some OpenVPN changes when this happened. I redid my config to accommodate them and also because I wasn't thrilled with what I had. Correction, this came in with pfsense 2.5.0, not 2.6.0. I'm currently running 2.5.2. 2.5.0 came out on Feb. 17 and I was inquiring about the OpenVPN version in openSUSE on Feb. 24, to see if that might be the cause of the problem.
  • After upgrading The firewall has encountered an error

    Moved
    5
    0 Votes
    5 Posts
    867 Views
    O
    @stephenw10 based on observation over the past day (or so) it looks like a one-time thing.
  • WireGuard config file

    2
    0 Votes
    2 Posts
    369 Views
    Rico
    /usr/local/etc/wireguard -Rico
  • intermittent web page latency

    10
    0 Votes
    10 Posts
    588 Views
    johnpoz
    That setting has nothing to do with clients.. That has to do with how pfsense resolves.. It's just what you want pfsense to do when it needs to resolve - say resolve an IP in the firewall logs, or asking for alias fqdn, or checking for its own update. Clients asking unbound - that has no effect on. But with how you have it now - pfsense would not be able to resolve any local resources.. It could have a hard time working out what client is at say 192.168.1.43 for example in your firewall logs..
  • How to route promiscuous traffic ?

    8
    0 Votes
    8 Posts
    1k Views
    stephenw10
    @potjoe said in How to route promiscuous traffic ?: "because you should not see traffic on private subnets go through the firewall." Nope. Because you cannot have the same subnet on two interfaces, it breaks routing, so traffic there should all be on one interface and the two devices talking to each other directly. But here you are in fact trying to work around some ISP requirement where you have two devices in the same subnet on different interfaces. I still don't expect to see it on the firewall because they should just ARP for each other and fail. I'm not sure how that TCP session can ever establish. The only way I can see this working is by bridging and that would probably break numerous other things. What exactly is this device on the LAN? Does it have to be on the LAN? Steve
  • Bank site forbidden

    10
    0 Votes
    10 Posts
    3k Views
    noplan
    @overlord73978 Stay healthy
  • Snort IPS

    2
    0 Votes
    2 Posts
    424 Views
    bmeeks
    There is an entire sub-forum here dedicated to the Snort and Suricata IDS/IPS packages. Here is a direct link: https://forum.netgate.com/category/53/ids-ips. At the top of that forum page you will find a number of Sticky Posts describing the various operating modes and how to configure them. This one should get you started: https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-introduction-and-configuration-instructions. Note in the linked post that not all hardware NICs support the netmap kernel device required for inline IPS operation. If your NIC does not support netmap, then you will have to switch to Legacy Blocking Mode.
  • Is /usr/local a safe place to store things?

    5
    0 Votes
    5 Posts
    724 Views
    stephenw10
    Another option here, if the files are small, is to use the Filer package. That includes additional files in the config file so they will be restored if you have to re-install completely. Steve
  • Multiple Pfsenses talking to each other?

    15
    0 Votes
    15 Posts
    1k Views
    stephenw10
    Ok, so your public IPs are in the same subnet I assume? Does the TP-Link actually get a public IP or is it port forwarded from the Comcast router? I would still suggest using a single pfSense instance with just a modem in front of it if you can. Steve
  • Brand new 1100 crashed

    3
    0 Votes
    3 Posts
    664 Views
    B
    @rico That has literally never worked for me until now. Thanks!
  • Any news about relayd?

    8
    0 Votes
    8 Posts
    1k Views
    J
    @jimp Thank you for the reply. I have previously researched the solutions you suggest. First, X-Forwarded-For does (obviously) not work when using TCP forwarding in HAproxy. The proxy cannot add an extra header to the HTTP request if the request is encrypted. HAproxy tries to solve this using the PROXY protocol, but that does not work with Microsoft IIS (any version). HAproxy's transparent IP is an advanced source IP spoofing that requires a very specific setup in regards to the internal servers' remote gateway settings. It won't work with our current setup. We could possibly change our server to make it work, but really - all this extra work for what? Just a much more complicated setup with extra load on our firewalls, larger attack surface (proxy vs NAT) and a non-standard hack to route return traffic (when using transparent clientIP). Relayd is very simple and much more secure by design. Even if there is a problem with the SSL implementation in relayd it is only used for the internal checking of server status (I assume), so it wouldn't be a serious threat to our servers. Since relayd is simple, we can probably write a small script and have it run every second or so. Checking the server status with curl and modifying a NAT alias with aliasmod would actually be pretty similar to relayd in our case. I'm just a bit annoyed by the assumption that HAproxy can do what relayd does, because that is just plain wrong.
  • Pfsense internet goes down all the time

    wan
    38
    0 Votes
    38 Posts
    6k Views
    johnpoz
    No it's not it just turn off because of non interaction.. It just goes poof off.. Can be hours into watching, or just a few minutes.. Sometimes seen it happen a few times in a row.. If you look up the tv brand - you see quite a few people complaining about.. But wonder if it is power related. Not going to hurt to have a ups on it ;) When it shuts down for normal reason you see icon in top right showing power down.. When this happens it's just "poof" off.. Like you pulled the plug or something.
  • PfSense + Omada controller

    11
    0 Votes
    11 Posts
    7k Views
    J
    @ahmetakkaya I agree with noplan...you can and should do this with 2 VMs on a single machine. The Omada controller is free to download for Windows or Linux (https://www.tp-link.com/us/support/download/omada-software-controller/). There are many choices of VMs for Linux...take your choice. Then install Pfsense on a separate VM. You just have to spend some time configuring the interfaces. You really want to keep the firewall separate from other software.
  • auditd not available / can't run it

    2
    0 Votes
    2 Posts
    359 Views
    stephenw10
    It's not included in pfSense. There's no easy way to add it outside installing it from FreeBSD with all the reasons that's a bad idea. https://docs.netgate.com/pfsense/en/latest/recipes/freebsd-pkg-repo.html#concerns-warnings Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.