• Routing problem with a bit complex network setup

    9
    0 Votes
    9 Posts
    478 Views
    stephenw10
    Nice. Yeah the automatic outbound NAT setting will NAT all traffic from internal subnets to the interface IP of any WAN type interfaces. But here it was seeing the LAN interface as a WAN so did not NAT traffic from that subnet as it left the actual WAN. Steve
  • Unknown - relayd not running?

    3
    0 Votes
    3 Posts
    468 Views
    L
    I figured the problem might be with the monitoring part of the setup but that looks fine too. What other info could I provide to shed better light?
  • New user, general questions

    5
    0 Votes
    5 Posts
    617 Views
    S
    @duvel With the work from home restrictions the wife and I saw the need to upgrade our wifi and so I went from an old Asus AC66U and an older Asus used as an extender, to Netgear Orbi (3 station) in AP mode. Immediate improvement both in throughput and coverage. I wish I’d done this ages ago but was not motivated until now. No problems interfacing with pfSense, Sonos, etc.
  • State Filtering Question

    6
    0 Votes
    6 Posts
    921 Views
    F
    Mystery solved: rawtaz in the IRC channel suggested killing the state that referred to a rule it should not be referring to. When the state was re-established, it came up referencing the correct rule. The most likely scenario is that when the firewall rules are changed (i.e. adding or removing rules changes the number of the rules), the already established states do not have the rule numbers updated. This is a pf 'issue' and not pfSense since pfSense reads /dev/pf to get the states that match a particular rule.
  • 0 Votes
    8 Posts
    947 Views
    jimp
    Next time you reboot, hit Ctrl-T (^T) at the console a few times with some time in between when it's stuck there. See what that prints.
  • TrustedUserCAKeys for ssh

    1
    0 Votes
    1 Posts
    452 Views
    No one has replied
  • VLAN config IPv4 Configuration Type

    4
    0 Votes
    4 Posts
    557 Views
    bingo600
    A VLAN is Layer 2 communication, MAC address oriented. The pfSense firewall is a Layer 3 device, as most firewalls are. pfSense filters (allows/denies) based on IP addresses. Your Vlan150 example uses the IP range 192.168.150.xx, so I'll assume the Vlan222 uses. On each interface where you have devices that have to reach hosts in Vlan222, you would need to allow that "interface ip range" to send packets to the Vlan222 IP range. I.e. the fw rule on the Vlan150 would be:
        Action: pass
        Interface: "Vlan150"
        Addr Fam: IPv4
        Proto: Any
        Source: Vlan150 net
        Dest: Vlan222 net
    Now pray that your Vlan222 hosts have def-gw on the pfSense box, or you'll have to play with routes.
    /Bingo
  • 0 Votes
    8 Posts
    909 Views
    T
    Thanks everyone for all the replies, I'm gonna try with Rico's suggestion, it looks like that's the correct approach.
  • cannot join an AD DC on a LAN from DMZ

    3
    0 Votes
    3 Posts
    373 Views
    R
    Thank you for your reply @stephenw10, I am able to ping from lan the dmz but not vice-versa (for security reasons won't be allowed). A-record for the dmz-pc has been manually created into the DNS of the AD. Let me open all ports, and will let you know back. Best, rickey
  • LAN Output working after 2.4.5-RELEASE (amd64) update.

    2
    0 Votes
    2 Posts
    194 Views
    stephenw10
    First check: https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html Can you connect to the pfSense webgui? Can it connect out? Do you see available packages for example? Steve
  • New user... Whats your opinions of how i have my network setup?

    9
    0 Votes
    9 Posts
    764 Views
    M
    The only thing I would change is where the Netgear router is patched. I would patch it into one of your switches instead of the modem. As pictured, your wireless has no access to your LAN. If that was your goal, then you're fine... otherwise I'd enable AP mode and plug it into a switch. You could go for a more intricate and arguably cleaner design by consolidating down to one switch, running extra cable to each room, possibly setting up VLANs, etc, but that involves time and money. Your current setup is completely functional, so if it's meeting your needs, there's nothing wrong with it.
  • Very slow internet speed

    5
    0 Votes
    5 Posts
    623 Views
    B
    Unsure. That server is a tween server. On the left side ESXi is installed and the right side was not in use, so got pfSense there as needed several NICs for this setup. I think it could be CPU temps getting too high, as every time I saw pfSense showing them in yellow my network was slow. Interesting is that the other motherboard with the same pair of xeons and 24GB running ESXi 24/7, never had a problem. I can't run tests with that configuration anymore and I didn't get any other suggestions here or on the other two forums I've posted, so replaced the entire box with a spare i5 desktop and it is running very well.
  • PPoE down - LCP: authorization failed

    9
    0 Votes
    9 Posts
    2k Views
    P
    I can confirm that by cloning the MAC address everything is working !!!! Thanks for the support @stephenw10, it's much appreciated. Let the fun begin now !
  • 0 Votes
    8 Posts
    1k Views
    ccgllc
    @JohnKap said in (2) Firewalls, (2) different networks, both mostly work, 1 can't get to a specific IP:
        @ccgllc said in (2) Firewalls, (2) different networks, both mostly work, 1 can't get to a specific IP:
            Routing table: Works all the way to the last-to-next node, so don't think so - but do you have something specific I can check?
        I would compare the routing tables on the two devices, the fact that they're on the same subnet they should be pretty much the same. I'm thinking maybe there is an entry there that is confusing which interface to use when going to those affected ip addresses.
    Routing tables are as expected:
        127.0.0.1
        The LAN port & network
        The WAN port & network
        No other entries.
    e.g. There are no "tables" I'm aware of that the firewall would build to direct traffic to a specific IP address that is not part of either its WAN or LAN group - all of those go out the default route on the WAN and passed to the next node to handle (in this case, my ISP).
  • Not getting WAN IP

    3
    0 Votes
    3 Posts
    395 Views
    DaddyGo
    Maybe that can help: https://forum.netgate.com/topic/151929/pfsense-wan-interface-wont-get-ip-address and check the DHCP log file for what it shows (Status / System / Logs / DHCP)
  • OpenVPN connected-disconnected users log

    9
    0 Votes
    9 Posts
    2k Views
    M
    @noplan said in OpenVPN connected-disconnected users log:
        done but with email ...

        #!/usr/local/bin/php -q
        <?php
        require_once("/etc/inc/notices.inc");

        // Build the notification text from the environment variables OpenVPN passes to the script.
        $local_connect_value = " \n user_name: " . getenv('common_name')
            . " \n vpn_client_ip: " . getenv('ifconfig_pool_remote_ip')
            . " connected from " . getenv('trusted_ip')
            . " on " . date('F j, Y, g:i a');

        // Append session statistics when this file is installed as the disconnect script.
        // strpos() matches the whole word; strrchr() only looks at the first character of its needle.
        if (strpos(__FILE__, 'disconnect') !== false) {
            $local_connect_value .= ", \n duration : " . round(((getenv('time_duration'))/3600),2) . " hours, or "
                . round(((getenv('time_duration'))/60),2) . " minutes, or "
                . getenv('time_duration') . " seconds,\n upload from vpn-client (received) : "
                . round(((getenv('bytes_received'))/1048576),2) . " MB, \n download to vpn-client (send) : "
                . round(((getenv('bytes_sent'))/1048576),2) . " MB. \n DISCONNECTED.";
        }

        notify_all_remote($local_connect_value);
        ?>

        the script is called in openVPN server [image]
        output [image]
        see also here https://forum.netgate.com/topic/151351/email-notification-openvpn-client-connect-common-name/26
    very good works!
  • Is anyone using virtual IPs with PPPoE successfully?

    4
    0 Votes
    4 Posts
    971 Views
    K
    Hi! Sorrrrry for the delayed reply, the last few days have been hectic to say the least... Funnily, set up as it was initially (virtual IPs on WAN connection), it actually failed at boot too... I am at a loss as to why it worked anyway after. In the thread I had posted in the virtual IP related forum I was actually asking if my problem of servers using virtual IPs misbehaving could be caused by those errors, I assume they did but cannot say for sure. At boot it actually fails twice by the way... One time before the interface gets its IP and after it did. Both times it looks something like this

        Mar 31 15:58:04 check_reload_status rc.newwanip starting pppoe0
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanipv6: rc.newwanipv6: Info: starting on pppoe0.
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanipv6: rc.newwanipv6: No IPv6 address found for interface WAN [wan].
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: rc.newwanip: Info: starting on pppoe0.
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: rc.newwanip: on (IP address: ddd.eee.fff.ggg) (interface: WAN[wan]) (real interface: pppoe0).
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.200'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.201'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet ' aaa.bbb.ccc.202'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.203'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.204'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.205'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.206'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
        Mar 31 15:58:05 php-fpm 30436 /rc.newwanip: The command '/sbin/ifconfig 'pppoe0' inet 'aaa.bbb.ccc.207'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
        Mar 31 15:58:06 php-fpm 30436 /rc.newwanip: Default gateway setting Interface WAN_PPPOE Gateway as default.
        Mar 31 15:58:06 php-fpm 30436 /rc.newwanip: Gateway, none 'available' for inet6, use the first one configured. ''
        Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: Ignoring IPsec reload since there are no tunnels on interface wan
        Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
        Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: RRD create failed exited with 1, the error is: ERROR: you must define at least one Data Source
        Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: RRD create failed exited with 1, the error is: ERROR: you must define at least one Data Source
        Mar 31 15:58:21 php-fpm 30436 /rc.newwanip: Creating rrd update script
        Mar 31 15:58:23 php-fpm 30436 /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - ddd.eee.fff.ggg -> ddd.eee.fff.ggg - Restarting packages.

    (this is after getting the IP...) The fact that it fails before the interface gets its IP suggests this would fail for both PPPoE and DHCP too... Should this script be run before the interface has an IP? I put the virtual IPs on Localhost and it seems to work but I won't be able to test how it behaves when the connection is reestablished for a few days because of the current situation. I have a question though. Wouldn't it be preferable that the script does as if Localhost had been chosen for the virtual IPs when it "sees" that the WAN interface is actually a PPPoE connection? I absolutely love having this workaround if it turns out it fixes my problem but I am sure others will make the same "mistake" I did... Thank you very much for your help and have a nice day! Nick
  • best practice for modem access

    3
    0 Votes
    3 Posts
    416 Views
    chpalmer
    Yes that is normal. Yes you can build a firewall block rule to block your LAN clients if you wish. Rules are parsed from top to bottom. So:
        pass rule for your computer
        block rule for rest of LAN
        pass rule allowing all (default allow all rule.)
    pfSense will indeed pass any traffic outside its own LAN subnet(s) out the WAN. My biggest question here is why would you be on the same LAN as those you don't trust with your cable modem? What model modem is it anyways? Should not be much they can do other than to factory reset it and reboot it. Which would both be only temporary outages until it got its config file from the ISP.
  • Compatibility between aes-cbc-256 and aes-gcm-256 encryption.

    5
    0 Votes
    5 Posts
    4k Views
    R
    Thanks so much. Ramses
  • 0 Votes
    4 Posts
    516 Views
    Gertjan
    Ah ! Was trying to give some info, as you seem to need it. What are your questions ? Possible to give some details ?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.