• How to enable ssh and remote web UI access from the console?

    Moved
    10
    0 Votes
    10 Posts
    4k Views
    rcfaR
    @rcfa said in How to enable ssh and remote web UI access from the console?: @stephenw10 Just one more question, which I can't seem to find answered: what sort of wildcards does easyrule accept? e.g. easyrule pass wan any any any any because I don't mind opening up the system completely, since it's only going for the time until the configuration backup is uploaded, so the chance of someone hacking the system in those 90 seconds is pretty low. OK, I tested it somewhere: the "any" wildcards work. Might be nice to mention that in the documentation...
  • WoL issues

    1
    0 Votes
    1 Posts
    206 Views
    No one has replied
  • Correct SMTP Settings for O365 w/ pfSense

    6
    0 Votes
    6 Posts
    4k Views
    S
    @adrianoebm See that link I posted above, https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-office-3. Microsoft has turned off SMTP AUTH (option 1 on the page) for new accounts and those with Security Defaults enabled.
  • Zoom Blocked, Completely Stumped.

    34
    0 Votes
    34 Posts
    4k Views
    johnpozJ
    @dma_pf here are some tests you might want to do to see if your isp is intercepting your dns.. so query a specific authoritative NS for a record - say www.google.com to one of the actual google ns.. You should see aa in the response field showing that it was an authoritative response.. [image: 1648217341577-aa.jpg] Notice when I just ask some other NS for www.google.com I do not see the aa in the flags.. This means it was not an authoritative response.. This points to dns being intercepted if you don't see the aa when doing a directed query to specific authoritative name server. Another simple test to see if all dns is being intercepted is just do a query to some IP you know for sure isn't actually running dns. So for example 1.2.3.4 sure and the hell is not providing dns.. But if its being redirected - sure looks like it is. So a quick test to see if all dns is being redirected is to just do a directed query to some IP you know for sure is not providing dns services - if you get a response, then your dns is being intercepted. [image: 1648217772988-redirect.jpg] another sign of interception is when you query an authoritative ns for a record it is authoritative for.. You would get back the full TTL.. Notice I got a 300 back when I asked ns1.google.com for www.google.com, but when I asked another ns I got back some odd ttl.. That was something lower than the actual ttl - since it was from cache and not from the actual authoritative NS.. Another possible hint of dns shenanigans is odd response times. Let's say 1.2.3.4 was actually some dns I could talk to.. But look at the response time I got back, 0 (since my redirection is local).. But if through some vpn while a query to maybe 1.2.3.4 might take 40ms, if you're seeing much lower response time than what would be normal - that points to dns interception as well. There are many clues to look for to see if your isp or vpn is messing with your dns..
  • Multiple LANs versus VLANS?

    11
    0 Votes
    11 Posts
    1k Views
    D
    Now that I actually have a little free time, I'm starting to play with my pfsense box like this: -10.1.1.1/24=management LAN -10.20.30.0/24=LAB env., have a few poweredge servers with vsphere 7, TrueNAS Scale, unRAID, might get lucky and learn something configuring Microsoft server 2022 ADDNS/DHCP within vSphere on this LAN. -172.16.1.1/24=Personal, or basic home network for laptops, etc. -192.168.20.1/24=IOT devices I guess May try to figure out using the other two ports for the home and lab LANS.....future endeavor maybe. Directing traffic via firewall rules. Management LAN will have access to ALLOW ALL and of course pfsense GUI All other networks, BLOCKED from each other and also blocked to pfsense GUI I dunno.......it all sounds right in my head. I'm sure I'm missing some things. You guys foresee any issues? Is all this needed? I dunno.... Will I break something? All signs point to yes..... Will I learn something? Fosho!! Will the kids if and when I shut this mother down with some jacked up configs? Of course but.......I grew up without internet, they can go without it on occasion.
  • Snort: Block but don't show alert?

    snort suppress block
    3
    0 Votes
    3 Posts
    1k Views
    L
    @bmeeks : Bummer. But I understand now. Thanks!
  • 0 Votes
    2 Posts
    810 Views
    stephenw10S
    It's because of the new RSC support in the updated hn(4) driver which is apparently broken. It only supports TCP so when you use OpenVPN (UDP) the traffic is unaffected. See: https://forum.netgate.com/topic/169884/after-upgrade-inter-v-lan-communication-is-very-slow-on-hyper-v Steve
  • DDNS doesn't update after Opt1(WAN2) recovery

    7
    0 Votes
    7 Posts
    955 Views
    stephenw10S
    Mmm, OK looks like that bug then. Updates will be on the report as they are found/patched.
  • Pfense/Openwrt : bridge interface > no network on the wireless wifi

    4
    0 Votes
    4 Posts
    1k Views
    stephenw10S
    If you don't need to filter between them then it's better to just have one interface as VLAN10 in pfSense and connect both those things to the vswitch with VLAN10 trunked directly. You usually can bridge VLAN interfaces like that but when you add ESXi that complicates things. You could also try bringing that traffic in untagged to pfSense and bridging those interfaces directly if you need bridging. Steve
  • Wifi interface -> NAS interface for video streaming?

    4
    0 Votes
    4 Posts
    694 Views
    stephenw10S
    In some situations that's all that is required. I have done exactly that on a system with a 'Smart' TV DLNA client and a NAS on different VLANs and it connected immediately. Steve
  • Identify traffic from MAC address or IP?

    2
    0 Votes
    2 Posts
    433 Views
    Z
    All good. Found a way. SSH into pfSense and run pftop -f 'src host 192.168.0.XXX'
  • Pfsense / Windows 10 Pro / File sharing with Iphone.

    13
    0 Votes
    13 Posts
    1k Views
    M
    @johnpoz I finally got it to work. Believe it or not, I experimented quite a bit and finally changed the format from exFAT to NTFS and it started working fine. Goes against everything I read on Google. Who knew you couldn’t trust the internet.
  • General questions

    15
    0 Votes
    15 Posts
    1k Views
    D
    @stephenw10 very true. Thank you anyway
  • Solved - This system is on a later version than official release ??

    4
    0 Votes
    4 Posts
    762 Views
    bingo600B
    This was prob. a config error from my side ... First i removed (deleted) all the "old patches" [image: 1647969183923-7601eb38-f389-4eea-bb9c-0e5c68602e83-image.png] The system still said it was on a newer version. Then @SteveITS suggested to go to the update , and there i saw it ... My "home box" is still 2.5.2 , and has this set [image: 1647969047267-f1486378-7058-449f-a5cd-ba0b34f6531d-image.png] That was also set on the new box that runs 2.6.0 [image: 1647968958885-6060f2a6-afe7-4ec4-ac84-35b60c033ff9-image.png] After i changed to 2.6.0 the system showed i was on the latest version Thanks Gents Now i might try to "hand delete the patches" in the xml , and reupload. If you have a backup w. patches applied , and the main box dies , it's not easy to remove the patches , unless doing it in the xml. Edit: It was quite easy to remove all patches from the config.xml You just have to search for the below two XML Tags <patches> </patches> And delete everything between them. Edit2: As i fixed the DNS error too , in the new config.xml. And restored the config again wo patches. The packages were also installed .... All except Avahi , but i was notified about that , and just did an install of that one. Avahi installed wo any probs. /Bingo
  • pfsense freeze

    9
    0 Votes
    9 Posts
    1k Views
    stephenw10S
    @m0l50n said in pfsense freeze: with mSATA, am I better enable RAM Drive anyway? Not really. It reduces writes but also prevents using some packages and saving crash reports and you will lose some log data in the event of a power outage. With an SSD the drive writes should not be an issue anyway. Steve
  • System Time changed after reboot

    2
    0 Votes
    2 Posts
    398 Views
    stephenw10S
    Did you see anything similar on other VMs? Are you running pfSense 2.6? The system time is determined by whatever the hypervisor is sending for the system clock. If it was using a much earlier time, like 1970/1/1, pfSense will see that and set the clock at boot to the most recent known time source but not if it's ahead already. Steve
  • thinking about 2.5Gbps Switch upgrade, any issues with pfsense?

    10
    0 Votes
    10 Posts
    1k Views
    stephenw10S
    @ghost-0 said in thinking about 2.5Gbps Switch upgrade, any issues with pfsense?: Is this instability due to loops or a poorly configured pfSense? Almost certainly not. If you get a flood created by a loop you will not be able to access anything. Since merely restarting OpenVPN corrects it, and it sounds like that is a WAN connection, my first guess here would be that the default gateway is still set as automatic and is switching to something invalid. But STP loop prevention should only be to prevent loops in the event something is mis-wired IMO. If your switches are connected correctly you should not have any loops. Should I upgrade to 2.6.0? It depends but probably. It will do nothing for STP though. Steve
  • pfSense is slowing down my internet

    Moved
    7
    0 Votes
    7 Posts
    838 Views
    D
    @dinu Issue resolved, I have moved all my VMs to Hyper-V and I am getting 100% bandwidth of 145Mbps download and upload. Thanks for the support guys... Dinu
  • How to block websites with pfsense without proxy?

    3
    0 Votes
    3 Posts
    574 Views
    noplanN
    pfblocker with Dnsbl is your weapon of choice here Python mode and everything is fine and good to go... Block Br np
  • Reboot question

    5
    0 Votes
    5 Posts
    788 Views
    C
    @stephenw10 thank you again!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.