That option is in 2.5 already: https://redmine.pfsense.org/issues/9808

Hi, I have been looking for a similar setup, can you give me a few pointers please, thanks

Did you use the metronet supplied dns or use your own?

Fixed now Issue was it seems that I was applying the PPPOE to the WAN interface and not then assigning WAN as re0.911. Thank you so much for taking the time to respond! Regards Ben

What server computer? The one running pfsense or the one you using to access pfsense web gui? That pfsense time is not going to be correct.. Since its not currently able to talk to what you set for its ntp source.

The VPN is actually disconnected or traffic inside it stops? Check for blocked traffic at that time. Check the states still exist. Are you running Snort or Suricata? Check the alerts. Do you have multiple internal clients using the VPN client connecting to the same external server? Steve

@JKnott well not much if I'm honest.... to be clear I haven't set that... In mobile clients I've ticked the "provide a virtual ip address to clients" box and specified 192.168.205.0 with a mask of 24 (as per the instructions I think). I'm not sure what else I'm supposed to do to be honest (all a bit new to me) which was sort of the point of the post. All help gratefully received.

@m0zeid said in Replace Fortigate with pfsense, hd requirment? options to sell fortigate? and other questions: 2x256 gb RAID 0 SSDs (chinese models) About this, I'd change to a RAID1 configuration. We moved from a couple of FG100-D (HA) to 2 pfSense (CARP) with UniFi APs (12 AP-AC-Pro) and pfBlockerNG-devel. No regrets.

Yup that^. Pretty much no place for a 32bit appliance currently. Definitely not running pfSense. Steve

Ouch! Hard to see why that would have caused such problems for Unbound though whilst other traffic was passing. If it loses connection entirely Unbound might use significant CPU trying to connect, though that still looks high. If the card is failing though it could fail in interesting ways, almost anything could happen! Steve

@Vlee said in Locking down web browsing activities: @NollipfSense Thanks! You're welcome! Just so you know; you'll need to disable transparent proxy when you install pfBlockerNG-dev as they will conflict.

Adding a client machine to my test network generates some writes on my test installation, which confirms it is related to the existence of client machines. Since it's unlikely related to traffic (as most of that is logged in RAM), I guessed it maybe something related to DHCP leases. I used a modified version of the find command listed by BlueScreenOfTOM above to identify some files being written to, and it seems like /etc/hosts is being written to quite regularly. I looked at the contents and it seems to be related to the DHCP leases getting written to the /etc/hosts files I believe this is caused by "Register DHCP leases in the DNS Resolver" being selected in the DHCP server settings, so I have removed that for now. Given my hostname is not really legit, these are pretty much pointless anyway. So far, disabling that has reduced the writes to zero. [image: 1579884239319-6cf5ea10-5535-45c3-9d71-535d270fbd11-image.png] So perhaps the mystery is solved? :)

Ah, OK. Well since I can't replicate it in 2.4.4 it's probably something that has been fixed since 2.3.2 was released in 2016. You should upgrade for many reasons but an additional one is to retest this on that hardware/network in 2.4.4. Steve

Run a packet capture on the internal interface do you see the ping requests or replies there? Check the state table for open states using the .25 IP. Make sure you can ping out from the .25 IP in Diag > Ping. Steve

I followed the advice of bmeeks and have the VLAN routing done by pfSense. As my main goal was to ensure high throughput between my Server and domain joined clients (all on the same VLAN) and all of those devices are wired to the Netgear M4300-28G-PoE+ switch, the data is handled at L2 level by the switch and does therefore (to my understanding) not pass via the pfSense box. In the end, I also ditched the ISP Fritzbox because I didn't manage to get PPPoE passthrough working; my ISP gave me a fiber to ethernet converter instead. Everything has been working great ever since.

https://docs.netgate.com/pfsense/en/latest/install/upgrade-troubleshooting.html

Yep, right here (see attachment) under the Interfaces tab. [image: 1579800525307-screen-shot-2020-01-23-at-11.27.08-am.png] Your new LAN can either be an actual network port if you have an open port on your pfsense box, or it can be virtual (VLAN) if you want to do it that way. Then see here for some setup instructions for this new interface: https://docs.netgate.com/pfsense/en/latest/interfaces/interface-settings.html Jeff