My VPN Provider is PrivateVPN. The Log of the VPN Dec 22 10:01:08 openvpn 5717 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Dec 22 10:01:37 openvpn 5717 RESOLVE: Cannot resolve host address: it-mil.privatevpn.com:1194 (hostname nor servname provided, or not known) Dec 22 10:02:07 openvpn 5717 RESOLVE: Cannot resolve host address: it-mil.privatevpn.com:1194 (hostname nor servname provided, or not known) Dec 22 10:02:07 openvpn 5717 Could not determine IPv4/IPv6 protocol Dec 22 10:02:07 openvpn 5717 SIGUSR1[soft,init_instance] received, process restarting Dec 22 10:02:07 openvpn 5717 Restart pause, 300 second(s) Dec 22 10:07:07 openvpn 5717 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Dec 22 10:07:37 openvpn 5717 RESOLVE: Cannot resolve host address: it-mil.privatevpn.com:1194 (hostname nor servname provided, or not known) Dec 22 10:08:06 openvpn 5717 RESOLVE: Cannot resolve host address: it-mil.privatevpn.com:1194 (hostname nor servname provided, or not known) Dec 22 10:08:06 openvpn 5717 Could not determine IPv4/IPv6 protocol Dec 22 10:08:06 openvpn 5717 SIGUSR1[soft,init_instance] received, process restarting Dec 22 10:08:06 openvpn 5717 Restart pause, 300 second(s) I will try with Watchdog option. Thanks a Lot Stefano

First off, let me just say thank you all, for just diving head first without me having any clue what you all needed from me. This network was setup before anyone that works in our dept was even there over 12-13 years ago. We have upgraded equip since then and went to 10Gb routers and switch stacks for furture enhancement but not sure if anything design wise has changed, I'd have to ask our net admin. We all wear many hats, I more than anyone only because I engage in everything I can get my dirty little hands on. Ok so after I learned how to draw, learned what transit meant, then learned how to semi properly map things out, the consensus seems to be that the network is not as bad as originally thought by everyone "so I hope". "creating aliases for allowing and/or denying internet access for certain subnets." this works with our current setup and as far as diagnosing problems, we or I should say our net admin has never had problems doing so so far. Updated map. (Yes I know that 10.31.0.0/19 wireless network is huge. Did it for a reason as it is our guest network. There are only ever about 150-300 people on it at once but my thought was give them an IP and they keep it for I think 2 years. Lets us easily track mischievousness) I will not be making major changes until after the holiday break seeing as I am not at work to see how those changes affect anything. I do have a remote AP at my house with a VM added to our domain so I will continue working/testing other things in pfSense until i get back. [image: 1545516076590-1545431488056-cbb2b239-5e97-4b13-8b9b-b69c38524203-image-resized.png]

I'm an ex-Brit living in Canada - have the same issue. I spent a lot of time playing around with this. It was easier to run a VM machine at home dedicated to the UK and have PF Sense route all it's requests via the VPN to the UK. After much testing, it was the only reliable solution. Then run a remote desktop session on the machine connected to the TV when you want UK TV. By the way - the offline BBC iPlayer app can run on the UK dedicated VM and download material, but if you make sure it stores the material in a place that other machines can access, you can run the offline BBC iPlayer app on other machines looking to that location for material and it works fine. Regards Paul

ok, the arp reset didnt work, i changed the OPT netowork ip to 10.10.0.0/24 instead of 10.0.10.0/30 and it started working! so i think its because of the network range of my lan ( lol my bad) but now when i ping 8.8.8.8 i only get duplicate packages....

What do you mean "no logs"??? Status - System Logs - DHCP. All DHCP client messages are logged there. You're saying there is nothing at all? Also, what do you mean by "I can't capture packets"??? Diagnostics - Packet Capture. The tools are there. Use them.

@marvosa said in Network Access Problem: You could also create a NAT rule to translate your IP to the camera subnet when accessing your cameras from another VLAN, which sounds more like the solution you're looking for. Thanks @marvosa - You are 100% right here - this is for home use, so I am looking to keep the amount of excess HW to an absolute minimum. Can someone give me a few hints - possibly what tab to use and/or references/good keyphrases to google etc. I understand NAT in principle, but I'm very sketchy on the details of how it works in pfSense.

Bump

There are not many VOIP providers anymore that require static port. Who is your VOIP carrier? Im curious if you have an MTU problem.. What kind of internet connection is this?

Ah, yes you're right, I've alson seen pfSense boot notifications. I think it's great to have the ability to get notification, but it doesn't do much good if you can't specify what events you want to get notified about. I know about the mailreport package, and it's great, but it only give you periodic reports, no instant alerts.

By chance were you running snort in Inline Mode? Nvm, I'm thinking of Suricata. Snort does not appear to have a district "Inline Mode".

We'd need more info to offer more targeted advice, but In general, you'll need to: Policy route the static IP's for QBittorrent and Couchpotato on your LAN tab, which it sounds like you have done. BTW, how are these apps using different IP's on FreeNAS? Are they VIP's that are bridged to the LAN adapter? I'd like to know how these apps are communicating on the network and if they truly are sourcing traffic from the IP's you've configured. Add an Outbound NAT entry for your static IP's that is configured to send matching traffic out your VPN interface Verify the rules on your OpenVPN tab are explicit so the traffic you want to be routed thru the VPN isn't matched on the wrong interface.

it worked thanks Derelict. Regards

@babiz Thank you kindly. The /var/log was empty except for the reboot; there were no past logs. That bugged me and I wondered if they were somewhere else I hadn't thought to look for. I have wireshark, but honestly hadn't thought to try it while everything was flipping out. As far as I can tell it looks as if the WAPs attempted to take over when something happened to PFSense. There was a cable modem reboot in there, too, which once triggered some strange IP issues. But without the log (and I was desperately trying to get everything back up) I've got nothing to go back and look at. Thank you for taking the time to read and respond to my post, and point out ways I can in the future better analyze issues. That's a very welcoming approach you have there, and I'm quite thankful for it. ~J

@johnpoz : I had to deactivate pfblocker because it was blocking internet access and once freezed the whole system and I had to reboot. But I don't know for sure if it was pfblocker itself or the rules I have.

There must be something wrong with the installation. The fastest way to recover it would be to reinstall, choosing the option to recover the configuration during the install process.

https://www.netgate.com/docs/pfsense/install/upgrade-guide.html#upgrading-from-versions-older-than-pfsense-2-4-4 Specifically see the part at the end of that section about putting kern.vty=sc into /boot/loader.conf.local.

Thanks for letting me know. I decided to upgrade on HW mainly because I want the box to do more. IDP, bandwidth monitoring and Traffic shaping...

Ah, OK and the IPTV stream is being accessed over the VPN when pfSense is in play? Most likely the IPTV service has blacklisted the VPN providers IPs as the source of either hack attempts or users bypassing geo restrictions. Try disabling the VPN and testing through pfSense. Steve

Its upgraded I’m not gonna mess with it again until I have too.. I still have my sg2220 has my backup I probably need to update it to 2.4.4 at some point!