• Monitoring Gateway

    0 Votes
    55 Posts
    10k Views
    hendi
    @stephenw10 said in Monitoring Gateway: "Hmm, you might try disabling ntop-ng as a test. It can use resources and cause problems. Though I don't see any direct evidence of that here." I tried this from the beginning but without result.
  • SSH connection lag/drop

    0 Votes
    2 Posts
    398 Views
    @ki3den I figured it out :) well, with some help from r/Networking, a mod there explained a bit about asymmetrical routing that I had forgot about - the switch is aware that the client device is directly connected, so it sends packets direct to the other device (?) I suppose. So that's why I was getting login/feedback from the switch in my session. But, this caused the state in the firewall to drop/timeout. The underlying issue was... that I forgot the dang default gateway on the switches lmao edit: and, I still had both IPs on the switches.
  • 0 Votes
    10 Posts
    910 Views
    @mattpdx86 You mentioned the server is in VMWare Fusion, is it NAT? or is it on the same network as the host (bridge mode)? Where is the Windows 10 device, is it also in VMWare? Maybe you mentioned it but I missed it if you did... It's been a long time since I had to set up Fusion (people at work largely switched to Parallels) and I am not a MAC person... but I think the default is to NAT the VM. Bridged mode would give the VM an IP in the same network as the host is in, but NAT has a software firewall that may be an issue here if the server is natted. Same for if it's the Windows 10 machine if it is the natted one. If they are on the same network, then PFSense has nothing to do with it at least in terms of firewall. It is best to have the Server 2012 box handle DHCP and DNS, and give out via DHCP, ONLY the IP of the 2012 box for DNS. Have the 2012 server then forward DNS to the LAN IP of PFSense, and let PFSense take it from there for any address that is NOT in your internal network. Otherwise, you need a host override for the IP of the server AND a host override for the domain name, pointing it to the server IP. If you have more than one server, point the domain override at the master roles holder (or the PDC Emulator role holder if the roles are split amongst several DCs). When joining a domain, the desktop is looking for the DOMAIN, not the server.
  • Request for Dashboard Tweak

    0 Votes
    11 Posts
    1k Views
    @stephenw10 Agree, but do you know how pfsense determines the WAN link is UP? When I reboot with wrong credentials my WAN static IP is shown on the Dashboard which I can ping o.k, the UP timer is running but I can't do anything else and that puzzles me? My Pfsense box is behind an OpenReach fibre modem. Can that issue an IP address from the ISP which does nothing until the link is authenticated by the firewall?
  • Errors during boot-up

    0 Votes
    3 Posts
    471 Views
    @stephenw10 Thanks, this helps a lot.
  • Automation of users and certificates creation

    0 Votes
    4 Posts
    450 Views
    stephenw10
    No, pfSense is intended to be used through the webgui. There will be functions that only work that way. But you could likely create a php shell script that created users with certs. It would need to be coded directly though. If you have a very large number of users you probably want to be using some external authentication server anyway.
  • Bug Report (?)

    1 Votes
    3 Posts
    431 Views
    +1 Regards
  • PFSense Postfix package

    0 Votes
    3 Posts
    969 Views
    @biggsy thanks for the Quick reply. I will use a Docker image as it is only going to be a low load.
  • send certificate by mail on renew?

    Moved
    0 Votes
    5 Posts
    665 Views
    @jimp I've restarted the service and that solved the problem.... HACKERMAAAAN
  • pfSense 2.6.1 coming?

    0 Votes
    11 Posts
    2k Views
    stephenw10
    Which issue specifically is that?
  • Netflix/HBOMax not working besides phones/pc

    0 Votes
    3 Posts
    484 Views
    @johnpoz All of the devices use same dns server. It's veeeery strange. I disabled also ipv6 just in case, but nothing works
  • WebUI: "website sent back unusual and incorrect credentials" - MS Edge

    0 Votes
    5 Posts
    4k Views
    stephenw10
    The only other thing it does is restart the webgui to use the new cert.
  • Using Aliases outside of Firewall section possible?

    0 Votes
    3 Posts
    404 Views
    @steveits It doesn't look like they are allowed in those various configurations I mentioned. I've been having to hand-type the networks and ports anywhere outside of the Firewall tab.
  • How to block Web GUI for Squid users?

    0 Votes
    1 Posts
    154 Views
    No one has replied
  • 23.01: dHcpleases - Could not deliver signal HUP to process

    0 Votes
    3 Posts
    407 Views
    @cmcdonald Thanks. I did mess with DNS settings quite a bit lately if that could set this off... Last message about two hours ago, about the time I was done. Fingers crossed that was it. :)
  • Remove IP from Snort Suppress

    0 Votes
    2 Posts
    197 Views
    NogBadTheBad
    @troy-0 Remove the offending lines from Suppression file:- Services -> Snort -> Suppression -> List Then hit save.
  • Upgrade to 23.01 "undefined array key"

    Moved
    0 Votes
    1 Posts
    259 Views
    No one has replied
  • PPPoE with vlan

    0 Votes
    54 Posts
    11k Views
    stephenw10
    Ah, nice! Yeah it's very easy to get stuck down the wrong path with something like that. Sometimes you need to re-examine the problem. Steve
  • VPN Configuration Question

    0 Votes
    6 Posts
    816 Views
    Not exactly what you asked for, I do not have multiple pfSense devices here in real action. I am using IPsec for site-2-site VPN, but because remote devices supports only IPsec v1, the VPN connection is only established by demand (I enable the tunnel in pfSense GUI). For remote access to my LAN I use both, IPsec (v2) and Wireguard. Wireguard is really fast compared to the IPsec, but some complain, the client is less secure when the mobile device gets lost. With IPsec, you can specify an individual password when establishing the connection, with Wireguard all settings are stored in the configuration. So if someone has physical access to the mobile device, he just opens the Wireguard app and is able to establish a connection. Regards
  • script schedule backup pfsense to ext drive

    0 Votes
    4 Posts
    579 Views
    Gertjan
    @troubleshooting74 You need none of those. To download an openvpn client config file, go here : OpenVPN > Client Export Utility and over a created user ( System > User Manager > Users ) you can select : [image] For most of the options, the needed certs will be in the ovpn file. See here https://www.youtube.com/@NetgateOfficial/video and have a look at : "How to use pfSense Plus OpenVPN Client Import Package", "Configuring OpenVPN Remote Access in pfSense Software", etc.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.