• Random client IP's just stop working - No Internet

    11
    0 Votes
    11 Posts
    1k Views
    ccgllcC
    Let me summarize: The vast majority of functionality is just fine.  Thus layer 1 appears healthy.

    From a statically addressed PC:  Sometimes SOME Internet sites are unreachable, as described below, but most work just fine.  Thus DNS, DHCP, cabling, DNAT rules, etc. are unlikely to be a problem.

    From a statically addressed linux box:  I've noticed intermittent access to zec.slushpool.com port 4444.  I have 100% access from St. Louis, and "sometimes" access, lasting minutes to days, from a linux box behind the PFSense firewall of concern.  A PC on a different port of that same concerning PFSense firewall also has "sometimes" access to zec.slushpool.com port 4444 - and access outages do not correlate between the PC and the linux box.  I don't think there is anything special about zec.slushpool.com - it just happens to be the site the linux box and PC are configured to use.

    From my 160+ DHCP addressed processing machines, all linux based, I've seen a couple of instances of not being able to reach their primary site oh1.kano.is and have confirmed with the operator of that site they were not experiencing any issues.  Their backup site, stratum.kano.is, functions fine when needed, so I only lose about 5 minutes of failover time.  I'm stating this just because it's likely related.

    DNS resolution works fine ALL the time.  Pinging of zec.slushpool.com fails when access stops. Access to both zec.slushpool.com and oh1.kano.is will randomly and independently toggle, without any administrative changes occurring on the PFSense box.  (Note that oh1.kano.is is AWS based and requires a TCP ping, not ICMP).  Normally access is stable for hours - but under a curve.  E.g., I've seen access for as little as a few minutes to days.

    I have not specifically checked if the linux box can ping the firewall, but SSH sessions continue to work.  Clearly the PC can access the firewall since most web browsing functions.

    Rebooting the PFSense box will sometimes resolve the access issues, although it's become a guessing game as to any individual website working or not.  Most do. Changing my external static address resolved about 90% of the access issues, at least for now, but that only occurred a few days ago. ALL of these problems started when I upgraded recently.  Prior to that I had no problems accessing everything.

    ps.  I've disabled Snort blocking just to eliminate it from suspicion.  Snort is the only add-on package installed.  Also switched to 8.8.8.8 and 8.8.4.4 to minimize the chances of this being a DNS issue, although the PFSense DNS Resolver is enabled (provides effective caching for most of my machines).

    pps.  Basic firewall health stats:  [image: 193f38f148.png]
  • MOVED: openvpn blues

    Locked
    1
    0 Votes
    1 Posts
    282 Views
    No one has replied
  • MOVED: File sharing problem ?

    Locked
    1
    0 Votes
    1 Posts
    224 Views
    No one has replied
  • LDAP AD Fails with Organizational Unit Issue

    2
    0 Votes
    2 Posts
    964 Views
    DerelictD
    I would search Google for samaccountname and pfsense and see what others have done. All about configuring the authenticator with the requirements for your LDAP server.
  • Centurylink PPPoE over Vlan Authentication Problems.

    5
    0 Votes
    5 Posts
    2k Views
    chpalmerC
    Fiber or DSL?  What Modem??  NAT or Bridge?
  • SR-IOV VF- VF - VLAN communication issue

    2
    0 Votes
    2 Posts
    810 Views
    D
    Searched further... Looks like I'm having a similar issue "ingenium" had in March 2017 with pfsense 2.3.3 => https://forum.pfsense.org/index.php?topic=126742.0
  • PfSense suddenly stopped routing

    6
    0 Votes
    6 Posts
    881 Views
    B
    Well, that was incredibly stupidly easy in the end … went to my FIOS box outside the house, unplugged and replugged the network cable that leads to the pfSense box, and all is fine now. And yea, I guess my new project is to replace that cable. Thanks for the help! -rob.
  • Kernel PTI disabled

    10
    0 Votes
    10 Posts
    23k Views
    stephenw10S
    Enabling it in pfSense prevents users/processes from accessing the memory regions of other users/processes by exploiting the Meltdown vulnerability. As I understand it, that only affects users/processes running in pfSense, not pfSense as a VM. You need to be looking for a fix in the hypervisor for that. In general Meltdown/Spectre has minimal impact for most pfSense use cases where there are not multiple users with different privilege levels running on the firewall. IMO  ;) Still better to have it available than not though. Steve
  • GDPR compliance

    6
    0 Votes
    6 Posts
    1k Views
    C
    @mdes So you're probably aware of the following, but it does cover what I understand to be the most relevant aspects of GDPR in relation to a pfSense device. https://www.firewallhardware.it/en/gdpr-pfsense-opnsense/ You'll know what you are using the device for, so some aspects will affect you more than others.
  • Trunking VLANs on interfaces

    Locked
    48
    0 Votes
    48 Posts
    9k Views
    DerelictD
    No, just idiotic network design.
  • How to reach new VMs in a VPC/AWS environment

    1
    0 Votes
    1 Posts
    187 Views
    No one has replied
  • ISA Server

    2
    0 Votes
    2 Posts
    377 Views
    KOMK
    Control internet as per user (student) Are you talking about a URL filter here?  Squid + squidguard can do AD auth. You should try it out in your lab or test environment, and ask questions as you go if you get stuck.
  • Delay initialization of a bridge interface?

    2
    0 Votes
    2 Posts
    278 Views
    Z
    Of course I figured out the answer myself once I started digging around a bit more.  I'll leave this here in case anyone else comes looking for something similar. The solution… In OpenVPN custom options, add...
    ```
    --route-up "/sbin/ifconfig bridge0 span ovpnc1"
    ```
    Bear in mind, I'm using this to carry the output of a span switchport over to another network in another location, hence 'span' in the command above.  If you just need to join the bridge, use 'addm' instead of 'span'.
  • Pfsense start problematic, need some advise

    4
    0 Votes
    4 Posts
    1k Views
    KOMK
    It's that simple.
  • Linux machines and VMware ESXi hosts not working on pfSense

    8
    0 Votes
    8 Posts
    805 Views
    emammadovE
    I will try this at work tomorrow. Note: I am using vSphere Client to connect to VMware ESXI machines.
  • ESXI VM shutting down by itself

    4
    0 Votes
    4 Posts
    443 Views
    jimpJ
    The firewall can't do that on its own. Something had to trigger it, most likely the hypervisor sent a shutdown to the VM. Check your hypervisor logs.
  • Slow peering = slow IPsec. Any way to route around?

    1
    0 Votes
    1 Posts
    317 Views
    No one has replied
  • PF sense Intro Squid+HTTPS+Exclude LAN IP's

    3
    0 Votes
    3 Posts
    298 Views
    H
    My eyes! All that's missing is a scrolling marquee. Unless you have a sight issue, then I apologize, could you try to use a normal sized font? Speaking of fonts, it's like a variation of comic.
  • How to connect to opt1 from wan side to access server on other network

    11
    0 Votes
    11 Posts
    963 Views
    E
    So we got everything working fine. When we use vpn we can connect to our server on opt1 and everything. But now we want to get external access to our server using the opt1 interface. But when we forward the port it doesn't work. We want to forward a port to our server that is on the opt1 interface. Example: external ip:port x -> to our server that is connected to the opt1 interface
  • 0 Votes
    4 Posts
    928 Views
    M
    Veeam 9.5, vmtools installed. Not sure if quiescence was enabled, I've already scrapped that pfsense instance and deployed a new one, had to reconfigure everything from scratch. I don't think it was a write issue, I had 30 days worth of backups and every single one of them had the same issue. I have already restored a few other pfsense firewalls and none had this issue restoring from Veeam. Bear in mind this was one of the first pfsense devices I deployed like 4+ years ago, so it could be that some update screwed it up. I tried file level restore but I could not get the appliance working; as it was an urgent matter we just ended up reconfiguring it from scratch.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.