• Confusion About Log Entry

    11
    0 Votes
    11 Posts
    1k Views
    D
    @johnpoz said in Confusion About Log Entry: So anything someone or something running on that device could be doing the queries.. Say in a remote desktop session..

    Thanks for your feedback. I guess that might be technically possible, but I think there would be a whole bunch of hoops that would have to be jumped through. First of all, the server is part of an MS domain. So only an authenticated user that can provide proper login credentials could connect to it (of which there are only two), and then the only things that they could access are the remote apps installed in Remote Desktop Services. And those connections can only happen from a LAN address; nothing is open to the WAN or other internal VLANs. Secondly, the server has Microsoft Server 2012 as its operating system and does not have the DNS role installed on it, so I don't think it could respond to a DNS request from another machine. And thirdly, if that server itself did make a DNS request via its own ethernet adapter, it would be routed first to the domain controller at 192.168.163.10, which would then forward to pfSense at 192.168.163.1. In that case I would expect to see the domain controller's IP address (192.168.163.10) as the source of the query. It really seems more likely to me that I must have missed something in my pfSense setup.

    @johnpoz said in Confusion About Log Entry: Might be helpful.. I would for sure actually sniff on that device that it's sending the specific queries you're seeing, and this would also allow you to see if anything is asking that IP for this which is somehow being sent on..

    I'll run a sniff and post back my findings. Would you run it with the Host address as that of the server (192.168.163.25) or scribe.logs.roku.com?

    @johnpoz said in Confusion About Log Entry: I see queries for that scribe.roku.com on my network all the time - but they all come from my rokus - but there could be some sort of software that also does queries for that?? There is some sort of roku app that can run on windows 10 for example, not sure if just a remote - but something like that could be doing the queries.

    The weird part is that I have no blocked queries whatsoever in pfBlocker reports on the Roku VLAN (192.168.168.xxx) for scribe.logs.roku.com. All DNS requests on my system for scribe.logs.roku.com are showing as coming from the server. Resolver is listening for queries on All networks, so I would think if the Roku was sending them out they would be blocked too. There is a Roku app installed on a tablet, but that is on a completely different VLAN (192.168.160.1/24) than what we have discussed, and which is also isolated from the LAN and the Roku VLAN. I would find it hard to believe that the server has a rogue app on it, as the only things installed on it are Word, Excel, a PDF reader and a CRM. It's running a pretty stripped down Microsoft Server 2012 and not a bloated OS like Windows 10 Home. Thanks again for your help! I'll work on sniffing around tomorrow and will let you know what I find.
  • Can't access webGUI

    12
    0 Votes
    12 Posts
    3k Views
    stephenw10S
    Ah, that would do it!
  • 0 Votes
    28 Posts
    3k Views
    johnpozJ
    @sergei_shablovsky What exactly are the rule(s) they enabled? Because I still do not get what the issue is here. When asked if they also disabled the anti-lockout you stated no. It is not possible to block your LAN network from accessing the GUI with the anti-lockout rule there - that is the whole point of it!! Sure you can block internet access, and you could block DNS doing that - but access to the pfSense LAN IP on the GUI or SSH port would still be allowed by the anti-lockout.. [image: 1636982261256-firstrule.jpg]
  • Bridging WAN VLAN connection to pfSense KVM guest

    2
    0 Votes
    2 Posts
    410 Views
    stephenw10S
    Since you can still specify the VLAN tag in the modem when it's in bridge mode, I would expect that it handles the VLAN and pfSense would only need to set up the PPPoE session. That's how my modem works and it's quite common. However, your modem may not behave like that. I would test this by just establishing a PPPoE connection from a laptop connected to the modem. Remove any potential virtualisation issues. Steve
  • pfSense - Low throughput since 2.5.x update

    7
    0 Votes
    7 Posts
    1k Views
    stephenw10S
    Ok, and specifically you were seeing ~1Gbps with the same test in 2.4.5p1? Can you test a 2.6 snapshot? There have been a number of improvements gone in since 2.5.2 was released. Steve
  • max connections - nat through a apache webserver

    3
    0 Votes
    3 Posts
    523 Views
    M
    @stephenw10 Thank you stephenw, I have now found my issues: the webserver closes the connection at 150 (per default). I have done Apache tuning, now all is good. Thank you so much.
  • [Solved] DHCP Denied

    dhcp
    10
    0 Votes
    10 Posts
    2k Views
    AndyRHA
    That was most of the problem. I also had to change the VID of each port on the switch and it worked after that. Thank you for the help.
  • 0 Votes
    3 Posts
    932 Views
    R
    @viragomann That triggered something in this tired brain. :) I want to access and reconfigure the device (I'm not its original admin) with IP 10.0.5.251 for a different subnet. The device is statically configured and, from a previous packet capture, it appeared that it is configured for a default gateway of 10.0.5.1. After changing the virtual IP to 10.0.5.1, I can ping/access the device. Thank you!
  • Pfsense control management on Balena Cloud?

    3
    0 Votes
    3 Posts
    465 Views
    pfrickrollP
    @stephenw10 No, no remote deployment. You flash pfsense box with Balena and pfsense locally and then put in the remote office. Then from Balena VPN - SSH into it and perform troubleshooting/configuration within containers? I am not a coder that's why I am asking this question.
  • Status -> Monitoring shows no activity

    41
    0 Votes
    41 Posts
    8k Views
    K
    @stephenw10 said in Status -> Monitoring shows no activity: Hmm, well that's odd! It 'feels' like some clock/timestamp issue. Hard to see what though. The data files looked good IIRC. Steve Yeah, most probably. I'll leave it at this and move on, at least for now. Hopefully, it doesn't come back.
  • Speed difference between WAN and LAN

    5
    0 Votes
    5 Posts
    997 Views
    stephenw10S
    That ^. 200Mbps is an odd number though. Usually with a link negotiation issue you would see something below 100Mbps or even below 10Mbps depending on what it falls back to. That looks more like it's negotiating at 1G but seeing errors at a guess. Steve
  • WAN Static IP Question

    Moved
    2
    0 Votes
    2 Posts
    402 Views
    V
    @unififcf If your ISP provides DHCP, the gateway as well as the primary WAN IP are configured automatically. You have to set the WAN IP settings to DHCP. In this case you have to assign the static IP in Firewall > Virtual IPs as type "IP alias" to the WAN.
  • NIC speed change depending on ISP

    2
    0 Votes
    2 Posts
    324 Views
    V
    @ppal Try another network cable.
  • VERY slow System Update

    46
    0 Votes
    46 Posts
    6k Views
    GertjanG
    @sergei_shablovsky The answer is: no. My iPhone also decided to update itself to 15.1 (2 GB download) and the rest of the company's network was also active. I also use an IPv6 connection, that tunnels IPv6 traffic out over the WAN inside IPv4 packets. So my IPv6 goes over the IPv4 WAN (technically, I have a double WAN setup). I've shut down our main switch, so I was using the only PC on the network. Test again:

    [2.5.2-RELEASE][admin@pfsense.my-local-network.net]/root: fetch -v -o /dev/null https://snapshots.netgate.com/amd64/pfSense_master/installer/pfSense-CE-memstick-2.6.0-DEVELOPMENT-amd64-latest.img.gz
    resolving server address: snapshots.netgate.com:443
    SSL options: 82004854
    Peer verification enabled
    Using CA cert file: /usr/local/etc/ssl/cert.pem
    Verify hostname
    TLSv1.2 connection established using ECDHE-RSA-AES256-GCM-SHA384
    Certificate subject: /CN=*.netgate.com
    Certificate issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
    requesting https://snapshots.netgate.com/amd64/pfSense_master/installer/pfSense-CE-memstick-2.6.0-DEVELOPMENT-amd64-latest.img.gz
    remote size / mtime: 439979895 / 1636700812
    /dev/null                                      419 MB 1868 kBps    03m50s

    That is close to 19 Mbits / sec, my ADSL down bandwidth. It was using IPv4 - as IPv6 (ipv6.he.net) would be slower for me.
  • Moving from house to apartment with Google Fiber: pfSense?

    5
    0 Votes
    5 Posts
    1k Views
    G
    @newberger glad to hear it. Even before it was officially supported you just had to create a VLAN 2 with a QOS of 3 on your WAN port and you were set. I was so happy to get rid of their network box. Hope you enjoy the service and your pfsense experience.
  • PFsense Squid Proxy issue to communicate cloud based software

    2
    0 Votes
    2 Posts
    328 Views
    D
    Hi Guys, This issue has been resolved. There is nothing wrong within the proxy and I figured out reinstalling the software agent. Thanks
  • Alias URL error

    3
    0 Votes
    3 Posts
    716 Views
    M
    @viragomann It was intuitive to put URLs in Firewall/Aliases/URL simply by the name. Didn't think to look at Firewall/Aliases/IP to find the ability to enter hostnames rather than only IPs. I should have looked beyond the intuitive, thanks.
  • Is anyone using pfSense as a Certificate Authority for their Own Network?

    9
    0 Votes
    9 Posts
    4k Views
    G
    Thank you @johnpoz for taking the time to write such a detailed reply. Do you know if pfSense can create a certificate that is signed by an Intermediate CA that is trusted due to chain of trust to a Root CA? I have managed to get FF to work by importing the intermediate cert into Firefox, but if I just import the root CA it doesn't work. I just went back to revisit this and it looks like I didn't create my certificate correctly, because when I execute openssl s_client -connect against my TrueNAS server with a server key created by pfSense, I only have the Intermediate CA in the certificate chain.

    @johnpoz said in Is anyone using pfSense as a Certificate Authority for their Own Network?: @guardian I have been doing this for years and years.. While I don't see the need of intermediate CA setup.. This is only certs for my stuff, and its all on my secure/trusted home network anyway..

    @redsector73 said in Is anyone using pfSense as a Certificate Authority for their Own Network?: @johnpoz Any chance you can link the posts or a guide, this is something I need to do, inclusive of plex / printers etc but haven't got around to yet. Sorry OP not trying to hijack your thread, just interested.

    @redsector73 So sweat - maybe I can help. If you are on Firefox:
    Settings > Privacy & Security > Scroll down to Certificates
    Click "View Certificates"
    Scroll to the bottom and click Import
    Navigate to your CA Certificate (.crt file you have exported from pfSense)
    Click Open
    Any certs you sign with that CA will be trusted by the browser (as long as you have created the certificate correctly). On Chromium there is a "Manage Certificates" under the Advanced section of "Privacy and Security". I suspect that Google Chrome is very similar. Hope this helps. [I should have refreshed before sending this... I wrote this yesterday, but forgot to post - @johnpoz has a really great writeup in the link he just added to his previous post.]
  • dnssec and DoT incompatibility question

    6
    0 Votes
    6 Posts
    930 Views
    johnpozJ
    @jc1976 said in dnssec and DoT incompatibility question: Why is there a compatibility issue between DoT and dnssec? There ISN'T, as I just went over!! If you're going to forward, be it you're doing normal UDP 53 or DoT.. Uncheck to use DNSSEC - because it doesn't matter.. Where you forward to is either doing DNSSEC or they are not.. You checking that box isn't going to do anything but cause extra DNS queries..
  • Strange Wireguard (possibly) issue

    1
    0 Votes
    1 Posts
    321 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.