• Brand new 1100 crashed

    0 Votes, 3 Posts, 663 Views
    @rico That has literally never worked for me until now. Thanks!
  • Any news about relayd?

    0 Votes, 8 Posts, 1k Views
    @jimp Thank you for the reply. I have previously researched the solutions you suggest. First, X-Forwarded-For does (obviously) not work when using TCP forwarding in HAproxy. The proxy cannot add an extra header to the HTTP request if the request is encrypted. HAproxy tries to solve this using the PROXY protocol, but that does not work with Microsoft IIS (any version). HAproxy's transparent IP is an advanced source IP spoofing that requires a very specific setup in regards to the internal servers' remote gateway settings. It won't work with our current setup. We could possibly change our server to make it work, but really - all this extra work for what? Just a much more complicated setup with extra load on our firewalls, larger attack surface (proxy vs NAT) and a non-standard hack to route return traffic (when using transparent clientIP). Relayd is very simple and much more secure by design. Even if there is a problem with the SSL implementation in relayd it is only used for the internal checking of server status (I assume), so it wouldn't be a serious threat to our servers. Since relayd is simple, we can probably write a small script and have it run every second or so. Checking the server status with curl and modifying a NAT alias with aliasmod would actually be pretty similar to relayd in our case. I'm just a bit annoyed by the assumption that HAproxy can do what relayd does, because that is just plain wrong.
  • pfSense internet goes down all the time

    0 Votes, 38 Posts, 6k Views
    johnpoz
    No it's not, it just turns off because of non-interaction. It just goes poof off. Can be hours into watching, or just a few minutes. Sometimes I've seen it happen a few times in a row. If you look up the TV brand you see quite a few people complaining about it. But I wonder if it is power related. Not going to hurt to have a UPS on it ;) When it shuts down for a normal reason you see an icon in the top right showing power down. When this happens it's just "poof" off, like you pulled the plug or something.
  • pfSense + Omada controller

    0 Votes, 11 Posts, 7k Views
    @ahmetakkaya I agree with noplan... you can and should do this with 2 VMs on a single machine. The Omada controller is free to download for Windows or Linux (https://www.tp-link.com/us/support/download/omada-software-controller/). There are many choices of VMs for Linux... take your choice. Then install pfSense on a separate VM. You just have to spend some time configuring the interfaces. You really want to keep the firewall separate from other software.
  • auditd not available / can't run it

    0 Votes, 2 Posts, 359 Views
    stephenw10
    It's not included in pfSense. There's no easy way to add it outside installing it from FreeBSD, with all the reasons that's a bad idea: https://docs.netgate.com/pfsense/en/latest/recipes/freebsd-pkg-repo.html#concerns-warnings
    Steve
  • PPPoE with VLANs (Phone/IPTV)

    0 Votes, 3 Posts, 865 Views
    stephenw10
    There have been a number of other threads detailing this sort of setup for other providers, but it's usually complex! Looking at the config he uses for Mikrotik it looks like he's just bridging the internal TV port with a VLAN on the WAN side trunk. But I could be wrong, I don't use Mikrotik.
    Steve
  • Snort log files to rsyslog server

    0 Votes, 2 Posts, 739 Views
    bmeeks
    Sure, on the INTERFACE SETTINGS tab for the Snort interface, you can choose to send logs to the system log (which is syslog). You can also configure some of the metadata tags that are attached. So go to the INTERFACES tab in Snort, and then either double-click on the interface line in the table or click the edit icon (the little pencil) on the right side of the table row to bring up the INTERFACE SETTINGS tab. Within pfSense you can configure the system logs to be sent to a remote syslog server, if you want to do that.
  • OpenVPN showing twice under rules

    0 Votes, 4 Posts, 547 Views
    stephenw10
    Yes, that is correct. If you assign the server as an interface you have to restart the instance afterwards for the new settings to apply. You almost always want to have the rules on the assigned interface tab and not on the group OpenVPN tab. That is required for policy routing to create the firewall states correctly.
    Steve
  • Am I being attacked?

    0 Votes, 29 Posts, 4k Views
    JKnott
    @bmeeks said in Am I being attacked?: "The moral of this story (from the article) is don't open stuff like SSH on the WAN side of your firewall."
    It should be don't use SSH with a password. Use passwordless SSH instead. SSH supports that. You create a public/private key pair to allow access.
  • Rename network interface?

    0 Votes, 12 Posts, 2k Views
    @noplan said in Rename network interface?: "OPT13 ...."
    I suspect you deleted and recreated interfaces quite often.
  • 0 Votes, 35 Posts, 33k Views
    stephenw10
    This is almost certainly not the same issue. Many, many things have changed since 2016! Please open a new thread with the actual crash report you're seeing.
    Steve
  • How to transfer RRD data from CE to Plus

    0 Votes, 3 Posts, 462 Views
    @stephenw10 Yes, I've tried deleting all the .rrd files in that folder, repeated the import of just the RRD Data from the old box with pfSense CE into the SG-3100. I can see the .rrd files get created in the folder, but still no data appearing on RRD Summary or Traffic Totals.
  • SSL generation

    0 Votes, 3 Posts, 486 Views
    johnpoz
    @stephenw10 said in SSL generation: "cert with a longer lifetime that you control."
    Exactly, OpenVPN does not care if the cert has a 10-year life. There is little reason to change these certs for the sake of changing them, unless you feel they have been compromised. If so, just revoke them and issue new. Or change them out on a schedule you come up with, but you don't have to worry if the schedule gets pushed here or there because it's going to expire, etc.
  • Create CA cert for unraid

    0 Votes, 9 Posts, 1k Views
    @johnpoz My HAProxy cert is a wildcard cert *test.ca and in pfSense I created a Host Override as unraid.test.ca which points to the unraid server IP. By doing this, unraid.test.ca is only available via LAN as it is not registered on my domain DNS. Also for my ACME I have it set to auto renew that cert before it expires. Great suggestions, appreciate the tips :)
  • OpenVPN pfSense cannot ping router

    0 Votes, 2 Posts, 342 Views
    I got this working. I created the OpenVPN interface and then that showed up in the outgoing network interfaces under DNS Resolver, which I had set as (ALL), and now everything works.
  • all services fail to start all packages gone

    0 Votes, 10 Posts, 1k Views
    wgstarks
    @stephenw10 said in all services fail to start all packages gone: "Looks like this is the gw_leds script which it appears you're also running: https://forum.netgate.com/topic/165680/sg-3100-21-05-1-kern-ipc-maxpipekva-exceeded-see-tuning-7 Steve"
    Thanks. I'll follow that post.
  • onboard/discrete LAN/WAN interfaces

    0 Votes, 4 Posts, 585 Views
    stephenw10
    I assume you mean you're not doing any internal routing but are still routing between WAN and LAN? Otherwise you would have to be bridging WAN and LAN. Either way, in that setup both WAN and LAN are carrying the same traffic, so it really doesn't matter which way you assign the NICs.
    Steve
  • Do hosts list support "a.b.example.com"?

    0 Votes, 2 Posts, 383 Views
    stephenw10
    When you put FQDNs in an alias like that they are resolved by filterdns when the ruleset is built. Anything that the firewall can resolve should work correctly there.
    Steve
  • Bricked after Update 2.4.5-p1 to 2.5.2-RELEASE

    0 Votes, 11 Posts, 1k Views
    @stephenw10 said in Bricked after Update 2.4.5-p1 to 2.5.2-RELEASE: "Everything except checksum off loading should be disabled by default so I would look at LRO if you changed that. Steve"
    I will leave the APU in place. The former device was cobbled together from spare parts anyway (but it worked for years...). Thank you for all the input.
  • pfTop in 2.5.0

    0 Votes, 6 Posts, 471 Views
    NogBadTheBad
    Do you have consecutive sections of zeros replaced with two colons?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.