• 0 Votes
    10 Posts
    1k Views
    stephenw10
    There are packages for sending snmp data, allowing external collectors to query the firewall, but not for using the firewall as a collector itself.
  • SG-1100 weird behaviour, random reboots

    0 Votes
    2 Posts
    359 Views
    stephenw10
    You should upgrade to 21.05.1, the current version. It should (obviously!) not reboot at random like that. You should open a ticket with us to troubleshoot that: https://go.netgate.com/ Steve
  • 3 Votes
    253 Posts
    171k Views
    stephenw10
    Code carried over from the old forum was incorrect. Check now.
  • OpenVPN Traffic to IPsec sites

    0 Votes
    9 Posts
    865 Views
    T
    I had the "firewall optimization options" set to "conservative" and changed this now back to "normal". maybe......
  • Access Emby from local sub via DDNS

    0 Votes
    13 Posts
    2k Views
    johnpoz
    @chudak dns has NOTHING to do with ports.. As I already went over if your goal is to get redirected to some port, then use HAproxy.. And then sure you can hit the public IP on port say 80 or 443 http/https and get proxied to port 1234 if you wanted.
  • Pfsense plus vs Pfsense free version

    pfsense pfsense firewal
    0 Votes
    11 Posts
    6k Views
    stephenw10
    An HA pfSense setup would usually be between two devices in the same location, often in the same rack. It's intended to mitigate a failing node or connection to/from that node. There is no reason it could not be between nodes in different buildings as long as they can be on the same layer 2 segments but there's not really much advantage in doing so. Steve
  • Can’t access TrueNAS machine outside its own VLAN

    vlan openvpn ping truenas
    0 Votes
    7 Posts
    2k Views
    A
    @johnpoz Yap! You are right... Sometimes we don’t think as it should be. It’s exactly the same situation that I’ve with the printer – just an IP assign and everything is working. As far as I know, TrueNAS (before FreeNAS) has not any internal firewall. At least configurable with the GUI. I’ll investigate deeper. Maybe it’s the gateway (I’ve some doubts that is wrong), so I’ve to confirm. For testing, I’ll also change the NAS to the LAN (same net where I’ve also the pfSense) and check if anything changes.
  • Auto-update for alias from Diagnostics DNS Lookup

    0 Votes
    7 Posts
    1k Views
    johnpoz
    @bmeeks I have set min ttl of 3600 on my unbound.. Everything works - so it's not like these sites are changing IPs they use every 5 minutes and old IP no longer works.. ;) I would normally say do not mess with the ttls that the owners have set, but 60 seconds, 5 minutes - FU! that is insane unless you were getting ready to do a big change to another IP, etc. I guess it does give you the ability to change IPs on the fly and nobody to notice at all - but I sure and the F do not want to be doing a query every 60 seconds because your shit might fail ;) In this day and age of load balancers and ability to ramp up processing power on your server (since it's VM) and network access on the fly.. There should be little reason that I have to query for www.domain.tld every freaking 60 seconds..
  • Migrate from Sophos, some questions...

    0 Votes
    8 Posts
    828 Views
    stephenw10
    HA with CARP? Two pfSense nodes? Hmm, it's unusual but you should be able to do it. You will end up with some asymmetry. Really you would want the /29 directly on the WAN for HA, not routed via a /30. You will have to use the /30 IP as the WAN side CARP VIP and two IPs from the /29 as the WAN IPs on each node. But that means the /29 will always be routed to the master node including backup node WAN IP. The Master node will redirect it but you will get some asymmetric routing and might need appropriate firewall rules to pass that. Steve
  • Blocking specific websites with pfBlockerNG

    0 Votes
    3 Posts
    1k Views
    S
    @jkalber Another quick and dirty way is to set up a domain or host override in the DNS Resolver. Then anything that wants to connect to (www.)spotify.com will get the address you put in, like 127.0.0.1 or whatever. Nowadays DNS over HTTP will bypass that so also need to disable DoH.
  • Upgrade from 2.4.5 to 2.5.2

    Moved
    0 Votes
    10 Posts
    2k Views
    stephenw10
    Packet loss that high is almost always an IP conflict of some kind. It's definitely not dual Master on LAN? Even if it was that would not affect traffic to/from the FW02 LAN IP directly. Steve
  • Two wifi on one service

    0 Votes
    6 Posts
    758 Views
    stephenw10
    Ok but do you have both routers connected via PPPoE at the same time? Most ISPs do not allow that but some do. Anyway I'm sure you could do something better there. Just moving the VPN router behind pfSense and setting it to use DHCP instead of PPPoE should work fine. It can establish the VPN through pfSense no problem. Steve
  • IP-address duplicates on WAN side

    0 Votes
    3 Posts
    464 Views
    stephenw10
    You will see entries in the system log like: kernel arp: aa:bb:cc:dd:ee:ff is using my IP address 100.0.0.101 on ix0! If the conflict is with an IP pfSense holds. Steve
  • Installed backup on new box, no packages installed

    0 Votes
    3 Posts
    484 Views
    stephenw10
    If it had no internet when you restored the config it would not have been able to pull in the packages. If it now does have internet the easiest thing is to just restore the config again. That will trigger the package reinstall after it boots. Steve
  • Transparent Bridge config for CenturyLink Zyxel C3000Z

    0 Votes
    12 Posts
    6k Views
    I
    @oldhome7 I have a PPPoE bonded pair from centurylink and when I set it up I enabled transparent bridging on modem and rebooted modem. On pfSense I entered PPPoE login credentials no vlan or anything else. Worked for about a year like that.
  • Ability to copy certificate/key in PEM format would be nice

    0 Votes
    5 Posts
    887 Views
    L
    @jimp I apologize for resurrecting a thread that was not relevant to my particular issue (that should tell you a thing or two about how much I know about this) but at the same time I want to thank you for the suggestion. Changing the file extension worked right away and my issue is resolved.
  • Connecting to pfSense

    0 Votes
    5 Posts
    744 Views
    battlesng
    @battlesng Search YouTube for "PFSense console accessing using putty".
  • Cannot access administration when connected on VPN

    0 Votes
    10 Posts
    1k Views
    stephenw10
    Ok great I see that. That looks OK for a TAP connection. Using TAP is generally far more complex though. The only reason to do so is if you need the OpenVPN clients to be in the same subnet as the local resources. If you don't need that just use TUN mode. You should be passing the incoming connections on the assigned openvpn server tab not the global openvpn tab. So remove or disable the rules on OpenVPN. Add a pass all rule, using source any, on the 'OPENVPN_Interface' tab. Steve
  • Cert issue for accessing local web pages

    0 Votes
    5 Posts
    684 Views
    stephenw10
    @cjnazz said in Cert issue for accessing local web pages: I'm somewhat surprised that this resolves a certificate trust issue. Hum... It resolves it because without that you are just hitting the pfSense webgui which is obviously not valid for the site you are trying to reach. https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html Steve
  • pfSense Plus for 3rd party hardware

    0 Votes
    3 Posts
    941 Views
    S
    @stephenw10 thanks Steve.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.