• Unable to route to IPSEC site-2-site from OpenVPN

    0 Votes
    3 Posts
    184 Views
    stephenw10
    What did you have in mind? You could open a feature request: https://redmine.pfsense.org Steve
  • BUG: auto backup jobs not available in restore menu

    0 Votes
    17 Posts
    1k Views
    stephenw10
    Yes, probably. The new system will be much better in that respect. https://redmine.pfsense.org/issues/9693 Steve
  • Forward to specific IP/port based on FQDN

    0 Votes
    2 Posts
    446 Views
    jimp
    The pfSense base system itself cannot do that, but a reverse proxy such as the HAProxy package can. It has to be a proxy and not at the firewall because the hostname being requested isn't visible in the packet headers when the connection is initiated, it's sent by the client when making the request after the connection is established. At that point it's too late for the firewall itself to do anything. But a proxy can accept the connection, read the request, and hand it off as needed.
  • Ping and Traceroute basics

    0 Votes
    17 Posts
    1k Views
    johnpoz
    The only way to validate rules on an interface is to check from client on that network, you can not test them from pfsense directly.
  • Problem with NTP; different clients give different results.

    ntpd
    0 Votes
    16 Posts
    5k Views
    johnpoz
    Well then you're not talking to pfsense is the only thing I can think of dude.. did you do my test of trying to sync a different client to that same IP you're using..
  • modem dmz to pfsense port forward issues

    0 Votes
    3 Posts
    355 Views
    M
    sorted.. the damn modem had port mappings in it, removing and rebooting to clear the state table fixed it. '....Shakes head'
  • Slower via PFsense than direct WIFI

    0 Votes
    18 Posts
    2k Views
    randombits
    Thanks Steve, Yes, It's quite difficult to nail it down to why I get these speed variations between WIFI and ethernet. The master socket is one side of a door frame and the other is a phone extension socket along with a twin power socket. Don't worry I won't get the PCI version. The whole idea is to have separate devices. It's a pity the V130 isn't POE that would make life easier. I did think about using an existing phone wire (4pairs) as a power cable(12V) for the V130 and power it from another location over that. That would put a V130 right next to the incoming master socket. Then I could use another pair in the same cable as a VOIP extension to the existing phone extension socket. I would only need to put CAT6 up the wall next to the phone cable into the loft.
  • How can I backup a production image?

    0 Votes
    10 Posts
    1k Views
    G
    @chpalmer, @chpalmer chpalmer thanks for the response: @chpalmer said in How can I backup a production image?: @guardian said in How can I backup a production image?: Am I missing something? What I've done in the past is to keep a spare storage device.. Identical to the drive that is in my box.. loaded and ready to go for my site here. I might have to buy another drive and do a fresh install to that drive, but I would rather not have to open the box. And a spare box ready to go that I can back up to that is kept for several of my remote sites. Great idea, it's simply a matter of economics I would ask- what if during the action of re-imaging a drive you have problems? You could be fighting an unknown for a longer period and possibly not get there. Then how do you ask for help from a community that has not themselves attempted what you are trying to do? And on a production system that people are counting on.. That is a possibility, but nothing is risk free. IIUC what I am trying to do should be as simple as: Boot an install USB into the single user rescue mode Mount the internal partition Mount the ZFS slice on the flash drive Doing a tar czvf. A restore would replace step 4 with rm -rf on the botched install tar xzvf Is there any reason this should not work? My first question of my people would be- "why did you choose to take that course of action when the manufacturer recommends another?" The course of action that I am considering is a fallback only. My plan is to run the upgrade first, if it works, job done, If that fails run a new install, if that fails then use the backup. If your connection is indeed that important.. that you have no down time, then you should have a standby at the very least. And you should already know that the latest installer is going to work on the standby. IMHO I agree entirely, economics often rules, especially in a home installation.
@stephenw10 said in How can I backup a production image?: Having a recovery plan is pretty much vital even for a home user if you have any sort of reliance on your connection. Agreed Your points about a newer version being incompatible with your hardware are valid. Though unlikely IMO. In a commercial setting I would suggest setting up a test install (preferably on identical hardware) and updating that before doing so on the production equipment. That's impractical for most home users. However the cost of small SSDs is relatively low these days. You could get a new SSD swap that out and install 2.5 on it. Restore your config and see what happens. Swapping back to the 2.4.4 SSD is trivial if it doesn't go smoothly. That's what I may be forced to do, but I can't see why what I have outlined above shouldn't work. I would certainly work with a linux system (If boot were a separate partition, I would have to make a second tar file for boot). I don't know enough about FreeBSD, but maybe I would need to run some other utility to preserve the boot code.
  • VPN+TOR Setup not working as intended

    0 Votes
    3 Posts
    629 Views
    KOM
    And that solution would be.......?
  • Dual WAN failover tolerances

    0 Votes
    2 Posts
    263 Views
    stephenw10
    Yes you can set the monitoring preferences for each gateway by editing it in System > Routing > Gateways. If you are using packet loss or latency rather than only member down on the group it will trigger the failover. The default settings for throwing an alarm of 20% packet loss and 500ms latency are usually good though unless you have an unusual WAN like a satellite link. Steve
  • 0 Votes
    1 Posts
    686 Views
    No one has replied
  • Adding a 5th VMXNET 3 interface makes my appliance stop working

    0 Votes
    4 Posts
    689 Views
    awebster
    This isn't anything specific to FreeBSD, but rather how VMWare maps the NICs into the guest OS. The same issue occurs with Linux. While it isn't always possible to add all the interfaces you think you might need in advance, if you get stuck with this issue, you will need to go match up the MAC addresses VMWare has assigned to the NICs to the MAC addresses seen by pfSense, and reconfigure the interfaces appropriately if they have changed.
  • [REQUEST] Certificate Manager Expiration Notification

    0 Votes
    3 Posts
    536 Views
    dragoangel
    Thanks, done. https://redmine.pfsense.org/issues/9703
  • Website won't load: operation timed out

    0 Votes
    33 Posts
    5k Views
    F
    Ok, I'm glad we found the problem.. I didn't get the Sonicwall message, and because the router is pretty new, I thought it was my own fault.. The vendor is now aware of the problem. They will fix it. Thanks for the help, sorry it wasn't really a pfsense issue.
  • Limit bandwidth for User per day

    0 Votes
    2 Posts
    208 Views
    stephenw10
    It's possible to do that using the captive portal with radius accounting enabled. See: https://youtu.be/nJ3NzU_7xd0?t=2279 Steve
  • Unpredictable connection timeouts

    0 Votes
    10 Posts
    3k Views
    stephenw10
    The only actual issue I see there are two re-transmissions but that may be normal packet loss. Not really something that should kill the connection. You are seeing traffic in both directions there. Was that pcap on the WAN? How was it filtered? Do you see anything different on the internal interface? Steve
  • 0 Votes
    3 Posts
    376 Views
    S
    That was quick! Thanks so much for the reply. I was wondering if it was something like that. I just don't have the time to do a lot of tinkering these days. Much appreciated! Thanks, Supe
  • 0 Votes
    12 Posts
    10k Views
    A
    Not fixed as of 2.4.4-RELEASE-p3 (amd64) built on Wed May 15 18:53:44 EDT 2019 FreeBSD 11.2-RELEASE-p10. Only after appending the text dump of my ca cert to /usr/local/share/certs/ca-root-nss.crt was I able to send test messages. "Validate the SSL/TLS certificate presented by the server" had no effect. Package captures verified that pfsense was rejecting the certificate being returned by my email server.
  • Auto Config Backup unavailable?

    0 Votes
    13 Posts
    1k Views
    KOM
    @gwaitsi While I agree with everything you said, you really should be maintaining your own manual backups and not trust the cloud to never rain on you. Having a cloud save is nice, but nothing is better than having a local backup.
  • [SOLVED] Unable To Reach Second pfSense Firewall On LAN

    0 Votes
    32 Posts
    3k Views
    P
    @Derelict said in Unable To Reach Second pfSense Firewall On LAN: That is completely normal since the secondary has no route back to the connecting client since the VPN is running on the primary. Workaround: https://docs.netgate.com/pfsense/en/latest/highavailability/troubleshooting-vpn-connectivity-to-a-high-availability-secondary-node.html Ah okay that's good to know, I was afraid I had misconfigured something. I can successfully connect to services on our network from exposed ports on the WAN IP of the second firewall. I guess the only thing left to do now is properly configure HA. Thanks all!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.