• Disable DNS rebinding protection

    14
    0 Votes
    14 Posts
    8k Views
    R
    The DNS forwarder (dnsmasq) uses the option --stop-dns-rebind by default, which rejects and logs addresses from upstream nameservers which are in the private IP ranges. In the most common usage, this is filtering DNS responses received from the Internet to prevent DNS rebinding attacks. Internet DNS responses should never come back with a private IP, hence it's safest to block this. There are some cases when public DNS servers have private IP address replies by default, though it is not recommended. In those cases, DNS rebinding can be disabled or an override may be placed in the DNS Forwarder Advanced Settings box as follows:

    rebind-domain-ok=/mydomain.com/

    Note this is automatically overridden for domains in the DNS forwarder's domain override list, as the most common usage of that functionality is to resolve internal DNS hostnames.
  • Rules info 1770009538.. as an example

    4
    0 Votes
    4 Posts
    556 Views
    johnpozJ
    Just enable the descriptions in the firewall log settings… Or just view the full rules with https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset and you can see which rule that number shows up on..

    [2.4.2-RELEASE][root@sg4860.local.lan]/root: pfctl -vvsr | grep 1000000110
    @23(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    @24(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    @25(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    @26(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
    @27(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
    [2.4.2-RELEASE][root@sg4860.local.lan]/root:
  • Personal Sub

    2
    0 Votes
    2 Posts
    312 Views
    jahonixJ
    Yes. The one thing you may not do is resell pfSense (like bundled with your hardware). Using it is not restricted in any way. Supporting the project with a Gold Membership or through buying pfSense/netgate hardware is a plus, of course.
  • Inbound setup for VoIP(Vicidial) with 1 static IP

    3
    0 Votes
    3 Posts
    708 Views
    I
    Thanks for the reply @chpalmer, I just want to get my VoIP clients to work. When doing outbound calling I don't have any problem, but for my inbound I am working it out.
  • Failover to USB for hard drive crash

    3
    0 Votes
    3 Posts
    387 Views
    DerelictD
    Everything fails eventually. A good configuration backup taken regularly and a cold-spare system is a decent alternative. GMIRROR should ride out most failures of a single hard disk. ZFS should also help with a disk failure. Two live units in HA/CARP will generally have zero downtime if a node crashes.
  • Pfsense and ddwrt guest network guidance

    2
    0 Votes
    2 Posts
    662 Views
    S
    Pretty much my current setup (ddwrt provides nothing more than access points, pfSense handles everything else). You may want to have a read through here: https://forum.pfsense.org/index.php?topic=116980.msg720119#msg720119 Although the author is using lede/openwrt, the principles are the same.
  • How can untagged traffic end up on a VLAN?

    9
    0 Votes
    9 Posts
    1k Views
    jahonixJ
    I have several TL-SG3210 (trying to be a cheaper SG300-10 derivative) and 1x TL-SG5428 as well as 1x TL-SG5412F. Those are fully managed L2 "JetStream" switches and do not exhibit the behaviour of the entry-level smart switches. This is at home only. Since we use Cisco in the office and at clients' sites extensively, I probably would buy those for my home now as well.
  • VPN DNS Leak Test with Open VPN

    2
    0 Votes
    2 Posts
    599 Views
    TMilandT
    Hi, what are your DNS server settings on System / General Setup? Here's my settings: [image: AJKWU9D.png] And Services / DNS Resolver / General Settings? [image: R3xTcI6.png] I recently fixed this myself, but I'm not 100% certain what I did to fix the problem; I remember I changed some settings in these two places. As you can see here: [image: 4tPGFxy.png] https://vpn.ht/dns-leak-test My DNS is not leaking, as it shows the Google DNS. ;D
  • PfSense LAN Port on OpenVPN - OPT1 Port Non-VPN - How To?

    1
    0 Votes
    1 Posts
    308 Views
    No one has replied
  • Increased Latency on LAN

    2
    0 Votes
    2 Posts
    540 Views
    JKnottJ
    By upgrading to pfSense, I assume you inserted a piece of hardware running it into the network. If so, then yeah, latency will increase, as the packets have to pass through the hardware. Don't forget, that packet has to be received, processed and transmitted by pfSense, so it all adds up. Also, if you're still using that Linksys as a router, don't bother. Just use it as an access point & switch. That will remove the latency of the router portion. See what the latency is when passing only through pfSense.
  • This is infuriating, FTP issues

    6
    0 Votes
    6 Posts
    593 Views
    johnpozJ
    Good catch Derelict - yeah "OUTSIDE address of my ISP" never going to work that way ;)
  • Crash and reboot on PF 2.4.2

    1
    0 Votes
    1 Posts
    307 Views
    No one has replied
  • PfSense underperforming, high jitter + random packet loss

    27
    0 Votes
    27 Posts
    7k Views
    N
    Yes, I tried with and without ECN.
  • Loss of LAN Connectivity

    2
    0 Votes
    2 Posts
    421 Views
    D
    An update… Opened a ticket with Netgate but do not expect any updates from them now until Tuesday. I have discovered that I can ssh into the device (via VPN) and issue an ifconfig down / up on the LAN interface and connectivity is restored. So to keep this thing working until I can get on site or Netgate finds an issue I have added a crontab entry to run the ifconfig command every 5 minutes. I also checked netstat when connectivity is down and here is the output:

    [2.4.2-RELEASE][admin@shelter.applegate.privatedns.org]/root: netstat -i|grep cpsw1
    Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
    cpsw1  1500 <link#2>      7c:38:66:26:ba:30  6412951     0     0  5694350     0     0
    cpsw1     - fe80::%cpsw1/ fe80::7e38:66ff:f        0     -     -        1     -     -
    cpsw1     - 192.168.1.0/2 shelter               5536     -     -     2488     -     -
    [2.4.2-RELEASE][admin@shelter.applegate.privatedns.org]/root: netstat -i | grep cpsw1
    Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
    cpsw1  1500 <link#2>      7c:38:66:26:ba:30  6412963     0     0  5694356     0     0
    cpsw1     - fe80::%cpsw1/ fe80::7e38:66ff:f        0     -     -        1     -     -
    cpsw1     - 192.168.1.0/2 shelter               5542     -     -     2488     -     -
    [2.4.2-RELEASE][admin@shelter.applegate.privatedns.org]/root: netstat -i | grep cpsw1
    Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
    cpsw1  1500 <link#2>      7c:38:66:26:ba:30  6412984     0     0  5694367     0     0
    cpsw1     - fe80::%cpsw1/ fe80::7e38:66ff:f        0     -     -        1     -     -
    cpsw1     - 192.168.1.0/2 shelter               5547     -     -     2488     -     -

    There are no output packets for IPV4…
  • Duplicate echo reply received

    1
    0 Votes
    1 Posts
    515 Views
    No one has replied
  • Are there any other support options

    5
    0 Votes
    5 Posts
    423 Views
    DerelictD
    The book is only $24.70. See .sig
  • Getting speeds much slower than gigabit on pfsense

    8
    0 Votes
    8 Posts
    1k Views
    J
    @johnpoz: PCIe is HUGE difference… old at 2.0 and x1 but still 500MB/s. way better than your pci bus.. Well there goes my Friday. Thanks for all the help!  :D
  • Partial Website Load

    11
    0 Votes
    11 Posts
    2k Views
    I
    @kaysersosa: With the proxy confirmed off and the Chrome extensions disabled, the site works. Cache was cleared and confirmed a couple of times. With the proxy confirmed off and the Chrome extensions enabled, the site works. Cache was cleared and confirmed a couple of times. With the proxy confirmed on and the Chrome extensions enabled, the site does not work. Cache was cleared and confirmed a couple of times. So the issue appears to be related to the proxy. On the Proxy Filter (Package Proxy filter SquidGuard: Common Access Control List (ACL) Common ACL) I have the following:

    own personal Whitelist - whitelist - only thing on it is the swsheets.com which is on the domain list
    [blk_BL_adv] - deny
    [blk_BL_spyware] - deny
    [blk_BL_tracker] - deny

    The list is downloaded from http://www.shallalist.de/downloads/shallalist.tar.gz. Even with them set to allow the denied ones, the site still will not work correctly. Thoughts?

    Surely based on the following post you can correlate what's missing from the whitelist?

    @kaysersosa: I have confirmed with the site owner that it uses CSS and Javascript. Most CSS and Javascript is hosted on swsheets.com itself, but some CSS is loaded from googleapis.com and some JS from maxcdn.com.

    I'd add the following to the whitelist maybe?

    googleapis.com
    maxcdn.com

    Just a suggestion, I'm new here so don't know if this will fix your issue, but it sounds logical. Regards, MATT (infiniti25)
  • RAM disk config

    6
    0 Votes
    6 Posts
    1k Views
    CybermazeC
    Yeah, you need to change the standard location for the hard disk cache, since you have placed /var in your ramdisk.
  • Syncing Three Different Location PFsense Server

    5
    0 Votes
    5 Posts
    469 Views
    I
    Thanks for explaining. I created a host with noip.com and configured it with one of my pfSense servers; it shows a green IP and the same IP on pfSense and inside the web account of noip.com. How can I access it by the noip.com host name..
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.