• No-IP Updating DDNS Address from VPN

    27
    0 Votes
    27 Posts
    3k Views
    D
    @bob-dig @stephenw10 You guys were 100% right... lol. I ended up having it configured through my wireless router (which I had set up as AP mode only). In AP only mode, it hides the DDNS configuration... (smh). So when I checked it as a possibility it didn't show up. But after monitoring tcpdump I saw it reach out and try to update, so changed it back to router mode and was able to disable it. Thank you all for your help!
  • New to PFSENSE, how do I change the allowed bandwidth per interface

    2
    0 Votes
    2 Posts
    358 Views
    A
    @matthew_beck You set up a traffic shaper (also called a limiter), or multiple traffic shapers, and apply that to an interface or one specific machine, or an alias of machines (hosts) on an interface. https://docs.netgate.com/pfsense/en/latest/trafficshaper/index.html Here's a good video on the process: https://www.youtube.com/watch?v=gIvc1qZn5dc
  • Local Password policy

    7
    0 Votes
    7 Posts
    1k Views
    GertjanG
    @hlrobert said in Local Password policy: My PCI/SOC2 auditor would like to talk to you. I know you're joking ;) When handling private data like credit card stuff, medical data, or worse, army stuff, all bets are off. Even simple systems that handle the power grid should be seriously protected, because it's the blood of our society. I only need one training when I have to deal with "PCI/SOC2": and that is writing clear and correct huge payment checks, as I would eject myself out of the "I know that" position. I would pay someone. And sue the hell out of him when things go wrong.
  • 0 Votes
    7 Posts
    810 Views
    S
    Thanks, everyone. You're all correct. The count did include the replies. hahaha, I need more coffee. But, I also would like to reduce the noise. These answers are exactly what I was looking for. Really appreciate the quick responses. Thank you again!!
  • Is there a way to set the source address to gateway monitor?

    4
    0 Votes
    4 Posts
    519 Views
    stephenw10S
    But it could be and by doing that the other side will be able to reply. Your rule need only apply to the monitoring pings. So you probably want it on the MPLS interface. Steve
  • Excessive Freeradius page load time

    18
    0 Votes
    18 Posts
    2k Views
    stephenw10S
    Right, obviously the package is not required and the Radius config is all on the remote and not in the firewall. But from the user auth point of view it's configured in the same way. In both cases you need to add a Radius server in User Manager. The only difference there is that with Freeradius the server is specified as running at 127.0.0.1, because it's local. With a remote Radius server you need to configure the server IP address so pfSense knows where to find it. But the OpenVPN config is no different, the only change would be selecting the new radius server to use. Steve
  • Reset to factory default from CLI

    3
    0 Votes
    3 Posts
    2k Views
    T
    @tedquade Seems it was quite broken. Did a bare-metal memstick install and config restore. Am now back in operation. Thanks for your help. Ted
  • Me too.

    nginx 502 bad gateway
    2
    0 Votes
    2 Posts
    496 Views
    stephenw10S
    Not sure what post you were referring to there, the link was removed. What exactly are you seeing? I assume a 502 error. What pfSense version are you running? Did this just start happening? Steve
  • pfSense pkg from FreeBSD ports or repo

    16
    0 Votes
    16 Posts
    2k Views
    ?
    @stephenw10 said in pfSense pkg from FreeBSD ports or repo: That's really only any use if you have wifi hardware in the firewall. And we are all familiar with the issues there. Unless you run kismet in server/drone config. But in that setup running the server part on some other host would probably be better. With the drone part running on an AP. Been many years since I did that.... Ok thanks for clarifying this, I would set up it then better on a small RAPI and combine there kismet and fail2ban for rough hosts in AP mode.
  • NTP and Leap seconds

    7
    0 Votes
    7 Posts
    1k Views
    stephenw10S
    I've never tried that. But I'd say you're doing it correctly since the logs are reporting the file was loaded as expected.
  • Nagios monitoring of PFsense interfaces

    12
    0 Votes
    12 Posts
    2k Views
    stephenw10S
    Mmm, OK I replicated that. That clearly that is loaded though. Something in the perl config maybe. Someone more familiar with perl will need to look at it.
  • 0 Votes
    6 Posts
    941 Views
    ?
    I'm using the RADIUS class property (Group Membership) > like described here. Is there not a way to write into the radius server certificate in which vlan the user must be put in? And each vlan has then its own IP range. Done.
  • Access Point Admin portal different subnet help?

    16
    0 Votes
    16 Posts
    1k Views
    C
    @johnpoz @stephenw10 Yes working great, thank ya'll so much :)!
  • No Internet

    12
    0 Votes
    12 Posts
    986 Views
    JKnottJ
    @bert-0 said in No Internet: BTW: I am new to CMTs. How can you tell if a device you hit is a CMT or not? A CMTS is the device you connect to at the cable company head end. I used Wireshark to examine the DHCPv6-PD packets and saw the error message that identified, by host name, the failing system. Anyway, as I said, try connecting a computer to your modem directly. And if a tech comes make sure he can connect with his own equipment. BTW, have him try test-ipv6.com to show you everything is working properly. You should get 10/10.
  • pfSense on PROXMOX with HomeAssistant

    58
    0 Votes
    58 Posts
    15k Views
    bearhntrB
    @stephenw10 @jimp @Patch @Gblenn Thanks again everyone for your help. I am going to run this like this for a while - and take weekly backups. When I am ready to move to Proxmox - I will install fresh and then restore the last backup. Right now I have another issue... suddenly the 4-port card that I put into the HP Z240 prevents the machine from booting. I can take it out and put into another machine and that one boots just fine. Boots all the way to Windows server 2019, is seen and all 4-ports are there. Put it in the HP and I get 3 slow-beeps and RED power light, then 2 fast-beeps and white power light. I have a ticket with the folks at HP. It is an HP card 331T card.
  • NETGATE FIREWALL COMPATIBILITY WITH MIKROTIK AS ROUTER

    4
    0 Votes
    4 Posts
    466 Views
    O
    Yes, should be possible
  • constant timeouts in browser and media players

    16
    0 Votes
    16 Posts
    1k Views
    ?
    My background is dev, I only know basic networking. But those numbers look odd to me. Then perhaps a fresh install and "only" pfSense and some rules set up will be the best starting point for you. If then something went wrong it is better to find out or narrow down to a special point. Snort and pfBlocker-NG will be also not real "set-it-up-and-forget-it" applications and this also not for very experienced users. Home routers maybe sorted with some small ASICs and running (acting) therefore a bit more faster, also Linux is a few bit more liquid and smooth running on the same hardware as FreeBSD, it also comes with much more hardware and better driver support for many different hardware. So it is not the same running Linux and/or FreeBSD based systems on the same hardware. My suggestion to not run in a "many-problems-but-what-is-it-searching" loop, fresh install, configure it out, and then if all is fine start the next packet installing and again configure it out, ......... So the forum might be best able to help you, owed to the different sections you maybe point your "problem" or question in.
  • Pfsense Return to their default setting.

    25
    0 Votes
    25 Posts
    2k Views
    ?
    @shakeel If this, what you are reporting here, was pointed to a power outage, you might be perhaps also looking for a qualified UPS unit (Uninterruptible power supply) also. It should then be able to hold both pfSense firewalls if you run an active/passive setup. Try to get the same box again might be also nice for narrow down troubleshooting.
  • VIP direct to host, no NAT?

    20
    0 Votes
    20 Posts
    2k Views
    stephenw10S
    Ah, if some of the VMs don't have private IPs that pfSense can reach already then that might be all you can do. Otherwise it's really only the bridge option and that would definitely be a last resort solution for me. Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.