@gertjan Your main post about private/public network looks like it may have been the main thing, then I forwarded the ports for Plex, my old box forwarded them automatically which is odd, looks like that has fixed the main issues. Thanks for the help there, I was losing my mind.

Mmm, that error is usually the result of traffic shaping and isn't usually a problem. https://redmine.pfsense.org/issues/8991

If you just see two, it's probably OK and a normal part of (re)negotiation depending on which side does what. If you get more and they start piling up, then you might need to adjust the settings: https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec-duplicate-sa.html

@steveits It worked after the patch. I had already rebooted and tried a few other things, and let it even sit for several days to see it it would drop. Using top it would always have the High memory usage. After that patch, the reboot it has not hit 30% memory usage yet. I feel more confident adding rules and such now. I do believe the patch corrected this issue for me, as I was up to date, at least the system said I was, and I had purchased this netgate 1100 only a couple weeks ago. Thanks again!

Yes, some 1100s don't have eMMC that supports reading that data.

@gertjan - I do know how to do the troubleshooting, I was just trying to avoid the 24 hours for each iteration but I'm sure it will help someone else if they're reading. I had already updated pfBlocker but it looks like those processes were orphaned from before I updated the package. All seems to be fine now.

By default all traffic inbound is blocked on the WAN anyway so this only applies if you've added a rule to pass traffic.

Generally you would not have DNSSec enabled with DoT but only because you will be in forwarding mod for DoT. You should be able to use them together but it's likely far less tested because there's little point.

@michmoor My CyberPower has been stable with the NUT workaround from the thread I referred to previously. [image: 1678219492202-nut-screen-shot-resized.png]

@the-other [image: 1678210804389-f2b8929a-3ac9-43ba-99a2-4e7d6fd6257d-image.png] [image: 1678210826140-e6e9eced-0a1c-41e8-b66e-6752a70d1860-image.png]

@johnpoz said in Questions about setting up a more secure home- and small business network: @stef_r please tell you don’t have idrac exposed to public internet you vpn into the edge? I am aware that exposing the iDRAC interface to the public isn't a smart way to do it! :-) So yes, I have restricted access for only one trusted IP address and only through the VPN connection through the EdgeRouter.

@jonathanlee As soon as cookies are cleaned it's gone. I would say you could install some privacy addons and say absolute no to cookies! And you only keep your cookies from your switches and routers or firewalls and use only that one (browser) for your internal tech equipment. Google Analytics I have never seen on it. I have seen cloudflare analytics also. pfBlocker-NG and/or Squid & SquidGuard may be sorted with some add blocker lists.

@bumzag said in Basic firewall rules for interfaces: I want LAN to have access to every interface indiscriminately, and NET2 to have WAN access, but no LAN access. The block comes before the allow so LAN would be blocked

@steveits fair enough, will just pivot to blocking all and only allowing ports that are confirmed in use, thank you for the confirmation

As the Fritzbox can be accessed and adjusted remotely by your ISP (similarly to most ISP supplied boxes) you can not guarantee your configuration as well as one can with a pfsense box. It is worthwhile with a Fritz!Box looking at the security tab to see what open ports exist and the services supported. Configuring pfsense to work with a Fritz!Box in modem mode is a whole other kettle of fish!

Ok perfect... I would like to keep all the configuration of ACLs, VPN, etc. redoing everything by hand, besides the waste of time would definitely cause errors. Thank you very much

I would not remove the switch if you have multiple devices on the same VLANs talking to each other. The 6100 ports are not a switch. If you have devices connected to them that need to be in the same subnet they would have to be bridged and that uses significant CPU cycles. An external switch can do that without loading the firewall. Steve

Ok, start a new thread for that then it seems unrelated to the notifications issue.