Yes!

I try! 😁

@truetype

Okies nevermind, I found out the issue.

I had put a pass between the two subnets, BUT i forgot and left it at TCP and not any, so UDP was not passed.

Dumb mistake, but I hope it helps someone who googles and finds this.

Check firewall rules!

@Gertjan
OK problem resolved. Seems I didn't have enough protocols allowed on OPT1
working now and also NTP on WAP
thanks ever so much for assist.

Try setting the monitoring IP to something other than the gateway IP, so 8.8.8.8 for example is commonly used.
That gives you a better idea of actual connection quality. The ISP gateway usually doesn't guaranty ping response.

Steve

The router used as an access point can, and probably should, be on the same subnet just set as static and outside the DHCP range.... and not the same IP as anything else!
That way you will still be able to access it's interface to check signal strengths or make further changes.

Steve

@akuma1x
This is a hotel network ISP>PFSENSE>SWITCH>AP>Users

@nambi said in Best Way to Achieve this?:

if I have something else using 443 would I then need to use the reverse proxy?

That's one way. You could also reconfigure the web listen port for one of your servers to some other port. I tend to avoid using a reverse proxy because its extra complexity with potential issues that I'd rather avoid.

Also yes, VLANs give you network separation as if they were physical interfaces. You always want to provide a gap between front-facing services and your LAN so that any exploited servers aren't used as a stepping stone to taking over your network.

Yup, that could be it. Though that's not one of the symptoms usually seen with Realtek NICs I would not rule it out.

Steve

@stephenw10 thanks. Thankfully I had a good recent backup. Reinstalled pfsense via image provided by Netgate, restored backup back in business. Thank you

I mean 10k states per client does seem..... high! But it depends what those clients are doing. If those are all legitimate states then you could be hitting something else more quickly than we would otherwise expect.

But, yeah, did disabling pfSync on the secondary correct the connection drops you were seeing?

Steve

Solved by adding static routes in azure pfsense and adding UDR routes of the remote network in the azure route table....finally!

Yep, it does seem right the drive failed after power surge thru the network. Took out one of my switches and two of my Ethernet ports on the server also........

Oh I forgot they’re switch ports, I guess you’d need to go into the switch part of the config and change the main interface mvneta0.

https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/getting-started.html#mac-address

https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/switch-overview.html

@stephenw10

When I do a backup/restore I always do that and make sure I grab every option I have and it always moves over. At this point it doesn't really matter all that much as I'd be losing the recent stuff anyway. Now it's just a matter of how it can be done and if it works manually.

Do you have the Service Watchdog package enabled? If so, you must not use it for Snort! That is one cause of this problem.

Check to see if you perhaps have gotten multiple instances of Snort on the same interface. Run this command from a shell prompt on the firewall:

If Snort is running, you should see only one process per configured interface. If you see two Snort processes with the exact same information and arguments, then you have a zombie running. If this is the case, kill all Snort instances and start Snort on each interface again from the GUI.

Finally, it's possible some particular rule you have enabled is the source of the crash. A Signal 11 error is basically a segment fault (meaning a process attempted to access memory that was out-of-bounds for that process). I run Snort on my personal home firewall and have no issues with crashes. I don't run the OpenAppID rules, though. And there is no guarantee that even if two people run the same rule categories that they have the exact same rule SIDs enabled. So it's hard to compare apples-to-apples when talking about IDS/IPS setups.

@lmh1 said in What is wrong with pfsense?:

system_crlmanager.php

So you are using this page :

44918413-188b-47d0-b168-547f2fc42540-image.png

and then what ?
Clicked on one of the green buttons and you fed it with a something that isn't recognized ?

You want to revoke a certificate ?

Try this Realtek driver: https://forum.netgate.com/topic/135850/official-realtek-driver-binary-1-95-for-2-4-4-release

-Rico

Yeah you can't have the same subnet on two interfaces. Is that what's happening here? Or this other 'WAN network' a router on the LAN side of pfSense?

A diagram would probably be helpful here.

Steve

I will just add here that I am not seeing this and I connect to many different pfSense boxes everyday using Chromium by IP address. Whatever it is you're hitting seems more nuanced than just that.

Steve