• How to configure e-mail notifications

    3
    0 Votes
    3 Posts
    429 Views
    N

    Ah, yes you're right, I've also seen pfSense boot notifications.

    I think it's great to have the ability to get notification, but it doesn't do much good if you can't specify what events you want to get notified about.

    I know about the mailreport package, and it's great, but it only gives you periodic reports, no instant alerts.

  • 0 Votes
    6 Posts
    634 Views
    M

    By chance were you running snort in Inline Mode?

    Nvm, I'm thinking of Suricata. Snort does not appear to have a distinct "Inline Mode".

  • Route FreeNAS Torrent downloads through VPN?

    3
    0 Votes
    3 Posts
    1k Views
    M

    We'd need more info to offer more targeted advice, but in general, you'll need to:

    Policy route the static IP's for QBittorrent and Couchpotato on your LAN tab, which it sounds like you have done. BTW, how are these apps using different IP's on FreeNAS? Are they VIP's that are bridged to the LAN adapter? I'd like to know how these apps are communicating on the network and if they truly are sourcing traffic from the IP's you've configured.

    Add an Outbound NAT entry for your static IP's that is configured to send matching traffic out your VPN interface

    Verify the rules on your OpenVPN tab are explicit so the traffic you want to be routed thru the VPN isn't matched on the wrong interface.

  • any remote (internet-server)ssh disconnect

    4
    0 Votes
    4 Posts
    460 Views
    S

    It worked, thanks Derelict.

    Regards

  • Complete loss of network; where to find info on what happened?

    9
    0 Votes
    9 Posts
    923 Views
    P

    @babiz Thank you kindly. The /var/log was empty except for the reboot; there were no past logs. That bugged me and I wondered if they were somewhere else I hadn't thought to look for.
    I have wireshark, but honestly hadn't thought to try it while everything was flipping out.

    As far as I can tell it looks as if the WAPs attempted to take over when something happened to pfSense. There was a cable modem reboot in there, too, which once triggered some strange IP issues. But without the log (and I was desperately trying to get everything back up) I've got nothing to go back and look at.

    Thank you for taking the time to read and respond to my post, and point out ways I can in the future better analyze issues. That's a very welcoming approach you have there, and I'm quite thankful for it.

    ~J

  • Blocking domains via text file

    5
    0 Votes
    5 Posts
    437 Views
    S

    @johnpoz : I had to deactivate pfblocker because it was blocking internet access and once froze the whole system and I had to reboot. But I don't know for sure if it was pfblocker itself or the rules I have.

  • 0 Votes
    2 Posts
    932 Views
    jimpJ

    There must be something wrong with the installation. The fastest way to recover it would be to reinstall, choosing the option to recover the configuration during the install process.

  • Stuck at booting...

    2
    0 Votes
    2 Posts
    394 Views
    jimpJ

    https://www.netgate.com/docs/pfsense/install/upgrade-guide.html#upgrading-from-versions-older-than-pfsense-2-4-4

    Specifically see the part at the end of that section about putting kern.vty=sc into /boot/loader.conf.local.

  • gigabit internet with Zotac ci323 Speed bottleneck

    11
    0 Votes
    11 Posts
    1k Views
    chevywuC

    Thanks for letting me know.
    I decided to upgrade on HW mainly because I want the box to do more. IDP, bandwidth monitoring and Traffic shaping...

  • IPTV returns 401 after latest update

    4
    0 Votes
    4 Posts
    571 Views
    stephenw10S

    Ah, OK and the IPTV stream is being accessed over the VPN when pfSense is in play?

    Most likely the IPTV service has blacklisted the VPN provider's IPs as the source of either hack attempts or users bypassing geo restrictions.

    Try disabling the VPN and testing through pfSense.

    Steve

  • minnowboard firmware update process?

    11
    0 Votes
    11 Posts
    1k Views
    B

    It's upgraded; I'm not gonna mess with it again until I have to..

    I still have my sg2220 as my backup. I probably need to update it to 2.4.4 at some point!

  • Link-local address flooding logs

    33
    0 Votes
    33 Posts
    4k Views
    johnpozJ

    I am not blocking the 169.254 - I block the multicast address.
    But sure you could block it via 169.254.x.x if you wanted to..

    I don't want or need any of that multicast noise - and I sure don't want it going out to the wifi, which that vlan is where my roku sticks connect..

    169.254 is IPv4 link local and yes is used for APIPA... In a correctly configured network there should never be any need or use for it.. What you posted is clearly what I would call NOISE.. that should be able to be disabled on the device sending it.. But if you can not, then the best place to stop is before it even enters the switch ;)

    I had looked all over to how could disable the noise coming out of the directv box.. Could not find anyway.. So block at switch it is then ;) Which reminds me should look to thread I had on plex forums about the noise it was sending out.. Even when dlna and disabled - it was sending out SSDP nonsense.. I had to block that at the switch as well..

    edit: F'ing Crickets over there
    https://forums.plex.tv/t/stop-pms-from-sending-ssdp-dlna-and-gdm-disabled/321779

    Thing sends every freaking 10 seconds.. Wonder if any of the beta's after posted that fixed it? On 1.14 something now.. going to remove the acl on the switch and see ;) fingers crossed.

    edit: Arrggghhh still chatty kathy..

    13:22:57.575617 IP 192.168.9.10.42339 > 239.255.255.250.1900: UDP, length 101
    13:22:57.575635 IP 192.168.9.11.45988 > 239.255.255.250.1900: UDP, length 101

  • Schedule a DNS forwarder restart

    3
    0 Votes
    3 Posts
    689 Views
    S

    @stephenw10 Thanks for the quick response.

  • Active Active Load Balancing

    2
    0 Votes
    2 Posts
    620 Views
    stephenw10S

    I would expect that to be OK as long as the load balancers are acting as true proxies rather than forwarders. If all traffic to/from the servers goes via the load-balancer that is all the rules you will need.

    Steve

  • Inter-Network Blocking Question

    19
    0 Votes
    19 Posts
    2k Views
    johnpozJ

    The "this firewall" includes ALL ips on the firewall.. For example your WAN IP that is normally not a rfc1918 address. So this rule makes sure that NO IP on the firewall can be accessed.

  • No outbound traffic in transparent bridge mode

    13
    0 Votes
    13 Posts
    941 Views
    M

    pfsense runs in a vm on proxmox, can that be a problem with the linux bridge proxmox uses?

    I did a second setup with pfsense in NAT mode and a local IP address on the LAN side, same problem with outbound connection. I can only ping.

    EDIT: Found the solution: disable "Hardware Checksum Offloading" for Proxmox VirtIO interface

  • Gigabit Throughput

    29
    0 Votes
    29 Posts
    4k Views
    K

    This is my test :

    0_1545093184825_3Gbit iPerf.PNG

    I run pfSense on Cisco UCS C210 M2 with 2x X5650 CPU and BroadCom QLogic dual port 10G NIC... Maximum load I registered was 11%...
    I am pretty sure this result is caused by a speed limitation between me and server instead of my pfSense box... After a few days I will have second 10G line from separate ISP and then I can test again... This machine was released in 2010 so almost 9 years old but works pretty well and I am happy with it ;)

  • Pfsense connect with DSL modem wifi router problem need help.

    11
    0 Votes
    11 Posts
    2k Views
    stephenw10S

    Yes, it looks to me like your Asus router has started handing out DHCP leases in conflict with pfSense. Make sure it is running the same settings it was previously.

    But, yes, it would be far better to use separate devices as the DSL modem and wifi access point. You're relying on PPPoE to separate WAN from LAN there.

    Steve

  • WAN Monitoring and Packet Loss

    7
    0 Votes
    7 Posts
    1k Views
    stephenw10S

    Nice.
    Realtek NICs are better than they used to be but there's a reason they still have a bad rep. 😉

    Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.