• PfSense On Azure

    2
    0 Votes
    2 Posts
    1k Views

    Hey there

    Normally you would assign your WAN interface to the NIC that's connected to your public IP address and your LAN interface to the private subnet. I would not recommend assigning your LAN interface to a private subnet and to your public IP address simultaneously in any case whatsoever.
    IMHO, the assignments should be like this:
    WAN -> public IP address provided by Azure (only)
    LAN -> private subnet (only)
    I don't think it's necessary or that it makes sense to add some virtual IP in this case.

    I'm not familiar with Azure, but if you can add more virtual interfaces to your pfSense VM, go ahead and add one if you need another private subnet.

    Now of course with this configuration you cannot access the Web Configurator from the Internet. But I wouldn't recommend making it available to the Internet anyway. So if you can keep your Windows VM that's in the same private subnet, access the Web Configurator from there.

    Of course there are other options to get to what you're trying to achieve, but I think just using another VM in the same private subnet is the easiest way.

    Greetings, Philipp

  • DHCPREQUEST wrong network???

    5
    0 Votes
    5 Posts
    6k Views

    Thx for the replies! Although nmap reported only 1 DHCP server on the network, I found an access point with DHCP turned.  I'm assuming this was the issue…..

  • Can I block downloads of .txt files that are over a certain size

    3
    0 Votes
    3 Posts
    256 Views
    KOM

    Squid has a traffic management page that allows you to specify a maximum download size, and have it apply only to specific file extensions such as txt.

  • Email issues

    4
    0 Votes
    4 Posts
    504 Views
    JKnott

    If you can ping other sites, but not the email server, the problem is likely with that server.  However, they may have pings blocked.

  • Cloudflare new DNS 1.1.1.1 issues

    16
    0 Votes
    16 Posts
    4k Views
    GPz1100

    In case you haven't figured it out yet, firmware 1.5.11 (1.5.12?) breaks access to 1.1.1.1.  This IP is now some sort of internal IP within the gateway (bgw210).

  • WAN port question

    4
    0 Votes
    4 Posts
    618 Views
    Derelict

    All you have to do is Diagnostics > Packet Capture on WAN for port TCP 445 then run a scan.

    If you get a connection refused (CLOSED) but do not see the traffic on WAN, then something upstream is responding.

    If they are responding AND forwarding the traffic to you (which wouldn't make much sense) then you will see the SYN to port 445 on your WAN but no SYN/ACK response because you are blocking the port.

  • MOVED: Unlocking USB Modems

    Locked
    1
    0 Votes
    1 Posts
    249 Views
    No one has replied
  • Configuring email notifications

    3
    0 Votes
    3 Posts
    395 Views

    Ok, thanks for confirming.

  • 0 Votes
    4 Posts
    430 Views
    stephenw10

    Probably something changed at your ISP or they were doing maintenance etc. Certainly not unusual.

    Steve

  • MOVED: SquidGuard service state: STOPPED

    Locked
    1
    0 Votes
    1 Posts
    522 Views
    No one has replied
  • MOVED: 2.4.3 issue with captive_portal

    Locked
    1
    0 Votes
    1 Posts
    166 Views
    No one has replied
  • MOVED: suricata wont block VPN interface

    Locked
    1
    0 Votes
    1 Posts
    174 Views
    No one has replied
  • Can this step compromise security ?

    15
    0 Votes
    15 Posts
    1k Views

    @stephenw10:

    Yes, keep 400,000. As Johnpoz says above that will be the default value in the next release and in current 2.4.4 snapshots.

    Steve

    Got it / Thanks

  • /rc.newwanip dilemma, it detects a new IP when the IP is still the same

    9
    0 Votes
    9 Posts
    680 Views

    OK look, I actually restored my config after I tried all the possible fixes. I tell you, not even a vanilla installation fixes it, and I don't want to bother myself to reinstall pfSense just to post new logs.

    You can just use your imagination or common sense and think those extra packages don't exist.

    I repeat, I restored my config after I tried everything and gave up, posted here to ask for help, and that's what those logs say.
    Just FYI, pfBlocker should not be causing issues anyway since it was disabled as I posted those logs.

  • Networking problem

    9
    0 Votes
    9 Posts
    1k Views

    @jsaad:

    Comcast calls them micro-outages which kills the remote desktop and the phone.

    It’s fairly common to see 2-10 second outages in cable modems. I see notifications all the time from our system and I normally see this on the same sites repeatedly. It usually ends up being signal fluctuations from somewhere up the street, but the ISP doesn’t deem them problematic enough to fix. Higher latency and jitter are also known issues with these types of service, and while most applications work fine with this, VDI and RDS do not. If your customer considers these applications critical then they really need to look into a fiber solution. I prefer PRI over SIP for phones but it depends on the business and their current phone system. You could look at a low speed fiber for mission critical applications and push everything else out the modem.

  • LLDP Required of pfSense When Using LLDP Switch?

    5
    0 Votes
    5 Posts
    2k Views

    Just a bump on my last question about how to use a DHCP special option setting for assigning VLANs. Thanks.

  • No internet connectivity (can pay)

    2
    0 Votes
    2 Posts
    307 Views

    Since you haven't checked "Don't pull routes", the NordVPN gateway will be your default gateway. That means that any traffic, including that from pfSense itself (DNS), is routed to the VPN gateway. However, that won't work, because you are missing an outbound NAT rule for pfSense.

    So either check "Don't pull routes" in the client settings or add an outbound NAT rule for 127.0.0.0/8 to the NordVPN interface.
    The outbound NAT solution should avoid DNS leaks.

  • Haproxy Configuration - Local Network Access?

    4
    0 Votes
    4 Posts
    3k Views

    I've been trying to get this to work for a long time but just can't get HAproxy setup correctly with Ombi. Any chance you can do a step by step?

    Also, are you using SSL?

    Cheers,

    Zane

  • Understanding pfInfo Status

    3
    0 Votes
    3 Posts
    2k Views

    https://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5&n=1

    urgent Generate debug messages only for serious errors.

    The pfSense devs are using "debug urgent" so it only shows debug messages for serious errors.

  • Virtualbox IDS configuration

    6
    0 Votes
    6 Posts
    1k Views
    KOM

    Probably not.  All your traffic is going to be within your switch but it depends on where you're putting these clients relative to your bridge.

    I don't know why you don't just create a fake WAN and LAN.  Make the WAN a bridged adapter on your LAN, and make the LAN an intnet interface.  Then put server on LAN and attacker on WAN.  Then you have pfSense acting as routing firewall between them.  You can use pfSense's Suricata package instead of needing a third system.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.