• DNS Forwarder & DNS Resolver

    5
    0 Votes
    5 Posts
    789 Views
    johnpoz

    Where did you get the idea that pfblockerng needs to use forwarder mode?

    https://forum.pfsense.org/index.php?topic=128721.msg709743#msg709743

    Straight from bbcan177
    You can use either the DNS Resolver Forwarding mode or the DNS Resolver mode.

  • Ping to PFSense Not Working From Cisco 3750 Switch

    3
    0 Votes
    3 Posts
    466 Views
    J

    That is correct VLANs are at Layer 2. The SVIs (Switched Virtual Interfaces (logical L3 interfaces)) are in place to facilitate the intervlan routing. This all works correctly. The connection from the switch to the pfsense isn't configured as a transit VLAN - it is a routed link created using a routed port (no switchport) on the 3750.

    What I'm saying is:

    The SVIs, default route on the switch and routes on the pfsense are all set up correctly as I can ping/browse from a host on any of the VLANS to a host on the internet which indicates that the mechanics are in place.

    What I cannot do is ping from the switch itself to the pfsense and beyond when the source interface of the pings is the egress port on the switch (the egress port being the routed/172.34.2 interface). Everything else works.

    Hope this is a little clearer.

  • LAN: 1GBE & 10GBE. LAGG or bridge?

    2
    0 Votes
    2 Posts
    419 Views
    A

    :'(

  • Where to see connected pppoe clients

    2
    0 Votes
    2 Posts
    238 Views
    C

    I forgot to mention that the box is running Pfsense ver 2.3.4 release p1 (I386). Any ideas?

  • How to Start after Restarting the Host?

    2
    0 Votes
    2 Posts
    240 Views
    KOM

    So now I am scared what will happen if I Restart the Host of "Firewall PF2" which is Root1?

    That depends on how you have it configured.

    How am I supposed to Start Pf2?

    If it is that critical for you, why do you not have it set to auto-start under VM startup.shutdown in ESXi?

    do I have to start any Services on the VM or is it enough to let the vm Start?

    Just start it.  All services should start by themselves if they're enabled.

    Btw you should probably upgrade to ESXi 6.5.

  • WebServer behind PFSsense

    23
    0 Votes
    23 Posts
    3k Views
    G

    Without more comments, I'm right if I'm saying, this should be a gateway issue with this Static IP?
    I get connected (and Successfully updated PFSense version), but can't get online other machines connected over LAN <-> WAN (inside - outside)

  • MOVED: pfSense 2.4.2-RELEASE-p1

    Locked
    1
    0 Votes
    1 Posts
    229 Views
    No one has replied
  • Windows Update don't pass

    5
    0 Votes
    5 Posts
    3k Views
    M

    Hello Harvy66
    did the same for my net: WSUS and SCCM local, via GP distribute the addresses and get local full speed and offload the WAN line at daytime for user stuff. Afair: "one ring to bind them all"
    As alternative: you could use squid as transparent proxy and there's a manual esp. for the WSUS case to offload the WAN line (problem with the lot of IPs/subfolders).

    Cheers
    Michael

  • Kernel: pid 111111 (php), uid 0: exited on signal 11 (core dumped)

    3
    0 Votes
    3 Posts
    1k Views
    jimp

    Either the hardware is bad, the installation is bad, or some combination of the two.

    Take a backup ASAP, run hardware diagnostics, and then reinstall with a current version if the diagnostics pass.

  • Odd tcp error in syslog

    3
    0 Votes
    3 Posts
    459 Views
    K

    ```
    [2.4.2-RELEASE][admin@pfSense.geek.local]/root: pfctl -vvsr | grep -A3 1000000103
    @5(1000000103) block drop in log inet all label "Default deny rule IPv4"
      [ Evaluations: 666223    Packets: 6750      Bytes: 588103      States: 0    ]
      [ Inserted: pid 15505 State Creations: 0    ]
    @6(1000000104) block drop out log inet all label "Default deny rule IPv4"
    ```

  • MOVED: Error - "There were error(s) loading the rules"

    Locked
    1
    0 Votes
    1 Posts
    226 Views
    No one has replied
  • MOVED: SSL CERTIFICATE

    Locked
    1
    0 Votes
    1 Posts
    252 Views
    No one has replied
  • LDAP SSL not working after upgrade to 2.4

    7
    0 Votes
    7 Posts
    1k Views
    jimp

    Did you also try setting the Peer Certificate Authority for the LDAP server to Global Root CA List?

  • Confused about LAN 1+2. Ok to bridge or not?

    9
    0 Votes
    9 Posts
    903 Views
    johnpoz

    As you get a bit more advanced, you're prob going to want to do vlans on your wireless networks and even wired networks, etc.  In that case get a vlan capable switch and your AP.. you would then be able to leverage any interfaces in pfsense as other networks either via physical or vlans, etc.

    Network interfaces make really poor switch ports..  If you're at a point where you're thinking - oh I can bridge one of my interfaces on my router to use as a switch port..  You're going at the problem the wrong way - clearly you need another switch or higher density switch at that point ;)

    Like saying hey I need to drive this nail into that piece of wood..  Oh shit my hammer is on the other side of the room - let me just use this screwdriver I have to hammer it in.. It's got a big handle on it ;)  I will just hold it by the shaft and swing it like a hammer.  While it might get the job done - it's not the proper tool for the job..  It's not really designed to do that..  You're prob going to miss the nail and slice up your hand, etc. etc..

  • Trying to setup L2tp server on Pfsense box behind ISP ONT

    10
    0 Votes
    10 Posts
    1k Views
    C

    Ok I figured it out. Indeed the problem was a routing issue. I

    I first added a route in my VPN Client software (Draytek Smart VPN client) and noted that it worked. I could have connected to resources behind the Pfsense box.

    Since that worked I figured that I'd try to reconfigure the VPN Server. I put the IP address of the VPN server within the same network as the LAN (192.168.12.2). That did the trick.

    Thanks for your support.

  • Issues with school Chromebook and Sophos Web Gateway

    7
    0 Votes
    7 Posts
    856 Views
    A

    It only happens to Google Docs when the Sophos Web Agent is running.  This happens on the Chromebook itself, or when the kids log into the Chrome Browser with their school accounts.

    As far as using wireshark to capture packets, should I run ChromeOS in a VM? How do I get Wireshark to just capture the packets from the Chrome Browser or ChromeOS?

  • Same IP group in multiple categories blacklist in squidguard (help)

    4
    0 Votes
    4 Posts
    668 Views
    R

    help please :-[

  • VLAN question

    6
    0 Votes
    6 Posts
    833 Views
    jahonix

    @slimypizza:

    I removed the TP Link smart switch and replaced it with the Cisco SG200-08.  I get the same results as before.

    That's as expected.
    Rules apply where traffic enters into an interface/"the pfSense box".
    On your VLAN90 rules tab you control where traffic from VLAN90 host may go to - NOT how they can be accessed.
    Ruling traffic from LAN to VLAN90 is controlled on the LAN rules tab. Only (except for floating rules).

    And yes, this particular TP-Link switch is a bad choice. Others perform as expected (I have multiple TL-SG3210 but prefer Cisco SG300 or SG350 now.)

    Some users seem quite happy with D-Link DGS-1100-08 "$30 for an 8-port D-Link DGS-1100-08 would have been better money spent."

  • Problem: Block HTTPS websites

    4
    0 Votes
    4 Posts
    634 Views
    M

    Use PfBlockerNG to blackhole the DNS for sites do is protocol agnostic.  You just need to find the right block list to feed it.

  • Where is sudoers?

    5
    0 Votes
    5 Posts
    4k Views
    jimp

    Do not use visudo. Use the GUI, System > sudo

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.