Hi @mehdii, have you tried to set the corresponding axis-unit?

@Tactis said in pfSense on OVH Dedicated with ESXi and one NIC:

It's not the public IP assigned to your ESXi interface right?

Yeah I think it is. That's how I'm connecting to it (the public IP). Well at first I wasn't able to, but I enabled the basic firewall (not the Cisco ATA option) in the OVH control panel on that interface, and let port 443 through, then I was able to. This doesn't make a lot of sense either, I would have thought with the firewall off I could connect just as much as if it were on with one port open. I'm flying blind as to how their infrastructure works.

As long as it's not, you should be fine. Add another vSwitch and Port group in ESXi for your VMs, and do NOT assign an uplink NIC to that vSwitch. Connect the pfSense 2nd NIC to this vSwitch and setup the LAN.
This way pfSense will act as the firewall between your LAN and WAN, with the public IP being the one you picked up from DHCP.

I'll do that as I assume I'll need it anyway when I work through it.

If you have a range of IPs available, it's probably still best to setup a static if you want to host any services here. Any additional IPs can be added to pfSense by going to Firewall > Virtual IPs and assigning them here.

It is a static public IP, and I'm not sure why ESXi picked it up from DHCP. I'm also not sure how I could connect to ESXi to manage it in the first instance if it didn't pick it up from DHCP, because if I set ESXi as an internal static IP (like 192.168.0.X or whatever) their basic firewall doesn't seem to redirect ports to different IP's, so I'm pretty sure I wouldn't be able to get to the ESXi server. It's a weird and foreign setup to me.

Thank you Steve, against that bug, I have also reduced the firewall maximum entries to 65534. Bogon is also disabled.

Might be the case with my ISP, I will ask in the dedicated ISP forums for advice on monitoring. There are a lof of pfsense users with Virgin Media in the UK. Helps to drop the ISP name in this thread as well, in case anyone else is going through the same pain.

@pooperman

there is some issue with SSL handshake:

1.JPG

I would not expect a port forward to be required there as Plex can usually be accessed from anywhere, even externally.

UPnP is disabled by default in pfSense and you should leave it that way unless you have a very good reason not to. Plex can open port forwards in the firewall to allow access otherwise.

Usually when people device their network like you have it is for security. Consider what would happen if one of your cameras was found to have a vulnerability and was hacked for example. What would that give anyone access to?

You probably want firewall rules on the 192.168.2.1 interface in pfSense that allow only the required access outbound. So the cameras may not need any external access or maybe only to a known IP or set of IPs. Wifi IoT style devices may not need any access to to the LAN subnet. Though maybe you want Alexa to be able to control Hive....

What you want to do is allow only the traffic that is needed and segregate devices as much as possible to mitigate any security issues should they occur.

Does your access point allow for multiple SSIDs / VLANs?
If so I would create more so you can separate general access devices like laptops and tablets from IoT devices like cameras and Alexa.

Currently you have separated devices simply by wired or wifi and that might not be the best way. The Hive and Hue hubs are IoT devices. I would want those on a separate subnet to desktop PCs and servers if possible.

Steve

@tgdsilva said in Cannot access pfSense LAN subnet from outside:

I think I would need it just for the purpose of converting incoming ONT (coaxial) to Ethernet.

Exactly... Get an AP put it behind pfsense, then you can do whatever you want for segmentation of networks.. I would suggest you get an AP that supports vlan, and also a switch that does as well.. Then you be cooking with gas ;) For anything you might want to do.

Thank you!
I have set it through SSH and finally, after 4 days I have rebooted it (I was afraid it won't work and didn't have the time to setup a monitor and a keyboard to the pfsense machine).
It works great!

The HG612 will be plenty fast enough if it works, it doesn't really do anything but pass the traffic to pfSense.

I think you will need it unlocked to change to bridge mode. That's quite easy though.

I hope it's the 3B version. Some of the earlier ones had known over heating issues.

Steve

@Fredouye

THANKS!! I had done a search, but obviously my search was not well stated to come up with the right answer.

I entered the "0-4,6" in the weekday field. So it should run tonight. Thanks again.

Phizix

The XG-1537 or XG-1541 can easy do 10 Gbps.
https://store.netgate.com/XG-1537.aspx
https://store.netgate.com/pfSense/XG-1541.aspx

-Rico

ok so here are the results of my efforts last night until 0130!
I am currently unable to get my plex to work.
the plex server is on the server 192.168.1.251 and I am trying to access it via the tv firestick. can anyone help?Skynet.jpg

@NollipfSense @tompark
ok so here are the results of my efforts last night until 0130!
I am currently unable to get my plex to work.
the plex server is on the server 192.168.1.251 and I am trying to access it via the tv firestick. can anyone help?

Skynet.jpg

Although I have not gotten my VPN to work yet, the youtube video "pfSenseBasics - Remote User VPN" has been very helpful for doing the VPN configuration.

@fischstäbchen said in pfsense short cpu load hang:

Zotac Zbox CI329 Barebone nano

https://www.reddit.com/r/PFSENSE/comments/8kasfm/celeron_n4100_fanless_dual_nic_zotac_any_good_for/

@NollipfSense I am using a cable modem, so I guess I'll just wait and see if the issue returns. Hopefully not!

Yes, you will almost always need a modem of some sort. The only time you would not is if you have a direct Ethernet connection which would be extremely in likely in the UK, certainly for any home/soho user.
But you can ditch the ISP supplied router in almost all cases and use something is, or acts as, a modem only.

Steve

@notarobot said in Hosting websites on DMZ gives cert error from LAN:

Does it seems like the right thing to do ?

This is the moment that Iwould advise to check up with pihole manuals/forum/faq/.
So I'll to that ;)