• User Certificate Error Message

    10
    0 Votes
    10 Posts
    824 Views
    C

    Although I have not gotten my VPN to work yet, the YouTube video "pfSenseBasics - Remote User VPN" has been very helpful for doing the VPN configuration.

  • pfsense short cpu load hang

    18
    0 Votes
    18 Posts
    1k Views
    DaddyGoD

    @fischstäbchen said in pfsense short cpu load hang:

    Zotac Zbox CI329 Barebone nano

    https://www.reddit.com/r/PFSENSE/comments/8kasfm/celeron_n4100_fanless_dual_nic_zotac_any_good_for/

  • No web GUI when internet is down

    13
    0 Votes
    13 Posts
    3k Views
    B

    @NollipfSense I am using a cable modem, so I guess I'll just wait and see if the issue returns. Hopefully not!

  • UK PfSense with modem

    3
    0 Votes
    3 Posts
    322 Views
    stephenw10S

    Yes, you will almost always need a modem of some sort. The only time you would not is if you have a direct Ethernet connection, which would be extremely unlikely in the UK, certainly for any home/SOHO user.
    But you can ditch the ISP-supplied router in almost all cases and use something that is, or acts as, a modem only.

    Steve

  • Hosting websites on DMZ gives cert error from LAN

    10
    0 Votes
    10 Posts
    1k Views
    GertjanG

    @notarobot said in Hosting websites on DMZ gives cert error from LAN:

    Does it seem like the right thing to do ?

    This is the moment that I would advise to check up with pihole manuals/forum/faq/.
    So I'll do that ;)

  • PF Sense WAN "watchdog timeout" and turns down internet

    2
    0 Votes
    2 Posts
    396 Views
    jimpJ

    From the description of the symptoms it sounds more like a hardware problem

  • pfSense freezes after 19-23 hours uptime

    9
    0 Votes
    9 Posts
    939 Views
    DaddyGoD

    You're welcome and Cool_Corona didn't accidentally ask the bogons, ;-)

  • PHP Warning: PHP Startup: Unable to load dynamic library 'readline.so"

    2
    0 Votes
    2 Posts
    235 Views
    GertjanG

    Attached logs ?

    The errors were present before you tried to upgrade to 2.5.0 ?
    Upgraded from what version ?

  • How to solve ISP blocking remote UDP port?

    15
    0 Votes
    15 Posts
    4k Views
    GertjanG

    @yon-0 said in How to solve ISP blocking remote UDP port?:

    https://github.com/bol-van/zapret/

    Incredible.
    And impressive, the effort that has been taken to circumvent this 'MITM' thing.

    Using this tool asks for some serious networking knowledge. It's rather simple to know how much you need: you have to be smarter than those guys that made and put in place this 'DPI' thing.

    I don't know where you are, @yon-0 , I advise you to move out/away.

    Btw : DPI on https (TLS/SSL) : forget it, those DPI guys are not human, or aren't using terrestrial resources to do so.

  • two firewalls - external, and internal

    10
    0 Votes
    10 Posts
    834 Views
    J

    I'm guessing some kind of routing issue.

    The tracert from both the LAN & WAN interface should be identical as they will be both routing via the same gateway - at least that's what I got when I tested on my firewall.

    Have a look at the routing table of FW1. Its LAN interface (which is the WAN/FW2) may require a static route telling it that 192.168.1.0/24 should be routed via its 192.168.2.1 interface. This would explain why WAN/FW2 works & LAN/FW2 doesn't as WAN/FW2 is sitting on the same subnet as LAN/FW1.

  • Using PFSense as ipsec Endpoint of Azure

    13
    0 Votes
    13 Posts
    2k Views
    stephenw10S

    I'm not aware of any issues using AES-GCM directly to Azure either. 😉

    But, yeah, better to start a new thread for that.

    Steve

  • Routing problem with a bit complex network setup

    9
    0 Votes
    9 Posts
    478 Views
    stephenw10S

    Nice. Yeah the automatic outbound NAT setting will NAT all traffic from internal subnets to the interface IP of any WAN type interfaces. But here it was seeing the LAN interface as a WAN so did not NAT traffic from that subnet as it left the actual WAN.

    Steve

  • Unknown - relayd not running?

    3
    0 Votes
    3 Posts
    462 Views
    L

    I figured the problem might be with the monitoring part of the setup but that looks fine too. What other info could I provide to shed better light?

  • New user, general questions

    5
    0 Votes
    5 Posts
    605 Views
    S

    @duvel

    With the work from home restrictions the wife and I saw the need to upgrade our wifi and so I went from an old Asus AC66U and an older Asus used as an extender, to Netgear Orbi (3 station) in AP mode. Immediate improvement both in throughput and coverage. I wish I’d done this ages ago but was not motivated until now. No problems interfacing with pfSense, Sonos, etc.

  • State Filtering Question

    6
    0 Votes
    6 Posts
    915 Views
    F

    mystery solved

    rawtaz in the irc channel suggested killing the state that referred to a rule it should not be referring to.

    When the state was re-established, it came up referencing the correct rule. The most likely scenario is that when the firewall rules are changed (i.e. adding or removing rules changes the number of the rules), the already established states do not have the rule numbers updated.

    This is a pf 'issue' and not pfSense since pfSense reads /dev/pf to get the states that match a particular rule.

  • 0 Votes
    8 Posts
    928 Views
    jimpJ

    Next time you reboot, hit Ctrl-T (^T) at the console a few times with some time in between when it's stuck there. See what that prints.

  • TrustedUserCAKeys for ssh

    1
    0 Votes
    1 Posts
    448 Views
    No one has replied
  • VLAN config IPv4 Configuration Type

    4
    0 Votes
    4 Posts
    551 Views
    bingo600B

    A VLAN is Layer 2 communication, MAC address oriented.
    The pfSense firewall is a Layer 3 device, as most firewalls are.

    pfSense filters (allows/deny) based on IP addresses.
    Your Vlan150 example uses the ip range 192.168.150.xx, so I'll assume the Vlan222 uses.

    On each interface where you have devices that have to reach hosts in Vlan222, you would need to allow that "interface ip range" to send packets to the Vlan222 ip range.

    Ie. the fw rule on the Vlan150 would be :

    Action pass
    Interface "Vlan150"
    Addr Fam IPv4
    Proto Any
    Source Vlan150 net
    Dest Vlan222 net

    Now pray that your Vlan222 hosts have def-gw on the pfSense box , or you'll have to play with routes.

    /Bingo

  • 0 Votes
    8 Posts
    899 Views
    T

    Thanks everyone for all the replies, I'm gonna try with Rico's suggestion, it looks like that's the correct approach.

  • cannot join an AD DC on a LAN from DMZ

    3
    0 Votes
    3 Posts
    365 Views
    R

    Thank you for your reply @stephenw10,

    I am able to ping from lan the dmz but not vice-versa (for security reasons won't be allowed). A-record for the dmz-pc has been manually created into the DNS of the AD.
    Let me open all ports, and will let you know back.

    Best,

    rickey

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.