• Dhcp server 2 different interface

    12
    0 Votes
    12 Posts
    923 Views
    johnpozJ

    Wanting to use all of rfc1918 space because it's available is not a good reason ;) for example..

    I would really like to understand how you came to use /19 - is that your favorite number or something?

  • How to secure pfSense system?

    7
    0 Votes
    7 Posts
    2k Views
    stephenw10S

    That's true for anything written in script for compiled code you need to check the source. 😉

    Steve

  • PfSense VLAN + switch tagging trunk questions

    29
    0 Votes
    29 Posts
    4k Views
    J

    @stephenw10 I will have to wait for this Tuesday coming to go on site in order to test.

  • Routing only one port on NIC through openvpn

    13
    0 Votes
    13 Posts
    3k Views
    stephenw10S

    Ok, if you only have a firewall rule with the OpenVPN gateway set it will force all traffic out that way which will break connectivity to the LAN.
    Add a rule on the new interface above any rules with a gateway set to pass ping traffic to the LAN.

    Otherwise check the firewall logs. Check the state table while you're pinging.

    Steve

  • [Time of PFsense to Computer] Solved

    8
    0 Votes
    8 Posts
    789 Views
    F

    You can also provide the timezone to DHCP clients, my Linksys switch (LGS318) uses it.

    Just add these 2 DHCP options to your DHCP server :

    option 100 : "CET-1CET-2,M3.5.0,M10.5.0/3"
    option 101 : "Europe/Paris"

  • fresh pfSense install randomly hangs on boot

    15
    0 Votes
    15 Posts
    2k Views
    M

    Unfortunately no but the problem disappeared. Maybe it was something else I don't know.

  • No internet from the Lan interface of the pfsense

    10
    0 Votes
    10 Posts
    1k Views
    stephenw10S

    You removed the gateway from LAN. That's a big change to the system.

    Without that gateway the WAN is probably the only gateway and therefore the default. With a gateway on the LAN the 'automatic' default gateway option probably set LAN as default and hence it failed.
    Go to Sys > Routing > Gateways and make sure the WANGW is set as the default v4 gateway.

    Also you're running 2.4.4-rel and the latest version is 2.4.4p3, you should upgrade. That would not change this though.

    Steve

  • Puzzled: Wan latency is high when no RDP are opened

    5
    0 Votes
    5 Posts
    597 Views
    stephenw10S

    pfSense uses the dpinger daemon to monitor connection quality. It pings something on the WAN twice a second, by default it uses the gateway IP as that's what it always has but you can set any IP.
    It's almost always better to use an external IP as that then actually monitors internet connectivity as opposed to just to the ISP.
    https://docs.netgate.com/pfsense/en/latest/monitoring/using-an-alternate-monitor-ip-address-for-gateway-monitoring.html

    What you are describing though starts to sound like a possible modem issue. What is the modem they have there?

    Steve

  • Notification when a connection is established

    25
    0 Votes
    25 Posts
    3k Views
    GertjanG

    @mikeisfly said in Notification when a connection is established:

    or a packet capture.

    Check a build-up of such a packet.
    You will have your router's MAC (= pfSense), the camera's MAC, the camera's LAN IP and the IP (WAN IP) of the visitor.
    Not the payload, as it is all TLS these days (well, the camera should send over TLS, other scrap it).
    At most, you could see who - from the outside world - visited your device. If it isn't recording, as you can check using the same access time, then you will not know what they saw.

    Btw : One of world's most famous and most used free programs, fail2ban, can do what you want right out of the box. Comparable programs exist.

    Btw : my DVR's - see above - logs user access by login code ... everything is already there.

  • Problems reestablishing the connection

    20
    0 Votes
    20 Posts
    2k Views
    stephenw10S

    There are only 100 packets there, it's all outbound from 100.92.220.245 and none of it is DHCP.

    But you should start your own thread. Unless this turns out to be identical it's only going to confuse things here.

    Steve

  • Web gui access limitation

    6
    0 Votes
    6 Posts
    605 Views
    stephenw10S

    Nice. Let us know if you are able to connect, that would definitely need looking at if so.

    The generated ruleset on the secondary looks good here though.

    Steve

  • Yet another "swap_pager_getswapspace" issue

    4
    0 Votes
    4 Posts
    1k Views
    stephenw10S

    The best way is to remove the SWAP partition at install time. If re-installing is an option for you.

  • How to enable 802.1x on wired lan interface?

    8
    0 Votes
    8 Posts
    3k Views
    T

    @johnpoz @jimp that's exactly what I was missing, thank you for pointing that out.

    Lesson n.1: There are different types of layer 2 switches (managed and unmanaged), some of them support 802.1x protocol and some of them not.

    Lesson n.2: The 802.1x authentication is done at the layer 2, before the IPs are handled to the devices. When packets reach the layer 3 is too late to do any kind of 802.1x authentication as the devices were already authorized to enter the network.

    Cheers!

  • WOL packets across subnets?

    34
    0 Votes
    34 Posts
    10k Views
    johnpozJ

    Just because you have something that will relay or forward (that device that has access to both L2s) doesn't mean it's going to work with alexa or google home or homekit, etc. etc.

    Not without some major background work and setup most likely, and understanding the details of how your device you want to say wakeup X actually does that..

    My Alexa can turn on my TV, and off.. but I have my harmony remote in the same vlan as alexa, while my tv is in its own vlan. Both of these vlans are different than my other vlans. It would prob work without even... Since the harmony remote isn't in standby and the alexa should be able to talk to it over L3.

    But trying to find ways to move L2 data into another L2 is not the right approach.. Correct design of your L2s is better option from a security standpoint.. You need X to talk to Y via layer 2 - then put them in the same layer 2, it's really that simple!!! Isolate that network from your other stuff..

    Do you trust alexa... do you trust your tv, do you trust your iot - well no that is why we isolate them.. But if X needs to talk to Y via layer 2 stuff.. The simple solution is just put them in the same L2 ;)

  • Using FreeBSD as a DHCP server

    4
    0 Votes
    4 Posts
    649 Views
    johnpozJ

    There are lots of things you could do with running your dhcpd on another box, if that is what they want.. Be it windows, freebsd, linux, etc. etc.. That you can not do with pfsense dhcpd instance.. Multiple scopes without having to have leg in the network for one thing.. Reservations inside the pool range, etc.

    While the dhcpd setup in pfsense is easy to use and has easy to use gui, etc. Not all the features of running say isc dhcpd on some other os or box..

    But turning off dhcpd on pfsense has zero to do with running unbound (resolver)...

  • PFSense problem on Openstack/KVM

    17
    0 Votes
    17 Posts
    2k Views
    R

    Thank you all, I modified configuration via web configurator and it works perfectly.

    Thank you again.

    Roberto

  • Slow Dahua RTSP stream with VLC when going through pfSense

    8
    0 Votes
    8 Posts
    3k Views
    stephenw10S

    Nice catch! Thanks for the follow up. 👍

  • ADSL and SIP

    6
    0 Votes
    6 Posts
    992 Views
    QinnQ

    @AndrewZ I don't know if there is a permanent virtual circuit for voice.

  • Debugging PXE booting

    4
    0 Votes
    4 Posts
    1k Views
    stephenw10S

    Many years ago we did a hangout on this: https://youtu.be/1wfjv3j57KI?t=1228

    Gui looks outdated now but the principles are all the same. Not sure what potato converter was used from Fuze. 😬

    I would probably switch to tftp server that does log what's happening at least as a test.

    Steve

  • Pfsense limiting wan?

    9
    0 Votes
    9 Posts
    970 Views
    stephenw10S

    Ah, bad cable, bad port maybe?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.