• Attachment in E-Mail-Report (syslog-ng)

    2
    0 Votes
    2 Posts
    195 Views
    chrismacmahonC

    You really don't want your firewall to be a host for syslog of other devices. Spin up a VM and use something else as your remote syslog.

  • Congestion Control Algorithms

    18
    1 Votes
    18 Posts
    2k Views
    C

    I understand that, but let's put things in perspective, these are a few modules already part of the OS, the work to activate them is adding them to a build script, and the size of the modules?

    Average 14kB each.

    I have seen far bigger things taking much more effort implemented in pfSense.

    For reference modules are not loaded by default, they are optional, so the risk of crashing on boot, simply by compiling them and distributing them is pretty much zero. If the end user has gone to the trouble of adding a module to their loader.conf.local then they can go to the trouble of removing it as well if it becomes a problem.

  • Questions about pps module.

    5
    0 Votes
    5 Posts
    548 Views
    GrimsonG

    RTFM
    https://www.netgate.com/docs/pfsense/book/services/ntpd.html
    https://www.netgate.com/docs/pfsense/book/services/ntpd-gps.html

  • Upgrade from pfsense 2.4.2 to 2.4.4

    5
    0 Votes
    5 Posts
    476 Views
    johnpozJ

    You keep your config.. You just want to make sure you have a backup in case the worst case scenario happens and you have to clean install.

    99 out of 100 you will be fine with just clicking go... But if it's really production you have to make sure if the worst happens the down time is minimal.. Or you get yelled at, worst case could be a PSGE (pink slip generating event)..

    Any typical enterprise change control process would include backout plan, and recovery.

    I have had to fly out to locations for "risky" upgrades of hardware.. And then doing the work after hours so that you have enough time to even get new hardware onsite in the 4 hour support window and back up before production starts again, etc.

    The level of precautions needed to be taken depends on the level of production you're talking about taking a risk with.. I click update on stuff all the time when there is no SLA for the service ;)

    I would say 999 out of 1000 just hitting clickity clickity on the update will be fine.. But always plan for the worst ;) Let us know how it goes..

  • PFsense Blocking Some Traffic

    33
    0 Votes
    33 Posts
    4k Views
    johnpozJ

    time up will also be in the stats
    time.up=81609.360209

    Which would be in seconds.

    And to be honest most everything on my network points to downstream pihole, so that reduces the number of queries unbound sees because pihole only asks unbound for stuff that has not been blocked, and also it caches.. So if say 3 things asked for xyz.com unbound would only see the 1 from pihole, then pihole would serve the answer up to the clients via its cache.

  • PPoE Question (strange results)

    2
    0 Votes
    2 Posts
    338 Views
    stephenw10S

    That looks like the expected result. The gateway IP is whatever is upstream from you at the ISP. The interface IP is your local address that external sites see to reply to.

    Steve

  • LDAP cuts out half the time with ssl

    7
    0 Votes
    7 Posts
    685 Views
    M

    In the end I managed to figure it out. It seems that the certificate is case sensitive so once I fixed that it all works. The only thing I'm not sure about is why it worked sometimes before I fixed it.

    thank you for your help

  • Asymmetrical OpenVPN speeds on symmetrical Gigabit service

    3
    0 Votes
    3 Posts
    544 Views
    S

    That... uuuuuhhh... would actually make a lot of sense. I'll go ahead and ask them, thanks!

  • DHCP Retry on WAN Interface

    7
    0 Votes
    7 Posts
    911 Views
    stephenw10S

    If you have any advanced DHCP options set the default settings are overridden but what is added should still be valid there.
    Were you able to check the values in the generated conf file? For example /var/etc/dhclient_wan.conf

    Steve

  • Crash report

    2
    0 Votes
    2 Posts
    184 Views
    stephenw10S

    Was this after an upgrade? During the upgrade?

    From what version? To 2.4.4p1?

    More details needed.

    That could be a filesystem error or it could be due to the php version change in 2.4.4.

    Steve

  • Reset OpenVPN Service

    5
    0 Votes
    5 Posts
    638 Views
    W

    My VPN Provider is PrivateVPN.
    The Log of the VPN

    Dec 22 10:01:08 openvpn 5717 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Dec 22 10:01:37 openvpn 5717 RESOLVE: Cannot resolve host address: it-mil.privatevpn.com:1194 (hostname nor servname provided, or not known)
    Dec 22 10:02:07 openvpn 5717 RESOLVE: Cannot resolve host address: it-mil.privatevpn.com:1194 (hostname nor servname provided, or not known)
    Dec 22 10:02:07 openvpn 5717 Could not determine IPv4/IPv6 protocol
    Dec 22 10:02:07 openvpn 5717 SIGUSR1[soft,init_instance] received, process restarting
    Dec 22 10:02:07 openvpn 5717 Restart pause, 300 second(s)
    Dec 22 10:07:07 openvpn 5717 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Dec 22 10:07:37 openvpn 5717 RESOLVE: Cannot resolve host address: it-mil.privatevpn.com:1194 (hostname nor servname provided, or not known)
    Dec 22 10:08:06 openvpn 5717 RESOLVE: Cannot resolve host address: it-mil.privatevpn.com:1194 (hostname nor servname provided, or not known)
    Dec 22 10:08:06 openvpn 5717 Could not determine IPv4/IPv6 protocol
    Dec 22 10:08:06 openvpn 5717 SIGUSR1[soft,init_instance] received, process restarting
    Dec 22 10:08:06 openvpn 5717 Restart pause, 300 second(s)

    I will try with Watchdog option.
    Thanks a Lot
    Stefano

  • Subnet problem?

    23
    0 Votes
    23 Posts
    2k Views
    F

    First off, let me just say thank you all, for just diving head first without me having any clue what you all needed from me.

    This network was set up before anyone that works in our dept was even there over 12-13 years ago. We have upgraded equip since then and went to 10Gb routers and switch stacks for future enhancement but not sure if anything design wise has changed, I'd have to ask our net admin. We all wear many hats, I more than anyone only because I engage in everything I can get my dirty little hands on.

    Ok so after I learned how to draw, learned what transit meant, then learned how to semi properly map things out, the consensus seems to be that the network is not as bad as originally thought by everyone "so I hope". "creating aliases for allowing and/or denying internet access for certain subnets." this works with our current setup and as far as diagnosing problems, we or I should say our net admin has never had problems doing so so far.

    Updated map. (Yes I know that 10.31.0.0/19 wireless network is huge. Did it for a reason as it is our guest network. There are only ever about 150-300 people on it at once but my thought was give them an IP and they keep it for I think 2 years. Lets us easily track mischievousness)

    I will not be making major changes until after the holiday break seeing as I am not at work to see how those changes affect anything. I do have a remote AP at my house with a VM added to our domain so I will continue working/testing other things in pfSense until I get back.

  • Routing via VPN by "service" instead of host ip

    5
    0 Votes
    5 Posts
    950 Views
    P

    I'm an ex-Brit living in Canada - have the same issue. I spent a lot of time playing around with this.

    It was easier to run a VM machine at home dedicated to the UK and have PF Sense route all its requests via the VPN to the UK. After much testing, it was the only reliable solution. Then run a remote desktop session on the machine connected to the TV when you want UK TV.

    By the way - the offline BBC iPlayer app can run on the UK dedicated VM and download material, but if you make sure it stores the material in a place that other machines can access, you can run the offline BBC iPlayer app on other machines looking to that location for material and it works fine.

    Regards

    Paul

  • Where are e-mail notification subject lines set?

    1
    0 Votes
    1 Posts
    136 Views
    No one has replied
  • No internet on third interface.

    5
    0 Votes
    5 Posts
    740 Views
    S

    ok, the arp reset didn't work, I changed the OPT network ip to 10.10.0.0/24 instead of 10.0.10.0/30 and it started working! so I think it's because of the network range of my lan ( lol my bad) but now when I ping 8.8.8.8 I only get duplicate packages....

  • No WAN IP on new PfSense Box

    12
    0 Votes
    12 Posts
    2k Views
    KOMK

    What do you mean "no logs"??? Status - System Logs - DHCP. All DHCP client messages are logged there. You're saying there is nothing at all?

    Also, what do you mean by "I can't capture packets"??? Diagnostics - Packet Capture. The tools are there. Use them.

  • Network Access Problem

    8
    0 Votes
    8 Posts
    888 Views
    G

    @marvosa said in Network Access Problem:

    You could also create a NAT rule to translate your IP to the camera subnet when accessing your cameras from another VLAN, which sounds more like the solution you're looking for.

    Thanks @marvosa - You are 100% right here - this is for home use, so I am looking to keep the amount of excess HW to an absolute minimum.

    Can someone give me a few hints - possibly what tab to use and/or references/good keyphrases to google etc. I understand NAT in principle, but I'm very sketchy on the details of how it works in pfSense.

  • Odd behaviour!

    21
    0 Votes
    21 Posts
    2k Views
    N

    Bump

  • Gmail and VoIP problems

    4
    0 Votes
    4 Posts
    505 Views
    chpalmerC

    There are not many VOIP providers anymore that require static port. Who is your VOIP carrier?

    I'm curious if you have an MTU problem.. What kind of internet connection is this?

  • How to configure e-mail notifications

    3
    0 Votes
    3 Posts
    425 Views
    N

    Ah, yes you're right, I've also seen pfSense boot notifications.

    I think it's great to have the ability to get notification, but it doesn't do much good if you can't specify what events you want to get notified about.

    I know about the mailreport package, and it's great, but it only gives you periodic reports, no instant alerts.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.