• pfSense within AWS environment

    3
    0 Votes
    3 Posts
    425 Views
    stephenw10

    Be sure to have source/destination check disabled if you're not NATing, which you probably aren't.
    https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck

    Steve

  • Issue with YouTube and other mobile apps not functioning

    2
    0 Votes
    2 Posts
    272 Views
    stephenw10

    You should upgrade to 2.4.4 if you're running 2.4.0.

    Check to see if those URLs actually resolve when the sites fail. What are your clients using for DNS?

    Steve

  • VPN LT2P and MacOS

    2
    0 Votes
    2 Posts
    445 Views
    stephenw10

    I assume you're using L2TP over IPSec rather than unencrypted L2TP?

    Did you ever see any hits in the firewall logs before adding those floating rules?

    If the VPN is actually dropping rather than the connection across it that sounds more likely something timing out. And since the Windows client seems unaffected it's probably something specific the MacOS client is setting.
    Do you see anything in the VPN logs at either end when the tunnel drops?

    I would recommend switching to IKEv2 mobile IPSec or OpenVPN to be honest. Both of those work well with current MacOS (and most other things).

    Steve

  • Is it possible to rename the interfaces?

    3
    0 Votes
    3 Posts
    991 Views
    J

    Thanks Steve.

    I think it wouldn't be a bad feature to have, or at least a way to order interfaces within the GUI, especially the monitoring parts; especially if one has many interfaces/Vlans.

    Cheers

  • Possible to set Content-Type with mail.php?

    1
    0 Votes
    1 Posts
    140 Views
    No one has replied
  • Private key weight 26GB?

    6
    0 Votes
    6 Posts
    564 Views
    jimp

    You probably mistyped that command in a way that caused openssl to fill up that drive or at least run until it died some other way. That isn't something you'd normally see.

  • How to watch disk usage and send mail in pfSense.

    5
    0 Votes
    5 Posts
    575 Views
    JKnott

    I did and nothing showed up. With something like a firewall, there shouldn't be such an increase in disk usage, as you might get with a regular computer. Maybe you should try finding out where those large files are coming from.

  • Upgrade made to display a crash message, what to do?

    2
    0 Votes
    2 Posts
    264 Views
    jimp

    If the crash report is empty then there is nothing to worry about:

    https://redmine.pfsense.org/issues/8915

  • Logs show different logs than expected

    2
    0 Votes
    2 Posts
    259 Views
    jimp

    You'll need to provide some examples of what you mean there. When you set a rule to log and then save/apply you will see a log entry for all new connections made from that point on -- not for every packet and not for connections already open when you clicked the apply button.

    If you want to see every packet of incoming traffic at that moment, use a packet capture, not the firewall log.

  • pfsense doesn't block port on wan

    25
    0 Votes
    25 Posts
    4k Views
    johnpoz

    As Derelict has been trying to tell you for this whole thread. Now create your firewall rule with dest of your IP of your nat, ie 192.168.x.x

    Put that above your rule that allows it.. And that IP would be blocked.

  • "Bypass Proxy for These Destination IPs" breaking transparent proxy

    9
    0 Votes
    9 Posts
    3k Views
    E

    @akuma1x
    Thanks for the help
    Bypass squid for the client is not an option. It's also my workstation not dedicated steam box.😕
    I used the do not cache option and it worked for me. Only trick was to enter ".steamcontent.com" instead of "steamcontent.com", the little dot catches all subdomains.
    I also had to manually edit the squidav conf to bypass antivirus for steam, otherwise it will still use quite a bit memory and lots of CPU.

    abort \.steamcontent\.com

    As you can see if squid can be bypassed totally for certain domains then things can be a little easier. Or if the squidav GUI is more versatile...

  • CARP and Interface Missmatch

    3
    0 Votes
    3 Posts
    335 Views
    N

    Ahh i was able to make a "new" sorting by deleting the VPN interface ;)

    Ok that was easy.

    Thx to give some hints.

  • Routed /29 subnet from ISP and exposing services to internet

    2
    0 Votes
    2 Posts
    384 Views
    johnpoz

    @jkmuk said in Routed /29 subnet from ISP and exposing services to internet:

    how a /29 subnet is normally setup in pfsense for exposing internal services to the internet?

    By actually just routing it - ie you this /29 on an interface connected on your lan side of pfsense and just firewall rules to allow inbound and outbound traffic.

    Is how you would normally do it. Since your question really has nothing to do with that and you're natting to private IPs - your questions should be in the load balancing section. Since that is what your question is about.

  • pfsense goes into dummy state after a 2 or 3 days.

    8
    0 Votes
    8 Posts
    649 Views
    S
    Which type of SCSI controller do you use in your VM? What do you see in VM console after "dummy state"?

    I can't interact with the VM at the command line either

    Make sure to hit Scroll Lock next time - sometimes console "freezes" and doesn't show last messages/current screen.

  • FreeBSD and Intel PRO/1000 PT Quad Port Server Adapter (82571)

    5
    0 Votes
    5 Posts
    3k Views
    N

    pan_2...thanks for the response. I currently have an Intel E1G44HT I340-T4 4 port PCIe Ethernet Server Adapter (Intel 82580 controller) in my pfSense computer and use it for my LAN and WLAN interfaces and have had no issues with this NIC. However, in the FreeBSD hardware notes, I can't find an 82580 controller listed in any driver section; there is a listing for an Intel Single, Dual and Quad Gigabit Ethernet Controller (82580) in the igb(4) driver section but I don't know if that 82580 listing is meant for the controller or not. The igb(4) driver supports Gigabit Ethernet adapters based on the Intel 82575 and 82576 controller chips.

    Indeed, a means to return/refund is at the top of the list. I'm just looking for a PCIe, <= 4x, quad port gigabit NIC that will work with Suricata in Inline Mode. I've not had any issues with Intel NIC cards in the past which is why I was looking in the FreeBSD hardware notes in the em(4) driver section. Trying to find one that is either not discontinued or fiber seems a little more difficult than I expected.

  • The gateway: XXXX is invalid or unknown, not using it.

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    stephenw10

    Locking this topic, it's waaaay too old.

    But, yes, if you have firewall rules that have a gateway set that's been removed it will throw that error.

    Steve

  • Assign LAN Client to an Interface

    2
    0 Votes
    2 Posts
    236 Views
    Rico

    Check out the 'OpenVPN as a WAN' hangout by Jim Pingle /Netgate: https://www.youtube.com/watch?v=lp3mtR4j3Lw

    -Rico

  • Strange Console Text

    3
    0 Votes
    3 Posts
    305 Views
    N

    I was actually trying to delete the post. I ended up finding the text on the forum after all. My apologies.

  • Linux machines not resolving manual added DNS entries in pfsense

    8
    0 Votes
    8 Posts
    877 Views
    KOM

    YOU need to specify to use pfSense as your DNS with the nslookup command otherwise it uses the client's default DNS config:

    server 192.168.4.1

    THEN try to lookup vcenter.smart.az:

    nslookup
    server 192.168.4.1
    vcenter.smart.az

    What does it come back with?

    What is the contents of your Linux client's /etc/resolv.conf file?

    Actually, it doesn't matter if you enter fqdn or ip address in nslookup, it should resolve both.

    You are trying to resolve hostnames to IP addresses. That was your stated problem. Doing a reverse lookup doesn't help you with that.

  • How many interfaces support pfsense?

    4
    0 Votes
    4 Posts
    661 Views
    KOM

    https://www.virten.net/vmware/vmware-vsphere-esx-and-vcenter-configuration-maximums/

    http://sdebbeche.com/wp-content/uploads/2016/11/vsphere-65-configuration-maximums.pdf

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.