• Ikev2/IPsec as VPN client to VPN service

    4
    0 Votes
    4 Posts
    1k Views
    R

    Hey, once more.

    So, I have played around a little bit more with configurations and I managed to force that opt1 interface would be used on tun0:
    http://prntscr.com/iifq73

    I set Manual NAT rules, and forced LAN to go through OPT1 gateway but that did not make the trick.

    Maybe you guys would have any trick under the sleeve? As it feels that all configurations are so close.

  • 0 Votes
    6 Posts
    525 Views
    johnpoz

    If you do not have control of the upstream router and its routes, and nat functions and firewall rules then yes you would have to nat at pfsense to use it..

    As to getting to stuff behind pfsense from stuff on the wan network you would need to port forward and hit the pfsense wan IP to get forwarded to the stuff behind pfsense.

    Why not just replace whatever is at the edge with pfsense?  And let pfsense handle all your networks and the nat to the public, etc.  Then you would not need to nat between your network and could just firewall.

    Worst case is just move everything behind pfsense and live with the double nat to the internet, etc.  You would just need an AP to put behind pfsense if you can not just use that sg306 device as AP and need it to be your modem/gateway to the internet.

    While you're at it get a smart switch so you can do vlans and AP that can do vlans and now you would be cooking with gas! ;)

  • VLAN for my wireless

    17
    0 Votes
    17 Posts
    2k Views
    johnpoz

    And you could do all that with a nat as well..

  • PFSense Crashes all night at around 04:03

    2
    0 Votes
    2 Posts
    342 Views
    jimp

    That crash appears to be in ZFS disk i/o.

    It could be a filesystem problem or it could be a disk/hardware issue

  • 0 Votes
    4 Posts
    915 Views
    Michel-angelo

    All that done, it works now, but I may have configured wrong.

    Regarding NAT configuration (Firewall > NAT > Outbound), mine was set to "Automatic outbound NAT rule generation (IPsec passthrough included)". This was its default configuration, I had never touched it. All that it did had been generated automatically. It contained three pairs of rules (total 6 rules), related respectively to the 127.0.0.0/8 source (whatever that may be) and my two VLANs. Then, the instruction was to add a new outbound NAT rule. Specifically: (1) switch to "Manual outbound NAT"; (2) create the ModemAccess new outbound NAT rule; (3) save. Now, my Firewall > NAT > Outbound configuration is set to "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)". The screenshot below shows that I have now my original 6 automated rules plus the one that I manually added.

    I still do not know the role of the initial 6 automated rules and would be perfectly unable to determine when this set of rules would need to be changed. For that reason, it seems to me I would be better off switching now to "Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below)", thus preserving the one manual rule that I created, the former 6 automated rules that were formerly generated automatically, plus any additions (or changes) to my initial 6 automated rules.

    To what extent is my thinking wrong?

    Any advice on this would be welcome. TIA.

    2018-02-22_OutboundNATrules.png

  • Not default page blocked by Squid Proxy

    2
    0 Votes
    2 Posts
    275 Views
    Grimson

    https://forum.pfsense.org/index.php?board=60.0

  • Url blocking

    3
    0 Votes
    3 Posts
    519 Views
    GruensFroeschli

    I personally have been using the dns resolver/forwarder blackholing in combination with a dns NAT rule to force all DNS requests to be resolved locally.

  • SIP register Problem

    4
    0 Votes
    4 Posts
    655 Views
    A

    Hello all
    I've found the problem. It wasn't on the pfsense.
    It was a DOS-Prevention on a Zyxel Switch.

    admins

  • Scheduled block of MAC address

    4
    0 Votes
    4 Posts
    518 Views
    A

    @johnpoz:

    Now once your device always is 192.168.1.X you can setup a firewall rule per a schedule that allows them to only use the internet when you want.  You will need to make sure the states are reset when you do this or any current connections they have open would continue to work until that state expired on its own or they closed the connection..

    Can show an example of this if need be…

    Many thanks. Yes, an example of how-to, including resetting the states, would be highly appreciated!

  • Cannot get WAN IP on reboot.

    8
    0 Votes
    8 Posts
    776 Views
    R

    Great, guess I'll try my hand at shell scripts.

  • IPSEC/L2TP VPN Connects with IOS and fails with Windows 10

    4
    0 Votes
    4 Posts
    722 Views
    A

    The laptop will connect when it's on the lan and the ras server lan ip is used, this is what leads me to believe it's PFsense.

  • PfSense KERNEL configuration.

    4
    0 Votes
    4 Posts
    832 Views
    jimp

    To see the configuration of the kernel your firewall is running, use this command:

    sysctl kern.conftxt
  • WOL via VPN

    2
    0 Votes
    2 Posts
    482 Views
    JKnott

    No.  WOL requires a specific Ethernet frame, not IP packet.  So, it will not pass through an IPSec VPN.  The best you could do is use the smart phone to trigger something on the network to send that frame.

    https://en.wikipedia.org/wiki/Wake-on-LAN

  • Resolve internal web server

    6
    0 Votes
    6 Posts
    796 Views
    V

    What you want, can only be achieved with a proxy.

    To make it less complicated, configure your web server to (also) listen to http://xyz.com.
    Then set the host override with "xyz.com" in the Host box and only "192.168.100.76" in the IP Address field.

  • Sonos access from other subnet(s)

    3
    0 Votes
    3 Posts
    638 Views
    Qinn

    Thanks for the reply, but how to do this?

  • Convert cisco IOS to pfSense config

    3
    0 Votes
    3 Posts
    691 Views
    I

    Thanks, Derelict, I will have a look at their service offerings

  • Squid and YouTube

    1
    0 Votes
    1 Posts
    356 Views
    No one has replied
  • No WAN IP address from Spectrum

    1
    0 Votes
    1 Posts
    542 Views
    No one has replied
  • [Solved] DHCP Error while connected to VPN

    1
    0 Votes
    1 Posts
    186 Views
    No one has replied
  • Squid guard does not work

    2
    0 Votes
    2 Posts
    391 Views
    KOM

    Squid/squidguard forum.

    Go there and post your current config, any error messages, etc.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.