• Newb Netgate 1537 6-LAN Config

    0 Votes | 3 Posts | 682 Views
    @akuma1x Thank you for your reply. I have the WAN with a 10Gb SFP on ix0 plugged into the new 5Gb fiber ONT. I have igb0 configured as LAN and it is routing properly. I have the other 5 1Gb interfaces enabled with names LAN01 - LAN05 and addresses 10.0.10.1/24, 10.0.20.1/24, 10.0.30.1/24, etc. I have DHCP started on all 6 and it is working now. I have the pfSense box on my desktop with two laptops testing each interface. I cannot route from any of the other 1Gb interfaces. The only difference I can see is IPv6 Configuration Type. LAN is set to "Track Interface" and the others are DHCP6 since I can't have more than one as Track Interface. Is this part of my problem? The Cisco switches are still in production on the Juniper on the old 1Gb fiber ONT.
  • wildcard dns pass rule .speedtest.net

    0 Votes | 1 Posts | 266 Views
    No one has replied
  • Found the reason/problem!

    0 Votes | 1 Posts | 349 Views
    No one has replied
  • Can I create firewall rule from a wildcard dns entry?

    0 Votes | 4 Posts | 1k Views
    @gertjan said in Can I create firewall rule from a wildcard dns entry?: A couple of years ago, RFC DNS rules changed: wildcard DNS requests like dig update.microsoft.com ANY are refused these days. By the way, a DNS request of ANY type does not have anything to do with wildcards, but rather means that you request any type (A, TXT, CNAME) of DNS record.
  • How do I force alias tables updates?

    0 Votes | 2 Posts | 485 Views
    @skilledinept I needed a shorter update interval some time ago. I had to modify this file: /etc/inc/pfsense-utils.inc
    Search for the line
        ((time() - filemtime($urltable_filename)) > ($freq * 86400 - 90)) ||
    '86400 - 90' is the minimum table age in seconds for a new update, so one day here. However, changing this value applies to any of your tables. Since I needed it just for one table only, I stated it in the code. So the line looked like this:
        (!strpos($urltable_filename, "GMX_SMTP_Server") And ((time() - filemtime($urltable_filename)) > ($freq * 86400 - 90))) ||
        (((time() - filemtime($urltable_filename)) > ($freq * 43200 - 90))) ||
    'GMX_SMTP_Server' was the table which I wanted to be updated twice a day (43200 - 90). Additionally you have to edit the cron job which is executing /usr/bin/nice -n20 /etc/rc.update_urltables and set an appropriate interval. However, a pfSense update will naturally overwrite the modification in the file.
  • [Solved] Broadcast from client on specific network?

    0 Votes | 10 Posts | 1k Views
    @johnpoz said in [Solved] Broadcast from client on specific network?: Why do you have to move it? What does its location have to do with what network/vlan it's on? This is why you use vlan capable switches ;) Logic move ;) And yes, it's awesome
  • I need advice on setting up virtual lab

    0 Votes | 4 Posts | 1k Views
    bingo600
    @warloxian
    1: May I suggest you download the free DIA diagram writer program https://forum.netgate.com/topic/166945/free-network-diagram-drawing-tool-for-win-mac-or-linux and make a drawing of your "As IS" and "To BE" network.
    2: Since this is a LAB, that will end up with multiple vlans (else it's not a lab), I will suggest you assign a 10.xx.yy.00/16 network to your lab network. Then you would have room for 255 labs (xx) with 255 (yy) /24 networks (vlans) that can be used in your lab(s). Match the xx to your "Lab number", and yy in the ip address to the same vlan number. Ie. 10.xx.10.0/24 would also be vlan 10, 10.xx.20.0/24 would also be vlan 20, etc ... Hint ... Do not use 10.00.x.x or 10.01.xx.xx, aka avoid using "Lab 00" and "Lab 01". Those IPs are way too used by ISPs, and will bite your behind at some time. I'd start with "Lab 101" (10.101.xx.00/16) or something "random" you feel for.
    3: If possible I'd prob use the USB as "Lab Wan", as the built in adapter prob. has higher performance and would be better used for the "Lab inside vlans". I like to always have my WAN connected via a "Real L3 interface"; have seen too many "Vlan Leak bugs" on "Consumer switches" to trust a Vlan as my WAN.
    4: You would need a Vlan capable switch for your LAB inside, to "Fan out" the multi vlans to separate ports.
    5: I did an ultra brief intro on how2 make a vlan on a pfSense here https://forum.netgate.com/topic/158196/making-best-use-of-physical-nics-vlans/6
    Affordable switches: I like the D-Link DGS-1100-08v2 switches, $42 https://www.amazon.com/D-Link-Ethernet-Managed-Internet-DGS-1100-08V2/dp/B08P2C2GXF/ They are basic vlan capable switches, for a nice price. Basic means they can't do ie. 802.1x authentication, or SNMP write configuration. But they can do (I think 32 Vlans) and IGMP etc .... They're nice low wattage fanless "satellite" switches ... I also like the DGS-1210 series, also fanless (they can do 802.1x auth etc ...)
    But they seem to be on backorder, prob. due to the chip shortage. I use DGS-1210-24 and DGS-1210-28; in EU you can get them for around $150, if in stock. I'm not sure if the TP-Links have gotten their vlan leaks under control in the current revision, but they were NOT recommended a few years ago. /Bingo
  • Firewall UDP ? Attack !! Or Normal ?

    0 Votes | 79 Posts | 14k Views
    noplan
    @silence So there was something fishy (ransomware as you mentioned) on your LAN behind your pfS BR np
  • Unable to match fw rules to eero wap device ips

    0 Votes | 9 Posts | 1k Views
    @johnpoz Thanks again for the info! I've been needing an excuse to dive in further and this is perfect. I'll give this a shot. Thanks again!
  • IPv6 disabled and IPV6 loopback traffic allowed in logs

    0 Votes | 1 Posts | 287 Views
    No one has replied
  • Multiple websites (docker instances) behind pfsense

    0 Votes | 4 Posts | 865 Views
    johnpoz
    @dnwigley Then why would you think you need to put them in the forwarder? Maybe your browser is using DoH, and not even asking pfSense.. Create a host - ask the DNS, it responds - it's that simple.. If it's not working, you didn't create the host in the right resolver/forwarder, or you're not using that as your DNS on your client. You did a domain override vs host? You created a different host than you're asking for? So when you ask via say nslookup to pfSense running unbound and you created your host override in - what do you get back? timeout, nx, refused? [image: 1647868138776-hostover.jpg]
  • Unable to make video audio calls on WhatsApp

    0 Votes | 2 Posts | 617 Views
    @fmohcine26 Dear sir, this issue is present on the 2.6.0 CE captive portal and there is a patch for this temp fix. Please go to the captive portal section and see the topic "block whatsapp calls". Thanks
  • 0 Votes | 3 Posts | 439 Views
    Oops, I had an inbound NAT rule still enabled from an earlier round of testing. False alarm!
  • How to trust a device by MAC address coming from WAN

    0 Votes | 10 Posts | 1k Views
    @remember Dear sir, please note Suricata or Snort are IDS scanners, so it's better to use them on the LAN side, not on the WAN side, to avoid overloading performance. For MAC trust, use an OVPN client and trust will be assured by binding the MAC on that OVPN ID, or depends as per your need. Thanks
  • Cortana: Block outbound network connections completely

    0 Votes | 1 Posts | 295 Views
    No one has replied
  • pfsense+ firewall

    0 Votes | 2 Posts | 483 Views
    @tiger-0 If you are trying to upgrade from CE to Plus that is here: https://docs.netgate.com/pfsense/en/latest/install/migrate-to-plus.html If you are trying to restore your configuration from CE to a new Netgate router you can do that too. If it has the same number of interfaces you can just assign them when restoring.
  • firewall rules LAN-WAN and VLAN

    0 Votes | 1 Posts | 300 Views
    No one has replied
  • How do firewall rules work?

    0 Votes | 6 Posts | 947 Views
    johnpoz
    @ngnutzer89 You would for sure want to assign an interface for a client connection from pfSense to some vpn service, so it can use that interface as a gateway. As to running a vpn server on pfSense: no, you don't really need to assign an interface.. But you could use the tunnel networks that you assigned as ways to filter different clients using different vpn instances.. Or you could assign specific clients specific IPs via the client overrides and then create rules to allow that specific client access to something you block other clients from, or block specific clients from talking to specific stuff on your lan side networks, etc. The general openvpn tab that comes up in firewall rules when you create a vpn instance is what you would use for firewalling different aspects of your vpn clients.
  • Route traffic from LAN Virtual IP to secondary WAN

    0 Votes | 5 Posts | 887 Views
    @akuma1x Thank you very much for taking the time to explain, that does help. I do know that normally it's the firewall to decide, but since I have two very different lines with specific use cases, it's a requirement to let the client decide which line to use. Of course I can do something like that the client chooses to have a specific IP address that will trigger a policy, but that's more cumbersome. Adding policies that route differently by looking at the destination is pure hell (yes, CDNs). Having the firewall serving as two gateways is not a setup I've seen around indeed, and I believe that some firewalls might be able to do that, but since I'm not seeing any way to do it here, I'm asking in the forums. My WAN connections do have redundancy by default btw. So it's not feasible to trigger a policy based on the firewall's virtual IP that's receiving the request, right?
  • How to block illegal source IP's at the VLAN-gateways?

    0 Votes | 1 Posts | 283 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.