How is this configured? Are you passing the NICs?

Not sure how the host could see 5Mbps but a VM on it can see 191Mbps...

@johnpoz hehe, only my friends and my home systems (Home Automation). My friends know better than go looking for Pron on my systems, they've been redirected to some of the more 'interesting' sites. ;-) They still can't unsee that.

@dma_pf said in Access only to the Internet and not to the DMZ. How to do?:

Youl'll need to create a block rule on the LAN like this:

LAN interface
Protocol: TCP - ICMP / Echo request
From: LAN Net
To: DMZ Net

For general blocking, it will be more secure to set the source to "any". Can't see any sense to state the subnet here at all.

@pixel24
Ich versuche das noch einmal etwas zu differenzieren.

Grundsätzlich lauscht die pfSense auf allen ihren zugewiesenen IPs und der Zugriff darauf kann von allen Interfaces erfolgen.
D.h. du kannst bspw. auch vom internen Gastnetz die WAN-IP ansprechen, wenn es, wie üblich, da eine Regel gibt die Zugriff auf alle öffentlichen IPs erlaubt.
Daher könnte so auch das Web-Interface der pfSense vom Gastnetz erreicht werden, wenn es auf einem erlaubten Port lauscht.

Mit NAT ist hier die Portweiterleitung von der WAN IP auf eine interne gemeint. Die NAT-Regel ist allerdings auf dem WAN Interface definiert. Du kannst zwar von intern auf die WAN-IP zugreifen, allerdings fehlt dir da die NAT-Regel, die dich auf den internen Zielhost weiterleitet.
Da kommt NAT Reflection ins Spiel. Es macht nichts anderes als die NAT-Regel auf allen internen Interfaces abzubilden, ohne die Regel in der Admin-Oberfläche darzustellen.

Der HAproxy ist aber einfach auf die WAN-IP gebunden. Wenn du diese IP von intern ansprichst, kommst du auf den Proxy und damit auf deine interne Webseite.

@wesleywillis said in VIP setup for web hosting:

I confirmed that I only get that block as described under 'Simple IP Subnet on WAN':

Yes, in this case you'd probably better go with Proxy ARP, so you can cover the whole subnet with a single VIP assignment.
It is a good way, when you want to forward the whole subnet behind pfSense.

So I'm assuming it's easiest to just setup NAT 1:1 as such:
External IP: 1.1.1.3/26
Internal IP: 10.0.10.3/26

Possibly you may have to state the network address here, when using network type.

There are some things that don't show as 'in use' there in 21.05.2 such as:
https://redmine.pfsense.org/issues/12206
https://redmine.pfsense.org/issues/12205
https://redmine.pfsense.org/issues/12204

But since it is in use cannot be deleted.

Steve

@stephenw10 At the moment i'm not sure if the server supports Upnp, i have to investigate a little bit more.

This approach sounds interesting, you mean create the permanent rule, but limit the connection's source with a hostname instead of a specific ip?

Thanks for your reply Steve.

@viragomann
okay werde ich tauschen, danke.

@zoltrix

You might also get an IPv6 address, as IPv6 is a mandatory part of 4G & later. However, this depends on your carrier. Mine, Rogers, does it properly and tethered devices get an address. Another company (work phone) does a lousy job. However, since the phone doesn't provide prefix delegation, pfsense can't pass IPv6 on to the LAN.

@jimp Great, thanks for the help!

@darkcorner
Since there is no other device on the DMZ2 NIC there is no need to state the specify the source in the block rules. Simply set it to "any", as already mentioned in the other tread.

Presumed you use only RFC 1918 networks on LAN and DMZ1 there is no need for extra block rules. The RFC1918 block will cover all these networks.

Permit Any From Any to Any

Are you expecting other sources than DMZ2 subnet?
In a pass rule stating the source would make sense to me, but possibly you have other requirements.

Can't believe it! Randomly tried something out and it works.

So the answer is:
!(memberOf=CN=GroupA,DN=test,DN=domain)(memberOf=CN=GroupB,DN=test,DN=domain)

Sometimes less is more :)

I have two USB Ethernet NICs I use for testing here, an Aquantia AQC111U based and a Realtek RTL8156 based. Neither are recognised by pfSense directly. So, yes, you would need to work out some drivers.

There is also the fact that USB NICs in general are not well supported. If you have assigned the NIC, ue0, as WAN and it becomes disconnected for any reason pfSense will not boot without manually re-assigning.
I would be looking at a PCIe based NIC to do that if you can.

Steve

Redmine issues created:
https://redmine.pfsense.org/issues/12718
https://redmine.pfsense.org/issues/12719

I can't replicate that here, I login as root to most of my lab systems on a somewhat daily basis and nearly all of them are running 22.01/2.6.0 RC images.

What kind of authentication setup do you have configured on there for the firewall? Is it maybe using LDAP auth for the GUI?

So I have an update.

I was configuring wireguard between my sites and after the static routes it allowed sync to the other routers.

So I guess I just missed it before.