@Strike1asd
There isn't a GoogleFiber router and GoogleFiber doesn't block any ports from what I've researched.

My pfSense is connected directly into the Fiber to Ethernet connector.

@micneu

Ich persönlich, will mir privat keine subscription ans Bein binden. Einmaliger Kauf, gerne...

@johnpoz

Same here.
With out of the box pfSense resolver settings I can access it just fine.
It's even native IPv6.
DNSSEC : the entire DNSSEC chain is a indeed a mess, somewhat a proof that the site is legit : only a real 'gov' site can make such a mess out of it 😊

@Gertjan said in Email Reports PHP warning -> report not created:

@patient0

This one : https://redmine.pfsense.org/issues/15872 ?

I don't think so, it's on line 44 and my issue was on line 210 and not an PHP error but ${id} not set. But not very important, it's fixed and that's good.

Try mtupath
mtupath www.detran.rs.gov.br

I have had similar problems some time ago, this was happening with IPv6 enabled but some sites were ipv4 only, so after mtupath discovery I have changed the MSS to 1352

BTW I have zero problems opening www.detran.rs.gov.br in firefox also, but not in edge.

@tknospdr said in How to read FW rules in plain English:

Packet arrives to my WAN interface and says "I'm here to see PUBLIC_IP in apartment 3290.
NAT rule says, "Hmm they're actually looking for 192.168.2.2 in apt 32400, but before I send them on their way, let's see if the doorman will allow it"
Doorman says "My rulebook says packets from PUBLIC_IP visiting 2.2:3400 are welcome here"

Close !
This order :

Packet arrives to my WAN interface and says "I'm here to see PUBLIC_IP in apartment 3290.
Doorman says "My rulebook says packets from PUBLIC_IP visiting 2.2:3400 are welcome here"
NAT rule says, "Hmm they're actually looking for 192.168.2.2 in apt 32400, but before I send them on their way, let's see if the doorman will allow it"

Where doorman = the WAN firewall rule (created by the NAT rule).
So, first, an incoming packet has to be allowed by this fire wall rule.
The packet can now enter the router and the attached NAT rule will kick in : it will replace the source IP of the packet with the destination IP for the local LAN IP, like 192.168.1.22. If needed, the original destination port number can also be changed, but this is optional. In your case it was originally '32400' and it sated '32400'.
The NAT rule (and firewall rule) is statefull : the answers from the traffic going to 192.168.1.22 will get remapped in reverse, so a bidirectional data stream can take place.

@nobugswanted said in Domain Override works for Debian and Windows but not Ubuntu:

Did you verify if the port forwarding worked?

How can I verify this?

You can sniff the traffic on the localhost with Diagnostic > Packet Capture.
Select the localhost interface and enter 53 at the port filter, start the capture and run a DNS lookup on the concerned machine.

So I've tested from a VPN-computer only. Maybe the solution you proposed will not work on VPN-clients.

Did you push the DNS to the VPN clients or configure the client itself to use your DNS?
Which VPN?

@stephenw10

Thanks for the replies and insights. So far it's been over 24 hours with no issues. I'll report back after a longer period of time if issue re-occurs with details.

Hmm,

So based on reading other threadposts.

It appears the proper etiquette to run radius -X command would be to first stop the freeradius with the command service radiusd onestop and ONLY then initiate the diagnostic.

Else the error i was receiving is expected. I GUESS im back to square one, why isnt radius enforcing my stopaccounting.

A bridge interface is tricky because there is no sent/received really. Every packet crosses it. Unless the interface is assigned in which case pfSense can send/receive from it and will use the generate bridge MAC.

I followed some of your instructions and it is working once more.

I made a new CA as stated
I made a new Server Cert
I changed the OPENVPN to use the new CA & Cert
I changed 1 user to use the new CA & Cert
I downloaded and installed a fresh installed and it is now working.

@Gertjan Once more, thank you for time help time and assistance with helping me get this fixed. I really appreciate it.

@marcosm looks good to me 👍 , save + froce update works and the ui is also correct

@viragomann said in Can't access to Proxmox from outside (OpenVPN client):

o limit the rule to a single IP, enter the IP with a /32 mask.

Effectively !
Thanks again for your support.

Actually it looks like we have replicated it locally so may not need it. I'll let you know, thanks!

@stephenw10
58799/4456/63255 mbufs in use (current/cache/total)
49273/3559/52832/1000000 mbuf clusters in use (current/cache/total/max)
3/2029 mbuf+clusters out of packet secondary zone in use (current/cache)
0/1524/1524/524288 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/524288 9k jumbo clusters in use (current/cache/total/max)
0/0/0/84161 16k jumbo clusters in use (current/cache/total/max)
113245K/14328K/127573K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for mbufs delayed (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters delayed (4k/9k/16k)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0 sendfile syscalls
0 sendfile syscalls completed without I/O request
0 requests for I/O initiated by sendfile
0 pages read by sendfile as part of a request
0 pages were valid at time of a sendfile request
0 pages were valid and substituted to bogus page
0 pages were requested for read ahead by applications
0 pages were read ahead by sendfile
0 times sendfile encountered an already busy page
0 requests for sfbufs denied
0 requests for sfbufs delayed

@xmacj Perhaps the remote side didn't like something about your original ip address.

I have an ecobee premium (upgraded by ecobee due to wifi issues on a ecobee 3 lite - data drop outs, morse code).

No wifi issues (it's bound to 2.4ghz band). But it does like to phone home to amazon every 50s. None of the amazon features are enabled, but it still insists.

To mitigate this, 2 different measures are in place. On the dns side, only requests to *.ecobee.com are resolved (adguard home). All others return 0.0.0.0 .

On the pfsense side, amazon asn is blocked for this device just in case the dns filters are off (sometimes happens during testing).

@carlosRamos said in set up port forwarding:

from interface wan to destination Lan and then specific IP

As you sure that is how you did it, in which case you need to change destination to WAN address instead. Otherwise there is no difference port forwarding to a device on a VLAN or the LAN. Just use whatever IP the target server has...

It might be easier to assist if you could provide some pictures showing your rules.

@stephenw10 You are right Stephen, I forgot about the issues with N100.

@justanotherpfsenseadm
If the interface is configured as a DHCP client it possibly gets a gateway from the DHCP, or you've stated the gateway by yourself in the interface settings.
In theses cases pfsense automatically adds an outbound NAT rule.

You can verify automatically generated rules at the bottom of the outbound NAT page.

@stephenw10 Ok I'll keep that in mind.

So I was able to use the console to go to an earlier configuration, reboot, and I was able to get into the WebGUI. Proceeded to immediately make a backup configuration on file just in case. Phew! Thanks for that suggestion, and thank the Devs for having such a feature available. Truly a lifesaver!

Next meeting we're gonna take it slow and only forward the ports that he needs. Maybe he won't need all of them.