@stephenw10 You are right Stephen, I forgot about the issues with N100.

@justanotherpfsenseadm
If the interface is configured as a DHCP client it possibly gets a gateway from the DHCP, or you've stated the gateway by yourself in the interface settings.
In theses cases pfsense automatically adds an outbound NAT rule.

You can verify automatically generated rules at the bottom of the outbound NAT page.

@stephenw10 Ok I'll keep that in mind.

So I was able to use the console to go to an earlier configuration, reboot, and I was able to get into the WebGUI. Proceeded to immediately make a backup configuration on file just in case. Phew! Thanks for that suggestion, and thank the Devs for having such a feature available. Truly a lifesaver!

Next meeting we're gonna take it slow and only forward the ports that he needs. Maybe he won't need all of them.

Your comment gave me the bug..., I double-checked my LAN host conf and found out that on the LAN host, there was a static route that was sending packets to the LABO network using the wrong gateway... I'm really sorry to have taken your time for such a stupid thing... thank you very much for your time and your help...

@mvbif Yes, you're right, port forwarding is a DNAT, actually, I was wrong. The thing is, this port forwarding is SNAT-ing too.

Nat lonely should not allow anyway traffic not allowed from a security rules.

The port forwarding was done and a rule has been added to allow the traffic. Also, the IPSec traffic is allowed via a different rule, so the traffic is allowed.

So now i will check but, i feel to say that yes that nat rule will apply only on traffic coming from openvpn and has that destination.

Well, this is what should happen. Only traffic coming in via the OpenVPN interface should match. But it doesn't.

About the ipsec traffic, are you saying that with nat on, your ipsec host can ping 172.x.x.x , with nat off can't anymore?

Yes, that's what I mean. If I exclude the IPSec connected subnet (10.41.13.0/24) from the NAT rule OR I disable the NAT rule, the IPSec traffic cannot go to 172.31.254.100.

Btw ipsec should have rules permitting traffic to 10.41.99.65 isn't it?

Yes.

Also, the thing is, the rule's SNATing too: With the rule in place, 10.41.13.225 for example, can curl 172.31.254.100 and get a reply. On the 10.41.199.65 (the actual IP that the port forwarding rule is set on) I see the traffic coming from 10.41.199.2 (PFSense).
Test scenario: Via the IPSec, I'm sending, from 10.41.13.225 a curl 172.31.254.100:2345 (port was chosen so no traffic is going to disturb the test). With the port forwarding rule enabled, I can see traffic on 10.41.199.65, coming from 10.41.199.2 (PFSense IP address) dst port 2345. This clearly matches the traffic. Checking the firewall logs I can see the traffic being allowed from 10.41.13.225 to 10.41.199.65 (translated IP address). This means that PFSense matched the traffic and DNATed via the above rule, but it also SNATed (why?).
Disabling the above rule and running the same scenario: curl 172.31.254.100:2345 in the firewall logs I can see the traffic as being allowed from 10.41.13.225 to 172.31.254.100 (not translated) but the traffic doesn't reach the 10.41.199.65 VM (normal, since it was not translated).
What's going on?!

Also, check this out: states tables filtered by 2345 (dst port):
8710e90a-870d-4772-8d91-8056ab5d502a-image.png
So it sees the traffic as coming from the IPSec interface, but it's SNATing it and then delivering it to 10.41.199.65.
I have NO NAT RULES to match this traffic (outgoing on VLAN199 interface) so there should be no SNAT done, from what I can say. There's no NAT rule matching 10.41.13.225 or 10.41.13.0/24 or 10.41.0.0/16.
Can't I somehow see what NAT rule is this traffic matching?

Yes, that applies to the local side where the VPN would effectively be the other WAN.

At the remote side you just need firewall rules to pass the traffic coming in over the VPN and outbound NAT rules to translate it at the WAN. The OBN rules may already be added.

Try routing some traffic from a single client. Start a ping to something unique then check the states at both ends.

@stephenw10 Thanks! I actually emailed him but haven't got an answer yet...

@stephenw10 Well I got through the login page to the checkout page by moving to another desktop..... but it wants me to agree to the terms and conditions - and I finally realized I had to click on the whole Legalize paragraph to agree and finish the transaction.

I guess I better order some hard drives.

Again thank you for your expertise and answers.

What pkgs do you have running?

Check the RRD graphs. Do you see resource usage spike or something being exhausted?

@am-steen said in Block All WEB SITES Except https://web.whatsapp.com:

note: I do not know how to open logs

Goto Status > System Logs

pfBlocker, a nice short cut is hiding in plain site :

3e1fbf6c-1210-41a4-bb06-fb168dc5a8b3-image.png

Or Firewall > pfBlockerNG > Log Browser and pick your file in de second pull down box.

For the no-mouse solution : console or SSH, menu option 8 and then

cd /var/log

Hmm, what's different in pfSense? You can't login as an admin user?

You don't have to 'discover' OUs, you can just enter the query directly.

Fix is incoming.

I'm talking about having two separate installs with one as a backup.

Using a separate drive in an existing install is not supported. You need some custom scripting to handle mounting the drive at boot etc.

@bmeeks copy that. Thank you sir

Actually it looks like we have replicated it locally so may not need it. I'll let you know, thanks!

@manjotsc said in Domain Override (DNS Resolver) Not Working:

need to set Outgoing Network Interfaces to ALL, I had it set to WAN

Oh ... cool ... tel unbound to use (only) WAN as an outgoing interface, while it should have been to using the Wireguard tunnel (which also goes over WAN) to do its job.

edit : I'm actually echoing what @SteveITS said

@manjotsc said in Domain Override (DNS Resolver) Not Working:

Is there a reason why it needs to be to ALL?

You've already got my point : because someone decides that that settings is perfect for us ^^

As the fireguard connection is a second type of WAN interface : a network that goes "somewhere" outside the local LANs, and not reachable by classic WAN, you have to inform unbound about it.
Set it to

c743ced4-d244-49d5-b205-b66c86a160e6-image.png

(it was set by default on All - which proofs Netgate's default settings are perfect - who are we to make them any better 😊)
but yeah, WAN is fine, but check-select also your wireguard interface.
I don't quiet understand what danger or harm there is if it also uses my local LAN connections (no DNS devices will reply from there ) so I don't bother : All is fine for me.
Their might be cases where All is not good - I just didn't discover them yet.

@manjotsc said in Domain Override (DNS Resolver) Not Working:

server:
private-domain: "example.xyz"

There is another part worth look at - same file :

# Domain overrides include: /var/unbound/domainoverrides.conf

Look at what "/var/unbound/domainoverrides.conf" contains.

@borjaevo said in Bridge mode static IP config vodafone HFC:

About the subnet when i set the WAN to DHCP, if i dont change the MAC i get a valid dynamic public IP and i have Internet. When i clone the CableModem MAC of the router i get a private IP

So then the correct setup is to let pfsense have it's unique MAC and not to clone the MAC from the Cable Modem. I'm guessing they use VLAN's to deliver the 10.132 subnet for management purposes and your public IP on a different VLAN. Perhaps they use the 10.132 for TV as well?

@stephenw10 just saw that thx,
"By default, the M.2 SATA drive will then be the first drive recognized by pfSense" that's good :)
Thanks for your help!

No worries. I remember hitting that issue myself when I first setup pfSense with multiwan. Too long ago to mention!

Until you realise how pfSense determines what is a WAN interface and what that triggers it can easily seem like magic. 😉

@w0w said in pfSense 5Gb/s Ethernet NIC:

@Craash
X710-T2L or T4L should support directly with latest firmware, but really don't know about FreeBSD and some OEM versions like Dell, have seen some 10/1 Gbe versions only.

Late to the party with this reply but you can flash the Dell versions of the X710-T2L and T4L to Intel firmware without too much hassle. This will enable the missing 2.5Gbps and 5Gbps speeds.

https://forum.level1techs.com/t/crossflashing-intel-official-firmware-on-dell-lenovo-pcie-x710-da2-nics-solved/196357/7

Little bit of reading but it works great. I used Linux but the tools are available for FreeBSD too. I've done a T4L and a T2L and both worked as expected.