@tinfoilmatt We use Zabbix, along with the script and template created by rbicelli.
I have my own fork of the script and template that I can post later.

Zabbix Agent and Proxy packages are available in pfSense (including Zabbix 7.0 in 24.11!).

You will need to set up a Zabbix server, which is pretty easy to do.

vfs.dev.write is the agent function for getting disk write activity.

@Gertjan

It works!

You need to turn on the new machine and check in which order the network cards are recognized.
You edit the backup file of the old machine with the names of the interfaces in the right order you want and then perform the restore.

Hmm, interesting. So you actually see that address shown as current in the dhcp leases after reconnecting? But it's not in the arp table?

If you try to ping out from pfSense to 10.1.1.100 does that re-create the arp table entry?

The dhcp lease is odd because that implies pfSense has sent some traffic to the client and must have known the MAC to do so. 🤔

Is there any reason you are using static ARP entries?

Thanks, yeah, makes sense, but using the gateway of SUBNET1 IP 3.x.x.3/26 on the .20 server disables access to the server all together. The route to the public SUBNET1 from the data center flows to the WAN Virtual IP address. Perhaps for these reasons, I am not able to do what I'd like. I'm looking for a way to pfSense to handle the responses when the server itself is always going to do that. The server is a TrueNAS server, perhaps I'll need see if there is a way to route back to the two different routers depending on which one it came from? There is a layer 3 switch between the two as well, maybe something there could help.

@marcosm another GC customer is on 25.03. Doesn’t fix the issue. We have a real problem here impacting every Gigaclear pfsense customer in GBR.

BTW - Reached out to TAC. Closed as I'm a TAC Lite customer. SIGH. I pay a yearly subscription for pfSense and still receive ZERO support when reporting a bug despite being a paying customer.

@ngr2001 said in Web Traffic Reporting Question:

Perhaps this could be a feature request for PFSense ?

Reply

You could install it their way with an appropriate license key that will give you the features you want.

https://www.ntop.org/guides/ntopng/third_party_integrations/pfsense.html

@Gertjan Yep i get it 😊

I dont know what the laws and compliance/regulation is where the OP is from when it comes to filtering. In the united states there is CIPA which regulates this sort of things. pfBlocker absolutely would not be used and neither would Squid. A more well rounded solution would be implemented.
Can pfsense do web filtering? Ehhh..... Would I want it to do filtering? No. Especially when there are regulatory requirements. All comes down to what is permissible to the OPs region.

Yes, I tried that too.
I tried to ping the client's tunnel IP - unsuccessfully.

There's a pfSense package for it too. And a specific section on the forum for that. 😉

@yuriewcli said in SMB | Two Vlans:

For the sake of the discussion, i'll say IT dept network range is 10.0.12.0/24.
Support Dept is 10.0.11.0/21 where the printer is also connected.

Now, the thing is, printing is okay, we can print from IT dept. But we can't scan.

First : 10.0.11.0/21 : are you sure about that /21 ?
Without firing up my network calculator, this /21 might overlap your 10.0.12.0/24 .... introducing network issues.

A device, lets imagine a Windows PC, living on 10.0.12.0/24 can connect to a device on 10.0.11.3/24 (the printer) : it can print. If SMB doesn't seem to work : use the printer IP, and your good.
Or assign a local DNS host name to "10.0.11.3" and use that wherever possible.

The other way around : the scanner : did you check that the destination of the scanner, as it is a device living outside of the local (printer's point of view) is reachable ,
Windows devices, afaik, only accept, by default SMB traffic from their own local network, like 10.0.12.0/24 only.
You have to visit the Windows firewall on that PC, and add other networks like 10.0.11.0/24.
Normally, you should have a shared directory on the PC so the scanner can access it and drop the image or PDF scanned files.

@femtosize Ah, yeah, an amd64 (and CE) kernel module won't work on arm64, of course.

I don't expect there to be alignment issues in this particular code. That's one thing that might be going wrong, but it's also possible there are issues in how the PHP passes the password via pppcfg, so it's worth checking this anyway.

I'll make an arm64 build, but that might not happen until Monday.

@jhmc93 https://docs.netgate.com/pfsense/en/latest/nat/index.html but consider limiting the source/remote IP or using a VPN so the internet isn’t accessing your servers.

If you're still trying to connect from a laptop in the pfSense WAN subnet to a server in the LAN subnet the primary thing you need is a route to allow it.

That probably means adding a static route to the laptop directly. It has to be a route to the LAN subnet via the pfSense WAN address.

Without that the laptop will send that traffic via it;s default gateway which is the ISP router. And that probably has no idea where to route it so will either drops it or send it to the ISP... where it will be dropped.

@gigabitguru Pro tip - if you have an active tnsr software sub you should open a ticket. You can see, from the parent category, that there's not a lot of tnsr activity over here.

I am not someone that can help you out -- but simply directing you to TAC if you need/want more responsive suggestions.

Cheers.

@CarAnalogy I should also note that the computer's firewall profile setting is set to private, the server's software firewall completely disabled for testing.

Maybe this is a Windows problem, I just don't understand how I can make it work so easily over the local network but somehow can't get it to go over the VPN.

@comet424 said in my openvpn site to site i cant seem to ping or access other site doesnt stay stable:

what is OBN?

OutBound Nat.

@comet424 said in my openvpn site to site i cant seem to ping or access other site doesnt stay stable:

when i try the pinging in unraid terminal with the
ping -I br0.10 192.168.1.1 or 192.168.10.1 it doesnt wanna work

192.168.10.1 is in he br0.10 subnet so that would go directly if it's actually using the correct source IP. In which case pfSense never sees it and it must be something in the virtual infrastructure or the taret host blocking it.

When you have multi-homed hosts like that it's common to see asymmetric routing issues. Check the firewall logs for blocked traffic.

I have upgraded pfsense yesterday Apr-02-2025 to latest version. Upgrade failed multiple times. Also when I connect my wifi router to pfsense, I see no network and cannot access management console

Setup is pfsense is connected to Internet modem on wan port. A wifi router is connected to pfsense on Port1LAN

Pfsense IP address is 192.168.1.1, when I connect to wifi router which is configured as Access Point, cannot access pfsense management console, if I connect the ethernet, I do not see LAN icon. However I can access the management console when connecting laptop to Pfsense on LAN port.

I cannot access serial port console; earlier, it was working.

I suspect the upgrade is the reason for these issues, let me know if I can downgrade to previous version
Platform: Netgate 4200
Software Platform: pfSense
Netgate Device ID: ***************-192f
Software Version: pfSense Plus 24.11

I think pfSense has bugs. I uninstall pfBlockerNG and install the pfBlockerNG-devel and I still have the same problems.
Furthermore, I add manually list to permit the specific IPs of starlink...
49526da4-6011-45e1-85ef-53b9af36df86-image.png
.... the rules are in the top of list in Floating rules but pfSense ignore it
58af0305-9903-43cd-961b-a7abe09591b2-image.png
d93b1fca-8743-43af-8ce6-c3d78cdb973e-image.png

I added manually the specific IPs in floating rules. Tomorrow, I will check if this tricks works.
fdc341b3-36f9-4638-bd37-f10ac905b1e7-image.png

Also, I disabled cron in pfBlogerNG and it is still running ! How to fix this bug?
8ac5d95d-17bb-4515-9b2e-31bbb9f53b0b-image.png
92a41c31-b461-4a70-aec7-689e40c891da-image.png

@JonathanLee said in Googletagmanager google-analytics and gstatic:

google-analytics.com
googlesyndication.com
gstatic.com

if you url block
google-analytics.com
googlesyndication.com
gstatic.com

google drive will not work. Just a FYI learned this the hard way.