Bonjour à tous, Voila un schéma de mon réseau: cijUmXXUtQ.png Donc sur le serveur est installer le serveur OpenVPN. Pour le moment un client issu d'internet peu se connecter au serveur via le VPN. Ce serveur OpenVPN est en mode routé. Est-il possible de rendre accessible les "Postes client" pour le VPN? D'après mes recherches c'est possible. Mais comment? Au niveau de la LiveBox, les IPs de l'ensemble des poste (et du serveur) sont fixé, et commence 192.168.1.1. Pour le VPN les IPs attribué commence à 192.168.0.0. Je ne sait pas s'il manque des informations pour préciser mon problème, donc n'hésitez pas à me poser des questions! Merci.

you can inbound shape + fq_codel to 85-90% of the isp rate.

A good start for you might be to setup all of your DNS queries to go to unbound and configure unbound to forward to 1.1.1.1 or 9.9.9.9 (I think those support TLS) using TLS. The options for TLS aren't "check boxes" in the GUI. You have to put it in the text field of unbound advanced options. I'm not sure what other options unbound has for meeting your requirements but it's a good place to start. Also, block outbound port 53 and require TLS to only come from unbound (I don't remember the port. Maybe 853?) to make sure you're not accidentally allowing DNS on misconfigured machines.

If the modem is in bridge mode and pfSense connects to the ISP gateway directly then, AFAIK, the modem is out of the transit network. pfSense gets the public IP on WAN (or 100.64.0.0/10 with CGN) and the modem can be reached on an RFC1918 IP as described in the docs. You don't have double NAT in this case either.

@dgall said in PFBLOCKER DNSBL Shallalist not working when I click on google links: Better solution yet trash shallalist use a list like this one https://github.com/StevenBlack/hosts it works just as good without enabling TLD and uses nowhere near the ram Shallalist is a large database... YMMV on its use compared to other feeds. You need to do some research/testing to see what works best for your needs. I typically do not recommend using a "middleman" compilation of Feeds as "StevenBlack" does. You would be better off adding the feeds that are represented in that compilation directly. In pfBlockerNG-devel, there is a Feeds tab that had quite a few feeds to choose from and also research their support pages. I'd also recommend to enable TLD, it does use more ram, but it will block subdomains for malicious sites, which will not be blocked when that feature if disabled. But up to you...

@jwj said in Not understanding this ip block (https://ipinfo.io/AS32934): So, it looks like ipv6 "tab" lists get incorrectly setup as ipv4 rules. And it looks like this has been fixed in the devel version. Yes this is fixed in pfBlockerNG-devel

@mloiterman said in PHP Error on exhausted memory: 2.1.4_8 Best to move to pfBlockerNG-devel which will fix that issue.

ok mais ou mets je la DMZ? thanks Thierry

1:1 does not create any firewall pass rules automatically. You have to do it. All it does is set up the BINAT.

It uses the routing table whether you use NAT or not. Yes, you can make outbound NAT as simple or as complicated as you require. Something tells me you are not accurately communicating what you are trying to do though.

So to add to @rainer_d comment, I've recently purchased the APU2C4 as my pfsense box and frankly considering the costs I'm rather impressed. I'm have a WAN\LAN setup running Squid, Squid Guard, Suricata, PFBlockerng, and ntopng - my main focus is keeping my kids from getting into too much trouble as they start exploring the internet. Looking at the performance to energy cost, I really feel this box hits a lot of check boxes. Sadly, I'm limited in my bandwidth so I can't speak to how it handles on 1Gbps, but I've hear you can get close but I don't know if would need to limit the packages your running. If you do end up do end up looking at the APU2 setup, here is what I came up with so far to improve performance: Get thermal grease and stand the box vertically - Reduced my CPU temp by 10C Avoid ClamAV, it will eat the CPUs alive with large downloads Suricata seems to perform better than Snort, but is twice as hard to setup... but twice the trouble is twice the fun in my book. Between the multi core support and the APU2 supported inline mode, you can get IDS on without to much impact to your system. Get the 4GB version, it's not much more and gives you lots of RAM to play with.

@derreckbercier said in Pfsense blocking Livestream: I have a 100mb pipe that's symmetrical. Well, it should be pretty hard to saturate that link with a typical livestream upload. How big is your audience for this livstream? If several dozens of users are trying to view the stream simultaneously with your upload, then I could see how your download link might approach saturation. That could then impact upload as the ACKs could not get come through from the livestream remote host on a timely basis.

Other strange - when i put master in "persistent CARP maintenance mode" - all work properly, but when I stop master - ping is stoping. Magic...

Spoke too soon, had to power down to add a blanking plate (couldn't find enough when I initially built the box) and it still doesn't start up at boot or clicking start on the dashboard. It only starts if I go into the configuration and save it. I don't have to make any changes, just click Save.

https://forum.netgate.com/topic/21817/recomendaciones-al-postear Revisa la configuración del browser (navegador) que utilizas Prueba con "otro" browser (navegador) Adjunta captura de pantalla del error

@shiftyjoe said in Did I just overclocked my apu2c4 (AMD GX-412TC SOC)?: GX-412TC SOC I agree 100% with the heat comment, I doubted that I was getting the increased CPU speed after seeing no additional heat. As far as the marketing, I think that's where the confusion comes in. It seems like there is a number of mixed messages regarding the speed available on the GX-412TC which lead to @MarcoP comment that he might have unlocked the higher speeds that are by default disabled on APU2C4. Personally I'm going to keep poking at this to see if there is anything "extra" that can be eked out of the CPU without impacting the system too much, so any suggestions or insights would be appreciated. Reported Speeds of GX-412TC SOC https://www.amd.com/Documents/AMDGSeriesSOCProductBrief.pdf => Says 1.0/1.4GHZ http://www.cpu-world.com/CPUs/Puma/AMD-G-Series GX-412TC.html => Says 1.2GHZ http://www.pcengines.info/forums/?page=post&id=7D3ECCD1-AFFB-441C-9527-78A0B0E53074&fid=DF5ACB70-99C4-4C61-AFA6-4C0E0DB05B2A => Even on pcengines there are talks about how the CPU specs should be 1.2GHZ vs the 1.0GHZ

@jdh Mdrrr, joli tacle sur mon pseudo, même si je considère qu'il y a plus important que de parler du pseudo de quelqu'un. Sachez que vous, jdh, vous n’êtes pas LA personne qui me fasse penser de cette façon, mais vous faites parti d'un tout. Peut-être que si je vous avais parlé à vous seul ou à ccnet seul je n'aurais pas eu ces réflexions mais là ... et je ne regrette rien de ce que j'ai dit parce que n'importe qui de respectable - en relisant tout le topic - trouverait que vos réponses se veulent un poil "rabaissantes". J'ajouterais que ce qui prouve que vous êtes quand même un peu des indésirables et le fait que vous n'ayez de toute évidence pas pris le temps de jeter un œil à ce que j'ai écris juste après. J'ai dit : "Peut-être que je m'imagines trop de choses".

Some pointers: You need to buy a domain You need a DNS server being authoritative for your domain (either your server OR given by some company) Then you need to create a www record to point to your pfsense ip.. is it static or dynamic.. if it's dynamic then you need to use something like dyndns or use a super low TTL on the www record and use some sort of automatism to continuously change the IP of the www record then you need a webserver, centos+apache is perfectly fine (probably you will need some kind of php engine or similar, unless you want to host static files). https is a must these days.. open port 80 and 443. setup a forced redir from http to https (if you want to create an user-friendly website) and mount a Let's encrypt cert (yes you can install on the server a system which let's you renew the cert). You also need to play with locking ports on the centos server, apart from pfsense. I think DNSSEC is totally over the top, unless this is an exercise.. Hope this helps!

I tweeked a few things and now have all the ram I need I have always found the using a swap file is slow this may not be the case on the sg-3100. I cant believe a board that cost me this much I cant put more ram in

Agreed, the more discussion of how dns works the better for the end user.. It seems to be a black box for many of them.

@infosoporte Solucionado, me equivoqué de protocolo Gracias

I've just successfully troubleshot a 2nd extension today: Depending on your OpenVPN connection (all traffic, DNS etc) you may want to change your PBX hostname in the SIP client from FQDN to LAN IP, and make sure that all Local networks are listed in the appropriate sip.conf file.

@marcelloc Obrigado pela resposta. O dns dinâmico está configurado no dispositivo do cliente, seja ele no DVR ou no roteador AP. Desde já agradeço.

@shreenair said in ACME Cert management package does not appear to be working properly?: I'm having issues with getting ACME to work on pfSense 2.4.0 to issue certs IIRC then lots of work on ACME has gone into the 2.4.3 branch. Better upgrade your install to current and check again before beating a dead horse...

@andrezaomac Boa tarde! Nessa sua regra o SKYPE funciona direitinho com chamada de áudio? conseguir liberar através da sua regra, mas a chamada de áudio não funciona. Você poderia me ajudar?

@grimson I just disabled "Pure NAT" and let it fall back to the default of no NAT Reflection and everything is still working as before. I'd have assumed it would need that, but it works so that's the main thing. However the transfer between servers once connected is still an issue.

Since there is no internal connection between the host and pfSense, that's an expected behavior. You may configure the eht2 as a virtual bridge instead of passthrough and give the host an IP on it, or add an additional virtual network and interfaces to both the host and pfSense for management access.

pihole does this really well. If what your after is info on dns queries - while unbound can log everything. Its not going to be easy to digest the information. While pihole will give you a pretty web gui with all the info you would want about what a client is doing for dns queries.

@pnunn The default route is simply the way out of the network. It's just like driving somewhere. The first thing you have to do is get out of your driveway. On more complex networks there may be other, more specific routes that might be used first, but eventually you'll need a default route. The only exception is at the top level, between ISPs, carriers, etc., where every possible route must be known and the packet gets dropped if there isn't a route. You could route through an interface, but only on point to point links. On Ethernet, there's always the possibility of more than one other NIC out there, so you can't rely on using just the interface.

For starters you shouldn't run iperf to pfsense, you should run it between client and server with pfsense the router between. First validate that your clients can do what you want them to do for speed just on lan, ie on the same network. Now put them on different networks to validate pfsense is routing/firewalling at the speeds you want/need it to route/firewall/nat at..

Who are these clients.. Why would they want to use 1/50 of lets call it 70mbps?? Why would they not just use their own LTE connection.. For that matter would wold even want to use 1/20 of 20mbps.. Your not going to find a way to divide up something that changes on the fly. Are you running into problems with people using up the whole pipe with p2p or something. Block p2p - or limit it to couple k...