• Processor interrupt in pfsense

    General pfSense Questions pfsense
    10
    0 Votes
    10 Posts
    2k Views
    stephenw10S
    Ok, 550 x 2Mbps pipes is greater than the total available bandwidth. So it's possible you're simply seeing an upstream limitation dropping packets at which point pfSense has no control over it. You might be better off setting a bandwidth sharing dynamic Limiter on the interface rather than a hard 2Mb limit per user.
  • Virtual Network for IPSEC

    Portuguese pfsense virtual ip ipsec
    2
    0 Votes
    2 Posts
    1k Views
    F
    So far, here is what I have managed: I went to Firewall -> Virtual IPs -> IP Alias and created it as follows: 172.25.16.1/24 Then I used that range as the Phase2 of the IPSec configuration with the concessionaire. The concessionaire can then ping 172.25.16.1, which is the PFSense, normally. Then I created a 1:1 NAT as follows: Interface: WAN External Subnet IP: 172.25.16.2 (virtual address of the "Device", which is the device I want to reach) Internal IP: Any Destination: 192.168.102.10 NAT Reflection: Enable However, the concessionaire does not receive the ping from that address. Does anyone have an idea of what is missing, or how I can do this redirection?
  • [snort] How to really whitelist an IP and test it ?

    IDS/IPS snort pfsense ips
    2
    0 Votes
    2 Posts
    1k Views
    bmeeksB
    If I understand your post correctly, you have devices on your internal networks (LAN) that communicate with a database server located elsewhere on the Internet (accessible via your WAN). If this is true, then you need to simply add the IP address of the remote DB server to a Pass List by creating a list on the PASS LIST tab, accepting the default checked options, adding the IP address of the remote DB to the list using the controls at the bottom of the EDIT LIST screen, then save the new list. Now go to the INTERFACE SETTINGS tab in Snort for your WAN (since you are running Snort on that interface) and select the newly created Pass List in the drop-down selector there. Save that change and restart Snort on the interface. You do NOT need to be changing the HOME_NET nor EXTERNAL_NET variable settings. Changing those is almost never required. And changing them from the defaults without a full understanding of what they are for and how they work will result in a setup that will NOT trigger rules properly. The fact you altered them in an attempt to solve the problem you describe indicates you may not understand what those parameters are actually for. They define the networks to be protected (HOME_NET) and the networks that are assumed hostile (EXTERNAL_NET). The default setup puts every address/network not defined in HOME_NET in EXTERNAL_NET. Literally, in the PHP code, $EXTERNAL_NET is defined as !$HOME_NET (the leading '!' character indicates a logical NOT operation).
  • Fritzbox VoIP on pfsense - no DNS?

    Deutsch fritzbox dns pfsense sip voip
    7
    0 Votes
    7 Posts
    2k Views
    N
    Do you actually see requests coming from the Fritz? You can simply create a capture with the Fritz's IP as the filter, then you'll have very little other stuff in it.
  • 0 Votes
    3 Posts
    875 Views
    S
    @gertjan I will attempt this tonight and report back. Thanks.
  • 0 Votes
    16 Posts
    5k Views
    johnpozJ
    @zipping8761 haha - I warned you, but it's a good learning experience ;)
  • 0 Votes
    33 Posts
    8k Views
    PTZ-MP
    @mrDick take a look here - https://forum.netgate.com/topic/131401/%D0%BC%D0%B0%D1%80%D1%88%D1%80%D1%83%D1%82%D0%B8%D0%B7%D0%B0%D1%86%D0%B8%D1%8F-openvpn/75 It's not set up by the book, and I can't manage to redo it. But it has been running for years across 3 offices. UPD: per the new requirements, disable compression and set the algorithm to 512. UPD2: ugh, I forgot. It may no longer be relevant, but on the Keenetic, FIRST OF ALL, cut your OpenVPN off from the other interfaces via the CLI (there is a manual in their help), otherwise this nasty thing will push the tunnel into Wi-Fi as well, even if a guest network is configured there!!!
  • BT Business FTTP IPv6 help

    IPv6 bt business ipv6 fttp pfsense
    12
    0 Votes
    12 Posts
    2k Views
    F
    @dwren78 Hmmm this is frustrating, could you describe what is happening in more detail? I am confused why it works when you have the Smarthub ahead of the pfsense router. I am not familiar with configuring the smart hub as a bridge, so where is the pppoe authentication done, in the smarthub or pfsense? Are you getting a v4 address? Is the v6 interface up? Are you getting a link-local v6 address? Dumb question, but I am going to ask it anyway, are you using your bt business pppoe username/password? cheers F
  • configure an OpenVPN client on pfSense

    Moved Portuguese pfsense
    3
    0 Votes
    3 Posts
    1k Views
    L
    Thanks, I'll take a look.
  • 0 Votes
    5 Posts
    801 Views
    S
    @stephenw10 I didn't realize that I was able to create an interface for VPN. I did that (and it booted the remote users, lol), and was able to configure the FTP Proxy Client plugin to work with it. Thank you for your help!
  • Low budget hardware supported by pfsense

    Moved Hardware router pfsense hardware
    14
    0 Votes
    14 Posts
    10k Views
    B
    Take a look at a HP t620plus thin client, it needs to be the plus model though not the t620. The t620plus is thicker than the non plus because it has a pcie port to add a network card. They are quad core 2.0ghz and use around 12-15w of power, you can find them on ebay for around £100. The link below has some good information on the t620plus. Link to parkytowers site
  • redirect http to https and to full URL on HAProxy

    Moved Cache/Proxy haproxy pfsense
    10
    0 Votes
    10 Posts
    10k Views
    stephenw10S
    Yeah, you wouldn't want to do that because the backend/frontend need to stay the same protocol. But if you want to be able to enter fqdn.com and have that redirect to www.fqdn.com/home/somepage.htm you should be able to. And doing it there prevents HAProxy accidentally overmatching. Steve
  • Block Internal vLan from accessing Web UI

    Firewalling firewall rules pfsense
    14
    0 Votes
    14 Posts
    2k Views
    johnpozJ
    @unififcf said in Block Internal vLan from accessing Web UI: they said it is a TrueNAS Ah - yeah they do not have a "gui" to admin it, but you can for sure configure ipfw on it and manually setup the rules. Haven't played with that in long time. But ipfw can be its own learning curve for sure - yeah best to move that to different vlan than all your users and just use pfsense.
  • Web ui locked out of

    webGUI ssh pfsense
    5
    0 Votes
    5 Posts
    1k Views
    U
    @ptt and @johnpoz It worked. Thanks so much for all your help
  • NetGate 7100 1U Ports 9 and 10

    Official Netgate® Hardware pfsense 7100
    8
    0 Votes
    8 Posts
    1k Views
    U
    Yeah...I just saw this post...didn't see it in my search of the forum before: https://forum.netgate.com/topic/147330/how-to-tag-interface-sfp-ix0-on-an-xg-7100/8 hmmm, I see what you are saying they route between the interfaces. In our small network, we have those vlans listed above with end devices spread out on different switches. I have the Eth 2, and 4 used to ensure routing. Yeah I should have the switches connected but they are not top of the line, and with the costs and this being a nonprofit it is hard to spend that money and even to get the money. I was hoping to utilize the SFP+ ports like I did on the Ubiquiti UDM Pro of which we replaced. I like this unit Netgate, so much better, though...I am now recommending this to everyone.
  • 0 Votes
    6 Posts
    1k Views
    stephenw10S
    When you connected the PC directly to Eth1 did it show the expected link speed/duplex? 40Mbps is sufficiently slow to point to a link issue. Steve