• PfSense Hardware Configuration

    Moved Portuguese pfsense
    0 Votes
    1 Posts
    248 Views
    No one has replied
  • 0 Votes
    9 Posts
    1k Views
    murago555
    @Gertjan Had the same issue, thank you for the helpful explanation!
  • Bandwidth Throttling ?

    General pfSense Questions pfsense
    0 Votes
    8 Posts
    2k Views
    kiokoman
    I will also try to clone the MAC address from the provider's router to the pfSense PPPoE interface.
  • Basic Firewall Set Up

    Firewalling pfsense configuration firewalls help
    0 Votes
    4 Posts
    1k Views
    Gertjan
    @ccigas said in Basic Firewall Set Up: "I guess from there, I would not have to allow DNS or HTTP/S through the firewall from there or is that not needed?"
    Typically, on a second LAN interface - called OPTx - you would block http and https access to the Firewall (= pfSense) itself. Don't block DNS, devices could use pfSense as a DNS, or whatever other DNS they want to use on the net.
    @ccigas said in Basic Firewall Set Up: "For the DNS, it seemed to only work"
    pfSense doesn't use or care about DNS it receives from upstream routers. The resolver - unbound - uses the 13 main root DNS servers (the real back bone of the Internet) to find domain info. That will always work. There is no need - isn't used by default : Upstream DNS servers, ISP DNS servers, Private info collection servers (Google and others); etc. If the default resolver doesn't work, something is wrong with your Internet access. Btw : 'named' or bind, isn't used by pfSense. bind is much bigger and capable, and offers functionalities that hugely surpass the needs of a firewall.
  • 0 Votes
    10 Posts
    4k Views
    J
    @kiokoman Saved my bacon! Thank you! And, despite @stephenw10's suggestion, @kiokoman had it right: date yymmddhhmm (two digit year and no seconds).
  • Slow Speeds

    Traffic Shaping pfsense low download speed vpn
    0 Votes
    12 Posts
    2k Views
    asphalt3
    @KOM ok thanks will try that
  • PIA on pfsense Netflix detects proxy

    OpenVPN private internet access pfsense netflix
    0 Votes
    24 Posts
    7k Views
    asphalt3
    Damn that’s encouraging
  • Ping Pfsense

    Moved Portuguese pfsense
    0 Votes
    1 Posts
    211 Views
    No one has replied
  • 0 Votes
    8 Posts
    4k Views
    bmeeks
    @oldrik said in Setup and configure snort on pfsense to detect an intrusion detection attemps within a LAN: "@kiokoman pls if I understand well, does it mean that snort can't actually alert and block an attack such as a portscan performed by a user on a LAN network to another user on the same LAN ???? if that is the case, how can snort be configured to alert and block a user on a LAN from another user on the same LAN who performs an attack such as a portscan ??? Thanks in advance"
    Snort runs on the firewall. The firewall is not in the traffic path if two machines on the same LAN talk to each other. Only the LAN switch is in that pathway. The only time the firewall can see traffic from a LAN client is when that client is communicating with an IP address that is NOT part of the LAN. That would be a different LAN subnet where the firewall is the route to the different subnet, or some host out on the Internet (which means the traffic is traversing the WAN interface). So since Snort would not see one LAN client port scanning another LAN client (in the same subnet), it can't do anything about it.
    If you wanted to monitor traffic between LAN hosts on the same network, then you will need a managed switch that provides a span port (or port mirroring). You would then configure mirroring on the switch and set up a separate installation of Snort on say a Linux host on the LAN and connect that host to the span port on the switch. Only then could Snort on the Linux host see traffic between other LAN hosts.
  • user based ACL

    Moved Captive Portal squid pfsense captive portal
    0 Votes
    1 Posts
    472 Views
    No one has replied
  • 0 Votes
    2 Posts
    937 Views
    Rico
    Show your OpenVPN Config and Firewall Rules (Screenshots). -Rico
  • IPSec behind router

    NAT pfsense
    0 Votes
    1 Posts
    392 Views
    No one has replied
  • WiFi card are client for pfsense box?

    Wireless wifi client pfsense
    0 Votes
    10 Posts
    3k Views
    stephenw10
    Some of those Realtek devices should be supported: https://www.freebsd.org/cgi/man.cgi?query=rtwn_usb&apropos=0&sektion=4&manpath=FreeBSD+12.0-RELEASE&arch=default&format=html You might find they work OK. You already have them so nothing but time to lose by testing them. Steve
  • PFSENSE: 2nd WAN IP for 2nd internal LAN

    NAT pfsense 2 public addre
    0 Votes
    2 Posts
    320 Views
    chpalmer
    You would set up a virtual address. https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-address-feature-comparison.html?highlight=virtual Then either port forward or use 1:1 NAT to the second address. Plus some WAN firewall rules to let the traffic pass.
  • 0 Votes
    3 Posts
    488 Views
    D
    Hello, from the LAN to external VPNs
  • Users cannot browse with a manual IP on the pfSense network

    Moved Portuguese pfsense
    0 Votes
    1 Posts
    174 Views
    No one has replied
  • Squid3-dev stopping the service.

    Moved Cache/Proxy pfsense
    0 Votes
    9 Posts
    1k Views
    S
    @KOM I will wait for the purchase of the new Hardware and perform the system update. Thanks a lot for the help.
  • 0 Votes
    2 Posts
    1k Views
    M
    Well, I have just got it working. The solution may be very specific to my scenario. First, I need to go through and test all the individual changes I made to ensure each one was needed, remove the cruft that was not needed and I will post the final solution here thereafter. What I had to do in this scenario was go to Pfsense A, go to advanced settings of IPsec. From there:
    Auto-exclude LAN address
    Enable bypass for LAN interface IP
    Exclude traffic from LAN subnet to LAN IP address from IPsec.
    This box was checked by default. I cleared it and traffic is now working both ways. I suspect what mattered here was the fact that Pfsense A didn't have a LAN subnet, and OpenVPN client subnet may have been seen as a LAN by this rule. I am sure one of the Pfsense developers could provide an explanation. Now I just need to check all the routes, rules, Phase 2 parts to ensure they are needed.