Checkout the hangout KOM linked above. Specifically from here onwards. Steve

Yeah you should be able to use either HAProxy or reverse Squid to redirect requests based on the host headers to different internal servers. Or different ports on the same server. https://docs.netgate.com/pfsense/en/latest/packages/haproxy-package.html https://youtu.be/FJSHMyrd29E Steve

@zemlik said in block access pfsense gui OPT1: blocked on OPT1 any to OPT1 address and WAN address ports 22 80 443 Yes, do that. Though you can use the system alias 'This Firewall' as shown in that link and it will cover all IPs on the firewall itself. Steve

@detox It isn't really surprising that it detected known fake-virus signatures. I wonder about how effective it is in general. I've never seen any qualitative comparisons such as those done by AV-Comparatives, for example. It may not even be as effective as Windows Defender, which has been getting better every year and does fairly well in testing. At my company, I don't use any AV on the firewall, and all LAN clients have local AV protection.

@stephenw10 Added pimd be added to redmine.

Ah OK, then yeah it should be just a matter of adding the port forwards for those ports. Try connecting to it externally then check the state table for states on those ports. Steve

It's probably a filesystem issue. It could be an upgrade failure. It's probably not hardware unless the drive is failing perhaps but I would expect bigger issues in that case. The fastest way to get back up is to re-install and restore your config from that situation. You can try this though since you still have command line access: https://docs.netgate.com/pfsense/en/latest/install/upgrade-troubleshooting.html#forced-pkg-reinstall Be sure to backup the config first though if you do. Steve

You can use Squid ACLs directly rather than using Squidguard if you really wanted to. It's far more complex though. Steve

Yes!

I try!

@truetype Okies nevermind, I found out the issue. I had put a pass between the two subnets, BUT i forgot and left it at TCP and not any, so UDP was not passed. Dumb mistake, but I hope it helps someone who googles and finds this. Check firewall rules!

@Gertjan OK problem resolved. Seems I didn't have enough protocols allowed on OPT1 working now and also NTP on WAP thanks ever so much for assist.

Try setting the monitoring IP to something other than the gateway IP, so 8.8.8.8 for example is commonly used. That gives you a better idea of actual connection quality. The ISP gateway usually doesn't guaranty ping response. Steve

The router used as an access point can, and probably should, be on the same subnet just set as static and outside the DHCP range.... and not the same IP as anything else! That way you will still be able to access it's interface to check signal strengths or make further changes. Steve

@akuma1x This is a hotel network ISP>PFSENSE>SWITCH>AP>Users

@nambi said in Best Way to Achieve this?: if I have something else using 443 would I then need to use the reverse proxy? That's one way. You could also reconfigure the web listen port for one of your servers to some other port. I tend to avoid using a reverse proxy because its extra complexity with potential issues that I'd rather avoid. Also yes, VLANs give you network separation as if they were physical interfaces. You always want to provide a gap between front-facing services and your LAN so that any exploited servers aren't used as a stepping stone to taking over your network.

Yup, that could be it. Though that's not one of the symptoms usually seen with Realtek NICs I would not rule it out. Steve

@stephenw10 thanks. Thankfully I had a good recent backup. Reinstalled pfsense via image provided by Netgate, restored backup back in business. Thank you

I mean 10k states per client does seem..... high! But it depends what those clients are doing. If those are all legitimate states then you could be hitting something else more quickly than we would otherwise expect. But, yeah, did disabling pfSync on the secondary correct the connection drops you were seeing? Steve

Solved by adding static routes in azure pfsense and adding UDR routes of the remote network in the azure route table....finally!