
    hi there

    Unfortunately I have the same issue as you and have been trying this lately, but also am having no luck.

    On the upside (if you can call it that) I can have the VLANs working SSID-assigned, so not RADIUS-assigned but one SSID per VLAN, and this all works here as I have it now.

    Basically the difference between our setup and yours is such: I have a dedicated interface on the pfSense for the VLAN trunk, separate to my LAN interface to the main switch (which also handles the VLANs), so pfSense to switch is two cables, one LAN and one with all VLANs as a trunk port (I did this as the pfSense is routing to and from LAN to VLAN and I wanted some more bandwidth).

    Then in the UniFi I have the SSID set to VLAN as you do, and on the switch config the VLANs are set on the ports between the APs and pfSense as tagged VLANs.

    One last thing: reading around, it looks like you do not set the VLAN ID for RADIUS-assigned VLANs. I noticed that in your config you have an SSID with a VLAN.

    Hope somehow this helps or someone comes along to put us both right. I'll keep tinkering in the meantime.
    One thing I did find on the subject though is this: https://community.ubnt.com/t5/UniFi-Wireless/I-need-help-setting-up-dynamic-vlan-assignment/td-p/1661658

  • Best Practices - How To Isolate Sonos System? VLANs or Other?

    Programie

    I've done something similar with all my IoT devices. But I've gone a bit further: all of them are in a VLAN having any outgoing traffic to any other network (WAN, LAN, etc.) rejected by default. Only my defined list of rules is allowed.

    I've even redirected all DNS queries to pfSense (NAT TCP/UDP port 53 to 127.0.0.1), so they can't even use any freely chosen DNS server like Google Public DNS. All DNS traffic is sent to pfSense so I can log DNS queries and find out which hosts they are trying to reach (and maybe open them in the firewall if required).

    In my case I'm using Ubiquiti UniFi Access Points, which allow creating multiple WiFi networks with different VLANs, so even wireless devices can be restricted to a specific VLAN. 8) I'm not sure whether that is going to work with DD-WRT.

  • Certificate problem (ERR_CERT_COMMON_NAME_INVALID) in Chrome

    johnpoz

    "Windows domain, then the domain is added automatically"

    That is a simple search suffix, and all OSes can be set up to do that. But it's not going to do it in your browser; it would be done on the DNS query.

    There is zero reason to put in just a hostname for a cert. Try and get a CA to sign off on that ;)

  • Monitoring pfSense using Nagios and SSH

    No one has replied

  • PfBlockerNg, What's the real need? Think you'll be surprised

    Whether home or business, if I could only choose one package to install it would be pfBlockerNG. First, DNSBL is fantastic (think built-in Pi-hole). Yes, the default WAN rules will already block everything if you don't have any forwards. But as motific and others have alluded to, even then, if you deny both directions (LAN and WAN) via the IP component your internal clients will get blocked when trying to communicate with known bad addresses. The alerts/reports will show this activity as well. This is a pic of the alerts on the new version, but the older version had similar functionality. On this particular firewall, if the LAN interface shows up in the list of "denies" I need to investigate the cause of the alert.

    [image: pfblockerng-alerts.png]

  • Help to add a DMARC record

    Agree with johnpoz and marjohn56. If you need help setting up DMARC (and SPF/DKIM), a group and I put together a technical guide at the link below, if you are interested. It also has an associated testing guide which walks you through the process of discovering your authoritative nameservers.

    https://www.linuxincluded.com/implementing-spf-dkim-and-dmarc/

  • DNS resolver port for pfblockerng

    No one has replied

  • Avahi, VPNs and the dreaded MacOS Machine Name (42) problem

    MORGiON

    I have the same issue and have not found a way to remedy it :(

  • PPP interface not working after reboot

    No one has replied

  • Make pfSense act like Cisco VPN Client

    @robi:

    If you'd change all the clients, you could easily do the job with OpenVPN inside pfSense.

    robi, what do you mean by "change all the clients"?

  • How to make use of VLANs

    Thanks for all of the pointers from everyone. I decided to forgo the VLAN multi SSID feature of the TL-Link AP and move it over to the LAN. I do have a Ubiquiti NanoStation loco M2 that I thought that I would swap with the TL-Link, but until I can understand the VLAN process, I will save that for another time.

  • Locks up on booting (was Restoring part of my config to a new system)

    I am kind of getting further.

    I tried once more, but rebooting with both LAN and WAN disconnected, i.e. yanked the cables out.

    It seemed to boot properly. Just trying to restore each bit in turn now and seeing how it goes.

  • When to enable the tcp flag "out of" ?

    Thanks, that explanation also confirms what I read here:

    https://www.openbsd.org/faq/pf/filter.html

    ctrl-f tcp flags

    This doc cleared up my confusion on tcp flags a lot.

  • Feed banned host from FreeBSD mailserver to pfsense? (fail2ban)

    The diagram was more for me to talk to while I tried to explain to my friend.  Not much useful content.

    Sent you a PM.

  • 2.4.2 not getting install on Intel 945 motherboard

    Thank you Grimson. It is working.

    The following commands helped:

    gpart recover da1
    gpart set -a active da1

    regards,
    Ashima

  • Annoying Snort Issue

    bmeeks

    @aadder:

    I can understand that.  I'm curious when they might clear up the issue.  It's been 3 days.  I would hate to see sourcefire have the same issue at work.

    I believe this was identified as an error in one of the volunteer-maintained OpenAppID rules.  That rules package was created and is maintained by an individual in Brazil.  The pfSense team just recently moved the hosting site from a Brazilian University over to pfSense infrastructure.  The text OpenAppID rules are not maintained by the Snort VRT.

    I was under the impression this rule typo had been corrected a couple of days ago.  You could try reaching out to the pfSense team for more information, or temporarily turn off the OpenAppID rules and see if the error goes away.  I think it will.

    Snort has one failing compared to Suricata.  With Suricata, when a rule syntax error is encountered, the binary will print an error message but then skip the offending rule and load the others.  Snort, on the other hand, will print an error and exit when encountering a rule syntax error.  This behavior is baked into the underlying binary and is not something the pfSense GUI package can influence.

    Bill

  • Load Balancer and apache virtual hosts

    jimp

    For https checks with host to work, it requires SNI. The load balancer is very, very basic and cannot do that.

    HAProxy is only recently gaining that ability. I'm not sure if it's in the haproxy package yet, but it might be there, or in the haproxy-devel package.

    Check the cache/proxy board here under packages.

  • VoIP Telephones don't get connection

    Can a PC ping 192.168.178.1? If not, then your routing/firewall rules are wrong.
    Should the telephones connect to the FritzBox? If yes: is that option enabled on the FritzBox? Can you see something in the error log on the FritzBox or on the phone?

    Do you have specific rules to allow traffic from the phones to the FritzBox? Or do you allow all for testing?

  • In the event of crash

    WINSCP is the easiest method.

  • HAProxy Frontend Limit

    Can you try with this patch applied?:

    .../files/usr/local/www/haproxy/haproxy_listeners_edit.php              | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/pfSense-pkg-haproxy-devel/files/usr/local/www/haproxy/haproxy_listeners_edit.php b/net/pfSense-pkg-haproxy-devel/files/usr/local/www/haproxy/haproxy_listeners_edit.php index 7f2d2af..1647034 100644 --- a/net/pfSense-pkg-haproxy-devel/files/usr/local/www/haproxy/haproxy_listeners_edit.php +++ b/net/pfSense-pkg-haproxy-devel/files/usr/local/www/haproxy/haproxy_listeners_edit.php @@ -361,7 +361,7 @@ if ($_POST) { } if ($_POST['client_timeout'] !== "" && !is_numeric($_POST['client_timeout'])) { - $input_errors[] = "The field 'Client timeout' value is not a number."; + $input_errors[] = sprintf(gettext("The value '%s' in field 'Client timeout' value is not a number."), $_POST['client_timeout']); } }
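    Review bot: the replacement line interpolates the raw $_POST['client_timeout'] value into $input_errors; since that text is user-controlled and is rendered back in the GUI, make sure it is HTML-escaped at the point of output (or pass it through htmlspecialchars() before the sprintf()) so a non-numeric value cannot inject markup into the error page. The new string also reads oddly with "value" twice ("The value '%s' in field 'Client timeout' value is not a number."); suggest "The value '%s' in field 'Client timeout' is not a number."
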
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.