• Create a user with ssh_tunnel_shell as default shell

    0 Votes
    3 Posts
    607 Views

    So easy?!

    -.- And I found nothing on the web.
    Thanks a lot.

  • Problems browsing with IE

    0 Votes
    4 Posts
    658 Views

    After a while trying different settings I got it to work. It's not the best way to do this, but the only one I found. In the SSL Man In the Middle Filtering I changed from "Splice Whitelist, Bump Otherwise" to "Splice All" and now IE in Windows XP is browsing with the proxy settings. As I said before, it's not the best way, but the only one I got working, and the sites that are forbidden don't show the custom message but an SSL error and are not accessible; in the end the result is the same.
    Thanks everyone for the help.

    cheers

  • Logging broken?

    0 Votes
    7 Posts
    1k Views

    From what I can see in my logs, the "syslogd: exiting on signal 15" is usually associated with a reboot/restart but there may be other circumstances.  For example, the old postfix package used to cause a syslogd restart whenever the package config was reloaded.

    It's not something I've really worried about though.

  • How to start from "zero"?

    0 Votes
    14 Posts
    2k Views
    jimp

    And by your reply, it's clear you completely missed the point of what I said, while simultaneously proving my point.

    I hope you find a book that fits your level of IT learning ability.

  • How to block ALL vpn connections

    0 Votes
    8 Posts
    12k Views

    Install Squid & SquidGuard and create an account for each user and device, and then you can better allow what to use
    through that proxy server. Together with OpenDNS it will be a nice service and prevention.

    If this is not enough, you could try out pfBlocker & DNSBL + TLD; for sure your system memory (RAM)
    should be high enough, but then using Snort with AppID rules you may get closer to your goal.

    Or, more expensively, it could be nice to install a deep packet inspection device behind the pfSense firewall;
    this might then take more time to fine-tune, but with the most effect of all. Or a combination of some of these
    things could be the real deal breaker.

  • pfSense is working great, only a few users have yellow triangle sign

    0 Votes
    6 Posts
    823 Views

    Squid is probably breaking the HTTPS cert chain if I was to guess.

  • Cannot access pfsense using webgui and SSH

    0 Votes
    2 Posts
    392 Views

    Hi, I've got the same problem.
    Yesterday I installed pfSense on OpenStack and, since the DHCP config had failed for the WAN, I had to set the IP address (also netmask and default gateway, of course) manually.
    The weird thing is that I'm able to ping and reach Internet sites and external IPs, but my pfSense instance filters all incoming connections.
    I also tried some scans with nmap, but it always returns the same message: "All ports are filtered".

    Could you please help?
    Maybe the problem is related to the basic firewall which has not been configured correctly due to the DHCP error at boot.

    Thank you in advance

  • System / High Availability Sync Settings without CARP

    0 Votes
    3 Posts
    1k Views

    Thank you very much for taking the time to comment.  After rereading what I posted, I realize I posted it too soon.  There is definitely information missing and some of the sentences seem to be incomplete.

    Ok, as for your post:

    I have 6 other firewalls that are in a CARP configuration and they are humming along with zero issues (knock on wood).  I have mine set up with a bi-directional state sync.  It has made my failovers and failbacks seamless.

    The reason these two units are NOT in a CARP setup is simply because this pfSense is directly connected to the ISP equipment and we only have one supplied port from them.  I realize simply putting a switch in front of the gateway would allow us to CARP the two pfSenses together but I don't have an extra one to do this.  It is our gateway router.

    Why I don't have ready access to the backup gateway?  That actually was not accurate.  I have physical access and console access to the firewall, BUT since the configuration is IDENTICAL to the primary, I don't have GUI access to the unit.

    So it's my understanding then that transferring the sync state across to the backup is a waste of time.  But syncing configuration changes from the primary to the standby will work.

    Again thanks for your time.

    Dino

  • Expanding DHCP-Range

    0 Votes
    5 Posts
    701 Views

    @johnpoz:

    yes.. ;)

    Ok, thank you very much.

  • Is this possible?

    0 Votes
    7 Posts
    1k Views

    @BlueKobold:

    Debian Linux on a small Raspberry PI 3.0 or on a Netgate Minnow TurBot and OpenLDAP on top, or with a nice graphical user
    interface (GUI) together with TurnKey Linux. TurnKey Linux & OpenLDAP Package

    Radius Server 3.0 is announced to be coming as a package for pfSense directly! The Captive Portal with voucher system will be able to be used for guest WiFi.

    So I need additional hardware?

  • Tagging WAN Interface Issues

    0 Votes
    1 Posts
    529 Views
    No one has replied

  • pfSense untagged VLAN for Unifi UAP management

    0 Votes
    5 Posts
    1k Views
    Derelict

    No. Just managed layer 2. Any "web smart" switch should do fine. As long as it properly supports 802.1q.

  • Test firewall and Squid remotely

    0 Votes
    1 Posts
    277 Views
    No one has replied

  • 2-5% constant packet loss WAN

    0 Votes
    13 Posts
    2k Views

    @AndroBourne:

    @johnpoz:

    Or just use unbound and let it resolve vs forward.  Now you have DNSSEC for sure and it doesn't matter how shitty your ISP DNS is ;)… ...You're talking .6 of a sec vs .1 of a second - doesn't make much of a difference either way...

    It does matter, especially if his ISP DNS is having issues….

    No it doesn't, resolver doesn't use his ISP's DNS at all, for anything.

  • WAN gateway stops working after packet loss

    0 Votes
    10 Posts
    4k Views

    @silverberg:

    Hi, did you find a solution for this? I've been having this issue for about a month but can't find a solution. I've even changed hardware.

    What have you tried and exactly what behaviour are you experiencing? As per my last post, the combination of changing monitoring IP and the Gateway Action have sorted it for me.

  • For porn site filter

    0 Votes
    7 Posts
    4k Views

    I would suggest you use Squid and SquidGuard/DansGuardian. pfSense on its own can't block addresses using aliases in firewall rules.

    And on top of this you may combine this with an OpenDNS account too!

  • 0 Votes
    7 Posts
    3k Views

    I would personally set up a DMZ if I have servers that need a permanent Internet connection
    or IoT devices that are sniffing my network and then snitching it all home to the vendor server.

    It could also be a nice place for smart TVs, game consoles and/or internet radios or many IoT
    devices; for sure that can also be done with an extra multimedia VLAN, so nothing
    wrong with it if they are all not disturbing the rest of the LAN.

    I would divide the entire local area network into several VLANs, and this by using a small switch,
    either Layer 3 or Layer 2, like needed and/or wished. Cisco SG220/SG250 or SG350 series are
    here one of the best you can get your hands on; they start with 10-port and end up
    with 48-port models, like you need it. This is based on my own opinion and nature and surely
    not a must. If you need a switch you may also get the benefit from that: if your entire
    network load is too high, based on whatever, the switch is saturated, and if this all is
    connected to your firewall directly, this one will be freezing!

    I would set up:
    pfSense 192.168.1.0/24
    VLAN1 - management VLAN - 192.168.1.0/24
    VLAN10 - IoT devices - 192.168.3.0/24
    VLAN20 - private wired devices - 192.168.4.0/24
    VLAN30 - office - 192.168.0.5/24
    VLAN40 - WiFi guest - 192.168.6.0/24
    VLAN50 - WiFi private - 192.168.7.0/24
    VLAN60 - children (each) - 192.168.8.0/24
    etc…

    wired devices over OpenLDAP on a small MinnowTurBot or Raspberry PI 3.0 with Debian Linux or TurnKey Linux
    wireless devices (guests) over the Captive Portal w/ voucher system
    wireless devices (private) over FreeRadius Server 3.0 w/ certificates
    OpenDNS Account if children are in that house hold and then matching to their age

    pfBlockerNG & DNSBL + TLD might also be nice to use, but a Squid proxy with user auth. might be
    better together with SquidGuard & SARGE to get knowledge of who is surfing where! (Children)

  • I need some help.

    0 Votes
    4 Posts
    725 Views

    The VLAN will be untagged at the UniFi access point with 2 SSIDs.

    A WiFi AP with one SSID is untagged, and a WiFi AP with multi-SSID support must be running tagged.

    I would try to secure the guest WiFi named "Student" with the Captive Portal and vouchers divided into several different groups,
    and the other WiFi network named "Staff" I would try to secure with a Radius server working with certificates.

    So the staff has its own WiFi (VLAN10) and security and the Guest WiFi (VLAN20) will be separated from that one.

  • Disable the Web GUI

    0 Votes
    8 Posts
    5k Views

    I agree with Blue. This is pretty much what DMZs are made for.

    Another thing you could do is:

    Create the DMZ.

    Put all your devices on the DMZ interface, then make a policy to block the pfSense Web UI on the DMZ. (Best to put the web UI on a custom port and just block that port on the DMZ.)

    This should block the pfSense Web UI from the DMZ side, but with rules you should be able to allow it on the local LAN only, at which point I'd do as you laid out earlier and create a management interface for that traffic.

    Another option would be to leave it enabled but force HTTPS and change the port number to something totally out of the norm. While it would still be enabled, it would be very difficult for someone to figure out what port it is on and pull it up.

    Just a thought.

  • [Solved] Port forward across OVPN tunnel not working

    0 Votes
    3 Posts
    644 Views
    Derelict

    That pretty much sums it up.


Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.