• Day of week & time of day restrictions per IP/MAC?

    0 Votes, 3 Posts, 575 Views

    @fleece:

    My son stays up too late gaming.  Could I use pfSense to restrict his Internet access during days of week and time of day, say from midnight to 6AM?  I can give him the same IP address through reserved DHCP or something.

    Yes.

    In Services/DHCP server you can give your son a static IP.

    Then, in Firewall/Schedules you can create a schedule.

    Then, in Firewall/Alias, you can create aliases with addresses your son is allowed to go to (the gaming, for example).

    Finally, in Firewall rules, you can:

    1. Add the alias to allow him to game;
    2. Add, in advanced settings (at the bottom), the schedule which limits the time he can do that.

    So after that time, he can still google his homework (sorry, I still can't live with that thought, I'm old fashioned, back in my days we had books  :-[ ) but can't game.

    Or, of course, even beyond that: he can't internet at all.

    Or, beyond that, with two schedules:

    Firewall rule 1: he can game until 4 PM with a schedule.
    Firewall rule 2: he can game from 9 PM-10 PM with a schedule.

  • PFS - Bandwidth Usage Logs

    0 Votes, 9 Posts, 1k Views

    I have installed Status_Traffic_Totals too, many months ago, but it always seems to not be collecting data until I go look at it. I've re-installed it, but every time I go back and check it, it's all zeros.

  • SNORT rule does not work!

    0 Votes, 3 Posts, 583 Views

    I just told one example, actually I have this problem with any website.
    and I don't want to see the content, I just want to block the site.

  • Internet restriction

    0 Votes, 5 Posts, 847 Views

    @ast:

    Can we use squidguard together with pfblockerng?

    Of course.

    pfBlockerNG has many, many, many, blocklists.

  • Transparent bridge between WAN and LAN + DHCP service

    0 Votes, 1 Posts, 282 Views
    No one has replied
  • Packet logger mode of snort, PROBLEM!

    0 Votes, 1 Posts, 426 Views
    No one has replied
  • PfSense firewall unreachable and blocked

    0 Votes, 2 Posts, 440 Views

    Because pfSense saves its logs on RAM, after reboot I cannot see any of the logs from before the reboot, so I don't have any information on what happens when the firewall gets into this state. I didn't set-up a log server because I am not very sure about how fast I will run out of memory.

    What version are you running? Full installs haven't logged to RAM for some time now.

    A remote syslog wouldn't run out of RAM … if configured badly, it might run out of disk space

  • Hardware recommendations for 10GbE Home/Soho network

    0 Votes, 8 Posts, 3k Views

    @johnpoz:

    get a bigger tube ;)

    That's the kind of response I was looking for ;-)

    What size do you recommend?

  • Need To Update OpenVPN - 4 Security Flaws Found

    0 Votes, 2 Posts, 515 Views
    johnpoz

    https://forum.pfsense.org/index.php?topic=132534.msg728642#msg728642

    I am on 2.4 snapshots and it's running 2.4.3 just fine.

  • TFTP bootfiles

    0 Votes, 2 Posts, 430 Views
    jimp

    You could set up an additional pool and then control access using the deny/allow MAC fields.

  • Could I see every virtual servers session when inbound load balance?

    0 Votes, 2 Posts, 374 Views
    jimp

    The items on the status screen are all that relayd will show you. Between that and what you can find by filtering under Diag > States you can see what is connected.

    If you need more detailed information or control over balancing, you should consider moving to HAProxy.

  • Spam and anti-virus filtering of smart host with pfsense

    0 Votes, 2 Posts, 779 Views
    jimp

    There isn't anything on pfSense for that. pfSense isn't a mail server, it's a firewall. You need a mail server filtering appliance type distro to sit in front of your existing mail server.

  • Site to site VPN, the pfsense behind NAT can only work with responder

    0 Votes, 1 Posts, 487 Views
    No one has replied
  • Does pfsense support /31 bit mask?

    0 Votes, 7 Posts, 2k Views

    Me too.  I just learned about it recently.  I thought I might try it.

  • Need to reboot pfsense 2.3.4 weekly

    0 Votes, 2 Posts, 473 Views
    Derelict

    No, we are all not rebooting our 2.3.4 nodes weekly.

    Can you get to the webgui and look around when it acts up before you reboot it?

    Look at the usual things: disk space, RAM, mbufs, etc.

    If you can get a status output: https://firewall_ip_address/status.php download that file before rebooting next time so you have one while it's failed.

  • Change WAN interfaces-keep other settings

    0 Votes, 1 Posts, 239 Views
    No one has replied
  • PfSense doesn't get any WAN behind Verizon modem (Fios)

    0 Votes, 1 Posts, 337 Views
    No one has replied
  • How to give access to a certain website to one user or one IP address?

    0 Votes, 2 Posts, 330 Views

    Need more info and keep in mind this is coming from an amateur but I would give the client who is allowed access a fixed lease on your network, then write an allow rule to the specific website (assuming the site has a manageable IP set) with the client as the source, then write a second rule blocking everything else to the website.

    Make sure to place this rule set above your allow rules (depending on your rules)… I believe this is a form of "whitelisting".

    Not sure that answers your questions but need more info to be more help...

  • VLAN Interface not receiving packets

    0 Votes, 9 Posts, 2k Views

    After some reading I understand now that this will lead to bigger problems …
    the Cisco router is routing because of fixed routing tables ... bah

    I'm changing the big subnet into smaller ones on the client side

  • Lets Encrypt and SSL Man in the Middle Filtering

    0 Votes, 6 Posts, 4k Views

    @maymaster:

    @jimp:

    The Let's Encrypt CA on your system does NOT include the key, it is only the certificate. You can't make your own certificates without the key.

    Let's Encrypt automatically signs requests only if your request can pass validation. Since you don't control the domains or sites in question, you could never pass the validation and thus could never obtain a certificate from Let's Encrypt for those sites.

    The only way you can do MITM is with your own self-signed CA installed on every device/browser. Period.

    What kind of certificate should I buy to make Man in the Middle to filter https? And some place that you recommend me to compare?

    The USA government cannot even do this. You make your own and manually install them on your local machines.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.