• How to use pfSense SSL filtering with Mikrotik

    2
    0 Votes
    2 Posts
    258 Views
    stephenw10S
    No. Adding the CA cert to Mikrotik would allow connection from the Mikrotik itself but would not do anything for connections from phones (or other hosts) behind it. It would only help if the clients are already using the Mikrotik to proxy traffic. Steve
  • Sending and Recieving emails...

    27
    0 Votes
    27 Posts
    3k Views
    GertjanG
    @raviktiwari said in Sending and Recieving emails...: As soon as I open the ports, scammers get excited and they start hitting my server and because the port is opened pfSense ...

    That's totally normal. If you have to serve port Xx, you'll be needing a server type application that you should (totally) trust; it should be set up to 'listen' to that port, and that port should be reachable by the public that could have to use that port Xx. This actually means that anybody on planet earth can connect to 'your' server. (People tend to use firewalls on server type devices to lock down non-served ports. Think about this for a minute or so. If you're laughing right now, then ok, perfect. You got it. A firewall on a server is ... quite useless. There is no reason to 'close' non-served ports, because they are black holes by nature. This reasoning is valid if the admin admins his server. That is: that he controls what executes, and when, on his server, and how it is executed. When he loses control, well, the first thing that would fall is the firewall, so start with not using a firewall on a server => one thing less to 'admin' ;) and one thing less to mess up.)

    Like Apache2, nginx will be listening to port 80 and/or 443. postfix will be listening to 25 TCP and probably also 465 TCP and 587 TCP (now phasing out). postfix will show / produce huge logs daily ****, filled up with connection attempts from 'other' devices on the Internet connecting to your IP:port to try to 'dump' their rubbish. That's normal, and you should consider it as simple background noise. Important to know: postfix, as the world's most used mail server, is pretty darn good at taking care of the real mails 'for you' and discarding the rest. But: postfix is as good as the admin maintaining it. The setup of a postfix server is ..... huge. And, IMHO, it's totally impossible to encapsulate the settings with some sort of GUI like VirtualMin or others.

    You have to master - with your head - the master.cf and main.cf files. This is my opinion of course, as I needed a multi domain, multi IPv4, multi IPv6 setup with added IMAP/POP mailbox support. It should work with Outlook Express (back then), all Thunderbird versions, as up to the latest "Office 365". For me, it all started here (I guess): http://www.postfix.org/SMTPD_ACCESS_README.html This is gold: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt and is still current as of today!!

    A firewall can't help you here "with some rules". *** What really helps to get the 'door knockers' out is a tool like fail2ban. It parses the postfix logs, searches for known - non accepted by postfix - incoming connections, and if they repeat themselves, or come back too often, the firewall gets loaded with a block rule for that IP. See it here in action. fail2ban also parses ssh logs, web server logs, teamspeak logs, etc., and acts if it finds something suspect.

    *** Most traffic, even mail traffic, is SSL encoded, so a firewall hasn't even access to the payload; it would see the source IP, and that's it.
    **** You'll meet up with logrotate for log file management.

    edit: sorry for losing the subject.
    edit 2: I'm not running postfix on or after pfSense, postfix of course (@work). ISP lines are mostly a big mega f*ck to host mail servers, as they are listed as such. It's a typical VPS usage, or what I use: a pair of https://www.ovh.com/ca/en/dedicated-servers/ which includes all the IPs needed, and, hopefully I never need it: a huge DDoS protection - on a naked (no GUI) Debian 9/10 install. When you start to run postfix yourself, bind (named) will follow as a master DNS server for your domains, and a web server will follow. Some Squirrel (old ... I know)/Roundcube instances, a MariaDB (ex. MySQL) for housekeeping etc etc.

    Btw: the "rocket science" used by the big ones has nothing to do with what I / you do. They will not tell how they do it for - logical - security reasons. But the biggest English/German/Belgian/French/Spanish ISPs did this: they took a copy of postfix, as it is 'free ware' (somewhat), and adapted it so it scales up to a pure madness level. They were using qmail back then .... they all paid the price. And no, no 'Exchange' for them.
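    The fail2ban behaviour described in the post above (parse postfix rejections, count repeats per source IP inside a time window, then push a firewall block for that IP) as a worked example. This is added illustration code, not fail2ban's code and not from the post: the log lines are constructed in postfix's syslog format, the year is assumed because syslog timestamps carry none, the thresholds mirror fail2ban's maxretry/findtime idea, and the `pfctl -t fail2ban -T add` commands assume a pf table named `fail2ban` is referenced by a block rule.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of postfix/smtpd log lines (not real traffic). Three rejects
# from 203.0.113.5 within 30 seconds, two from 198.51.100.7 more than an hour apart,
# and one accepted connection that must be ignored.
SAMPLE_LOG = """\
Jul 20 08:18:10 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; from=<a@example.com> to=<b@example.org>
Jul 20 08:18:15 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.7.1 Client host rejected: cannot find your hostname; from=<a@example.com> to=<b@example.org>
Jul 20 08:18:40 mail postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <b@example.org>: Relay access denied; from=<a@example.com> to=<b@example.org>
Jul 20 08:19:02 mail postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; from=<c@example.net> to=<b@example.org>
Jul 20 08:20:00 mail postfix/smtpd[1237]: connect from mx.example.net[192.0.2.10]
Jul 20 09:30:00 mail postfix/smtpd[1238]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; from=<c@example.net> to=<b@example.org>
"""

# Only smtpd rejections count as a "hit"; everything else in the log is noise here.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: (?P<code>[45]\d{2}) "
)


def parse_rejects(log_text, year=2020):
    """Yield (timestamp, source_ip) for each rejected RCPT; syslog has no year, so one is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def offenders(log_text, maxretry=3, findtime=600, year=2020):
    """Return the sorted list of IPs that produced >= maxretry rejects within findtime seconds.

    Hits are kept per IP in a sliding window; an IP is banned once and then ignored,
    which is what a fail2ban jail does before it fires its ban action.
    """
    window = defaultdict(list)
    banned = set()
    for ts, ip in parse_rejects(log_text, year):
        if ip in banned:
            continue
        hits = window[ip]
        hits.append(ts)
        # Drop hits older than findtime relative to the newest one (log is chronological).
        while hits and (ts - hits[0]).total_seconds() > findtime:
            hits.pop(0)
        if len(hits) >= maxretry:
            banned.add(ip)
    return sorted(banned)


def pf_block_commands(ips, table="fail2ban"):
    """The 'load the firewall with a block rule' step, as pf table additions (assumed table name)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    for cmd in pf_block_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

    Run as-is it bans only 203.0.113.5; the second host is below the retry count inside the 10-minute window and only gets caught if findtime is widened, which is the knob that decides how much "background noise" you tolerate before blocking.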
  • Virtualbox question about isolating the WAN interface

    3
    0 Votes
    3 Posts
    411 Views
    B
    In Linux (Mint) I set both IPv4 and IPv6 to nothing for WAN. Now Linux doesn't get any WAN traffic. It goes to pfSense first and comes back to LAN. This works but I think I'm creating a mess.
  • Why cant i reach devices in an IPSec network from another IPSec network?

    2
    0 Votes
    2 Posts
    435 Views
    stephenw10S
    With policy based IPSec you will need phase 2 policies that carry the traffic he is sending, and you probably don't have them right now. For example, if his subnet is 10.130.100.0/24 he probably has a P2 on his tunnel that is: 10.130.100.0/24 to 10.128.0.0/16. That will grab any traffic coming from his local subnet destined for your office networks and send it over the tunnel. But if he tries to access another remote site, say 10.130.200.0/24, that traffic will be ignored as it's not covered by the policy.

    To connect between spokes in a hub and spoke design like that you need P2 policies on each tunnel to carry it. So for that example the remote worker would need a P2 on his tunnel: 10.130.100.0/24 to 10.130.200.0/24. And the remote site he'd be connecting to would need: 10.130.200.0/24 to 10.130.100.0/24. That escalates quickly if you need to connect between a lot of sites. It's much easier if you have a route based VPN like OpenVPN or VTI (route based IPSec). But that would require changing all the tunnels.

    You could proxy the traffic on your office network somehow so his traffic appears to be coming from there. You could set up an OpenVPN server for this one worker (or more remote support staff). If you choose a tunnel subnet that is inside 10.128.0.0/16 then the existing IPSec tunnels will already carry that traffic. Steve
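    The selector matching behind that answer, as an added worked example (illustration code written for this page, not pfSense or strongSwan code): policy based IPsec only carries a packet when some phase 2 (local, remote) pair contains both its source and destination, so spoke-to-spoke traffic is silently dropped until a mesh of extra P2 entries exists, while an OpenVPN tunnel subnet carved out of the hub range rides the existing selectors. The addresses are the ones from the post; the OpenVPN tunnel subnet 10.128.250.0/24 and the spoke names are assumptions.

```python
import ipaddress

# Constructed topology based on the addresses in the post above (hub and two spokes).
OFFICE = "10.128.0.0/16"                 # hub: the office networks
SPOKES = {
    "worker": "10.130.100.0/24",         # the remote worker's LAN
    "siteB": "10.130.200.0/24",          # another remote site he wants to reach
}
OVPN_CLIENT = "10.128.250.2"             # assumed OpenVPN tunnel address inside OFFICE

# Hub-and-spoke phase 2 selectors per spoke tunnel, as (local, remote) pairs.
P2 = {name: [(lan, OFFICE)] for name, lan in SPOKES.items()}


def carried(p2_list, src, dst):
    """True when some phase 2 pair covers src -> dst.

    Anything not matched by a selector is not 'grabbed' by the tunnel; with
    policy based IPsec that traffic is simply not sent over it.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(l) and d in ipaddress.ip_network(r)
               for l, r in p2_list)


def mirror(p2):
    """The hub side of each tunnel: the same pairs with local/remote swapped."""
    return {name: [(r, l) for l, r in pairs] for name, pairs in p2.items()}


def spoke_to_spoke(p2, a, b, src, dst):
    """(forward, reverse): a's tunnel must carry src->dst and b's tunnel the reply dst->src."""
    return carried(p2[a], src, dst), carried(p2[b], dst, src)


def add_spoke_mesh(p2, spokes):
    """Add the P2 pairs every spoke needs to reach every other spoke directly."""
    out = {name: list(pairs) for name, pairs in p2.items()}
    for a, a_net in spokes.items():
        for b, b_net in spokes.items():
            if a != b:
                out[a].append((a_net, b_net))
    return out


def extra_entries(n_spokes):
    """Number of additional P2 entries a full spoke mesh needs: n * (n - 1)."""
    return n_spokes * (n_spokes - 1)


if __name__ == "__main__":
    print("worker -> office:", carried(P2["worker"], "10.130.100.10", "10.128.1.5"))
    print("worker -> siteB :", spoke_to_spoke(P2, "worker", "siteB", "10.130.100.10", "10.130.200.7"))
    print("after mesh      :", spoke_to_spoke(add_spoke_mesh(P2, SPOKES), "worker", "siteB",
                                              "10.130.100.10", "10.130.200.7"))
    print("OpenVPN client -> siteB over existing P2:",
          carried(mirror(P2)["siteB"], OVPN_CLIENT, "10.130.200.7"),
          carried(P2["siteB"], "10.130.200.7", OVPN_CLIENT))
    print("extra P2 entries for 10 spokes:", extra_entries(10))
```

    Both directions must be covered before a connection works; checking only the forward selector is a common mistake when debugging "one way" tunnels.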
  • Shell access limited to one command or set of commands?

    1
    0 Votes
    1 Posts
    201 Views
    No one has replied
  • Which CPU to use and suggestions for getting started.

    8
    0 Votes
    8 Posts
    1k Views
    DaddyGoD
    @redfox let's go step by step: read this thread, here I describe exactly how to create the environment for game play: https://forum.netgate.com/topic/153514/nat-issues-when-playing-games-on-two-computers Once you have interpreted it and have a problem, write and I will help. ++++edit: @redfox "How would your suggestion work in my situation?" Playing can be dangerous behind a firewall as ports need to be opened, but with a good setup this shouldn't be a problem.
  • IPSec and other VPN AEAD encryption options

    2
    0 Votes
    2 Posts
    464 Views
    jimpJ
    With AEAD ciphers the "hash" function gets used as a Pseudo-Random Function (PRF) instead. It's still necessary, but not necessarily used for hashing. strongSwan is smart enough to do the right thing there. 2.5.0 allows choosing PRF explicitly as well https://redmine.pfsense.org/issues/9309
  • Issue with LAGG interface MTU on 2.4.5-p1

    5
    0 Votes
    5 Posts
    478 Views
    J
    It actually looks normal to me. I can post it later, but I'll have to do extensive redacts. Interestingly, the upgraded pre-2.4.5 one has this entry in its backup xml:

        <opt3>
          <descr><![CDATA[LAGG0]]></descr>
          <if>lagg0</if>
          <enable></enable>
          <spoofmac></spoofmac>
          <mtu>9000</mtu>
        </opt3>

    and the new fresh install of 2.4.5 does not, but it does have all sub-interfaces for all the vlans, like this:

        <opt1>
          <descr><![CDATA[VLAN_130]]></descr>
          <if>lagg0.130</if>
          <enable></enable>
          <spoofmac></spoofmac>
          <ipaddr>redacted</ipaddr>
          <subnet>24</subnet>
        </opt1>
  • Getting the pfSense version with SNMP

    5
    0 Votes
    5 Posts
    1k Views
    GertjanG
    You can't find 2.4.4 info, because that version doesn't exist anymore (snmp bug). The actual version works just fine:

        root@DiskStation2:~# snmpwalk -v1 -c public 192.168.1.1 | grep 'pfSense'
        SNMPv2-MIB::sysDescr.0 = STRING: pfSense pfsense.brit-hotel-fumel.net 2.4.5-RELEASE-p1 pfSense FreeBSD 11.3-STABLE amd64
        SNMPv2-MIB::sysLocation.0 = STRING: pfSense
        HOST-RESOURCES-MIB::hrSWRunParameters.426 = STRING: "-q -f /etc/pfSense-devd.conf"

    Btw: for "regex" reasons, this

        snmpwalk -v1 -c public 192.168.1.1 | grep '2.2.5'

    will not work. "2.4.5" isn't a literal search string!
  • 1 Votes
    2 Posts
    574 Views
    stephenw10S
    This is a duplicate post. Please continue here: https://forum.netgate.com/topic/155443/random-problems-accessing-https-pages-error-pr_end_of_file_error
  • Email Alert for CPU Temperature

    8
    0 Votes
    8 Posts
    1k Views
    GertjanG
    @barakath said in Email Alert for CPU Temperature: Diagnostics--> Edit file. Look at it, then never look at or even use that option again. To see / load / upload to any device - not just pfSense, but any device around you (phones, VCR, access points, wall clock, coffee machine, you name it), use SFTP (example: WinSCP, or the far superior SmartFP) to access your pfSense over port 22. Also: activate the SSH access. While you're at it, test also the console access, which shows the same info / same access. Also, install PuTTY (Windows SSH client - Mac users have an SSH client built in). Once you have access, install a decent text editor like 'nano' (or use the good old built-in editor 'vi'): pkg install nano. Copy the file using select in the GitHub window and Ctrl-C - from here https://gist.githubusercontent.com/JMac87/1303f78c56a54165447568318eeca3b3/raw/8eaf407f0aa90d0134be12b51c0996bf9337da70/cpu_temp_alert.sh (the 'raw' view). Then, on pfSense - login menu option 8 - open a non-existing file with nano like: nano /root/temp.sh and then paste (Ctrl-V) the script. Ctrl-O to write the file, Ctrl-X to exit nano. 'chmod' the file (see above). etc etc.
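    For the alert logic itself (the linked gist is not reproduced on this page), an added example written for this page rather than taken from the thread or the gist: it parses `sysctl dev.cpu` output as FreeBSD prints it when coretemp(4)/amdtemp(4) is loaded, compares each core against a threshold, and builds a notification. The sample sysctl text is constructed, the 75 C default is an arbitrary choice, and the notification command assumes pfSense's `notify_via_smtp()` from notices.inc and a `php` binary at `/usr/local/bin/php`; check both on your version before relying on it.

```python
import re
import subprocess

# Constructed sample of `sysctl dev.cpu` output (values made up; other OIDs interleaved
# on purpose because the real output mixes %desc, freq and temperature lines).
SAMPLE_SYSCTL = """\
dev.cpu.0.%desc: ACPI CPU
dev.cpu.0.temperature: 61.0C
dev.cpu.0.freq: 2400
dev.cpu.1.temperature: 72.5C
dev.cpu.2.temperature: 58.0C
dev.cpu.3.temperature: 80.0C
"""

TEMP_RE = re.compile(r"^(dev\.cpu\.\d+)\.temperature:\s*([0-9.]+)C\s*$")


def parse_temps(text):
    """Map 'dev.cpu.N' -> temperature in degrees C; non-temperature OIDs are skipped."""
    temps = {}
    for line in text.splitlines():
        m = TEMP_RE.match(line)
        if m:
            temps[m.group(1)] = float(m.group(2))
    return temps


def hot_cores(temps, threshold):
    """Only the cores at or above threshold; empty dict means no alert is due."""
    return {cpu: t for cpu, t in temps.items() if t >= threshold}


def alert_text(hot, threshold):
    lines = [f"{cpu}: {t:.1f}C" for cpu, t in sorted(hot.items())]
    return (f"CPU temperature above {threshold:.1f}C on {len(hot)} core(s):\n"
            + "\n".join(lines))


def read_sysctl():
    """Live reading on the firewall itself; requires the temperature driver to be loaded."""
    return subprocess.run(["sysctl", "dev.cpu"], capture_output=True,
                          text=True, check=True).stdout


def notify_command(message):
    # Assumption: pfSense's notices.inc exposes notify_via_smtp(); the message is passed
    # as an argv element (after --) rather than interpolated into PHP source.
    php = "require_once('notices.inc'); notify_via_smtp($argv[1]);"
    return ["/usr/local/bin/php", "-r", php, "--", message]


if __name__ == "__main__":
    import sys
    threshold = float(sys.argv[1]) if len(sys.argv) > 1 else 75.0
    hot = hot_cores(parse_temps(read_sysctl()), threshold)
    if hot:
        subprocess.run(notify_command(alert_text(hot, threshold)), check=True)
```

    Run from cron with the threshold as the single argument; on a box without the driver `parse_temps` returns an empty dict and nothing is sent, which is the quiet failure to watch for when the alert never fires.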
  • Netbios ports showing up closed not stealth

    6
    0 Votes
    6 Posts
    829 Views
    G
    Thanks both, that is definitely what's happening, as like bigsy I have an account with Zen. So the answer to my question is no, there is no simple way of making my ports stealth. Project abandoned. I tried adding rules to see if they would make any difference, which they did not, so I will remove them. The implicit deny rule I have added would stop anything internally using those ports anyway. I put an extra implicit deny rule in to monitor any network activity I was not expecting. I presume like most firewalls I have worked on there is an invisible deny rule anyway. Thanks for the help
  • 0 Votes
    11 Posts
    1k Views
    viktor_gV
    @GunerX Try to temporarily disable "Block bogon networks" and run /etc/rc.update_bogons.sh (without force) again
  • Question on multiple WAN IPs

    4
    0 Votes
    4 Posts
    406 Views
    JKnottJ
    @BocajPF You need 1 NIC on the WAN side. You set up rules according to what you want. You haven't said anything about what you're doing. For example, do you have enough public IPs for all your hosts? If so, then you'd create a subnet for those addresses and not worry about NAT. For example, on IPv6, I get 256 /64 prefixes. Each /64 can be used for a LAN or VLAN. So, on my network, I assign 1 /64 for my main LAN and another for my test LAN. This config means I have a 2nd NIC for my test LAN, in addition to the 1 used for the main LAN. Without knowing what you're trying to do, it's hard to tell you how to do it.
  • Speed test in GUI, with history bar chart

    8
    0 Votes
    8 Posts
    7k Views
    provelsP
    You could always try this: https://forum.netgate.com/topic/64735/speedtest-cli-run-speedtest-on-pfsense-box If I was able to figure it out, anyone can. But not as easy as clicking "+Install" ... That said, a speedtest should be run from a client and not the FW. That's what I do.
  • PfSense + Squid + local network

    1
    0 Votes
    1 Posts
    448 Views
    No one has replied
  • Upgrading to 2.4.5 hosed my install

    7
    0 Votes
    7 Posts
    984 Views
    johnpozJ
    @jim0266-f said in Upgrading to 2.4.5 hosed my install: Time blends... Singing to the choir there buddy ;) And the older you get the faster it goes too... I was like it can't be 20 years - can it??? NFW ;) hehehe Had to double check to be sure.. And I was like whew.. Ok it hasn't been that long. heheeh
  • Implementing pfSense for a caritative association in France

    1
    0 Votes
    1 Posts
    130 Views
    No one has replied
  • Inquiry about multiple ip setup

    8
    0 Votes
    8 Posts
    756 Views
    stephenw10S
    Those IPs are in the WAN subnet (assuming they are real or representative), so they can't be used directly internally. A WAN VIP and 1:1 NAT is the correct way to do this if they need to have those downstream routers. They might insist on it if those are separate clients, for example. Otherwise you could just have separate VLANs with pfSense handling the subnets and the clients there directly. Just use a different outbound NAT rule for each to get different public IPs. Steve
  • Internet on windows but not ubuntu bad pfsense configuration?

    41
    0 Votes
    41 Posts
    7k Views
    DaddyGoD
    @Farisse you're welcome
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.