• Monitoring pfSense using Nagios and SSH

    0 Votes
    1 Posts
    2k Views
    No one has replied
  • PfBlockerNg, What's the real need? Think you'll be surprised

    0 Votes
    9 Posts
    4k Views
    D
    Whether home or business, if I could only choose one package to install it would be pfBlockerNG. First, DNSBL is fantastic (think built-in Pi-hole). Yes, the default WAN rules will already block everything if you don't have any forwards. But as motific and others have alluded to, even then, if you deny both directions (LAN and WAN) via the IP component your internal clients will get blocked when trying to communicate with known bad addresses. The alerts/reports will show this activity as well. This is a pic of the alerts on the new version, but the older version had similar functionality. On this particular firewall, if the LAN interface shows up in the list of "denies" I need to investigate the cause of the alert. [image: pfblockerng-alerts.png]
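    As an added illustration of the "deny both directions" point in the post above, here is what the two IP-component rules amount to when written by hand in pf syntax. This is not pfBlockerNG's generated ruleset or anything from the post; the table name, the list file path and the interface names em0 (WAN) and em1 (LAN) are assumed.

    ```pf
    # Assumed: a blocklist file with one IP or CIDR per line, loaded into a pf table.
    # "persist" keeps the table alive even when no rule references it.
    table <badhosts> persist file "/var/db/badhosts.txt"

    # WAN direction: drop unsolicited traffic arriving from listed addresses.
    # With no port forwards the default WAN policy already drops this, but
    # logging it is what makes the hit show up in an alerts view.
    block in log quick on em0 from <badhosts> to any

    # LAN direction: this is the rule that actually protects internal clients.
    # Traffic a client initiates enters the firewall on the LAN interface, so
    # without this rule a client can still connect out to a listed address.
    block in log quick on em1 from any to <badhosts>
    ```

    `pfctl -t badhosts -T test 203.0.113.7` reports whether an address is in the table, and `tcpdump -n -e -ttt -i pflog0` prints the logged matches with the rule number, interface and direction. A logged hit whose interface is em1 and direction is in is a host inside the network initiating contact with a listed address, which is exactly the case the post says warrants investigation.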
  • Help to add a DMARC record

    0 Votes
    5 Posts
    1k Views
    D
    Agree with johnpoz and marjohn56. If you need help setting up DMARC (and SPF/DKIM), a group and I put together a technical guide at the link below if you are interested. It also has an associated testing guide which walks you through the process of discovering your authoritative nameservers. https://www.linuxincluded.com/implementing-spf-dkim-and-dmarc/
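    Before publishing SPF and DMARC TXT records it is worth checking them against the syntax rules, since a malformed DMARC record is silently ignored by receivers. The following checker is an added example, not code from the thread or from the linked guide; the two records are constructed for a hypothetical example.com and the rules encoded are those of RFC 7208 (SPF) and RFC 7489 (DMARC).

    ```python
    """Sanity-check SPF and DMARC TXT records before publishing them (added example)."""
    import re

    # Constructed sample records for the hypothetical domain example.com
    SPF_RECORD = "v=spf1 mx include:_spf.mailprovider.example -all"
    DMARC_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@example.com; "
                    "pct=100; adkim=s; aspf=s")


    def parse_dmarc(txt):
        """Split a DMARC record into its tag=value pairs; raise on a bare token."""
        tags = {}
        for part in txt.split(";"):
            part = part.strip()
            if not part:
                continue
            if "=" not in part:
                raise ValueError(f"tag without value: {part!r}")
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
        return tags


    def check_dmarc(txt):
        """Return a list of problems with a DMARC record; an empty list means it looks sane."""
        problems = []
        tags = parse_dmarc(txt)
        # v=DMARC1 must be the first tag and p= is mandatory
        if not txt.strip().startswith("v=DMARC1"):
            problems.append("record must start with v=DMARC1")
        if tags.get("p") not in ("none", "quarantine", "reject"):
            problems.append("p= must be none, quarantine or reject")
        # rua= is optional, but without it you receive no aggregate reports
        if "rua" not in tags:
            problems.append("no rua= tag: you will not receive aggregate reports")
        else:
            for uri in tags["rua"].split(","):
                if not uri.strip().startswith("mailto:"):
                    problems.append(f"rua URI is not mailto: {uri.strip()!r}")
        pct = tags.get("pct", "100")
        if not pct.isdigit() or not 0 <= int(pct) <= 100:
            problems.append("pct= must be an integer 0-100")
        for tag in ("adkim", "aspf"):
            if tags.get(tag, "r") not in ("r", "s"):
                problems.append(f"{tag}= must be r or s")
        return problems


    def check_spf(txt):
        """Return a list of problems with an SPF record."""
        problems = []
        terms = txt.split()
        if not terms or terms[0] != "v=spf1":
            problems.append("record must start with v=spf1")
            return problems
        # RFC 7208 caps DNS-querying mechanisms/modifiers at 10 per evaluation
        lookups = 0
        for term in terms[1:]:
            mech = term.lstrip("+-~?")
            name = mech.split(":", 1)[0].split("/", 1)[0].lower()
            if name in ("include", "a", "mx", "ptr", "exists") or term.lower().startswith("redirect="):
                lookups += 1
        if lookups > 10:
            problems.append(f"{lookups} DNS-querying terms, RFC 7208 allows at most 10")
        has_all = re.search(r"(^|\s)[-~?+]?all$", txt.strip()) is not None
        has_redirect = any(t.lower().startswith("redirect=") for t in terms)
        if not has_all and not has_redirect:
            problems.append("no terminal all mechanism (or redirect=): record is open-ended")
        return problems


    if __name__ == "__main__":
        for label, record, checker in (("SPF", SPF_RECORD, check_spf),
                                       ("DMARC", DMARC_RECORD, check_dmarc)):
            print(label, "OK" if not checker(record) else checker(record))
    ```

    Run it against the exact strings you intend to publish, then after publishing confirm with `dig +short TXT _dmarc.example.com` against each authoritative nameserver that the same text is served everywhere.
    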
  • Dns resolver port for pfblockerng

    0 Votes
    1 Posts
    359 Views
    No one has replied
  • Avahi, VPNs and the dreaded MacOS Machine Name (42) problem

    0 Votes
    2 Posts
    370 Views
    MORGiON
    I have the same issue, have not found a way to remedy it  :(
  • PPP interface not working after reboot

    0 Votes
    1 Posts
    433 Views
    No one has replied
  • Make pfSense act like Cisco VPN Client

    0 Votes
    4 Posts
    1k Views
    V
    @robi: If you'd change all the clients, you could easily do the job with OpenVPN inside pfSense. robi, what do you mean by "change all the clients"?
  • How to make use of VLANs

    0 Votes
    12 Posts
    2k Views
    K
    Thanks for all of the pointers from everyone. I decided to forgo the VLAN multi-SSID feature of the TP-Link AP and move it over to the LAN. I do have a Ubiquiti NanoStation loco M2 that I thought that I would swap with the TP-Link, but until I can understand the VLAN process, I will save that for another time.
  • Locks up on booting (was Restoring part of my config to a new system)

    0 Votes
    6 Posts
    602 Views
    R
    I am kind of getting further. I tried once more but rebooting with both LAN and WAN disconnected, i.e. yanked the cables out. It seemed to boot properly.. just trying to restore each bit in turn now and seeing how it goes…
  • When to enable the tcp flag "out of" ?

    0 Votes
    4 Posts
    2k Views
    N
    Thanks, that explanation also confirms what I read here: https://www.openbsd.org/faq/pf/filter.html ctrl-f tcp flags This doc cleared up my confusion on tcp flags a lot.
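    The "set" and "out of" checkboxes in the pfSense rule editor map directly onto pf's `flags` syntax that the OpenBSD FAQ linked above documents: the flags before the slash must be set, the flags after the slash are the ones examined, and any examined flag not listed before the slash must be clear. The rules below are an added example, not from the thread; the interface name em1 and the subnet are assumed.

    ```pf
    # "flags S/SA": out of SYN and ACK, only SYN may be set, so only the first
    # packet of a new TCP connection can create state. This is pf's default for
    # stateful TCP rules and is what the GUI applies when no flags are chosen.
    pass in on em1 proto tcp from 192.168.1.0/24 to any port 443 flags S/SA keep state

    # "flags any" (the GUI's "Any flags" checkbox) disables the check entirely,
    # so pf will create state from a mid-stream packet it never saw the SYN for.
    # Needed only for asymmetric paths or when picking up existing connections;
    # otherwise it removes the guarantee that state begins with a handshake.
    pass in on em1 proto tcp from 192.168.1.0/24 to any port 22 flags any keep state
    ```

    `pfctl -vvsr` prints the loaded rules with their flags field, so you can confirm which form the GUI actually generated for a given rule.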
  • Feed banned host from FreeBSD mailserver to pfsense? (fail2ban)

    0 Votes
    6 Posts
    883 Views
    B
    The diagram was more for me to talk to while I tried to explain to my friend.  Not much useful content. Sent you a PM.
  • 2.4.2 not getting install on Intel 945 motherboard

    0 Votes
    4 Posts
    492 Views
    A
    Thank You Grimson…. It is working.. The following commands helped:
        gpart recover da1
        gpart set -a active da1
    regards, Ashima
  • Annoying Snort Issue

    0 Votes
    4 Posts
    719 Views
    bmeeks
    @aadder: I can understand that.  I'm curious when they might clear up the issue.  It's been 3 days.  I would hate to see sourcefire have the same issue at work. I believe this was identified as an error in one of the volunteer-maintained OpenAppID rules.  That rules package was created and is maintained by an individual in Brazil.  The pfSense team just recently moved the hosting site from a Brazilian University over to pfSense infrastructure.  The text OpenAppID rules are not maintained by the Snort VRT. I was under the impression this rule typo had been corrected a couple of days ago.  You could try reaching out to the pfSense team for more information, or temporarily turn off the OpenAppID rules and see if the error goes away.  I think it will. Snort has one failing compared to Suricata.  With Suricata, when a rule syntax error is encountered, the binary will print an error message but then skip the offending rule and load the others.  Snort, on the other hand, will print an error and exit when encountering a rule syntax error.  This behavior is baked into the underlying binary and is not something the pfSense GUI package can influence. Bill
  • Load Balancer and apache virtual hosts

    0 Votes
    2 Posts
    544 Views
    jimp
    For https checks with host to work, it requires SNI. The load balancer is very, very basic and cannot do that. HAProxy is only recently gaining that ability. I'm not sure if it's in the haproxy package yet, but it might be there, or in the haproxy-devel package. Check the cache/proxy board here under packages.
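    For contrast with the basic load balancer the reply describes, here is an added HAProxy configuration (not from the thread or from the pfSense package) that does both things the reply says require SNI: route incoming TLS connections by server name, and health-check an Apache virtual host while presenting its name in SNI. The vhost names, backend names and the 192.0.2.10 address are assumed; `check-sni` needs HAProxy 1.8 or later and `http-check send` needs 2.2 or later.

    ```haproxy
    frontend https_in
        bind *:443
        mode tcp
        # Hold the connection until the ClientHello arrives so the SNI field
        # can be read before choosing a backend (TLS is not terminated here).
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }
        use_backend vhost_a if { req.ssl_sni -i a.example.com }
        use_backend vhost_b if { req.ssl_sni -i b.example.com }
        default_backend vhost_a

    backend vhost_a
        mode tcp
        # Health check over TLS with the vhost's name in SNI and in the Host
        # header; without check-sni Apache answers with its default vhost,
        # so the check would test the wrong site (or fail on the certificate).
        option httpchk
        http-check send meth GET uri / ver HTTP/1.1 hdr Host a.example.com
        server a1 192.0.2.10:443 check check-ssl check-sni a.example.com verify none

    backend vhost_b
        mode tcp
        option httpchk
        http-check send meth GET uri / ver HTTP/1.1 hdr Host b.example.com
        server b1 192.0.2.10:443 check check-ssl check-sni b.example.com verify none
    ```

    `verify none` is used here because the check only needs to reach the right vhost; if the backend certificate is trusted locally, replace it with `verify required` and a `ca-file` so a certificate swap on the backend is also caught by the check. `haproxy -c -f haproxy.cfg` validates the file before reloading.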
  • Voip Telephones don't get connection

    0 Votes
    2 Posts
    318 Views
    B
    Can a PC ping 192.168.178.1? If not, then your routing/firewall rules are wrong. Should the telephones connect to the Fritzbox? If yes: is that option enabled on the Fritzbox? Can you see something in the error log on the Fritzbox or on the phone? Do you have specific rules to allow traffic from the phones to the Fritzbox? Or do you allow all for testing?
  • In the event of crash

    0 Votes
    4 Posts
    481 Views
    ?
    WinSCP is the easiest method.
  • HAProxy Frontend Limit

    0 Votes
    4 Posts
    1k Views
    P
    Can you try with this patch applied?: .../files/usr/local/www/haproxy/haproxy_listeners_edit.php              | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/pfSense-pkg-haproxy-devel/files/usr/local/www/haproxy/haproxy_listeners_edit.php b/net/pfSense-pkg-haproxy-devel/files/usr/local/www/haproxy/haproxy_listeners_edit.php index 7f2d2af..1647034 100644 --- a/net/pfSense-pkg-haproxy-devel/files/usr/local/www/haproxy/haproxy_listeners_edit.php +++ b/net/pfSense-pkg-haproxy-devel/files/usr/local/www/haproxy/haproxy_listeners_edit.php @@ -361,7 +361,7 @@ if ($_POST) { } if ($_POST['client_timeout'] !== "" && !is_numeric($_POST['client_timeout'])) { - $input_errors[] = "The field 'Client timeout' value is not a number."; + $input_errors[] = sprintf(gettext("The value '%s' in field 'Client timeout' value is not a number."), $_POST['client_timeout']); } }
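    Review bot: the replacement string in this hunk, "The value '%s' in field 'Client timeout' value is not a number.", repeats "value"; suggest "The value '%s' in field 'Client timeout' is not a number." The same line is also the first place the raw $_POST['client_timeout'] string is copied into $input_errors, so confirm that the code which renders $input_errors HTML-escapes each entry before output; if it does not, a submitted value containing markup would be reflected back into the page unescaped, and the safer choice would be to keep the generic message without the interpolated input.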
  • Allow access to Apple IPs?

    0 Votes
    9 Posts
    3k Views
    johnpoz
    Port 5224 is Plesk license updates (outgoing connections only).. Do you run that on your network? Also listed as HP vm console port, etc. udp 123 would be anything setting time.. A lot of apple devices will point to apple for time hard coded.. Many things could have ntp coded… My freaking smart lightbulbs like to go to uk.pool.ntp.org etc.. Even when I hand out local ntp server via dhcp.. They don't care they are hard coded - and I'm in the US.. So I just redirect that fqdn to my local ntp server IP via host override. As to icmp - again many things might ping something out on the net to see if they have internet access.. In your home network seems pointless to not allow outbound for devices you trust to run on your network. If you're curious or paranoid then log it and look into what the traffic is.. I log all my iot devices outbound access.. They normally do dns queries to hard coded 8.8.8.8 for example, they phone home to amazon CDN on https, etc. If I saw them sending traffic to china might be a bit perplexed and look into that for sure. Your 16385-6 is Apple FaceTime, Apple Game Center (RTP/RTCP). Trying to block ports is going to turn into a whack-a-mole game.. Oh shit this doesn't work, open that.. Oh shit that doesn't work, open this.. Oh why do my iot devices not work on the schedule I set - well shit I was blocking them from setting time, etc. etc.
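    Underneath the pfSense GUI, the host override the post uses to point a hard-coded NTP hostname at a local server is an Unbound local-zone/local-data pair. This is an added example, not from the post: the hostname is the one the post mentions, the 192.168.1.1 address of the local NTP server and the 300 second TTL are assumed.

    ```unbound
    server:
        # Answer uk.pool.ntp.org, and any name below it, with the local NTP server.
        # The "redirect" zone type covers subdomains such as 0.uk.pool.ntp.org,
        # which a plain single-name override would miss.
        local-zone: "uk.pool.ntp.org." redirect
        local-data: "uk.pool.ntp.org. 300 IN A 192.168.1.1"
    ```

    Confirm it from a client with `dig @192.168.1.1 0.uk.pool.ntp.org` and check that the answer is the local address. This only works for devices that ask the firewall's resolver; a device with a hard-coded resolver such as the 8.8.8.8 the post mentions never sees the override, and for those the equivalent is a NAT port forward that redirects outbound UDP/53 (or UDP/123) from the IoT segment to the local server.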
  • Ram Disk full

    0 Votes
    4 Posts
    596 Views
    E
    Option 8 console, du -sh command / directory
  • Usb_modeswitch

    0 Votes
    1 Posts
    989 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.