• userland calling deprecated sysctl, please rebuild world

    0 Votes
    25 Posts
    2k Views
    stephenw10S
    Nice find.
  • Host OverRide for UnFi APs

    0 Votes
    47 Posts
    8k Views
    stephenw10S
    Ah, well similar deal if the VPN client is routing all your traffic over the VPN.
  • Block most ports

    0 Votes
    3 Posts
    474 Views
    stephenw10S
    Do you mean outgoing connections? You can allow only the ports you need. You will find there are a lot of ports you didn't realise you needed for most environments. Steve
  • Route traffic out and back in

    0 Votes
    3 Posts
    482 Views
    stephenw10S
    Yeah, DNS override or NAT reflection: https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html Steve
  • AWS pfSense+ Loopback interface

    0 Votes
    8 Posts
    841 Views
    stephenw10S
    Yes, the AWS AMI deploys with mobile IPSec configured but disabled. It has that VIP set to allow mobile IPSec clients to use it for DNS. Steve
  • Traffic Graphs

    1 Votes
    6 Posts
    699 Views
    stephenw10S
    It's always by an interface perspective. How else could it be?
  • OPT1 needs LAN DNS access

    0 Votes
    109 Posts
    20k Views
    L
    @johnpoz LOL, correct :). Thanks very much for all of your input. Even if I am not able to commit it all to memory, I have these threads to come back to when I'm stuck.
  • Weird DHCP server issue.

    0 Votes
    9 Posts
    912 Views
    stephenw10S
    Clear those alerts and reload the filter in Status > Filter Reload to make sure the current ruleset is loading. Those pfBlocker errors are quite common at boot though and not usually a problem. Steve
  • Do the OpenSSH 7.9 CVEs apply to pfSense?

    0 Votes
    6 Posts
    750 Views
    johnpozJ
    @skilledinept said in Do the OpenSSH 7.9 CVEs apply to pfSense?: -to see how readily is info like this available to scanner. You could turn off the banner. Not sure if pfsense allows for that in the gui? But if you're allowed to talk to the ssh and try and negotiate a connection to "auth" you would still be able to get info like what algos and ciphers are possible. You could edit the sshd conf directly, but that would just get reverted on update, etc. Security scanners can be very useful - and fun even. But a lot of what they report really needs to be taken with a grain of salt, if not a whole freaking tablespoon of it ;) But it did do its job - it got you curious, and looking into, and now you prob make for a more secure setup even if what it had reported wasn't really valid ;)
  • Delete a permanent ARP entry when pFSense refuses to do so.

    0 Votes
    7 Posts
    1k Views
    B
    @johnpoz many thanks I shall take it on the chin and update .... will see how things play after that - I guess I took the 'you're on the latest version' for granted.
  • Migrating existing dnsmasq into pfSense

    0 Votes
    4 Posts
    550 Views
    L
    I've created a script to convert the dnsmasq.conf dhcp-host to XML to insert into the config file. I then read it in with vi. It's mostly manual. I also told the dns to include the static dhcp entries. I can now resolve the local names and I hope the DHCP works. I won't know for a few hours.
  • WAN optimization/acceleration

    ipsec ipsec vti qos slow throughput proxy
    0 Votes
    16 Posts
    3k Views
    N
    @rtw915 said in WAN optimization/acceleration: Now the SQL team needs me to find a way to improve SQL linked server transfer rates to synchronize transactions. This will bring you back to the initial wan accelerator solution. The only other possible solution is to redesign the db subsystem, utilizing some way of sql replication, taking into consideration propagation delays
  • WhatsApp is showing connecting but can't connect

    0 Votes
    2 Posts
    327 Views
    GertjanG
    @mike_broxt said in WhatsApp is showing connecting but can't connect: After setting up a NetgateSG-1100 Go back to default, and redo your setting up sequence. Do it step by step - and test each step. As soon as WhatsApp breaks, undo the last step. Done !?! pfSense doesn't block WhatsApp out of the box.
  • Netgate2100 not getting WAN

    Moved
    0 Votes
    4 Posts
    559 Views
    F
    @steveits Yeah, I'll clear the field and see if that makes a difference. And thanks for confirming my thoughts on the SSHguard. :)
  • pfSense 2.5.2 keeps crashing periodically

    0 Votes
    13 Posts
    2k Views
    stephenw10S
    Hmm, I wonder what that's causing that would trigger this...
  • What's a pfSense equivalent to standard linux minicom?

    0 Votes
    6 Posts
    950 Views
    MrPeteM
    @jknott said in What's a pfSense equivalent to standard linux minicom?: It uses a 2400N81 weird serial cable protocol. That isn't weird, it's just slow. It's the cable that's weird ;) -- Designed so if you plug in a standard 9 pin serial, the UPS shuts down My pfsense box runs 8N1 @115.6K. 8N1 is pretty much standard for anything faster than the 110B you'd find on a Teletype machine. That's 8 data bits, no parity and 1 stop bit. BTW, I started in telecom as a bench tech overhauling Teletype machines, where the ASCII models ran 110B... Oh how I know! I used the Teletype and other slow links...we had one at home for my dad's R&D work when I was in jr/sr high school. Graduated to a 300 baud Silent 700 after a while. I had unlimited remote access to the mainframe. Pushed that and paper tape and punch cards out of the way during college. Built a bunch of "glass teletypes" -- adm-3a -- for our university Low Overhead Timeshare System. (They sold as a kit for $200 less than pre-built... paid me $50 to assemble. They assumed $3 an hour and 16 hours, but soon I had that reversed: 3 hr build time, so $16 an hour. Not bad pay for a freshman in 1975 :) )
  • reset anti-lockout rule

    0 Votes
    8 Posts
    1k Views
    stephenw10S
    That looks fine for general access. You don't really need those top two rules, the pass-all rule covers that traffic. The anti-lockout rule will be on your VLAN10 interface. Steve
  • Azure VPN > Head Office > OpenVPN - No Access

    0 Votes
    5 Posts
    562 Views
    T
    That was it! I had everything set up on pfSense after adding the P2, but the Azure VNET wasn't aware of the 10.8.0.0/24 address space. Thanks Stephen.
  • Youtube app can't play , Please help

    0 Votes
    2 Posts
    201 Views
    stephenw10S
    How do you have Wireguard configured? Is the traffic using it? Steve
  • Datadog agent on Pfsense/freeBSD

    0 Votes
    1 Posts
    777 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.