You could do this using an alias with all the client subnets in it and then use that as the source in the firewall rule at site A on the IPSec tab.
That wouldn't filter clients that are at site A that don't use tunnel so you'd still need a rule on the client VLAN there directly.
Or as you say you could put that rule as floating outbound on the resources VLAN at site A.

There are some ways to realize it;

Each LAN Port gets an own subnet like
192.168.1.0/24 and on the next one 192.168.2.0/24 You can also add a switch to each LAN port and enrich
that scenario for more users or devices. You may be able to work with VLANs for privat and home
VLAN10 = Home - 192.168.1.0/24
VLAN20 = Work - 192.168.2.0/24
VLAN30 = WiFi - 172.xxx

You may be able to set up behind the pfSense also a small
MikroTik router for each network if you want.

There are many ways you may be able to walk on.

You can use rewrites in Squidguard. It's limited though, it might do what you need.

Screenshot from 2023-04-14 18-45-20.png

Steve

Um....yes we will need a lot more information to offer any sort of solution here! 😉

@stephenw10 ah that makes sense. Thanks. The 8200 already has uc-18 so it was just a BIOS update.

Probably. I have no insight there. I imagine the intention was to have the widget display flash in some way to alert the user.

@stephenw10 said in Network wide compliance policy:

Right, I'm not sure that's in the open source server.

Ugh that is the paid server for 180 dollars a month "built on the open-source structure".
I think I am gonna stay away from that. Anyways seems like my quest has hit a rough end. I will try to harden my network in a different way.

Thanks for all of the replies. Great community!

@stephenw10 this worked. Thanks!

@rubensan112

I'm pretty sure that IP, 192.168.1.1, is very close to you.
Like 3 foot away, the cable between pfSense and your ISP router.

The idea is that you use another, public, IP, one that is further down "the road", a gateway IP of your ISP.
If that one is to hard to find, you could use some other "nearby" IP, like 8.8.8.8.

I'm using the IP of one of my servers somewhere nearby the main 'ISP gateway' :

ececd44b-0e5d-4945-99ec-7b2f9438d480-image.png

Now I see :

8f8df7d3-43ff-4671-90b1-f7a38245e45a-image.png

Which means :
192.168.10.1 is the IP of the LAN of my ISP router, just 30 away from me and pfSense.
188.165.5x.87 is my server IP, and that one is just to 'test' my uplink.
The whole ieda of all this is : If I (pfSense) can reach (receive answers to my pings) from 188.165.5x.87, I know (and pfSEse) that my connection is ok.

Pinging your upstream router on your site/home makes no sense. That says nothing about the 'quality' of your uplink.
Test this yourself : remove the cable (phone/adsl/coax/satellite disk/fiber/whatever you use) from your ISP router : you will see no alerts in the pfSense GUI dashboard, as your 1921.168.1.1 is still answering, so pfSense thinks the connection is ok.
Well, it's not.

@matrix2113

You could use a VLAN and managed switch to separate WAN & LAN interfaces.

@shaw222 I don’t have a link but forward the ports to your VPN server running on your LAN. I was just brainstorming.

@stephenw10 i got it, thank you so much!. if any doubts will let you know.

@johnpoz said in Cisco vs. pfSense:

Throw ddwrt or openwrt on that 20$ box and he would have cool stuff to play with for days and days.. Vs trying to get 15 year old hardware trying to do something actually productive.

I know both DD-WRT and OpenWRT very well and I also use them.
But even then, the differences lie in the hardware.
Just as I wouldn't buy a PC with water cooling if I only use it for writing programs and the Internet, I don't have to invest expensive hardware for an AP if I don't use it in a productive environment.
As @stephenw10 said so beautifully.....

@stephenw10 said in Cisco vs. pfSense:

It's all relative.

@stewart said in Can't get notifications on 1 firewall to work with Office365:

@bmeeks We have 60 units in production. They are about 75% static / 25% DCHP. That could work for some but not for others. Did you try using an app password?

It's been several months back, but I am pretty sure I tried the app password route and it would not work with the new Office 365 security settings. Microsoft's goal is to completely shut down simple password authentication for SMTP including app passwords.

You can postpone the inevitable for a short time by not turning on multifactor authentication, but eventually you will get forced over to MFA and lose simple password login.

Thanks Gertjan! I have turned it off.

Yes, that's what I meant.

If you're using the CLI and have not recently opened the dashboard you might need to run pfSense-upgrade to pull a current cert before running pkg update.

Steve

Do you have a crash report?

We can usually see what's happening just from the backtrace and panic string contained in it. Neither of those have anything you shouldn't post publicly.

Steve

Reading between the lines I expect to see no IP address on vmbr1.

IP B should be assigned to the pfSense WAN directly.

I assume IP A and IP B are in the same public /24.

Steve

@stephenw10

Seems to be working fine so far. As you said, just making sure that specific devices have their gateway set to the correct firewall for I/O to Internet.

Devices are able to communicate internally so it's kind of a nice simple setup for adding bandwidth in an environment with a number of limitations.

Exactly the same php error?

Undefined function errors like that are more often issues with the upgrade itself.