@deanfourie Normally MITM is achieved by installing a CA cert on each device and then creating "certificates" on the fly. Can be done on a PC but you can't really install your cert on an IoT device.

Easier to just block DoH per the above and then if you need to, allow a device to use it.

@patryan I like the simple ones!

Ted Quade

@pf-sense-help here is a quick walk thru I did years ago, that still valid

https://forum.netgate.com/post/831783

This is how you would create a CA, sign a cert and have your browser trust it. You can use whatever sections of it you need if parts have already been accomplished.

@rcoleman-netgate
Am I correct that the i915 kmod video driver would not help with this as it not loaded at the time boot menu shows?

Btw I tested booting 2.7CE (feb 15th build) from usb-drive and it had the visually correct boot menu.
For proper testing, I would need to swap in another ssd and make a test install with 2.7CE, but I don't think I'll waste time at that...

@johnpoz Thanks! That worked just fine. I am not knowledgable about certificates and was nervous about changing anything that might break web access.

@stephenw10 Yeah, it's recurring, still nothing in a Zpool scrub.

@stephenw10

LOL me 2
ill have to reload the old settings on the old hardware and load the patches 1 by 1 and see what fixed it i guess.

pfSense itself must already have a static IP address on that interface. The DHCP server would not be able to run there if it didn't.

The 'Copy my MAC' function there is the MAC for client you're accessing the gui from, not the pfSense MAC.

Steve

I work for IPinfo. If we are not providing accurate IP geolocation data for you, consider submitting an IP correction request: https://ipinfo.io/corrections

The request goes through the verification process. If the correction is verified within 24-48 hours the geolocation data gets updated.

@johnpoz @dobby_ Thank you I will explore

@rcoleman-netgate Sorry, can not reproduce now this error to make screenshots. Did fresh reinstall of Windows 11 and for this moment no any warnings. That was standard error warning "your connection is not secure and site can steeling your sensitive data."))) Took a look on certificate of this site and was intercept with additional certificate from my ISP! No any idea , how it possible during using of VPN. My laptop was connected with VPN client (ExpressVPN) throw home router ((Router not from ISP and firmware is OpenWRT ) to pfSense box (pfSense plus 23.01 is installed on old laptop). But this warning start coming not immediately on fresh copy of Windows but a few days later. Now after reinstalling will watching out this situation again(((

@ffuentes said in Logs Settings and OpenVPN:

After upgrading from the latest 22 branch to 23.01 I lost my logs settings page
Also OpenVPN no longer wants to start for nether client or server.

I fixed the OpenVPN issue with the patch: https://redmine.pfsense.org/issues/13963

@Stugots open a ticket at https://go.netgate.com and include your current Netgate ID and the order number from your original CE->Plus upgrade token.

I agree, it should almost always be bridged if you're running VBox in any sort of permanent way.

400Mbps between VMs is pretty slow though. That seems like it must be a problem in the VBox config somehow. Though it's been many years since I ran in Windows.

Ok. I can see it now. Thanks for your help.

@viragomann
Yeah I did before you replied and that's actually what told me how it works haha. I thought "it can't be that".

@efriseer
Wake on LAN packets are broadcasted by default. So the packets do not pass a router at all.

If the bot belongs to the server anyhow you can possibly put it behind pfSense as well.
Or send the WoL packet from any other host which resides within the servers L2, maybe from pfSense itself.

@billy_c

Thanks for the additional information Billy! It's all helpful.

@johnpoz said in PfSense pretty slow GUI opening FW rule:

@operations said in PfSense pretty slow GUI opening FW rule:

I don't even use PfBlocker

So you don't have any large aliases setup like with all of the internet IP ranges in them?

Nope, couple of aliasses with one to max 6 or 7 IP's.