So what is the actual problem here? You are unable to browse the web from clients behind the firewall?

That blocked TCP:SA traffic looks like a coincidence to me if it's always from the same remote IP. It's something in particular triggering that.

Do you have outbound NAT set to automatic still?

Check the routing table in Diag > Routes, do you have a default route?

How are you getting a WAN IP? DHCP from your ISP? Is it pulling a valid IP and gateway? I would assume it is since you can ping out correctly.

Check you can open TCP connections? Go to Diag > Port Test. Try to open port 443 to netgate.com.

When you try to open a webpage from a client what actual error do you see?

Steve

I think this will help you
https://docs.netgate.com/pfsense/en/latest/book/config/what-to-do-when-locked-out-of-the-webgui.html
https://forum.netgate.com/topic/13464/change-firewall-rules-with-shell

Yup, connect over VPN is most secure method and hence the recommended one.

https://docs.netgate.com/pfsense/en/latest/firewall/remote-firewall-administration.html

Steve

@Pippin Thank you for show me the origin of the issue. Pointed on github.

EDIT: Full TCP dump of switching cables to fiber ISP and then renewing/releasing DHCP in the UI: https://gist.github.com/marshallford/f6fd85988b2ceaed882cec37038efcfd

EDIT 2: TCP dump of plugging in fiber directly to linux laptop: https://gist.github.com/marshallford/c67afcfb121c13f20df8dc830fc50b13

That is out of the box how it pfsense is - nothing to do for that.. Not sure what part your not understanding about the default deny.. All unsolicited traffic inbound to pfsense wan is just dropped.

Nice! 👍

I didn't see that one, but I'm not terribly crazy about adding even more JavaScript to work around that. Might be worth considering, at least.

You can block without trusting.. You have to use explicit (I believe), ie the client has to point to the proxy.. It will send the connect command for https, so proxy know where trying to go, and can either allow or deny based on that host name...

What you can not do is allow say www.domain.com but block www.domain.com/something without doing mitm... Since onlly the host is sent in the connect.

There is a hangout that I believe goes over this stuff - let me see if can find it.
edit: here you go
https://www.netgate.com/resources/videos/squid-squidguard-and-lightsquid-on-pfsense-24.html
peek&splice.png

edit: Also if all your looking to do is block access to sites, be it http or https wouldn't pfblocker be another option?

It seems that the secure shell daemon not have been running for some reason...all is good now.

Ok @jimp thanks for the feedback. I do hope you can add that to the roadmap, I'm sure it would be useful for many.

Best regards.

Outlook Web Access. About the rules i have only one rule (from any to any).

If i use HAProxy what settings do i have to make?

@jimp said in ext. LDAPS auth flapping after CA import -> only working after restart:

Because of the, let's say "suboptimal", way that PHP requires setting up the LDAP environment for certs

I really laughed hard at "suboptimal" 😁 That's why we love PHP ;)

If you really want to be sure it works, then you could always use a CA for LDAP that can be validated against the global root CA list, like one from Let's Encrypt.

Ah nice idea! Even if not possible ATM as that would mean re-organizing the internal AD and dependencies but a good thought for an update later along the road.

I'd love to fix it, but the new method still isn't working in PHP: https://redmine.pfsense.org/issues/9417

Will have an eye on that one :)

Thanks for the hint about restarting, after restarting PHP-FPM, WebGUI and the OpenVPN servers that used the LDAPS connection all is working again!

UPD: the same issue as described at the beginning of my post is happening when connecting switch to pfSense and RouterA and RouterB to that switch thus hanging two routers on one pfSense port. Seems to be not an issue with virtual switch on pfSense as in this scenario using only one port.
Once separated Port5 and Port6 on pfSense to different private subnets and attaching RouterA and RouterB independently to pfSense box (+NAT with public VIPs) issue is gone. It appeared when both routers are connected to the same bridge or external switch they can't work reliably together. But I would still appreciate if someone can point me to the right direction how to investigate that further and perhaps with some Layer-2 debugging.

Hi johnpoz,

I will verify my connection and try to connect my two subnets to my primary pfsense.

Thank you and regards for your answers.

@provels I havent managed to get it connected to the internet just yet, but a new network switch I picked up yesterday should be coming in tommorow. I'll hook it up and try it.

Otherwise I did try manually downloading and installing the 2012 drivers; but as I made note of above it only displays the cards model, no luck getting it to work.

Will try using online windows update though. I'll report back tomorrow.

@Mats I got win server 2019 running normally now; headless. I control it with RDP over LAN.

XG-7100-1U ... envy that grows 🤤
and don't forget Firewall / NAT / Outbound to set the correct ip to go out for every VLAN

Thanx a lot :)

I still don't have the HP yet but on the current Supermicro board and the two onboard intel NIC, it would drop ping every 20-30 seconds. I'm using the latest build and only the two onboard NIC.

However, when it did work, my speed test yield much better performance than the Asus router that I'm using now. on my 200mbps connection I've only yield 160 ish down but when using PFSense I'm getting closer to the advertised speeds so it's definiteyl a good start.