• XG-7100 1U - questions about pfSense functionality and set up

    0 Votes
    9 Posts
    649 Views
    stephenw10

    You can see what can be done in that video hangout at this point:
    https://youtu.be/xm_wEezrWf4?t=935

    If you were set to splice whitelist and bump everything else I would expect any https not in the whitelist to fail unless you have installed the Squid CA on all the clients.

    Steve

  • Traffic Graph does not show IP's...

    0 Votes
    9 Posts
    1k Views
    KOM

    @kartoff Sure, if you can reproduce the problem.

  • 80/tcp open http, 21

    0 Votes
    4 Posts
    299 Views
    stephenw10

    The public IP is assigned to a client inside the firewall? On an internal interface?

    Are you passing that traffic to it?

    If you have allow rules on WAN and enable logging on those rules you will see traffic passed in the firewall log.

    There is nothing in pfSense that ever listens on port 110 so either that traffic is being forwarded to something else or you are testing against something else accidentally.

    A diagram of how you're testing might help here.

    Steve

  • site-to-site question

    0 Votes
    9 Posts
    785 Views
    stephenw10

    The first thing to do here is make sure you actually need one single layer 2. If a smart TV and media server is indeed what you're using, make sure that you can't just enter the IP address directly in the TV. Some can, and that would allow you to have two subnets and route between them, which would be better for everything else.

    Using 1:1 NAT would allow you to keep the same subnet at each end but still route. But the subnets would 'appear' to be different to clients at each end so the auto discover scenario would still fail.

    Otherwise you would need to run a single subnet and TAP connection between the sites.

    Steve

  • Set up simple http routes to call bash command

    0 Votes
    13 Posts
    970 Views
    N

    Where I come from, there is a difference between "insecure" and "potentially less secure"!
    If someone (magically) exploited this, he would get access to my network anyway, no matter if I run this on my PC, NAS or pfSense device. At least the pfSense device doesn't hold any data that I would consider sensitive.
    Anyway... I think this is going nowhere. I appreciate your concern, but I don't see anyone exploiting this.

  • Unrecoverable machine check exception

    0 Votes
    11 Posts
    2k Views
    M

    Edit:
    I replaced the Dell Optiplex 790 completely with a known good one and got the same crashes, same error message to the letter. The only piece of hardware that was the same was an Intel Pro 1000 NIC. After replacing the NIC the issue is no longer present.

    I was incorrect in believing this issue was related to PFSense. PFSense assisted me in discovering bad hardware as did Jimp.

    MCA: Bank 3, Status 0xfe00000000800400
    MCA: Global Cap 0x0000000000000c09, Status 0x0000000000000004
    MCA: Vendor "GenuineIntel", ID 0x206a7, APIC ID 0
    MCA: CPU 0 UNCOR PCC OVER internal timer error
    MCA: Address 0x3fff805ea790
    MCA: Misc 0x3ffff
    panic: Unrecoverable machine check exception
    cpuid = 0
    KDB: enter: panic

  • routing between two subnets

    0 Votes
    5 Posts
    1k Views
    stephenw10

    You would normally have both private subnets as internal interfaces on pfSense but here you have pfSense inside your network presumably behind some other router for some reason.

    Check for blocked traffic when you're using RDP in the firewall log.

    Do you have the WAN firewall rules open for all the appropriate ports and destination?

    Steve

  • How to bypass proxy for specific domain (not transparent proxy)

    0 Votes
    1 Post
    172 Views
    No one has replied
  • How to install pfsense with usb

    0 Votes
    7 Posts
    11k Views
    stephenw10

    Single user mode gets you to a shell prompt with far fewer things running/loaded/mounted. So if you have an issue with some component you might be able to boot single user mode when the normal boot fails.
    Are you able to boot to the prompt by pressing 2 at that menu?

    Usually it boots the default selection, which is 1, after a few seconds there. You should not have to press anything to boot normally.

    Steve

  • What do you use for Remote Monitoring?

    0 Votes
    2 Posts
    439 Views
    KOM

    Zabbix. There are several agents in the repository.

  • SG-3100 on 2.4.4 Rebooting every day at almost same time.

    0 Votes
    17 Posts
    2k Views
    B

    @bmeeks This was after the crash but before a restart. However, it was only running for a few minutes before I triggered the crash again. For clarity, I just triggered it again. The logs are the same. The last logs were about 30 minutes ago (the exact same as I submitted above), then I triggered the crash. Nothing new was recorded in that log file at the time of the crash.

    When blocking is disabled, the crashes seem to never happen and I can't seem to trigger it.

  • I can't ping my firewall pfSense WAN card

    0 Votes
    7 Posts
    334 Views
    M

    Thank you stephenw
    I solved my problem
    I didn't specify the upstream gateway on the WAN interface

  • pfSense NTP Fluctuating Offset

    0 Votes
    5 Posts
    2k Views
    stephenw10

    Mmm, I agree it seems odd. Have you been able to test it in FreeBSD directly?

    If it is something we are doing in pfSense we could dig into it but if it's something FreeBSD does it would need to be reported upstream really.

    Steve

  • IPTV IGMP Proxy - Working but stuttering

    0 Votes
    1 Post
    692 Views
    No one has replied
  • Wan okay no lan

    0 Votes
    5 Posts
    573 Views
    T

    Yes, from the same subnet, and the register DHCP option was also ticked. The only way I could get it working was to use the DNS Forwarder and add 127.0.0.1 as the 1st DNS entry followed by an external DNS entry?

  • Sata Legacy vs AHCI vs Raid 0 for pfsense?

    0 Votes
    2 Posts
    705 Views
    stephenw10

    I would choose AHCI there if you're going to use a ZFS mirror.

    The hardware RAID controller may or may not be supported but they do relatively often give problems. I would avoid that and use a ZFS mirror instead if you can.

    Steve

  • Tunnel internet traffic from pfSense to AWS/GCP endpoint - options?

    0 Votes
    4 Posts
    409 Views
    stephenw10

    If the client is behind NAT then the tunnel can only ever be established outbound, but that's not really a problem. If you use IPsec you'd need to be sure to use identifiers and a remote IP setting that correspond to the actual public IP.

    Yes, the redirect gateway setting there changes the default route on the client end to send all traffic over the tunnel. That's now just a check box in the GUI; you don't have to add it as a custom option.

    Steve

  • 0 Votes
    2 Posts
    206 Views
    stephenw10

    That's the expected behaviour. You can open a feature request if you think it should be different.
    https://redmine.pfsense.org/

    Steve

  • NTP Servers

    0 Votes
    2 Posts
    261 Views
    johnpoz

    Do you want time to be accurate? Out of the box pfSense uses the ntp pool, which yes will be multiple servers that change even.. Yes ntp asks other ntp servers for the time and picks the best one to sync with.. And then yes it checks quite often, and then as its time gets in sync with the server it will back off on how often it checks, etc.. to longer between checks..

    I suggest you research how ntp works ;)

    But sure, if you don't want it to use the pool, you can set it to use specific ntp servers.. Public lists can be found on the ntp pool site.. But yeah, normal ntp will talk to a few different ntp servers.. Unless you're sure the one you talk to is correct and are not worried about it going offline, etc.

    You do understand the amount of traffic to and from the ntp servers is very small right ;)

    Look in Status > NTP, it will show you which peer you're active with, which others are candidates, and which are outliers - it will also show you how often it will query them for their time.. should start at like every 64s and then slide upward to like 512/1024 seconds between queries..

    If you just want to turn it off - remove all the listed ntp servers. No ntp servers listed, nobody to query.

  • HAproxy with domain vs DDNS

    0 Votes
    2 Posts
    1k Views
    stephenw10

    The benefit is that you don't need to use port forwarding at all and you only need to have one port open. You can have HAproxy listen on the WAN on port 443 and send requests to the appropriate backend server based on the requested URL.
    You don't have to remember what port the services are running on externally just the FQDN.
    It isn't necessarily any more secure though. You only have one firewall rule on WAN, so you can't apply different rules to each service at the firewall level (connection limiting, traffic shaping etc.).
    You still can have HAproxy listen on different ports though if you found you needed that.

    Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.