If cost isn't an issue then most of the vendors have demos you can log into and check out.  If you just want simple networking with basic statistics and such the Ubiquiti is nice.  I've also had great success with OpenMesh and their cloud controller.  Neither are on the level of something like a Meraki.  The big guys let you do things like require a PC to have AV installed to connect to the network, have each AP scan traffic for virii, and application reporting so you can see what programs a user is running to pass the traffic.  It's been a couple of years since I took the training but it's just page after page of features.  They cost a lot more and have annual fees but there are a lot more features.

@hahnice:

Hi
This is my first post but would like to say what a fantastic product pfsense is.

With regards pfblockerNG, I have read a lot of posts describing why you dont need to block the world and only allow certain countries due to the fact that there is a explicit deny on the inbound WAN connection - excepting any configured open ports.

My question revolves around IoT devices like security cameras and Smart TVs that 'call home' on a regular basis. The other worry for me is APPs downloaded from Google Playstore that have the ability to open ports outbound to a unknown destination.

Using Pfsense I found a camera app on my phone that was calling home to mail.ru. This is a worry. Also, my Swan security cameras (hikvision) regularly try to connect to china but are blocked by the country blocker.
I understand that DNSBL stops large amounts of this traffic so if I use DNSBL with regularly updated feeds should i deselect these Countries and let DNSBL stop the traffic?

pfBlockerNG is a great tool if you want to block geographic areas from accessing a viable service since the default WAN block rule wouldn't apply to a port forward.  For example, if you have a Terminal or RDS server with a port forwarded for remote access then the service is out there and available for people to connect to and it needs to be secured.  In this case you can throw RDPGuard on the server (an inexpensive and great product btw) to protect and lock out IPs with failed logon attempts but it would be a better use of resources to just block the packets altogether at the firewall.  That's what pfBlocker would do.  Same thing with an FTP server or a web server.  Once the rule is in place (unless you specify the source IP) pfBlocker becomes useful.  If a needed IP is blocked it can always be whitelisted.

UPDATE
I have created a CA and activate HTTPS/SSL Interception with this configuration :
SSL/MITM Mode –------------- Splice All
SSL Intercept Interface(s)----------- LAN
SSL Proxy Port----------3129
SSL Proxy Compatibility Mode ----------- Modern
DHParams Key Size-------------2048
CA------------- CA Filter (the cetificate that I have created)

other fields are default

At this point everything is ok the blacklist is blocked and the whitelist works but after some minutes some of whitelist goes black for example gmail.com. I have add it as gmail.com / mail.google.com in both Target Categories as whitelist and at Squid Proxy as whitelist at ACL.

Here : System => Advanced => Miscellaneous => Load Balancing => Use sticky connections
Wonder why … Jamerson never spoke abound load balancing.

@Scotts:

yea… windows is nuts

No argument here.  ;D

Steve

An addendum to my previous post. This setup seems to create an Asymmetric Routing issue. I fixed this by creating manual firewall rules per https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules.

In addition, outgoing packets appear to be NAT'ed (they all appear from the outside come from the gateway address). I've experimented exhaustively with the NAT settings and have not been able to resolve this yet. I'll post an update if I figure it out. For now, it hasn't affected any of my services, except that e-mails appear to come from the gateway address, not the mail server address–necessitating some PTR record tweaks.

Disable sync of haproxy on the secondary machine should fix that.

thank you all!

@Videonisse:

Based on recent info from Loopia Support, the recommended API to use is not https://dyndns.loopia.se but https://api.loopia.se/. One important advantage is that you then also can create a separate User for the DNS update and doesn't need to use your admin login for the Loopia Customer Zone.

But are there any specific reason why you want to use the old API?

https://translate.google.se/translate?hl=sv&sl=sv&tl=en&u=https%3A%2F%2Fsupport.loopia.se%2Fwiki%2Fuppdatera-dynamisk-ip-adress-med-loopiaapi%2F&sandbox=1

I'd much rather use the new API of course. But… how would I do that?

Anyhow, I've switched to OPNsense so it doesn't matter for me anymore.

My outdated knowledge of Cisco vaguely recall such HELPER feature, can always google it and find out exactly what it does then attempt to replicate in your environment. Things to also look at NETBIOS, NETBIOS OVER TCP/IP, WINS.

It might be better for you to seek such explanation from VMware. I noticed the same thing after installing Ubuntu on VirtualBox recently; however, I just went with what worked.

I think I figured it out.
Thx 4 Ur help.

Sam

You could bridge your WAN interface and WAN passthrough interface.

https://doc.pfsense.org/index.php/Interface_Bridges

any ideas?

What a bummer!

Whilst I had copied every setting the key one username needed the domain name in front of it. All sorted now.

On a side note it would be useful if the syslog printed the LDAP error message when something goes wrong. I had to edit the auth.inc file to get additional logging to see what was going on.

So, is it working now? If not, did you go to Services > DHCP server and enable the service on LAN?

one DHCP server per one subnet