• pfSense Blocking MAF... any idea why and how???

    6
    0 Votes
    6 Posts
    941 Views
    @longhorn said in pfSense Blocking MAF... any idea why and how???: @stephenw10 appreciate your thoughts and comments. I've now been able to determine it's not a network issue - as you said - but appears to be narrowed down to my Windows 10 workstations. Snooping some of the forms not displaying correctly to the end user, they share some characteristics: iframe JavaScript calling a 3rd party site for MFA Security software might do things like that.
  • "Cannot delete alias. Currently in use by ." [Not reproducible]

    4
    0 Votes
    4 Posts
    637 Views
    johnpoz
    @mrpete said in "Cannot delete alias. Currently in use by ." [Not reproducible]: it sure would help to list the interface name along with the description :) Yeah prob be best to list as much info as possible, interface, actual rule number, etc.
  • Pfsense maximum fiber output and traffic

    5
    0 Votes
    5 Posts
    630 Views
    stephenw10
    Really we need to know what bandwidth you're actually going to be routing/filtering. I would assume you will not be passing (or trying to) 10Gbps between those VLANs if each client is limited to 100M. If it's all going to be WAN-LAN traffic what's the available WAN bandwidth? Steve
  • Automating CRL

    2
    0 Votes
    2 Posts
    431 Views
    @leacho73 for openvpn look here: openvpn-external-crl-automatic-renewing-openvpn-restart So... you could download the CRL with Curl, transform it into x509 and drop it where it is needed.
  • How to use Lightsquid and set configuration

    9
    0 Votes
    9 Posts
    989 Views
    KOM
    @tiger-0 Services - DNS Resolver or DNS Forwarder, depending on which you use. Resolver is the default.
  • Gateway Alarms when saving changes

    3
    0 Votes
    3 Posts
    483 Views
    @stephenw10 that did the trick! Thanks a bunch
  • Slow Network Problems - pfSense is Firewall + DHCP Server.

    6
    0 Votes
    6 Posts
    799 Views
    stephenw10
    @crucialguy said in Slow Network Problems - pfSense is Firewall + DHCP Server.: Users are great.
  • Update is trying to roll back?

    6
    0 Votes
    6 Posts
    698 Views
    @stephenw10 bugger, ok thanks
  • Email Notification error when using microsoft exchange

    7
    0 Votes
    7 Posts
    2k Views
    @lohphat said in Email Notification error when using microsoft exchange: Newer Office365 tenants have MFA (Multi-Factor Auth) enabled (i.e. login verification by MSFT Authenticator app or SMS) so that simple name+password+STARTTLS is going to fail. You first have to ENABLE SMTP Auth as an allowed auth method in the user's Mail / Manage Mail Apps settings. SMTP Auth is now DISABLED by default so it has to be checked for it to work at all. There is a way to disable this I believe by creating an "application password" which is accepted for auth, bypassing MFA. You have to set the user account to "Enforce" MFA first. Then go to https://mysignins.microsoft.com/security-info as the user and then add a method "App password" to create the static password to allow login without MFA. More detail here: https://d365demystified.com/2021/10/17/allow-users-to-create-app-passwords-in-office-365-multi-factor-authentication/ I'm working on this now as I just migrated to O365 and all my automated notifications are broken. Thanks. This is what was causing the issue... I enabled SMTP Auth and now everything works fine.
  • Radius Auth with LDAP

    2
    0 Votes
    2 Posts
    269 Views
    stephenw10
    Hmm, why are you not going straight from pfSense to the LDAP server? With LDAP auth. Steve
  • SYSLOG FORMAT

    4
    0 Votes
    4 Posts
    710 Views
    stephenw10
    The filter log format is described here: https://docs.netgate.com/pfsense/en/latest/monitoring/logs/raw-filter-format.html I'm not sure what sort of capability PRTG offers to parse that structure though. Steve
  • Duplicate Rules Entries

    13
    0 Votes
    13 Posts
    2k Views
    stephenw10
    Ah, good to hear.
  • copy of the shallalist

    4
    0 Votes
    4 Posts
    2k Views
    @xtjoras-0 Good morning. Friend, I'm also looking for another solution similar or identical to what the shallalist provided; if you find any leads, give a shout here too. Regards.
  • This topic is deleted!

    1
    0 Votes
    1 Posts
    11 Views
    No one has replied
  • I can access pfSense GUI, but can't communicate with LAN over VPN... ?

    3
    0 Votes
    3 Posts
    427 Views
    stephenw10
    Are you accessing the GUI using the LAN IP? Is pfSense the default gateway for the LAN side clients you're trying to access? The LAN side hosts might be blocking access from anything outside their own subnet. The Windows firewall will do that by default for example. Steve
  • SSL Error on Certain Websites behind pfSense

    6
    0 Votes
    6 Posts
    4k Views
    stephenw10
    Yeah, that's definitely pfBlocker's DNS-BL returning the single pixel it hosts. Just stopping pfBlocker is not enough to clear the DNS lists from Unbound. You have to disable DNS-BL and save/apply that. Steve
  • monitor pfsense disk via snmp not working with version 2.6.0

    Moved
    2
    0 Votes
    2 Posts
    333 Views
    stephenw10
    What response are you seeing now? What were you seeing?
  • is 3-way High Availability nodes possible?

    6
    0 Votes
    6 Posts
    698 Views
    stephenw10
    You can run more than 2 HA nodes. It's not supported though. 3 is relatively easy, more requires some code changes. That's because the config sync code adds 100 to the advskew of the CARP VIPs for the target and the maximum is 255. So the 1st node is 0 on all CARP VIPs and syncs the 2nd node as 100. The 2nd node syncs (which it would not normally do) to a 3rd node at 200. Other parts of the config sync may fail. The DHCP servers auto configure two nodes to share the load but I have no idea what it would do with 3. The CARP VIPs can exist with many nodes as long as they advertise at slightly different rates. You would have to use multicast state sync if you need seamless failover so all nodes see all other nodes. That could be a significant amount of traffic. I have occasionally seen people run more than two nodes but YMMV! Steve
  • Webconfigurator slow through MANAGEMENT interface after upgrade from 2.5.2 to 2.6.0

    0 Votes
    38 Posts
    4k Views
    stephenw10
    @johnpoz said in Webconfigurator slow through MANAGEMENT interface after upgrade from 2.5.2 to 2.6.0: Well have no idea how you're blocking on the outbound direction then? Lack of state? Exactly, it passes the TCP:SYN outbound on MGMT on PF01. Then the SYN:ACK from PF02 goes direct. Then the client responds ACK, there must be something to allow that in on PF01 LAN, but it's blocked outbound on MGMT because it never saw the SYN:ACK. Usually in that sort of setup you end up having to add sloppy-state/all-flags rules on every interface in the route, In and Out. You might be able to just check the box though: https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html#automatic-fix Steve
  • pfSense Accessing my Access point Router

    17
    0 Votes
    17 Posts
    2k Views
    stephenw10
    In Firewall > NAT > Outbound first set the mode to Hybrid. Then add a rule on the LAN. Make it as specific as possible to avoid catching other traffic. So I would do at least: Source: OpenVPN subnet Destination: Access Point/Router IP address. Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.