• HAProxy - URL Redirect/Rewrite with SNI

    0 Votes
    4 Posts
    2k Views
    @LesF In TCP mode (where traffic passes through unchanged) HAProxy can read the SNI 'hostname' requested. But it cannot send an HTTP reply (a website redirect is a Layer 7 HTTP action, not an SSL Layer 6 one). It can choose a different backend server with ACL checks for a specific requested hostname. But it doesn't sound like that's what you're after. I think what you currently want is impossible.
  • WAN IP, Behind "Router"

    0 Votes
    11 Posts
    1k Views
    arrmoA
    @Bob-Dig No worries! I did check, with a specific server trying to use UPnP. If I don't manually set the WAN IP, it flags "Router WAN IP: Unknown". But if I set it ... it's happy, and uses it. I also have no issue writing a script to get my WAN IP, but I'm not sure how to then set the variable in pfSense. Thanks!
  • Fusion Inventory Agent on pfSense 2.3.1

    0 Votes
    8 Posts
    4k Views
    stephenw10S
    Yup, if you must do it then use the correct pkg versions. Just be aware of the risks before doing so. Steve
  • iPerf3 Transfer Rates

    0 Votes
    6 Posts
    748 Views
    I have found the bottleneck to be ntop. Once disabled my throughput was better but not perfect. It seems ntop needs to be fine tuned for connections greater than 1GB otherwise it cannot process the data fast enough.
  • Cannot send mails using office365 smtp server

    0 Votes
    20 Posts
    37k Views
    I know this is old but it was a top search result. The good news, there are 3 methods: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365 The bad news: the purple note in section 1 (info on using a login and password) on that page: "This option is not compatible with Microsoft Security Defaults or multi-factor authentication (MFA). If your environment uses Microsoft Security Defaults or MFA, we recommend using Option 2 or 3 below. You must also verify that SMTP AUTH is enabled for the mailbox being used. See Enable or disable authenticated client SMTP submission (SMTP AUTH) in Exchange Online for more information."
  • Cant reach my imap server

    0 Votes
    14 Posts
    1k Views
    Hi. Well, it can be rebuilt, and a backup from 2019 is that; it unfortunately did not help this time. This is the only error I managed to find: [image: 1602307967870-2966d30d-3a18-4c9d-87af-51cdf84078e6-image.png] The big question is: why does my computer reach the mail server when on the OFFICE LAN and not on the HOME LAN? Same internet provider (get.no) and same mail provider. The only difference is the router config: HOME: pfSense + bridged get.no router; WORK: only the get.no router. The reason I mention the SSL certificate is that it is information you forum users may understand and connect to my mail issue. The mail provider writes on his home page: "Use of encryption (SSL) If you wish, you can use encrypted connection to the mail server. Note, however, that your e-mail server does not have its own so-called SSL certificate, but shares this with other customers. You will thus get a warning in your e-mail reader the first time you activate SSL which says that the certificate does not match your domain name. You must accept the certificate then presented before you can use SSL."
  • Auto DHCP Renew not working on WAN (How to fix it), updated script

    0 Votes
    3 Posts
    2k Views
    stephenw10S
    You uncommented the diag lines and checked the log file like it says? What does it show?
  • dpinger cron

    0 Votes
    6 Posts
    931 Views
    stephenw10S
    Try running: /etc/rc.newwanip
    That will run more things than you actually need but does restart dpinger.
    Oct 9 18:03:12 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 172.21.16.1 bind_addr 172.21.16.226 identifier "WAN_DHCP "
    Oct 9 18:03:12 php-cgi rc.newwanip: rc.newwanip: Info: starting on .
    Oct 9 18:03:12 php-cgi rc.newwanip: rc.newwanip: on (IP address: 172.21.16.226) (interface: WAN[wan]) (real interface: igb0).
    Oct 9 18:03:13 php-cgi rc.newwanip: Gateway, none 'available' for inet6, use the first one configured. ''
    Oct 9 18:03:16 php-cgi rc.newwanip: Resyncing OpenVPN instances for interface WAN.
    Oct 9 18:03:16 php-cgi rc.newwanip: Creating rrd update script
    Oct 9 18:03:19 php-cgi rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 172.21.16.226 -> 172.21.16.226 - Restarting packages.
    Oct 9 18:03:19 check_reload_status Starting packages
    Oct 9 18:03:20 php-fpm 2184 /rc.start_packages: Restarting/Starting all packages.
    You can specify which interface it is too so it only restarts your 4G WAN. Steve
  • Lab VM pfsense bridge CPU Usage 100%

    0 Votes
    4 Posts
    722 Views
    Or even a second router seems better than days of effort, and one will have continuous uptime during pfSense updates also: https://docs.netgate.com/pfsense/en/latest/highavailability/index.html https://docs.netgate.com/pfsense/en/latest/recipes/high-availability-multi-wan.html Note the interface names have to be the same in order to sync states. https://docs.netgate.com/pfsense/en/latest/highavailability/pfsync.html#pfsync-and-physical-interfaces
  • Installing without actual WAN/LAN IP address

    0 Votes
    4 Posts
    426 Views
    Thank you both for your replies. @bingo600, my existing home LAN is not in the default and I plan to install the default for him, so I should be OK. @JKnott yeah, that makes sense... that way there wouldn't even be any need to explicitly change the WAN IP during deployment. Glad to know that it's just as easy :)
  • mPCIe modem: have to reboot after connection is lost

    0 Votes
    4 Posts
    493 Views
    FYI, this has not re-occurred yet so I am going to assume this was a one off.
  • Changing pysical interface definition - And firewall rules

    0 Votes
    3 Posts
    394 Views
    bingo600B
    Thanx Steve. For the reassurance. And yes .. A reboot would not have been optimal. /Bingo
  • Empty coretemp entries in thermal sensors widget

    0 Votes
    14 Posts
    1k Views
    I changed the php file under /usr/local/www/widgets/widgets/thermal_sensors.widget.php and it worked. Thanks!
  • pfSense-based network security appliance?

    0 Votes
    29 Posts
    3k Views
    GertjanG
    @ErniePantuso : @stephenw10 said in pfSense-based network security appliance?: The MITM part is still via Squid so the same things apply. You have to install the CA certs on the client or configure them to use the proxy explicitly. As you might have noticed for a long time, nearly every program has settings that enable you to set up a proxy. When a proxy is used, your program will use it for all its "Internet" communications, and the proxy will do the request on the program's behalf. Normally, when your browser wants to connect to "forum.netgate.com" it will resolve this host name into an IP, and connect to that IP. While requesting info (a web page), "forum.netgate.com" will reply back with a server certificate that embeds the name of the host you are connecting to. Now your browser knows it's actually communicating with "forum.netgate.com". When you use a proxy, when your browser wants to connect to "forum.netgate.com", it will connect to, for example, 192.168.1.1 - where the proxy 'lives', and that one will certainly not answer with "forum.netgate.com" (that's impossible). It will probably be something like "pfsense.yourlan.tld". Your browser is informed that this is a proxy it has to use, and it is informed to accept this certificate. The proxy will go ahead and do the real request to "forum.netgate.com" for you. It will do the normal TLS verifications, and answer back to the browser with the results. For a short moment, the data received on the proxy is visible. It could do all kinds of data inspection. 3 reasons why all this isn't as simple: For all programs, all protocols, all ports, the proxy should know how to handle the traffic. Basic web browsing, ok, that will work. But web pages could contain scripts, and they can do whatever they want, in a totally undocumented way ... proxies won't work: the web page doesn't 'work' any more. Every program on a device has to be set up to use the proxy.
    Maybe an OS-wide setting is possible, but now you should hope programs actually respect this. If a server certificate announces "HSTS" your proxy won't work any more (edit: that is, the browser will not accept the proxy certificate as a replacement). And guess what, more and more sites use HSTS these days. Because "sites" want to talk to the 'real' person, not some MITM guy, as these sites have to guarantee the end user that the data isn't robbed, scanned, mistreated etc etc. Btw: these are my words. Never used a proxy, squid etc. I'm just reading about it, for years, a decade or so. @jimp's videos, which @stephenw10 mentions above, are very well done. Many more exist on YouTube. True, I tend to say that the usefulness of a proxy doesn't exist any more. It's something of the past. MITM has to die. It wasn't "The solution".
  • Fatal trap 12

    0 Votes
    10 Posts
    2k Views
    Hi, I have resent the PC to the retailer, who sent me back a new motherboard with CPU and NIC integrated. It's now OK, many thanks for your help.
  • Plex DLNA across 2 subnets

    0 Votes
    11 Posts
    2k Views
    Raffi_R
    @tobiasfrajka I feel your pain. I had similar issues with trying to cast YouTube from my phone on one subnet to my Xbox on another subnet. Of course I made sure it worked when on the same subnet. Followed all the tutorials, videos, threads and suggestions, and had any-any rules on both networks, but I eventually gave up. I don't know if I was missing something or if something has fundamentally changed with how casting and SSDP/mDNS work, and whether the solutions people once had success with are still relevant. I was actually more interested in understanding why it didn't work than anything else, but never got to the bottom of it. I was even trying to compare packet captures of the working setup on the same subnet vs. the broken one, but I had no idea what the packet process should look like when it's working. I wish someone with deeper knowledge could shed some light on that or how to troubleshoot such issues.
  • Private Mac addresses in IOS14

    0 Votes
    69 Posts
    11k Views
    AKEGECA
    @jwj, I suggest you watch The Social Dilemma on Netflix. It's exactly what you're talking about. [image: 220px-Social_dilemma_xlg.jpg]
  • Azure Pfsense + Application Gateway + vNet Peering

    0 Votes
    2 Posts
    744 Views
    Turns out global vNet peering on the LB function of Application Gateways is not supported. This is an Azure Application Gateway limitation and not related to pfSense: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-troubleshoot-peering-issues. Posting this on 10/5/2020 in case anyone else runs into this issue; I hope this helps.
  • How to create an alert for when someone connects via VPN to my network

    0 Votes
    5 Posts
    460 Views
    Connection script -->
    #BEGIN EDIT
    /bin/echo "Client $common_name from $trusted_ip connected @ date" | /usr/local/bin/mail.php -s"OpenVPN Connection Beginning"
    #END EDIT
    Disconnection script -->
    #BEGIN EDIT
    /bin/echo "Client $common_name from $trusted_ip disconnected @date" | /usr/local/bin/mail.php -s"OpenVPN Connection Ending"
    #END EDIT
    These scripts work perfectly, I have just tested them. This is how the "openvpn.attributes.sh" script should look: [image: 1601906994131-30c42a3b-68e4-4c13-a83e-828d0a586bcc-image.png] Regards
  • DHCP server and bridged interfaces

    0 Votes
    9 Posts
    2k Views
    stephenw10S
    Do all interfaces in the bridge fail to hand out DHCP leases? Or just this new one? If the pcap shows the DHCP offer leaving the member interface either it's not reaching the client or the client is rejecting it. The client and server are using the same OUI there, they are both virtual devices? Something in ESXi blocking/dropping it? Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.