• Is igmpproxy (igmpproxy-0.1_3,1) still broken?

    0 Votes, 4 Posts, 719 Views

    To make matters worse, the debug version I created and compiled works. Apparently there is a difference between the igmpproxy-0.2.1 in the FreeBSD repository (I didn't build that) and the same version when built with FreeBSD ports.

    So I was able to build an instance of 0.2.1 that works, but I'll never know what is wrong with those others.

  • 4G/3G Dongle Failover - Anyway to power down while on standby?

    0 Votes, 8 Posts, 937 Views

    @stephenw10 Ahh all good!!

    Really appreciate all your help.

  • Encrypted browser-Squid connection

    0 Votes, 5 Posts, 1k Views, last reply by stephenw10

    @evilside said in Encrypted browser-Squid connection:

    but I don't care, almost nobody uses that browser.

    😆

  • [Noob Need help] Any good Ethernet Nic for 2.4.4 [solved]

    0 Votes, 3 Posts, 413 Views

    @tim-mcmanus Ahh, thanks :D, I might go for the SFP since I can future-proof it, or both. Thanks again :)

  • DMZ bridged to WAN cannot reach LAN

    0 Votes, 25 Posts, 2k Views, last reply by stephenw10

    I think the main point here is that the best practice is to store only the minimal amount of data required in the DMZ and limit access to anything on the LAN to only what is required.

    However you have to make some assessment of the risk. Is the git server going to be open to the world or only restricted source IPs?

    The term DMZ used here implies it is exposed and needs to be walled off from other subnets but that might not be the case. Or at least not in the traditional sense.

    Steve

  • Backup configuration remotely

    1 Vote, 2 Posts, 268 Views, last reply by stephenw10

    It is.
    Yep, just use one of the methods shown there if you need to do it. Or just use Auto Config Backup:
    https://www.netgate.com/docs/pfsense/backup/autoconfigbackup.html

    Steve

  • Problem WAN

    0 Votes, 17 Posts, 796 Views

    @stephenw10
    After three hours of constant download at 100 Mb/s there was no loss of connection, I hope it continues like this.
    At the next restart I will check.
    Thanks again for the help.

    EDIT: I confirm that I have solved the problem by replacing the Realtek drivers included in pfSense.

  • Need help for Virtual ip

    0 Votes, 3 Posts, 384 Views, last reply by stephenw10

    More likely something upstream is configured to expect your mail server to have 88:xx:129.147 as its public IP and you have not added an outbound NAT rule to use that for traffic coming from the mail server. A 1:1 NAT rule would handle that both ways.

    Steve

  • Microchip® CryptoAuthentication Device

    0 Votes, 2 Posts, 428 Views, last reply by johnpoz

    Have to say I agree, a company about security isn't using DNSSEC for their DNS... Which is really low-hanging fruit to pick too...

    DNSSEC is not that hard ;) It really is a shame that all domains are not doing it - the hardest part is a registrar that actually supports it... Even though my understanding is it's a requirement to be an actual accredited registrar...

    I know when I fired up a domain to play with DNSSEC back in 2015, they had .xyz on sale and said they supported DNSSEC - yet it took some emails to their support to actually get their implementation on their website to work... And I looked around at the time, Namecheap didn't even support it... From what I recall...

    While it's only a domain I use for my personal stuff, and use it for mostly testing - it's not that hard to add stuff or maintain sign-off on your records... I have a cron job that runs, and a script I run when I add new records or edit them, etc.
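    The registrar step johnpoz describes is where most DNSSEC setups go wrong: the DS record pasted into the registrar's form must match the KSK your signing script publishes in the zone. The script below is an added example (not code from the post, from pfSense or from any registrar) that computes the RFC 4034 key tag and SHA-256 DS digest for a DNSKEY and checks a DS line against it. The owner name example.com. and the DNSKEY are constructed: the key bytes are simply 0..63 and are not a real P-256 point, so only the arithmetic, not the key, is meaningful.

    ```python
    """Compute the DNSKEY key tag and the DS record a registrar expects.

    Added example, not code from the forum post or from pfSense. The DNSKEY
    below is a constructed algorithm-13 (ECDSA P-256) key whose 64 key bytes
    are 0..63; it is not a real key. The helpers follow RFC 4034 (key tag in
    Appendix B, DS digest in section 5.1.4) so you can verify that the DS you
    pasted at the registrar matches the DNSKEY your signing script publishes.
    """
    import base64
    import hashlib
    import struct

    # Constructed sample: flags 257 = KSK with SEP bit, protocol 3, algorithm 13.
    SAMPLE_OWNER = "example.com."
    SAMPLE_FLAGS = 257
    SAMPLE_PROTOCOL = 3
    SAMPLE_ALGORITHM = 13
    SAMPLE_PUBKEY = bytes(range(64))  # constructed placeholder, not a real key


    def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
        """Wire-format DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
        return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


    def key_tag(rdata: bytes) -> int:
        """RFC 4034 Appendix B key tag (valid for every algorithm except RSAMD5)."""
        ac = 0
        for i, byte in enumerate(rdata):
            ac += byte if i & 1 else byte << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


    def owner_wire(name: str) -> bytes:
        """Canonical (lowercase) wire-format owner name, RFC 4034 section 6.2."""
        labels = [label for label in name.lower().rstrip(".").split(".") if label]
        return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


    def ds_record(owner: str, rdata: bytes) -> tuple:
        """Return (key tag, algorithm, digest type 2 = SHA-256, hex digest) for a DNSKEY."""
        digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
        return key_tag(rdata), rdata[3], 2, digest


    def parse_dnskey_presentation(text: str) -> bytes:
        """Parse the zone-file form 'flags protocol algorithm base64key' into RDATA."""
        flags, protocol, algorithm, *key_parts = text.split()
        return dnskey_rdata(int(flags), int(protocol), int(algorithm),
                            base64.b64decode("".join(key_parts)))


    def ds_matches(owner: str, dnskey_text: str, ds_text: str) -> bool:
        """True if a DS line 'tag alg digesttype hexdigest' matches the DNSKEY for owner."""
        tag, alg, dtype, *digest_parts = ds_text.split()
        if int(dtype) != 2:  # only SHA-256 DS records are handled here
            return False
        computed = ds_record(owner, parse_dnskey_presentation(dnskey_text))
        return computed == (int(tag), int(alg), 2, "".join(digest_parts).upper())


    def sample_dnskey_text() -> str:
        """The constructed DNSKEY in presentation format."""
        key_b64 = base64.b64encode(SAMPLE_PUBKEY).decode("ascii")
        return f"{SAMPLE_FLAGS} {SAMPLE_PROTOCOL} {SAMPLE_ALGORITHM} {key_b64}"


    def sample_ds_text() -> str:
        """The DS line you would hand to the registrar for the constructed DNSKEY."""
        tag, alg, dtype, digest = ds_record(SAMPLE_OWNER, parse_dnskey_presentation(sample_dnskey_text()))
        return f"{tag} {alg} {dtype} {digest}"


    if __name__ == "__main__":
        print("DNSKEY:", sample_dnskey_text())
        print("DS    :", sample_ds_text())
        print("match :", ds_matches(SAMPLE_OWNER, sample_dnskey_text(), sample_ds_text()))
    ```

    In practice you would feed ds_matches the DNSKEY your zone actually serves and the DS line as the registrar shows it, after the change has propagated; a mismatch in the owner name (a different zone, or a trailing-dot slip) changes the digest even though the key is the same, which is the failure the owner_wire canonicalisation guards against.
    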

  • Session cookie

    0 Votes, 3 Posts, 590 Views, last reply by stephenw10

    Exactly, you cannot. In general pfSense will not allow any connections inbound from some external web server. Only responses from servers for which outbound connections have been opened are allowed.

    Steve

  • Load balancing not distributing evenly...

    0 Votes, 3 Posts, 448 Views

    @tim-mcmanus

    Thanks a lot Tim... I am going to read it carefully and will post results...

    Pedreter.

  • Auto config backup on URL alias update

    0 Votes, 3 Posts, 339 Views

    But actually this is not a change, because the alias URL remains the same; the IPs in the list could change (for sure not every night, at least in my case),
    but a backup is not needed because anyway, when you reuse it, it will download the updated list again.

    If you consider the IP list a (potential) change, then a backup should also be taken when a DNS alias is resolved to another IP address; it's exactly the same thing.

  • PPPoe Client Goes Down after Any other Interface config change

    0 Votes, 3 Posts, 564 Views

    Same behavior related here: https://redmine.pfsense.org/issues/8512

  • Spontaneous corruption?

    0 Votes, 7 Posts, 769 Views, last reply by chrismacmahon

    First step is to see why this is happening to you. I agree it's most likely related to the configuration/local setup of the devices.

    Before you reboot the device, you should navigate over to Status > System Logs, take note of the information there, and try expanding it to a few thousand entries; there will be something noted in this area about what is causing your lack of internet access.

    I would suggest getting a console session going, our SG-2440 Manual has a great guide on gaining access to the console.

    What packages do you have installed on your device? If you run df -h from the command prompt, how much disk space is there?

    The more information you can get to us, the better someone can assist you.

  • High RTT latency on wan [SOLVED]

    0 Votes, 37 Posts, 17k Views, last reply by stephenw10

    @tejas said in High RTT latency on wan [SOLVED]:

    I am using pfSense 2.3.5-RELEASE-p2 (i386) on Intel Pentium G2020 @ 2.90GHz

    Why are you running 32-bit on that CPU? You should be running 2.4.4 there really.

    About the only reason those interfaces would not show in the Firewall > Traffic Shaper > By interface tab is if they don't support ALTQ. You would have to check exactly what hardware they are to know for sure though. I would expect the Intel NIC to support it but their ix NICs do not. What are the actual port names listed? re0, re1, em0?

    pfBlocker and Squid do different things; they should not interfere. But bear in mind connections coming from Squid will always have the default WAN as the source IP. pfBlocker can block connections on LAN before they reach Squid if you have it configured to do so.

    Existing states are not removed when you change the ruleset. So if you want to move a client to use a different gateway you would have to kill any open states on the old gateway or just wait for them to timeout. Only new states will use the changed rule.

    It is accurate. If traffic is passing and you see no states there it is not being passed by that rule.

    If you want to do full SSL traffic inspection you have to install the generated CA on the clients; there is no way past that. However you can do 'peek and splice' to filter by FQDN only. See: https://youtu.be/xm_wEezrWf4?t=637

    If any of those alerts are against legitimate traffic you need to suppress them or disable the rule that is being triggered before you switch to blocking mode or you will block required traffic.
    https://www.netgate.com/docs/pfsense/ids-ips/setup-snort-package.html#alert-thresholding-and-suppression

    Steve

  • Access Pfsense website GUI and another website slowly when block port 443

    0 Votes, 4 Posts, 468 Views, last reply by stephenw10

    What other rules do you have on the LAN?

    Is the GUI running on port 443?

    Do you see blocked traffic in the firewall log after disabling the rule?

    Steve

  • Pfsense using for ISP

    0 Votes, 3 Posts, 479 Views, last reply by stephenw10

    A diagram showing what you want to do would help a lot here.

    Steve

  • how to block clients that are using VPN or like browsec tunnel

    0 Votes, 2 Posts, 337 Views, last reply by stephenw10

    It depends how restrictive you want to get. It can be difficult to impossible to completely eliminate that though.

    You can block all traffic except ports 80, 443 and 53. The Squid rules will redirect 80 and 443 to itself and you can add a port forward to redirect all DNS to Unbound. You will break many things though and get a lot of complaints!

    Steve

  • 0 Votes, 16 Posts, 2k Views

    I managed to make 2.2.6 detect my Realtek NIC by patching the driver. But just now realized that the PPTP feature on the pfSense is only for setting itself as a VPN server. Opposite of what I wanted 😅

  • Suricata causing unbound to crash

    0 Votes, 4 Posts, 534 Views, last reply by stephenw10

    Ah, then you should update unbound:
    pkg upgrade unbound
    It will pull in a new strongswan version with that.

    Or try a 2.4.5 dev snapshot which contains that.

    Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.