  • pfSense ASV scan

    0 Votes, 3 Posts, 515 Views

    Thank you for your quick response and advice. I will ignore it.

  • Which method of routing traffic over OpenVPN is correct?

    0 Votes, 8 Posts, 1k Views

    Understood, I wouldn't mind understanding it better myself :)  But unfortunately I don't know how (or even if it is possible) to configure and use a VPN client connection without subsequently assigning an interface to it. Hopefully someone more knowledgeable will drop by...

  • DNS problem with synology and pfsense

    0 Votes, 1 Post, 639 Views
    No one has replied
  • Port Forwarding.

    0 Votes, 6 Posts, 884 Views

    Sorry, the 10.0.2.10 is a NAT address.
    I checked the settings on 10.0.1.200 (SAP router)
    and the gateway was set to 10.0.1.1, which is a MikroTik router, so I changed the gw to 10.0.1.2, which is my pfSense.
    Telnet…Works
    niping...Works

  • Pfsense 2.4.3 support san cert?

    0 Votes, 2 Posts, 425 Views
    jimp

    In what way? Your question is a bit too vague. Can you be more specific about what you're wanting to do with the certificate?

    pfSense 2.4.3 can create certificates with SANs, and they work fine for things like the GUI. I'm not aware of any problems in any area of pfSense with using SANs.

  • New update for version 2.4.3?

    0 Votes, 5 Posts, 487 Views
    KOM

    Have you upgraded your pfSense from 2.4.2 to 2.4.3, or just installed 2.4.3 fresh from scratch?

    Upgrade.  There is no reason to install from scratch.

    Did these things not happen on your pfSense? Did you increase the variables in the bogonsv6 file?

    No.  I waited a couple of weeks after release to let the early bugs get found before I put it in production.  When I saw the bogons issue, I increased my Firewall Maximum States before I upgraded so I would avoid the problem.

    I can't speak for other people's issues but it's working fine for me.
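    The 2.4.3 bogons problem discussed above comes down to table size: pfSense loads /etc/bogonsv6 into a pf table, and pf enforces one global limit on table entries (the "Firewall Maximum Table Entries" value under System > Advanced > Firewall & NAT). The check below is an added example, not code from the thread or from pfSense: it counts the prefixes a bogon list would load, reports lines pfctl could not parse, and compares the total with a limit you pass in. The sample list and the limit of 400000 in the usage call are constructed values, not defaults read from a box.

```python
from __future__ import annotations

import ipaddress

# Constructed sample in the one-prefix-per-line layout of pfSense's
# /etc/bogonsv6 ('#' starts a comment). Not the real bogon list.
SAMPLE_BOGONSV6 = """\
# constructed sample, not the real bogon list
::/8
100::/64
2001:2::/48
2001:db8::/32
fc00::/7
fe80::/10
not-a-prefix
"""


def parse_bogons(text: str) -> tuple[list[ipaddress.IPv4Network | ipaddress.IPv6Network], list[str]]:
    """Return (networks that would occupy table entries, lines that do not parse).

    Comments and blank lines are skipped. Unparsable lines are returned
    separately so they can be reported instead of silently counted.
    """
    networks, bad = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append(line)
    return networks, bad


def load_bogons(path: str):
    """Same as parse_bogons, but read from a file such as /etc/bogonsv6."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return parse_bogons(fh.read())


def table_room(entries: int, max_table_entries: int, other_tables: int = 0) -> dict:
    """Compare one table's size with pf's global table-entries limit.

    The limit is shared by every pf table on the box, so entries used by
    other tables (aliases, pfBlockerNG lists, ...) are subtracted from the
    headroom. Both numbers are inputs; nothing here reads a pfSense default.
    """
    used = entries + other_tables
    return {
        "entries": entries,
        "limit": max_table_entries,
        "fits": used <= max_table_entries,
        "headroom": max_table_entries - used,
    }


if __name__ == "__main__":
    nets, bad = parse_bogons(SAMPLE_BOGONSV6)
    print(f"{len(nets)} prefixes, {len(bad)} unparsable line(s): {bad}")
    # 400000 and 1500 are assumed figures for the demo, not values from a box.
    print(table_room(len(nets), 400000, other_tables=1500))
```

    On a real box, `load_bogons("/etc/bogonsv6")` replaces the sample, and the limit is whatever the GUI currently shows; raising it before upgrading, as KOM describes, is the same comparison done ahead of time.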

  • Can one run OpenBSD spamd in pfsense?

    0 Votes, 2 Posts, 337 Views

    There's a FreeBSD port for it, but based on a little googling the pfSense package just wasn't maintained by anyone and was dropped.

    https://www.freshports.org/mail/spamd/

    https://forum.pfsense.org/index.php?topic=100334.0

  • PfSense 2.4.2 (and 2.4.3) crash at bootloader

    0 Votes, 5 Posts, 778 Views

    Since my last post I've tried:

    several cables
    several BIOS versions
    several combinations of BIOS settings (especially around the interrupts/serial console)
    almost all of the things on the boot problems page
    two hard disks
    ZFS/UFS
    2 different versions of I350 firmware
    many combinations of loader.conf.local settings, including disabling beastie_mode
    blanking out the SMBUS pins on the I350.

    All my experiments still end up with "crash at the pfSense boot menu when there is traffic on the I350 during (or before) loading the kernel."

    The network configuration boots fine with a Watchguard X750e (but that is stuck on nano-bsd)

    Is there really nobody that can help?
    I did ask the mods several weeks back if they could move this thread to somewhere more appropriate - was there or did they not look?
    Is there any way to force the network ports to be disabled until the kernel boots up?

    Thanks

  • Suricata hash matching Please Help

    0 Votes, 21 Posts, 3k Views
    bmeeks

    @steve40:

    Hiya Meeks… I got all the suricata file matching stuff working ...thanks for your help

    I identify binary files and block them via an empty hash whitelist. Which basically turns the box into a carbon black operating at the gateway level.  Works like a charm. (as long as you got pass rules for microsloth and places you wanna get exes from)

    It all works like a charm UNTIL.....

    you go to download an executable from an HTTPS enabled site.

    So out of desperation I'm going to ask a stupid question

    Is there a way to intercept these files while passing through an HTTPS session? I've got MITM fully working but I'm guessing that suricata operates at the NIC card and Squid decrypts the packet way higher up the stack...

    I really really really don't wanna have to do virus checking via ClamAv

    By the way, I've got this whole setup running on a KVM hypervisor so I can get very creative if I need to.

    thanks

    Suricata and Snort both work at the NIC card level (more or less).  When looking at the flow from the point of view of inbound traffic from the Internet, Suricata or Snort is the first thing the packet sees after leaving the NIC on the way into pfSense.  Any MITM stuff is farther down the line (or higher up in the stack if you want to think from that perspective).  So all Suricata is going to see is the raw HTTPS encrypted datastream.

    Bill

  • PfSense On Azure

    0 Votes, 2 Posts, 1k Views

    Hey there

    Normally you would assign your WAN interface to the NIC that's connected to your public IP address and your LAN interface to the private subnet. I would not recommend assigning your LAN interface to a private subnet and to your public IP address simultaneously in any case whatsoever.
    IMHO, the assignments should be like this:
    WAN -> public IP address provided by Azure (only)
    LAN -> private subnet (only)
    I don't think it's necessary or that it makes sense to add some virtual IP in this case.

    I'm not familiar with Azure, but if you can add more virtual interfaces to your pfSense VM, go ahead and add one if you need another private subnet.

    Now of course with this configuration you can not access the Web Configurator from the Internet. But I wouldn't recommend making it available to the Internet anyways. So if you can keep your Windows VM that's in the same private subnet, access the Web Configurator from there.

    Of course there are other options to get to what you're trying to achieve, but I think just using another VM in the same private subnet is the easiest way.

    Greetings, Philipp

  • DHCPREQUEST wrong network???

    0 Votes, 5 Posts, 6k Views

    Thanks for the replies! Although nmap reported only 1 DHCP server on the network, I found an access point with DHCP turned on. I'm assuming this was the issue...
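    The rogue-server hunt described in this thread (nmap's broadcast-dhcp-discover script does the same thing) is a small protocol exercise: broadcast one DHCPDISCOVER, collect every DHCPOFFER that comes back, and count the distinct server identifiers (option 54). The code below is an added example, not the poster's or pfSense's: it carries a minimal BOOTP/DHCP encoder and decoder, a live `probe()` that needs root and a free UDP/68, and a constructed set of offers (192.168.1.50 standing in for the access point) so the decoder can be exercised offline.

```python
import socket
import struct
import time

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DISCOVER, OFFER, ACK = 1, 2, 5
BOOTREQUEST, BOOTREPLY = 1, 2


def build_packet(op, xid, mac, yiaddr, options):
    """Encode a minimal BOOTP/DHCP packet: 236-byte fixed header, cookie, options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0x8000,            # op, htype=ethernet, hlen, hops, xid, secs, broadcast flag
        b"\0" * 4, socket.inet_aton(yiaddr),    # ciaddr, yiaddr
        b"\0" * 4, b"\0" * 4,                   # siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    body = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return header + DHCP_MAGIC + body + bytes([OPT_END])


def parse_options(packet):
    """Return {option code: raw value}, or {} when the bytes are not a DHCP packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        return {}
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                  # pad byte: no length field
            i += 1
            continue
        if i + 1 >= len(packet):
            break                      # truncated option
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options


def offer_servers(packets, xid=None):
    """Map server identifier -> set of addresses it offered, over every OFFER seen."""
    servers = {}
    for pkt in packets:
        opts = parse_options(pkt)
        if opts.get(OPT_MSG_TYPE) != bytes([OFFER]):
            continue
        if xid is not None and struct.unpack("!I", pkt[4:8])[0] != xid:
            continue                   # answer to someone else's DISCOVER
        sid = opts.get(OPT_SERVER_ID)
        if sid is None or len(sid) != 4:
            continue                   # malformed: no usable server identifier
        yiaddr = socket.inet_ntoa(pkt[16:20])
        servers.setdefault(socket.inet_ntoa(sid), set()).add(yiaddr)
    return servers


def probe(seconds=3.0, mac=b"\x0a\x00\x00\x00\x00\x01"):
    """Broadcast one DISCOVER and collect OFFERs for `seconds`; needs root and UDP/68 free."""
    xid = int(time.time()) & 0xFFFFFFFF
    discover = build_packet(BOOTREQUEST, xid, mac, "0.0.0.0", {OPT_MSG_TYPE: bytes([DISCOVER])})
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", 68))
    sock.sendto(discover, ("255.255.255.255", 67))
    heard, deadline = [], time.monotonic() + seconds
    while time.monotonic() < deadline:
        sock.settimeout(max(0.1, deadline - time.monotonic()))
        try:
            heard.append(sock.recv(2048))
        except socket.timeout:
            break
    sock.close()
    return offer_servers(heard, xid=xid)


# Constructed sample (not a real capture): two OFFERs from different servers
# for the same xid, plus an ACK that must be ignored.
MAC = b"\x0a\x00\x00\x00\x00\x01"
SAMPLE = [
    build_packet(BOOTREPLY, 0x1234, MAC, "192.168.1.100",
                 {OPT_MSG_TYPE: bytes([OFFER]), OPT_SERVER_ID: socket.inet_aton("192.168.1.1")}),
    build_packet(BOOTREPLY, 0x1234, MAC, "192.168.1.231",
                 {OPT_MSG_TYPE: bytes([OFFER]), OPT_SERVER_ID: socket.inet_aton("192.168.1.50")}),
    build_packet(BOOTREPLY, 0x1234, MAC, "192.168.1.100",
                 {OPT_MSG_TYPE: bytes([ACK]), OPT_SERVER_ID: socket.inet_aton("192.168.1.1")}),
]
```

    Run `probe()` a few times rather than once: a server that is slow, or on a different VLAN segment bridged by the access point, can miss one window, which is one way a single scan reports one server when two exist.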

  • Can I block downloads of .txt files that are over a certain size

    0 Votes, 3 Posts, 255 Views
    KOM

    Squid has a traffic management page that allows you to specify a maximum download size, and have it apply only to specific file extensions such as txt.

  • Email issues

    0 Votes, 4 Posts, 501 Views
    JKnott

    If you can ping other sites, but not the email server, the problem is likely with that server.  However, they may have pings blocked.

  • Cloudflare new DNS 1.1.1.1 issues

    0 Votes, 16 Posts, 4k Views
    GPz1100

    In case you haven't figured it out yet, firmware 1.5.11 (1.5.12?) breaks access to 1.1.1.1.  This ip is now some sort of internal ip within the gateway (bgw210).

  • WAN port question

    0 Votes, 4 Posts, 616 Views
    Derelict

    All you have to do is Diagnostics > Packet Capture on WAN for port TCP 445 then run a scan.

    If you get a connection refused (CLOSED) but do not see the traffic on WAN, then something upstream is responding.

    If they are responding AND forwarding the traffic to you (which wouldn't make much sense) then you will see the SYN to port 445 on your WAN but no SYN/ACK response because you are blocking the port.
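    Derelict's three cases can be turned into a small triage over the capture. The code below is an added example, not from the thread or from pfSense: it reads tcpdump's one-line TCP summaries (the form `tcpdump -n -r capture.pcap` prints for a file saved from Diagnostics > Packet Capture), counts inbound SYNs to the port and whatever the WAN address sent back, and combines that with what the remote scanner reported. The WAN address, the scanner address and the capture lines are constructed; it also covers the case the post does not spell out, a SYN/ACK or RST coming from pfSense itself.

```python
import re
from collections import Counter

# tcpdump one-line TCP summary, e.g.
# 10:00:00.000100 IP 203.0.113.9.40001 > 198.51.100.7.445: Flags [S], seq 1, win 1024, length 0
TCP_LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed samples, not a real capture. Documentation ranges only:
# WAN address 198.51.100.7, scanner 203.0.113.9.
WAN_IP = "198.51.100.7"
SYN_ONLY = [
    "10:00:00.000100 IP 203.0.113.9.40001 > 198.51.100.7.445: Flags [S], seq 1, win 1024, length 0",
    "10:00:00.500200 IP 203.0.113.9.40001 > 198.51.100.7.445: Flags [S], seq 1, win 1024, length 0",
]
SYN_AND_SYNACK = SYN_ONLY[:1] + [
    "10:00:00.000300 IP 198.51.100.7.445 > 203.0.113.9.40001: Flags [S.], seq 7, ack 2, win 65535, length 0",
]
SYN_AND_RST = SYN_ONLY[:1] + [
    "10:00:00.000300 IP 198.51.100.7.445 > 203.0.113.9.40001: Flags [R.], seq 0, ack 2, win 0, length 0",
]


def summarize(lines, wan_ip, port=445):
    """Count inbound SYNs to the port and what, if anything, the WAN address answered."""
    counts = Counter()
    for line in lines:
        m = TCP_LINE.search(line)
        if not m:
            continue
        flags = m["flags"]
        inbound = m["dst"] == wan_ip and int(m["dport"]) == port
        outbound = m["src"] == wan_ip and int(m["sport"]) == port
        if inbound and "S" in flags and "." not in flags:      # [S]  plain SYN
            counts["syn_in"] += 1
        elif outbound and "S" in flags and "." in flags:       # [S.] SYN/ACK
            counts["synack_out"] += 1
        elif outbound and "R" in flags:                        # [R] or [R.]
            counts["rst_out"] += 1
    return counts


def triage(lines, wan_ip, scanner_result, port=445):
    """Combine the WAN capture with the scanner's verdict for the port.

    scanner_result: "open", "closed" (connection refused, i.e. the scanner
    got an RST) or "filtered" (no answer at all).
    """
    c = summarize(lines, wan_ip, port)
    if c["syn_in"] == 0:
        if scanner_result in ("open", "closed"):
            return "upstream: something before the WAN answered; the probe never reached pfSense"
        return "no probe reached the WAN and nothing answered; re-check the scan and the capture filter"
    if c["synack_out"]:
        return "pfSense accepted the SYN: a rule or port forward exposes the port"
    if c["rst_out"]:
        return "pfSense rejected the SYN itself (a reject rule), not an upstream device"
    if scanner_result == "closed":
        return "upstream answered AND forwarded the SYN; pfSense dropped it silently"
    return "pfSense dropped the SYN silently (default deny); the scanner should report filtered"


if __name__ == "__main__":
    for name, lines, result in [("syn only", SYN_ONLY, "closed"),
                                ("syn only", SYN_ONLY, "filtered"),
                                ("syn+synack", SYN_AND_SYNACK, "open"),
                                ("syn+rst", SYN_AND_RST, "closed"),
                                ("empty", [], "closed")]:
        print(f"{name:11} scanner={result:9} -> {triage(lines, WAN_IP, result)}")
```

    Capture on the WAN side with a filter of `tcp port 445` (or `tcpdump -ni <wan-if> tcp port 445` from a shell) while the scan runs, then feed the text lines to `triage()` together with the scanner's own result; the two together are what separate "my firewall" from "my ISP's CPE".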

  • MOVED: Unlocking USB Modems

    Locked
    0 Votes, 1 Post, 249 Views
    No one has replied
  • Configuring email notifications

    0 Votes, 3 Posts, 395 Views

    Ok, thanks for confirming.

  • 0 Votes, 4 Posts, 430 Views
    stephenw10

    Probably something changed at your ISP or they were doing maintenance etc. Certainly not unusual.

    Steve

  • MOVED: SquidGuard service state: STOPPED

    Locked
    0 Votes, 1 Post, 521 Views
    No one has replied
  • MOVED: 2.4.3 issue with captive_portal

    Locked
    0 Votes, 1 Post, 166 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.