• PPPoE WAN Oddities

    4
    0 Votes
    4 Posts
    3k Views
    F

    Just an update after some investigations today.

    On TalkTalk but might apply to other UK ADSL ISPs, the username and password issued is irrelevant!

    I noticed in the Huawei supplied firewall logs today the default username after a reset is 01warehouse@talktalk.net which was giving me net access when the router was working like one would normally expect, I not having changed the nas_0_38 from ppoa to bridge with tr069 switched off.

    I then noticed I had keyed in the username wrong on pfsense, due to the Linux device used to access pfsense having the wrong keyboard mapping so the " had swapped places with the @ so my login name was [phonenumber]"talktalk.net not [phonenumber]@talktalk.net. So having corrected it and still no joy, back to the drawing board, messed around the username & password on the Huawei router and noticed I could use anything for a username like DoTalkTalkCheckThis@all with a random password and still got net access from the Huawei router.

    So I then went back to pfsense and reset the wan adaptor and set it to PPPoE with the correct username and password, set the MTU to 1400 to be on the safe side, removed some gateways so it only showed the WAN_PPOE and it all worked.

    Now I also know I spoofed the WAN MAC ID the other day in a bid to see if I could attract some visitors who might be aware of the MAC ID I was using, I set it first to the TalkTalk YouView box and with hindsight that's when the drop outs first started some hours later. I had also set it to the Huawei MAC ID today and it didn't like that either.

    Some further tests tonight and I can confirm it appears TalkTalk don't bother with usernames and passwords just the MAC ID, so like the mobile phone IMEI database which exists, the UK ADSL net access is monitored/access given by the MAC ID it would see because every time I used the router MAC ID in pfsense, no access, in fact every time I spoofed the MAC ID in pfsense, no net access was given.

    It's worth pointing out that part of the MAC ID is given out in the ARP packets so it's probably possible to detect spoofed MAC IDs, which perhaps goes to show, coupled with things like Google instant search which is obfuscated JavaScript that can be used to detect typing speed and thus the unique typing patterns of an individual when combined with MAC IDs and other meta data as the spooks would call it, shows how deep and pervasive the big brother system really is!

    Food for thought nonetheless when considering Edward Snowden's revelations, and the underhand tactics the politicians used to bring in various bits of legislation to "facilitate" this surveillance, whilst giving the biggest tech companies millions/billions to help them facilitate the big brother society.

    Might be worth seeing if the NIC's hardware can be reprogrammed to get new MAC IDs to beat this system as we are all slowly financially cleansed from existence!

  • NAT and gateway group policy route and clients all on 1 interface

    2
    0 Votes
    2 Posts
    1k Views
    S

    Did you find a solution?

  • PfSense VM & VLAN difficulties

    7
    0 Votes
    7 Posts
    2k Views
    stephenw10S

    No problem, your thanks is enough.  :)
    I think Jason's catch was probably the showstopper anyway.
    Enjoy playing with pfSense!

    Steve

  • PfSense as a bandwidth sharing tools

    3
    0 Votes
    3 Posts
    927 Views
    A

    Thank you  so much.

  • Proxy a specific domain

    2
    0 Votes
    2 Posts
    855 Views
    V

    You could for instance get a VPN tunnel provider which is located in another country, and then use policy-based routing on pfSense to send traffic towards the website through the VPN tunnel. Not sure if pfSense is able to use external http proxy services based on rules.

  • 1:1 IP Question

    6
    0 Votes
    6 Posts
    1k Views
    stephenw10S

    Ok, so what's behind pfSense that can't see the IPTV box?

    Steve

  • PC with 2 NIC but cannot see all the data

    2
    0 Votes
    2 Posts
    620 Views
    stephenw10S

    So just to be sure you're not running pfSense yet at all? Instead you're running Windows on the box just to test the hardware?

    To make Windows run as a router you need to use 'internet connection sharing'. Just enable it on the connection to the internal wifi device. They may have renamed it in the 10+ years since I last used it for anything!  ::)

    Steve

  • PfSense on Windows

    5
    0 Votes
    5 Posts
    1k Views
    stephenw10S

    If you're using that wifi router just as an access point you probably don't want to use its WAN port. Instead connect directly to one of its LAN ports and make sure you've disabled its DHCP service. That will make it act as an access point only.
    The exception to this is some routers have an 'access point' mode where the WAN port is added to the LAN port bridge or if you're running a third party firmware and can add the port manually.

    Steve

  • ROTATE LOG (SQUID) FAILS AFTER pppoe_restart

    1
    0 Votes
    1 Posts
    720 Views
    No one has replied
  • Command line vs cron execution

    5
    0 Votes
    5 Posts
    1k Views
    C

    Both of the above suggested methods do not produce the result of issuing the command manually through CLI, the debug.txt contains no specifics to point to errors or privileges in execution of the script.

    The environment of cron is /var/log while the environment of CLI is /root. How to execute cron scripts with /root environment?

  • One CA or Two?

    2
    0 Votes
    2 Posts
    697 Views
    J

    The two CAs don't need to have the same keys on Windows but must have the same name/friendly names

    I know this because I use a MITM to peek at SSL data and then issue fake certificates on the fly and did not always import the root CA and it all still worked if that helps

  • Logging squidguard denied accesses in the log

    2
    0 Votes
    2 Posts
    662 Views
    R

    Friends, I have pfsense running perfectly with firewall and also authenticated proxy.
    But I have a serious problem when access the Proxy Server Logs in Real Time.
    So I Denied appears on users to pass through authentication. Anyone know why?

    Example: I when the user authenticate with your password and try to access blocked sites, denied appeared in the logs. It does not.

    The error page also takes a long time to appear, even redirecting it to another page.

    Can someone help me?

  • Web filter setup

    5
    0 Votes
    5 Posts
    1k Views
    G

    ok will need to try it

  • Adding/assigning new interface causes lost connections

    2
    0 Votes
    2 Posts
    715 Views
    S

    Have seen the same problem occur with our setup: https://forum.pfsense.org/index.php?topic=73460.msg401168

  • Pfsense IGMP issues? Not sure.

    2
    0 Votes
    2 Posts
    921 Views
    -flo- 0-

    I had that problem myself but never found out the reason. The problem just did not occur anymore and I did not have the opportunity to analyze this.

    There are several possible reasons apart from a problem with pfSense itself: pfSense could not receive group membership packets by the receivers of the stream or the provider could simply have caused that drop.

    You could start by monitoring the IGMP traffic on the WAN interface (Diagnostics / Packet Capture). I would prefer using tcpdump from the command line on pfSense because you can filter IGMP traffic.

    If you do that while receiving the stream then when you have drops you should check the exact time. This way you can associate the drops with events in the packet trace. I would first look whether the drops have been caused by missing IGMP packets to your provider.

  • Ssl Certificate and web gui issue.

    2
    0 Votes
    2 Posts
    586 Views
    stephenw10S

    What error are you seeing?

    You can switch back to http at the console:
    https://doc.pfsense.org/index.php/I_locked_myself_out_of_the_WebGUI,_help!#HTTP_vs_HTTPS_confusion

    Steve

  • WAN (ADSL) show connected but cannot surf the internet

    1
    0 Votes
    1 Posts
    727 Views
    No one has replied
  • Skip interface if not found ?

    4
    0 Votes
    4 Posts
    908 Views
    KOMK

    The backup/restore functionality is pretty comprehensive.  Instead of imaging, perhaps try installing fresh and then loading the old config via Diagnostics - Backup/Restore.

  • Features for Enterprise environment

    2
    0 Votes
    2 Posts
    2k Views
    F

    @paklids:

    3. Make pfsense "puppet friendly" (or just get the ball rolling - it doesn't have to be complete). Yeah, someone can post a bounty….then wait.....then get no response. Keep in mind that these changes are going to appeal to Enterprise environment admins who already have their commercial firewalls with dedicated change management systems - those people rarely post bounties.

    Although this is a somewhat old post, the situation may change to match your needs… I've started adding puppet support to pfSense as a separate package:
    https://forum.pfsense.org/index.php?topic=79397.0

    You're welcome to contribute to the pfSense puppet provider and the puppet modules:
    https://github.com/fraenki/puppet-pfsense
    https://github.com/fraenki/puppet-pfsense_rancid
    https://github.com/fraenki/puppet-pfsense_autoupdate

    Regards

    Frank
  • Restart WAN (pptp) via cron

    1
    0 Votes
    1 Posts
    697 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.