• Block all traffic

    0 Votes, 4 Posts, 1k Views

    @bjm3805:

    Is there an easy way to simply block all traffic and only allow a few sites?

    The short answer is yes:
    Assuming you have a default configuration with only two active interfaces… Create LAN rules to allow the sites you want and then disable the "Default allow LAN to any rule" on the LAN interface. (I highly recommend that before you do this, you ensure the anti-lockout rule is enabled at System: Advanced: Admin Access: be sure that "Disable webConfigurator anti-lockout rule" is not checked.) NOTE: I am assuming you want to block outbound from the LAN and not pfSense's outbound, which would require floating rules.

    Just for some clarification:

    Are you asking how to restrict outbound traffic? (The default for pfSense is to block all inbound traffic already and allow all outbound traffic. )

    What do you mean by "sites", IP address(es) like "192.168.1.1", or websites like "www.google.com"?
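    The allow-list approach in the reply above, simulated as an added example (this is illustration code, not pfSense's own rule engine). pfSense generates every rule with pf's `quick` keyword, so the first matching rule wins and anything that matches no rule hits the implicit default deny. The firewall address, the two "allowed sites" and the assumption that SSH is enabled (so the anti-lockout rule covers port 22 as well as the webGUI ports) are constructed for the example. It also shows the caveat the reply does not mention: once the default allow rule is gone, LAN clients lose DNS to the firewall unless a rule for port 53 is added, because the anti-lockout rule only covers the management ports.

```python
"""Simulate pfSense LAN rule evaluation before and after removing the
"Default allow LAN to any" rule.  Added illustration, not pfSense code.
pfSense generates every rule with pf's 'quick' keyword, so the first
matching rule wins; a packet that matches nothing hits the implicit
default deny.  Addresses below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    dst: str                           # CIDR or "any"
    dports: frozenset = frozenset()    # empty set = any destination port
    label: str = ""

    def matches(self, dst_ip: str, dport: int) -> bool:
        if self.dst != "any" and ip_address(dst_ip) not in ip_network(self.dst):
            return False
        return not self.dports or dport in self.dports


def evaluate(rules, dst_ip: str, dport: int):
    """Return (action, label) of the first matching rule, or the implicit deny."""
    for rule in rules:
        if rule.matches(dst_ip, dport):
            return rule.action, rule.label
    return "block", "implicit default deny"


# Constructed topology: firewall LAN address and two "allowed sites".
FW_LAN = "192.168.1.1"
# Anti-lockout covers the webGUI ports; 22 is included on the assumption
# that SSH is enabled on this firewall.
ANTI_LOCKOUT = Rule("pass", f"{FW_LAN}/32", frozenset({22, 80, 443}), "anti-lockout")
DNS_TO_FW = Rule("pass", f"{FW_LAN}/32", frozenset({53}), "DNS to firewall")
SITE_A = Rule("pass", "203.0.113.10/32", frozenset({80, 443}), "allow site A")
SITE_B = Rule("pass", "198.51.100.0/24", frozenset({80, 443}), "allow site B")
DEFAULT_ALLOW = Rule("pass", "any", frozenset(), "Default allow LAN to any")


def lan_rules_before():
    """Stock ruleset: anti-lockout plus the default allow-any."""
    return [ANTI_LOCKOUT, DEFAULT_ALLOW]


def lan_rules_after(allow_dns: bool = True):
    """Allow-list ruleset with the default allow rule disabled."""
    rules = [ANTI_LOCKOUT]
    if allow_dns:
        rules.append(DNS_TO_FW)
    return rules + [SITE_A, SITE_B]


if __name__ == "__main__":
    probes = [("8.8.8.8", 443), ("203.0.113.10", 443), ("198.51.100.7", 80),
              (FW_LAN, 443), (FW_LAN, 53)]
    for name, rules in (("before", lan_rules_before()),
                        ("after", lan_rules_after()),
                        ("after, no DNS rule", lan_rules_after(allow_dns=False))):
        for ip, port in probes:
            print(f"{name:>20}: {ip}:{port} -> {evaluate(rules, ip, port)}")
```

    If the "sites" are hostnames rather than addresses, the pass rules would use a hostname alias, which pfSense re-resolves periodically; a site served from many changing addresses will still leak through the allow-list only as far as its current resolution, which is the limit of this technique.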

  • Not seeing the firewall logging as expected

    0 Votes, 2 Posts, 538 Views

    What kind of site-site, OpenVPN (PKI or Shared Key), IPSEC, other?

    Are both ends pfSense? What versions, network details, etc.?

    How do you know the VPN is up and running? Have you tried a simple ping of the firewalls from each side?

  • Pfsense with filtering behind a pfsense doing the routing/firewalling

    0 Votes, 1 Post, 419 Views (no replies)
  • Freeradius and openVPN –> dynamic aliases

    0 Votes, 2 Posts, 624 Views

    Anybody?

  • Edge Security Addons

    0 Votes, 2 Posts, 848 Views (last post by stephenw10)

    1. You can use HAVP,
    2. You can use Squid with Squidguard.
    3. There is a mailscanner addon but it's community supported only.
    4. Not sure how you'd do that.

    Fundamentally pfSense is a firewall/router and not a UTM device.

    Steve

  • Choose interface for listening

    0 Votes, 6 Posts, 1k Views (last post by stephenw10)

    In your diagram the pfSense 1 box still has its WAN interface as the gateway to the pfSense 2 box and then the internet in general.
    You could run the NTP server on pfSense 2 and have pfSense 1 use that.
    The NTP client uses the default route, so you might change that.
    You may be able to use a floating firewall rule to direct NTP requests.

    Steve

  • My pfsense freezes sometimes

    0 Votes, 2 Posts, 2k Views

    Check https://forum.pfsense.org/index.php?topic=54206.0

    This fixed pfSense freezes on my ESXi hosts.

    (attachment: acpi_safe.png)

  • New ISP, settings wont work (Resolved)

    0 Votes, 4 Posts, 931 Views

    Thank you for your replies. It turns out my knowledge of pfSense was up to snuff, but not my knowledge of IP address blocks. Apparently I was trying to squat the pfSense interface on an address that is used by a piece of equipment my telco uses for 'redundancy.'

    Apparently out of the block of 8 IP addresses they gave me there were only 3 usable. They had two blocked off for normal uses like Gateway and Broadcast (expected) but then they had 3 more blocked off for other pieces of their equipment. So I was simply trying to use the wrong IP address. As soon as I changed it over to the one recommended by the tech it came up instantly.

    On a not so funny side note, as soon as our connection came back up, after 6 hours of being down during business hours, we flooded our EOP gateway with so many messages at once that they blacklisted our IP. Thankfully I had a spare address and I was able to reassign the pfSense interface IP and get our mail flowing again. I'm still waiting on a response from Microsoft's Delist team about the original address though. I should probably go see if there are other Blacklist services that partner with Microsoft too.

  • /tmp filling up on embedded USB install

    0 Votes, 3 Posts, 906 Views

    @stephenw10:

    You can adjust the size of /tmp and /var in System: Advanced: Miscellaneous: as long as you have ram spare to do so.

    Steve

    Wow, I completely forgot that they were RamFS. Thanks.

    Ben

  • Others charging for pfSense?

    0 Votes, 6 Posts, 1k Views (last post by dotdash)

    Netgate is in a unique position where they can do custom images. I'm sure they put work into optimizing the image. If you don't like it, then roll your own. What's the problem?

  • Long range Wi-Fi for remote location

    0 Votes, 21 Posts, 4k Views (last post by GruensFroeschli)

    Well it allows you to set higher power on the surface.
    The lower layers still make sure no illegal levels are transmitted.
    Unless you connect a power-meter and measure what's getting out you only get shown a number which might or might not be correct.

  • MOVED: No ping over the VPN connection even though it is connected

    Locked. 0 Votes, 1 Post, 477 Views (no replies)
  • DLNA + BRIDGE + IGMP PROXY

    0 Votes, 18 Posts, 7k Views (last post by stephenw10)

    Never would have thought of that. Thanks for reporting back.

    Steve

  • Push Adverts to clients

    0 Votes, 5 Posts, 1k Views (last post by stephenw10)

    Yes, you could do a MITM-style intercept and replace images à la 'Upside-Down-Ternet'. You could, more easily, have the captive portal leases expire after an hour, forcing users to log in again and be subjected to advertising. However, that still won't push anything; you have to wait for the clients to pull something you can intercept. I would think there is no way to do this without some client-side plugin.

    Steve

  • Hotspot issue

    0 Votes, 4 Posts, 1k Views

    I'm gonna try, thanks.

    As I do not want to mess up anything, may I use a gmail.com account of mine to create a certificate from StartSSL?

    If not, I've got a real domain name as well, blablabla.eu.

    Thanks for the help.

    "It won't be an "MS Windows Logon" or a popup"
    I was speaking about FreeRADIUS, section 2).
    Why is RADIUS so hard to implement on W7?

  • Watching Videos and IP Geolocation

    0 Votes, 6 Posts, 1k Views

    Yep, that did it. Re-enabled Squid, found and checked the "Disable X-Forward" option, and now it seems I have a cache without sharing my private IP addresses.

    Thank you again.

  • Bragging about pfSense

    0 Votes, 13 Posts, 2k Views

    Yeah, gotta have it… no matter the bandwidth... although queuing is good until it's bad...

  • Secure NFS v4 & NAT Router

    0 Votes, 2 Posts, 4k Views

    @sjim:

    Here is my pfSense setup. I set up a NAT so that all TCP/UDP traffic coming to any ports on the WAN interface (from port 1 to port 65535, except port 443 for the pfSense web UI) will be forwarded to the IP address of my NFS client.

    AFAIK the only difference between the secure and insecure option on NFS is that the server will only accept mount requests from the client if they come from a port less than 1024. I suspect that you may not be using 1:1 NAT and so pfSense is choosing its own source port for the translated request from the client. One solution would be to use 1:1 NAT since you are already mapping all the ports anyway. You would need to create a special port forward if you need 443 to point to pfSense (by default it should be processed before the 1:1 NAT [1]).

    Another option would be to create a special case NAT rule for just the NFS client to server request using the Translation: Static-port [2] option.

    [1] https://doc.pfsense.org/index.php/Do_NAT_port_forwards_override_1:1_NAT
    [2] https://doc.pfsense.org/index.php/Static_Port
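    The privileged-port check and the three NAT behaviours discussed in the reply above, simulated as an added example (illustration code, not pfSense's NAT implementation). The client, server and WAN addresses are constructed; the ephemeral range 49152-65535 stands in for pf's random source-port selection. The point it makes concrete: with default outbound NAT the server sees a high source port and a "secure" export refuses the mount, while Static Port or 1:1 NAT preserves the client's privileged port and the mount succeeds.

```python
"""Why a 'secure' NFS export rejects mounts through port-randomizing NAT.

Added illustration, not pfSense code.  A secure export accepts requests
only from privileged source ports (< 1024).  Default outbound NAT picks
a random high source port; Static Port (or 1:1 NAT) keeps the client's
original port.  Addresses and ports below are constructed.
"""
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class OutboundNat:
    """Source NAT onto a WAN address.

    mode: "random" (pf default: rewrite the source port),
          "static" (pfSense Static Port option: keep the source port),
          "1:1"    (bidirectional address map: source port also kept).
    """

    EPHEMERAL = (49152, 65535)

    def __init__(self, wan_ip: str, mode: str = "random", seed: int = 1):
        self.wan_ip = wan_ip
        self.mode = mode
        self._rng = random.Random(seed)   # deterministic for the demo
        self._in_use = set()

    def translate(self, pkt: Packet) -> Packet:
        if self.mode in ("static", "1:1"):
            port = pkt.src_port               # source port preserved
        elif self.mode == "random":
            port = self._rng.randint(*self.EPHEMERAL)
            while port in self._in_use:       # avoid colliding with a live state
                port = self._rng.randint(*self.EPHEMERAL)
        else:
            raise ValueError(f"unknown NAT mode {self.mode!r}")
        self._in_use.add(port)
        return replace(pkt, src_ip=self.wan_ip, src_port=port)


def nfs_server_accepts(pkt: Packet, secure: bool = True) -> bool:
    """'secure' export option: only privileged source ports may mount."""
    return (not secure) or pkt.src_port < 1024


def mount_attempt(mode: str, secure: bool = True):
    """Client behind NAT sends a mount request.

    Returns (source port as seen by the server, accepted?).
    """
    # Constructed: client on the LAN using a privileged port, NFSv4 on TCP 2049.
    client = Packet("192.168.1.50", 1023, "203.0.113.5", 2049)
    seen_by_server = OutboundNat("198.51.100.2", mode).translate(client)
    return seen_by_server.src_port, nfs_server_accepts(seen_by_server, secure)


if __name__ == "__main__":
    for mode in ("random", "static", "1:1"):
        print(f"{mode:>6}: server sees port {mount_attempt(mode)[0]}, "
              f"accepted={mount_attempt(mode)[1]}")
```

    Static Port is the narrower change: it can be limited to one source host and one destination port, whereas 1:1 NAT exposes the whole client address on the WAN and then needs the extra port forward for 443 that the reply mentions.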

  • Cron Job After Restart

    0 Votes, 2 Posts, 572 Views (last post by jimp)

    That wouldn't be a "cron" job since those are periodic.

    To run a shell command after bootup in a way that would work across upgrades and such, look at the shellcmd package which runs shell commands at boot time.

  • Setup 2 LAN - 1 WAN

    0 Votes, 2 Posts, 931 Views (last post by jimp)

    If the rules pass the traffic, and outbound NAT is set to NAT them out, it should work. Though there is not enough detail to say for sure. Make sure the rules pass all traffic, not only TCP.

    Some other things to check:

    Try to ping the firewall (their gateway); if they can't, then rules are probably to blame.
    Try to ping an Internet host by hostname, such as www.google.com; if it can't translate the name to an IP address, check your DNS.
    Try to ping an Internet host by IP address, such as 8.8.8.8; if the other parts work but that does not, it's likely outbound NAT.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.