There is a checkbox to add the CA to the system when you import it if required:
Screenshot from 2023-12-31 18-31-58.png

However in this situation I would add the proxy IP to pfSense specifically so it doesn't need to have that CA.
https://docs.netgate.com/pfsense/en/latest/config/advanced-misc.html#proxy-support

Steve

@jeffshead
That is correct. Snort/Suricata operates outside the firewall so to speak so it cannot inspect ssl traffic. There is no mechanism within pfsense to decrypt a flow and send to an engine to inspect. This largely,in my opinion, makes the threat prevention aspect of pfsense quite useless. It would be more useful to have your endpoint mitigation tools on the clients do the protection.

@lkh allow windows firewall to approve ping you shouldn’t need to disable defender. Make one rule in windows firewall to approve pings.

You might be able to use a driver for the specific hardware rather than the cdce driver. It's possible some specific driver gained support for that hardware in 2.7.1/2.7.2 and that's what changed.

I did do that when testing last weekend and I can confirm that with a factory default config the CPU usage and load was greater on 2.7.1 and 2.7.2. This is not an issue with the hardware, or any specify post installation configuration. This is an issue with the base system running 2.7.1 and 2.7.2 on this hardware. is there some log or debug level that i can get you output for that might allow you to narrow down the issue so that I can get this box back to running at normal utilization?

@kdmiller61 the request wouldn't be dynamic. And you don't really need a client on some other pc on your network.. Pfsense can keep your IP updated to the dynamic service you are using.

It supports no-ip
noip.jpg

Or it prob supports whatever other ddns service you were using.

All a ddns does is point to your internet IP, the IP on pfsense wan normally unless pfsense is behind a nat router.

Just create your normal port forward rule using your wan address as the destination. This built in alias will know if pfsense wan IP changes. And just forward this to whatever IP behind pfsense.

@stephenw10 said in Congestion control choose (BBR2, QUICK, RACK, CDG) for music streaming:

Unless you're streaming music from or on pfSense itself (which you shouldn't be!) then it makes no difference what pfSense is using for those.

Of course, streaming are from separate servers set.

The only exceptions to that might be if you're proxying the traffic in pfSense or perhaps routing the stream over a TCP VPN.

In this moment - stream traffic not proxying.

Additionally most streaming is UDP anyway.

Let me correct You: more and more services nowadays using TCP and QUICK.

But:
——
For instance, Netflix and Amazon Prime use TCP as transport layer protocol, while YouTube has adopted both UDP and TCP protocols.
——

It has probably pulled in some newer pkg.

See: https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html#upgrade-not-offered-library-errors

Old forum post led me in the right direction.
I have forgotten that in pfBlocker there is an option in SafeSearch to block DoH/DoT.
Unchecked apples relay names and reloaded. Everything works.

I am currently in that same process, but I have been using pfsense with captive portal and freeradius for authentication for 8 years. I have a little more than 1800 clients and I am about to switch to pppoe with limiters, in the tests it has worked excellently. I have segmented by area with VLANS so these will continue. In this way, I reduce the need to have a pppoe server with a high number of users. I have to run a PPPoE server for each VLAN or interface.

@SteveITS

Thank you, I will re-examine the logs and see if for any reason it appears I was in one of the two cases. I will test as well again entering and exiting the maintenance mode.

Andrea

@kiokoman Thank you

@remlei @EveningStarNM
Scoured the interwebs and could not get my home lab working . Same symptoms as you and this fixed it !! Only signed up for the forum to thank you haha

@jeff3820 See Notes on remote access to NUT in the second post of the NUT support thread, and the section Notes on Synology at the end of the post.

@stephenw10 @jrey

Ok, I ordered a USB-serial cable and did a reinstall from scratch this morning.

It was easier than I thought and everything seems to be fine again.

I also saw that the router had (from factory) still UFS as file system before and that might be the reason why I had such strange file system corruptions. Hopefully ZFS is more robust now against power failures. And I will try to change the configuration so that my router is also powered by my UPS

Thanks to all,
Michael

@stephenw10 Back to pfSense from Sophos. Glad to be back. That is all I will say. Fresh install of 2.7.2 CE and upgraded to 23.09.1 plus on a new NVME drive. No other hardware changes. All is working perfectly out of the box. I have purchased TAC Lite. I didn't realize before I was on home/lab license so I didn't get any kind of support except for community. All is right in the pfSense world now.

@sloopbun Hmm, that does sound strange. I have no suggestions for how to troubleshoot that. It could be that the NIC PCIe card needs different drivers or some optimisations are needed for the current driver.
But it could also be that the SFP does not play nice with that NIC.

Had one incorrect CIDR included. Solved

@kdmiller61 For one web server, a NAT port forward. For multiple, a oroxy as noted.