@stephenw10

I've managed to get this to work. Thank you for the pointer.

@SteveITS said in Interface and Rules:

https://docs.netgate.com/pfsense/en/latest/firewall/fundamentals.html#stateful-filtering

"Using this mechanism, traffic need only be permitted on the interface where it enters the firewall. When a connection matches a pass rule the firewall creates an entry in the state table. Reply traffic to connections is automatically allowed back through the firewall by matching it against the state table rather than having to check it against rules in both directions. This includes any related traffic using a different protocol, such as ICMP control messages that may be provided in response to a TCP, UDP, or other connection."

You are right. Thanks a lot!

Thanks @stephenw10 I give feedback a soon I can test it.

Then it will probably be NATing by default. You'll need to disable it if you want pfSense to see traffic from the subnet behind it.

@stephenw10 said in How do I discover ISP's PPPoE credentials and connection settings?:

I assume you have no access to the ISP device config interface? What device is that exactly?

The site is in another city, but I guess it's a ZTE. It allows access on the LAN, but you cannot configure WAN, or view configuration.

@stephenw10 said in How do I discover ISP's PPPoE credentials and connection settings?:

The ISP doesn't actually have to use individual credentials at all. BT in the UK for example use the same login for all devices. They know who you are by what line you're connecting on.

This one does use credentials. But they probably know who you are by the line.

@stephenw10 said in How do I discover ISP's PPPoE credentials and connection settings?:

You could probably also bridge some ports in pfSense and use that instead of the switch mirror port to pcap on.

That was my thinking exactly. I'll try that the next time. I cannot call and ask them to undo what they've just done.

@wineguy said in Unable to configure notifications using port 587:

I expected that it would default to the 'From email address', which would make a nice enhancemen

Noop.
The "From" is the mail address from which you send the mail.
This can be different one as the USER login credential, needed for submission over port 587 (smtp with authentication) to work. These two can be identical, true.

@wineguy said in Unable to configure notifications using port 587:

So, another nice enhancement would be to require a username and password when port 587 is selected.

'587' or submission means (imho - check with RFC ?) : must authenticate.

You could go one step beyond :
Set up your mail server to use plain TLS, or SMTPS, normally over port 465. Most FAI's - look how gmail does things - don't use - or should I say : don't enforce the use of 587 anymore. It's TLS all the way = port 465, which means : from byte zero all is TLS.
You can pick any port actually, as it would be used by your mail clients, the ones you control.

@johnpoz ~ I also added filter-AAAA to the DNS forwarder's Options so I think I've now killed IPv6 in every way possible on my firewalls! :o)

Roy...

@Gertjan thanks you so much 🙏🤟🏻

@Laxarus Thanks for the help my friend. It helped me a lot!! After 12 hours of migrating 4 domain controllers, I almost hit the rollback button until I saw your tip. I tried this and it worked for two systems that had problems. The only two systems that we could not test in our lab environment.

@roben1000

See here : I RESTART THE PFSENSE BECAUSE OF THIS NOW I CANNOT ACCESS IT

We may be able to recover the old key if you send me the NDI or hint in chat.

Aha, that would do it! Easy mistake, we've all done stuff like that. 😁

If you have a legitimate reason to need to migrate the NDI then we can accommodate that. If you had a hardware failure for example. Or, here, if you upgraded and found your new hardware is incompatible. We're not completely inflexible.

https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html

@viragomann, thank you very much for your help!

@LaUs3r

I am experiencing the same even on the latest pfSense Plus beta version (25.03)

@stephenw10 Thanks again. I've submitted a correction suggestion to MaxMind for the IP. I assume that the regular scheduled auto updates of pfBlocker databases within my pfSense also update Maxmind's free GeoIP database as well -- I noticed the free GeoIP database is updated by Maxmind every month. Cheers

@johnpoz

getting a squid transparent proxy running on pfsense with ssl/mitm from scratch wasn't easy tbqh (but maybe that's another topic...)
it is quite satisfying though to see the RT access logs flow in pfsense, and the secure lock in the browser at the same time (=
squiddie.jpg
but still, as you mentioned before, without the device accepting my ""internal-ca"", it's besides the point 😁

There is, here: https://redmine.pfsense.org/

Are you able to test in 25.03-Beta?