• ping from WAN disallowed by default?

    ping
    6
    0 Votes
    6 Posts
    1k Views
    johnpoz
    @hspindel said in "ping from WAN disallowed by default?": "pinging my DDNS name"
    Well if you have your vpn up, and it reports the vpn IP as your ddns name, and then you ping the ddns name - then yeah you would be pinging the vpn endpoint.
  • PSA - 2.7.0 and ssh keys

    10
    1 Votes
    10 Posts
    2k Views
    johnpoz
    @bumpmark said in "PSA - 2.7.0 and ssh keys": "It seems that Microsoft has decided Win11 users don't need a later version"
    Not sure why anyone would limit themselves to what MS puts out - just use another.. You can grab a Windows version here: https://www.mls-software.com/opensshd.html

        Microsoft Windows [Version 10.0.19045.3570]
        (c) Microsoft Corporation. All rights reserved.

        C:\>ssh -V
        OpenSSH_9.4p1, OpenSSL 1.1.1v 1 Aug 2023

        C:\>

    Or just use your fav client, I use securecrt most of the time, it's not a free option. But it is a very robust client.. There is also https://itefix.net/copssh-client which has 9.5p1

        C:\tools\copssh_client_7.12.0_x64_free\bin
        $ ssh -V
        OpenSSH_9.5p1, LibreSSL 3.7.3

    Putty is a common fav as well.
  • Crash when rebooting LAN side switch

    6
    0 Votes
    6 Posts
    651 Views
    stephenw10
    Opened to track it: https://redmine.pfsense.org/issues/14917
  • Is it possible to connect Pfsense with Microsoft intune?

    5
    0 Votes
    5 Posts
    701 Views
    A
    @stephenw10 Thanks for the update.
  • Grandstream GXP1620 IP Phone and PfSense not doing well, not working

    8
    0 Votes
    8 Posts
    1k Views
    stephenw10
    Ok, then first check the state table in Diag > States when you try to place a call. Is the phone opening the expected SIP states? Next would be to run a packet capture for that SIP traffic and check when the phone is actually sending and whether anything comes back from the PBX.
  • How to block only one url of a site?

    4
    0 Votes
    4 Posts
    451 Views
    stephenw10
    You should block the specific url you are trying to deny access to in Squid. It's a lot of trouble to go to to just block one URL though.
  • 23.05.1: PHP Fatal error: Uncaught TypeError: Unsupported operand types

    18
    0 Votes
    18 Posts
    3k Views
    S
    Thanks for the info. This is my first time setting up a pfsense. I have been using Sonicwall for years. Site to Site VPN seems to work good with ipsec. Steven V. Snead, MCSE, CCNA
  • Internet Occasionally Drops for No Apparent Reason

    44
    0 Votes
    44 Posts
    6k Views
    S
    @stephenw10 will do
  • Manual backup encryption

    2
    0 Votes
    2 Posts
    208 Views
    stephenw10
    You can, using openssl, though I've never tried it in Windows: https://docs.netgate.com/pfsense/en/latest/backup/restore.html#encrypted-configuration-files
    Steve
  • Strange OS Account Changes log records

    15
    0 Votes
    15 Posts
    2k Views
    jimp
    It's more "clean" (as in unaltered) to leave the records as they are from the builder than to delete data for the sake of hiding it. I'd rather a system have an audit trail from the time it was built, not just when it was installed/instantiated.
  • Virusprot change DROP to REJECT

    8
    0 Votes
    8 Posts
    813 Views
    R
    Thanks Stephen
  • Crashes when try to edit alias

    21
    0 Votes
    21 Posts
    2k Views
    johnpoz
    @cdsJerry those look like retries to me 1-2 seconds apart with the same source IP.. So very well could be cloudflare attempting to use an old session, that pfsense no longer had a state for.. If happens again make sure to grab or note what the protocol was if anything other than Syn, then it is an out of state block.
  • Feature request - System Aliases

    14
    0 Votes
    14 Posts
    1k Views
    johnpoz
    @paoloposo oh my bad - yeah read that the wrong way. Yeah I don't see pfsense maintaining lists of stuff you might want in an alias..
  • New Installation, no Apparent DHCP on the LAN Interface

    Moved
    10
    0 Votes
    10 Posts
    1k Views
    G
    @johnpoz, I guess I may have screwed something up during the initial installation. I just did a complete reinstall from scratch and now both interfaces are coming up correctly. Thanks for your help.
  • 2.7.0 WAN loses IP4 address after a few seconds

    6
    0 Votes
    6 Posts
    383 Views
    stephenw10
    OK, I agree looks like a problem with the two dhcpv6 clients. That should be easy enough to test at least. Remove one or both of those see if it stays up.
  • Enter full pathname of shell or RETURN for /bin/sh:

    2
    0 Votes
    2 Posts
    1k Views
    stephenw10
    Run fsck on the root partition and run it at least 5 times. See: https://docs.netgate.com/pfsense/en/latest/troubleshooting/filesystem-check.html#manual-filesystem-check
  • 0 Votes
    14 Posts
    2k Views
    stephenw10
    Hmm, odd. I wouldn't expect that. I have openvpn tunnels that have been up without issue for weeks.
  • No users listed at the "all" users group

    5
    0 Votes
    5 Posts
    522 Views
    W
    @johnpoz Yep, right... forgot that.
  • Support for API based email delivery

    4
    0 Votes
    4 Posts
    593 Views
    W
    @stephenw10 OK, I found a way to send emails from pfSense via SendGrid, using the current pfSense configuration (version 2.7.0) (SendGrid, as noted above, has a free plan that enables you to send 100 emails per day, via its service, for free, which should be, I think, more than enough to get email notifications from your pfSense device).

    The delivery is done via SendGrid's SMTP server, but the security advantage of services like SendGrid is kept – as the actual delivery does not include the IP address of the sending pfSense device (like when sending via web API); but it DOES INCLUDE the name of the pfSense device, like pfsense.home.arpa, so notice to change the device's name if you wish to avoid identification by the recipients of the notification emails. You can change the device name at System > General Setup.

    First, some preparations at SendGrid:

    1. Create a SendGrid user account at https://signup.SendGrid.com/; or login if you already have an account there - https://app.SendGrid.com/login/
    2. Create an API key, how to - https://docs.SendGrid.com/ui/account-and-settings/api-keys
       2.1. It is better, for both security reasons and for operational reasons – to have a unique API key for pfSense, even for each pfSense device
       2.2. Grant the API key the minimal permissions needed to send email – Settings > API Keys. For "API Key Permissions" select "Restricted Access". For "Access Details" open the "Mail Send" section and only enable "Mail Send". Save the change.
       2.3. Save the API key value at your records offline, you will need to use it as the SendGrid account "password" at pfSense. Once the API key is generated and saved, you will not be able to see the key's value!
    3. If you enabled "IP Access Management" (limit delivery only from allowed IP address(es)), then go to Settings > IP Access Management. Add the IP address of the pfSense device, the IP that is facing the Internet and will be the one to communicate with the SendGrid email server
    4. Generally follow the instructions on the following post by SendGrid, "Integrating with the SMTP API" (although I think it is better to use port 465, as it uses a more secure method than the one of port 587) https://docs.SendGrid.com/for-developers/sending-email/integrating-with-the-smtp-api
    5. DO NOT do what is written in the following post, titled "How to Send an SMTP Email", it is for sending via SendGrid emails using Telnet to SendGrid's SMTP server, which needs the input to be formatted as Base64. Base64 format will NOT be accepted by SendGrid when sending emails via pfSense, and you will get an error message like "Could not send the message to <email address> -- Error: PLAIN authentication failure [SMTP: Invalid response code received from server (code: 535, response: Authentication failed: Bad username / password)]" https://docs.SendGrid.com/for-developers/sending-email/getting-started-smtp

    At pfSense:

    1. Go to System > Advanced > Notifications
    2. Of course Uncheck "Disable SMTP"
    3. Add to "E-Mail server" the value of smtp.SendGrid.net
    4. For "SMTP Port of E-Mail server" I used 465 (SMTP with TLS, most secure)
    5. (Connection timeout to E-Mail server – whatever you wish)
    6. Secure SMTP Connection – Enable-Checked
    7. Validate SSL/TLS – Enabled-Checked
    8. (From e-mail address – whatever you wish)
    9. (Notification E-Mail address – whatever you wish)
    10. Notification E-Mail auth username (optional) – this is NOT optional; you have to insert here exactly the system word of "apikey" (without the quotations). This tells SendGrid that you are not authenticating as a specific regular user, but as an API key
    11. Notification E-Mail auth password – insert here the exact relevant API key value that you recorded when you created it. It is acting as your "password"
    12. Notification E-Mail auth mechanism – Select the fixed value of "PLAIN"
    13. Scroll down to the bottom of the page and click "Save"
    14. Once the page reloaded – Click the "Test SMTP Settings" button to see if you receive a test email to the target email address
    15. If you get a warning about network issues, like "Error: Failed to connect to ssl://smtp.SendGrid.net:465 [SMTP: Failed to connect socket: Operation timed out (code: -1, response: )]":
        - Test the general ability to reach the target server at the target port, using pfSense's port test at Diagnostics > Test Port
        - If the above port test also fails (but generally you have network admin access to pfSense from the Internet, or even pfSense can perform a check to see if it has a new version (at Status > Dashboard > System Information widget > Versions section > click the arrows circle icon)), I suggest approaching the support of the ISP/Cloud host firm. Many of these firms block by default access to SMTP ports on the Internet, to prevent spam delivery from their systems by their customers

    Notice that you do not need to create any Firewall rule for the notification emails to communicate with the target SMTP server, it will be allowed internally by pfSense, based on the notifications configuration you enabled and adjusted.

    Good luck!
  • ssh connection that close after login

    3
    0 Votes
    3 Posts
    163 Views
    E
    Thanks!!! That explains other things I did not understand ;-) I also try to stop some traffic between other device in the same VLAN (and of course it does not work)! So only explanation is on the Raspberry... (Or maybe on the Wifi access point that is definitively between the computer A and the Raspberry ;-)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.