• No traffic under LAN3

    0 Votes
    9 Posts
    357 Views

    @Uglybrian Thank you so much. My LAN3 is working now.

    I had a similar setting to yours:
    (screenshot attached)

    So changing the "Kea DHCP" to "ISC DHCP (Deprecated)" has fixed the issue?

  • Firewall rule issue

    0 Votes
    5 Posts
    316 Views

    Thank you both! This was exactly the issue; subnet was configured incorrectly on the device at 192.168.20.4! Thank you!!

  • error(s) loading the rules: pfctl: DIOCADDRULENV: No such file or directory

    0 Votes
    17 Posts
    1k Views

    @clawsonn In my case, I had a bad WAN connection that was triggering this issue. It was also making HAProxy crash. As soon as I disabled that WAN (it was a 4g backup), everything went back to normal.

  • pihole and VLANs...

    0 Votes
    1 Posts
    117 Views
    No one has replied
  • Floating States on outbound traffic

    0 Votes
    1 Posts
    134 Views
    No one has replied
  • Safe isolation of device under forensics analysis

    0 Votes
    3 Posts
    328 Views

    @Terho said in Safe isolation of device under forensics analysis:

    Any other ideas anyone? How to keep danger for my examination laptop minimal?

    Use a VM, snapshot it and connect that, rather than the host laptop, to the isolated VLAN. Probably easier to accomplish if you use the laptop's ethernet.

  • Allow inbound IPv6 traffic for specific host, how?

    0 Votes
    9 Posts
    471 Views
    Gertjan

    @flo-0

    Good for you 👍

    www.amazone.com www.cnn.com www.whitehouse.gov www.apple.com www.microsoft.com www.netflix.com, to name some big players, all switched.
    google.com adopted it years ago.
    Others, like twitter or truthsocial.com, still have issues .... ^^

  • 0 Votes
    5 Posts
    288 Views
    Gertjan

    @socrateberserk said in If this is not the right place to post my question, please direct me to the correct one.:

    I am unable to properly configure pfSense to allow the use of the SSH protocol

    What pfSense does is: routing and firewalling IP packets.
    These packets might contain, in the so-called payload, fragments of the mail you send or receive, a web page that a web server is sending you because you requested it, or a DNS answer from a DNS server you've requested zone info from.
    The SSH protocol is the description of that payload. And because it's SSH, the payload is, for pfSense, a completely random set of bits, and pfSense can't do anything with it, as it is encrypted.
    All this boils down to: pfSense doesn't care about the payload. It doesn't use or 'touch' the payload.

    Out of the box, when you installed it, pfSense behaves like any other firewall router out there: it has a WAN, a LAN, and everything from LAN passes to the WAN.

    pfSense itself also contains an SSH 'server' so you can connect to it. By default, it's disabled.

    I can connect to my web server, a server rented in a data center somewhere in Paris, from a PC connected on the pfSense LAN, just fine.
    And the other way around also works: the same server can connect to my Syno NAS on my pfSense LAN as well. I opened up the IPv4 port 22 on my WAN with a NAT rule (I've set the source address to the IPv6 of my server). So this is secured.
    For IPv6 things are simpler: just a pass firewall rule, IPv6 destination is the IPv6 of my NAS, destination port is '22' and source address is also set == the IPv6 of my server, so also secured.

  • Redirecting all DNS to pihole does not work :(

    0 Votes
    10 Posts
    739 Views

    @abesh

    I have pfSense set to use an external DNS server and I'm running unbound in resolver mode.

    (screenshot attached)

    DNS Resolver:

    (screenshot attached)

  • pfSense Firewall rules don't seem to have any effect ?

    0 Votes
    19 Posts
    1k Views

    @AndyRH Awesome! Thank you :) Isn't the setup then sort of similar to the one that I started with?

  • Email Client times out trying to reach mailserver in lan

    0 Votes
    18 Posts
    829 Views

    @TomNick said in Email Client times out trying to reach mailserver in lan:

    Mine is on default, still not working

    "default" means "System default". If this is set in the NAT rule, the setting in System > Advanced > Firewall & NAT > NAT Reflection mode for port forwards is used.

  • IPv6 forward an address, GUA, ULA etc. between VLANs

    0 Votes
    4 Posts
    344 Views
    JKnott

    @snippem

    You might consider static addresses on ULA, though I haven't tried that. Unfortunately, pfSense doesn't filter on MACs, at least not in CE.

  • Firewall log spamming

    0 Votes
    5 Posts
    313 Views

    @Antibiotic it's a new "feature":

    https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html#packets-with-ip-options

    You can create a rule above the default allow rule, to block it and not log it:

    (screenshot attached)

  • Missing rule and alias

    0 Votes
    2 Posts
    163 Views
    JonathanLee

    @konacat Under LAN it should show an outbound rule. Make sure you make rules for web traffic and all the ports you need, and once that is done, delete the pre-configured rules.

    Reference this:
    https://docs.netgate.com/pfsense/en/latest/firewall/configure.html

    Keep in mind you need your firewall to be accessible to reach the GUI for admin needs. If you mess up that rule, it is OK: you can console in and set it back.

    If that happens
    Reference this:
    https://docs.netgate.com/pfsense/en/latest/troubleshooting/locked-out.html

    If you are looking for NAT (network address translation):

    Reference this:
    https://docs.netgate.com/pfsense/en/latest/nat/outbound.html

    Also last one for aliases...

    Reference this:
    https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html

    Hope that helps. I would work methodically: first make a rule for the GUI so you don't get locked out, and after that make a list of needs and create rules for it.

    Keep in mind WAN will block everything inbound unless it originated from LAN going outbound (requests and their return traffic). It is really secure by default. Again, you can really lock it down like Fort Knox if you want and protect the Heidelberg printing presses (hypothetically speaking).

  • 0 Votes
    2 Posts
    455 Views

    OK, I don't know why, but when testing it this weekend it was working. I did not change anything, nor did I reinstall and do a fresh setup.

    Would this have to do with the static routing that was set up previously, where the device it was pointing to was removed the same day it was set up, until recently when the client went over to the new system and it was installed again? I mean, it makes sense that the PBX server was speaking to the firewall and the firewall was pointing to a device on the network that was not available.
    NAT is now disabled and siproxd is kind of set up.

    I'll arrange to test disabling the DNS rebinding check and the preferred workaround, and the same for Browser HTTP_REFERER enforcement, and get back on whether it works now. Though the client registration check for the app was an issue even before static routing was set up.

    Please let me know if there is clarity needed.

  • pfBlockerNG Rules - Are IP and DNSBL Rules Combined?

    0 Votes
    4 Posts
    393 Views
    provels

    @bitperfect I run Pihole on a tiny VM ahead of pfB. Clients look to the Pi, the Pi looks to pfB/Resolver. With the blocklists I have enabled there, this is blocked, plus whatever else pfB does. It's amazing everything still works!

    (screenshot attached)

  • Firewall - Block by Default Deny rule

    0 Votes
    9 Posts
    616 Views
    johnpoz

    @eeebbune While you might have had some sort of state table issue, there is no way the source IP of traffic into an interface is going to be its own address when you're trying to talk to it from a device on that network.

    Glad you got it sorted, but that rule you posted of mgmt address with desc allow to reach internet makes zero sense..

  • Having trouble loading certain web pages after moving to pfsense

    0 Votes
    9 Posts
    327 Views
    johnpoz

    @Gertjan which is exactly my point ;)

    Yeah stated as such

    have no IPS, proxy, or squid running,

  • Fortclient not connecting over PfSense

    0 Votes
    18 Posts
    2k Views

    @phoenixfsense I know it's been a while but I'm experiencing the same issue. I was wondering if you were ever able to resolve the issue and what you did? Thanks.

  • Aliases don't give ips

    0 Votes
    2 Posts
    151 Views
    johnpoz

    @Shuldyk-Andrii said in Aliases don't give ips:

    I've tried to add 40 000

    You want pfSense to resolve 40k FQDNs to their IP(s).. Yeah, that seems unlikely to be a good idea..

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.