• Removing IP from alias doesn't take effect until reboot

    1
    0 Votes
    1 Posts
    90 Views
    No one has replied
  • Wifi calling being blocked?

    11
    0 Votes
    11 Posts
    4k Views
    M
    I was having issues with this several years ago and eventually gave up and got a cell spot from Verizon, and now I don't have any more issues. I did have to fight with them on the phone to send it for free but they did send it. I know this doesn't help solve our issue but I just want to add my two cents that I too was having issues.
  • Block all websites but group

    2
    0 Votes
    2 Posts
    146 Views
    S
    Hello! One option: https://docs.netgate.com/pfsense/en/latest/cache-proxy/squidguard-package.html John
  • Squid and NAT

    2
    0 Votes
    2 Posts
    272 Views
    S
    Hello! This might be a good starting point for transparent squid with http: https://docs.netgate.com/pfsense/en/latest/cache-proxy/setup-squid-as-a-transparent-proxy.html Not sure you can do transparent with https. You can always set up squid in non-transparent mode for http/https and configure clients manually or via dns/wpad/dhcp/gpo/etc... https://docs.netgate.com/pfsense/en/latest/cache-proxy/wpad-autoconfigure-for-squid.html John
  • Remote Desktop Control

    2
    0 Votes
    2 Posts
    212 Views
    NogBadTheBadN
    Use a VPN, don't use port forwards for RDP.
  • Firewall rules

    4
    0 Votes
    4 Posts
    483 Views
    johnpozJ
    Depends - maybe he wants to serve something to the public.. Can not let the whole world vpn to your network ;) I want to serve up some website to the public, I don't set up a vpn in that scenario ;) But sure you wouldn't port forward to your box that you want to RDP to ;) That would have serious security issues.. I have a port forward to my plex server for example - I can not expect everyone to vpn to access it, while that would be a more secure option. Problem is a user's TV can not vpn, nor do they have a router where we could even set up a vpn even though that would be a much more secure setup. So you compromise and do what you can to allow the access. plex server is isolated from the rest of my network.. I use a different port than the standard 32400, really to just help with the log noise. And I also lock down the port forward to countries my users are in (via pfblocker geoip aliases). I tried just locking it down to their IPs... But this proves to be difficult getting the information from them. And then prevents them from using their devices while traveling.. Say they bring their roku stick to a hotel with them, etc. And when they are on an IPv6 device, they get random IPv4 address via whatever ipv6toipv4 gateway their service is using.. Phones tend to do this quite a bit.. Since many phones are only getting IPv6 addresses.. And even if my plex was served up on IPv6 - been toying with doing that. The source IP would change all the time.. So yes you should always use the most secure way to access your resources remotely.. A vpn is not always possible.
  • Errors from pfBlocker

    3
    0 Votes
    3 Posts
    417 Views
    P
    Agreed. Mine is set to 2000000 and works perfectly
  • dynamic dns blocked locally, works remote - help please?

    4
    0 Votes
    4 Posts
    503 Views
    T
    https://docs.netgate.com/pfsense/en/latest/book/nat/nat-reflection.html Found this... Works like a charm!
  • Firewall rules not working!!

    3
    0 Votes
    3 Posts
    372 Views
    RicoR
    https://docs.netgate.com/pfsense/en/latest/book/firewall/troubleshooting-firewall-rules.html -Rico
  • 0 Votes
    6 Posts
    4k Views
    S
    Hello! https://redmine.pfsense.org/issues/9296 ? John
  • Firewall rules issues

    8
    0 Votes
    8 Posts
    735 Views
    A
    @Grindey said in Firewall rules issues: This is very embarrassing, I am a retired Cisco engineer with 20 years of networking experience and I did not notice that. Well, that's it then... off to the stocks with you! LOL Jeff
  • Pfsense accidentally blocks gmail

    4
    0 Votes
    4 Posts
    1k Views
    GertjanG
    Mail subject line and initial other content of your Google's mail box pisses off squid/guard. Remove the "offending" content or recheck how to white list. (Never used squid myself)
  • How deploy Certificate automation to mobile (IOS, Android) use Squid Proxy?

    12
    0 Votes
    12 Posts
    2k Views
    NollipfSenseN
    @letuanvn said in How deploy Certificate automation to mobile (IOS, Android) use Squid Proxy?: @NollipfSense Thanks for your feedback! I understood Gertjan mean. But it's a manual action. It cannot be done automatically as you're wanting to do.
  • Aliases configuration file

    3
    0 Votes
    3 Posts
    235 Views
    hugoeyngH
    @NogBadTheBad said in Aliases configuration file: Look here Diagnostics -> Tables Thank you.
  • Anywhere but Lan not working

    Moved
    9
    0 Votes
    9 Posts
    348 Views
    stephenw10S
    Static source port outbound is required for a lot of games (which is absurd IMO but....) but some also require UPnP. You may find you still need that. Of course by having the PS4 in a different subnet you are limiting exposure to that only. Steve
  • Cannot SSH to VM in LAN via Internet

    8
    0 Votes
    8 Posts
    310 Views
    stephenw10S
    I feel that pain! If you are able to retest it at any point that would be helpful.
  • IPSEC/OpenVPN disregards firewall rules

    3
    0 Votes
    3 Posts
    181 Views
    F
    Oh, doh, right. When I ping the vpn client the traffic is allowed by my LAN rule and not subject to that ruleset, return traffic I assume is allowed because there is a state established. I see now that the remotes can not initiate traffic if I place rules in 'openvpn'. Thanks.
  • Firewall Files

    4
    0 Votes
    4 Posts
    565 Views
    P
    @johnpoz said in Firewall Files: pfsense is a gui based firewall, all settings are stored in xml file.. While you can edit this - would not be recommended. If you want to view the full set of rules, gui doesn't show everything https://docs.netgate.com/pfsense/en/latest/firewall/viewing-the-full-pf-ruleset.html But if you want a cli managed firewall - you're prob better off looking for different solution. Thanks for your reply.
  • how to get pfsense to Allow this rule

    4
    0 Votes
    4 Posts
    516 Views
    johnpozJ
    And how do you think it's going to work, even if you allow the traffic... How did the syn get to the box without going through pfsense, and now the answer is going to flow through pfsense - so how is it going to get back to the sender. Asymmetrical is BAD... Correct it vs trying to get to work... If you want asymmetrical traffic flow you wouldn't be using a "stateful" firewall.. Draw up how this is connected - and why you think asymmetrical flow is the solution.. Which it's not - never is, never will be.. It's pretty borked no matter how you look at it. Maybe a client will not even accept the traffic even if it gets back... Because it's from a different mac... Either I sent the traffic to mac of my gateway, so traffic should come back from that mac.. Or I sent it to the device, so it should come back from that mac... Again asymmetrical is BAD!!!
  • Openvpn Gateway

    19
    0 Votes
    19 Posts
    2k Views
    S
    Hi, The gateways are up and running so that is not the problem Greetings snellie
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.