• Firewall Rules not applying to http traffic

    firewall rules gateway routing
    0 Votes
    9 Posts
    1k Views
    @jack7076 transparent squid does not work with policy routing. Squid binds to wan. Policy routing is done before it reaches wan
  • Max. src. conn. Rate not working

    0 Votes
    18 Posts
    2k Views
    @heper I understand now! Didn't know that the new connections need to be established. Thank you very much! Is there a way (besides snort/suricata) to achieve what I did with iptables? Thanks again!
  • 0 Votes
    9 Posts
    507 Views
    Well, if anyone wants to check it out: https://github.com/imthenachoman/pfSense-Firewall-Rules-Manager.
  • Firewall rules for VLANs

    0 Votes
    2 Posts
    369 Views
    This will be helpful. Read through the entire firewall section. There are also practical examples in the documentation. https://docs.netgate.com/pfsense/en/latest/firewall/index.html We'll be here to answer specific questions when you're ready. Screen shots of your rules are almost always needed to help debug. pfSense does ingress filtering by default. On the LAN network any rules are evaluated as packets enter the network from clients on that network, for example.
  • LAN Interface not replying to ICMP Request from WAN Network

    0 Votes
    34 Posts
    4k Views
    johnpoz
    A transit network is just a network that connects routers that has no hosts on it.. So pick a network, 172.16.0.0/30 works.. No need for more address. And connect the 2 routers with it.. This can be physical network, or just a vlan.. Here.. [image: 1611752379753-transit.png] It removes the asymmetrical traffic flow.. When you have hosts on your transit, that do not do host routing for the downstream network. Or when the downstream router is not natting you run into this. [image: 1611752670121-asym.png]
  • LAN to LAN Performance

    0 Votes
    7 Posts
    835 Views
    @brephil Maybe it created a loop? The best test for iperf is not against pfSense, but through it. Put a device in the LAN and another in the WAN and do iperf between those two devices.
  • DynDNS and host (rdp)

    0 Votes
    6 Posts
    632 Views
    Gertjan
    @pietro-morre said in DynDNS and host (rdp): I set them as "client" You're in luck. The VPN section also has a VPN client. So you can connect one pfSense to another pfSense etc etc. And guess what : There are videos about that too ;) @pietro-morre said in DynDNS and host (rdp): use 3 classes of ip (1 in the openvpn server and the other 2 clients) without any problem? (all 3 are set with 3 different DynDns. The two clients don't need a DynDNS. Only the server. The server is like a ...... server - a web server ! - it waits. Just waits, until someone connects to it. This "someone" can be a phone with OpenVPN client or a PC with OpenVPN or pfSense with OpenVPN client. These have to know your hostname (your DYNDNS URL), that's all. And that will be the WAN IP of your OpenVPN server. So, yes, why not, two or more OpenVPN pfSense could all connect to an OpenVPN server, also a pfSense. Btw : before you ask : No, you won't be able to 'see' all the devices in all the networks on all the sites in the Windows Explorer. But you will be able to use IPs or host names and use these to connect to other devices, local, or remote, all over VPN tunnels. So, have a look at some serious videos about what DNS is really about. Time to leave the state where you think you understood it, now you have to know. Or just stick to IPv4 and it will plainly work. Troubles will arise when everything shifts to IPv6....... ;) Good to know : interconnecting two networks : Your LAN network on site A has 192.168.1.0/24 Site B - its LAN, can't be 192.168.1.0/24 - it should be another RFC1918, like 192.168.2.0/24 Site C should have a different LAN, also 192.168.3.0/24. The tunnel network, used by the VPN server, should be different again like 192.168.254.0/24 You will probably also have to refresh the knowledge about what a router is / does - what routes are. 
Example : On site B you should 'inform' your pfSense that the network 192.168.2.0/24 and 1982.168.2.0/24 goes over the VPN, the rest, by default, goes over the default gateway == your internet access. Same : on Site B you have to inform the system that the network 192.168.1.0/24 can be reached over the VPN. The rest over the default WAN. Etc. Myself, I use my VPN just as a road warrior access - never tried to connect sites together. That is, I can connect from my home to my work, and then use/connect to all work LAN devices. That's already bad enough.
  • pfsense / iredmail issue

    0 Votes
    3 Posts
    792 Views
    Gertjan
    @wits-end said in pfsense / iredmail issue: The webmail interface is accessible from outside, but not from inside unless I use the IP address. On the unbound / resolver page, at the bottom, add a domain override. Add the domain as you use it when connecting from the outside. Like : [image: 1611647438940-76cbd431-b690-41ee-8351-69f8e054e49f-image.png] where the IP is the IP of your mail server. Or use the IP directly with your devices/programs locally, as DNS is just for humans, programs work with IPs. @wits-end said in pfsense / iredmail issue: When there was just the old Asus router, I was able to connect using the FQDN and it allowed webmail, outlook, and phone from both inside and outside. Yeah, if a host name like "mailserver.my-local-domain.tld" can't be resolved locally ( actually strange : your local DNS resolver doesn't know who "mailserver.my-local-domain.tld" is, or its very local .... you should have informed it ^^ thus the override ) it will get resolved upstream, because you probably used a DDNS method, or defined it directly manually in the my-local-domain.tld zone with your domain's registrar. This one will give back the WAN IP. That's like being in the kitchen, going to the toilet, using the front door of the house. It might work with some ugly (built in ?) NAT-like hacks. pfSense doesn't implement this method - although it can be done, I think - not sure. Anyway, there is a better solution.
  • IOT VLAN Firewall Rules Feedback

    0 Votes
    5 Posts
    590 Views
    Thanks again @hieroglyph . I've added rules for both NTP and DNS for This_Firewall destination. Appreciate the feedback.
  • Need help with firewall rule

    0 Votes
    5 Posts
    501 Views
    Thanks for your help. I'm all set now.
  • pfsense ipset

    0 Votes
    3 Posts
    1k Views
    johnpoz
    While I was going to suggest that - it's not really the same thing as ipset. But ipset ties in with iptables, and pfsense doesn't use iptables - even if it has dnsmasq.. But yeah it's the closest thing.. But what is kind of kewl with ipset, is you can set netflix.com - and then anything.netflix.com would be in the rule. I don't believe, off the top of my head, there is any way to do that with aliases.. You have to be able to resolve the fqdn, or use a list of ip/netblocks..
  • Sg-2100 vlan setup no internet

    0 Votes
    8 Posts
    1k Views
    @teamits and that was it. It's working now. I had turned off tagging on 5 earlier on opt 1 because I saw that the default lan didn't have 5 tagged. Probably every time I did the setup there would always be one step I messed up because on other attempts I had it tagged properly. Anyways it's working now, thank you!
  • pfsense tcpreplay

    0 Votes
    2 Posts
    392 Views
    NogBadTheBad
    @nachofest I think you can do it using Wireshark. https://osqa-ask.wireshark.org/questions/48871/how-can-i-replay-a-tcp-packet-captured-by-wireshark
  • PfSense Firewall/System/Package Manager/Available Packages

    0 Votes
    1 Posts
    182 Views
    No one has replied
  • Sticky-address cannot be redefined

    0 Votes
    1 Posts
    264 Views
    No one has replied
  • IPv6 outbound fragmentation issue - appears to be pf related

    0 Votes
    10 Posts
    1k Views
    @asdjklfjkdslfdsaklj I'm still having this problem. Like in the original post, I've tried it with scrub disabled etc. with no luck. Before, it would work when pf was disabled, which led me to think that it was an issue with pf (maybe something like https://redmine.pfsense.org/issues/8165), but now it doesn't seem to work even with pf disabled.
  • Problems getting Coturn TURN server to work outside of LAN

    0 Votes
    5 Posts
    3k Views
    I am facing the same problem. Could you show me your rules? I can't get it right :-(
  • Using PfSense as a GeoIP filtering appliance ONLY

    0 Votes
    10 Posts
    2k Views
    Gertjan
    @azon2111 said in Using PfSense as a GeoIP filtering appliance ONLY: self-hosted email where it actually thwarts quite a bit of spam messages I know all about that one. Back in the 'good old days' I once said to myself : I want to have my own domain names (private and company (a hotel)) and take care of my own mails, as using a mail server from somewhere else binds you to the mail reputation of the host. Shared mails can be great, and the next day you can't mail to gmail, or yahoo, or whatever. Or the other way around : one of the biggest (Belgium) mail suppliers, skynet.be (don't laugh) was often blocked, me not being able to do anything about it. So I went for the 'do it myself'. What I did : tell postfix to be far stricter than 'default' : for the incoming mail : No reverse host name ? => Hang up the phone. => You say "Paul' but your reverse lookup says "Jack" >= assign a big penalty to start with (this one has an identity crisis / split personality / other issue ) No SPF ? => assign a big penalty to start with. No DKIM ? => assign a big penalty to start with. No DMARC (and IPv6) => assign a big penalty to start with. Mail with added files that are forbidden, like exe, com, docx, etc etc ? => Drop it. Then, with the already scored penalties, filter through spamassassin. And amavis - and razor. And more. If the mail is a winner => off to the spam box it goes. We have a guy called fail2ban that analyses the main postfix mail log 24h/24. For every mail that comes in, if the simple server to server transaction 'stinks' or the mail looks like spam, that mail server gets blacklisted at firewall level. This is the result. And this one to check for the reason why, as SSH connects, Apache2 connects etc. are also treated. Check out the "Postfix" tab for more details. 
After more than a decade, me doing close to nothing these days, 80 % of all mail is stopped right at the doorstep - reduced to a line in the mail log : Like : 2021-01-21 16:10:10 postfix : From host a.b.c.d : Hi - and bye. Take note : for me, blocking IPs based on a country is not possible, as our clients are from all over the world. Example : last month, some agency called Expedia (States based) started to use a bunch of IPv4, formerly known as "from Pakistan ....". What also happens is : I get mail from Egypt, Cairo. From a friend. Lives in Germany. Who forgot to shut down his VPN (he has a complicated life and many issues with things called "torrents"). Geoip IPv6 database will probably never exist as the one wouldn't fit in our galaxy. 25 of all our incoming mail is IPv6. And as said in another thread this morning : my first IPv6 are already banned. Btw : I even added some domain names used by friends to my mail server, as I knew they would send and receive a lot of mails. That was just perfect to auto-train my anti spam AI. All this beauty is available off the shelves, free, and keeps working over time. I use a dedicated IPv4 and IPv6 for each domain. This is VERY important. Also : self-hosted means for me : a 50 $ / month dedicated server in a big data center, as hosting behind an ISP line (our case) is a big no-no.
  • Locking device to static mapping

    0 Votes
    8 Posts
    835 Views
    bmeeks
    @gil said in Locking device to static mapping: @bmeeks Thanks for the info. I appreciate the point you are making You do still have some options, albeit they require more work on your side. My idea with VLANs and multiple SSIDs on wireless will work, but you need VLAN-capable switches and wireless APs. Also the ideas put forth by @gpfsenser will work.
  • Receiving duplicates packets for the radius request in Pfsense

    0 Votes
    1 Posts
    138 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.