  • Cannot reach HAProxy domain over OpenVPN
    0 Votes, 2 Posts, 377 Views
    @task Update: I discovered that adding a manual route to my WAN IP in my device works. I'm trying to make it automatic by using the push command in the OpenVPN Custom Options: push "route X.X.X.X 255.255.255.255" But adding the push route breaks the VPN connection. Any suggestion? Thanks
  • Unofficial WPAD package for pfSense software
    0 Votes, 51 Posts, 17k Views
    @marcelloc I have installed the WPAD package, added the DNS host overrides in the DNS Resolver:
    wpad pfsensedomain.local 192.168.1.1
    wpad
    added the DHCP additional BOOTP options:
    number: 252 type: string value: "http://192.168.1.1/wpad.dat"
    number: 252 type: string value: "http://192.168.1.1/wpad.da"
    number: 252 type: string value: "http://192.168.1.1/proxy.pac"
    pfSense webConfigurator is set to https with webGUI redirect selected. However I am having issues downloading the wpad file:
    http://192.168.1.1/proxy.pac - This site can’t be reached
    https://192.168.1.1/proxy.pac - 404 Not Found nginx
    http://192.168.1.1/wpad0/proxy.pac - This site can’t be reached
    https://192.168.1.1/wpad0/proxy.pac - the pac file downloads
    I seem to only be able to download the proxy.pac with https://192.168.1.1/wpad0/proxy.pac. Am I missing something?
    UPDATE: I had the wpad listen port set to the proxy port 3128; changing it to port 80 now downloads the file.
  • HAProxy basic configuration issue
    0 Votes, 12 Posts, 1k Views
    johnpoz
    The two 00's - is your domain stanmore or stanmoore? You leave your description open, and then you try and hide it in the domain name? So not sure. If your server is 192.168.8.36, then create a host override in pfSense to point whatever.domain.tld to this IP.. Create a CA, then create a cert with this CA. Trust the CA in your browser - and then use that cert on your server. Done.. NO proxy needs to be involved. Makes no sense to use the proxy unless you want outside people to get in, and to be honest you want to offload the SSL to the proxy and not do it on the server. I have a few guides around here about doing just that - let me see if I can dig one up and link to it. Here - walk through I did back in 2019: https://forum.netgate.com/post/831783
    edit: To finish that off.. Here is a CA trusted by my browser.. And here are 2 devices using certs I signed with my trusted CA. Switch and NAS. [image: 1618086861465-installed.jpg]
    Keep in mind that browsers have backed off on how long a cert can be good for - not that long ago you could make them for like 10 years and be done with it. But now browsers can have issues with certs valid longer than say 1 year: https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/ So for your certs you can only do them for that long - or your browser will complain - some of mine were done before those changes went into effect..
    Other advantage of just doing it this way - is you can add in IPs into the certs via SAN, and then either name or IP works and your cert is trusted. Switch via name or IP: [image: 1618087230992-switch.jpg]
    Notice in the cert for my NAS above - it lists subject alternative names for nas.local.lan and 192.168.9.10
  • Lua scripts in HAProxy - help!
    0 Votes, 3 Posts, 1k Views
    senseivita
    @lgwapnitsky No, I moved to a dedicated host for HAProxy and just about to deploy I realized it doesn't have that robust of support for directory accounts. I use Active Directory. Also, since I asked, pfSense 2.5 came out and it's got a ton of new stuff: it now has the current (or very close to current) HAProxy, supports TLS1.3. I'll try again and come back if I'm successful, good luck to you too! :)
    PS: If you're open to alternatives for authentication, take a look at Keycloak from (backed by) Red Hat. It does federation, clustering, it provides many clients (to integrate with). OpenID Connect, OpenID, LDAPS, SAML, hardware keys/tokens, socials, SMS, you name it, it does it all and it doesn't even need installation, you just run the WildFly (or Tomcat/JBoss/etc..) servlet. Just charge an iPad 'cause you'll be doing plenty of reading. It's not hard though. :)
  • Bypass MITM for specific domains
    0 Votes, 1 Posts, 328 Views
    No one has replied
  • SquidProxy 0.4.45 + SquidGuard 1.16.18 periods of loss of connection
    0 Votes, 1 Posts, 295 Views
    No one has replied
  • Squid + SSL Splice All + Office365
    Moved
    0 Votes, 7 Posts, 2k Views
    periko
    @sweety which version u have (squid and SG)? Can u show Bypass Proxy for These Destination IPs? Can u show the advanced options from squid (Integrations)? Regards!!!
  • (SOLVED) SquidGuard 1.16.18_17 Not Filtering pfSense 2.5.
    1 Vote, 3 Posts, 637 Views
    periko
    @viktor_g excellent, thanks.
  • SquidGuard 1.16.18_15 doesn't filter content in mixed auth mode
    0 Votes, 7 Posts, 953 Views
    @viktor_g Updated, category filtering now works well. But still there is something broken: In the past, when I added/removed a user from a group ACL, it was enough to just press Save & Apply. But now I have to restart the SquidGuard service to apply the new membership.
  • E2guardian does not initiate service
    Moved
    0 Votes, 1 Posts, 358 Views
    No one has replied
  • SquidGuard Disable "Groups ACL" does not work, bug?
    3 Votes, 23 Posts, 3k Views
    @viktor_g Updated this morning and tested now, so far it is working fine as it was in 2.4.5, thanks @viktor_g .
  • Bug when importing backup
    Moved
    0 Votes, 1 Posts, 260 Views
    No one has replied
  • HAProxy SSL setup plus filtering URLs
    0 Votes, 3 Posts, 785 Views
    @piba Okay, thank you for confirming. I will go with decoding and encoding the traffic. Blocking the traffic at the first possible stop and having one central place for the configuration seems the better option (for me).
  • HAProxy + Laravel Socialite (Google/Facebook)
    0 Votes, 1 Posts, 411 Views
    No one has replied
  • Call of webserver and/or nextcloud server blocked in LAN/WLAN
    Moved
    0 Votes, 10 Posts, 1k Views
    johnpoz
    What is your phone using for DNS, if not resolving the public fqdn you're using? DoH - DNS over HTTP, you've been sleeping in a cave the last couple of years? You hear about the global pandemic? ;) DoH and DoT (DNS over TLS) are the latest craze to get you to send your DNS to the big players, while telling you it's more secure.. Because that big bad ISP of yours won't see your DNS queries.. Oh my gawd - they know you looked up amazon.com ;) Even though they still know you went to the IP of amazon, and hey your https connection sent an SNI that told them you're going to amazon.. But oh my goodness - let's hide the DNS query from them.. Anyhoo - browsers like to turn it on by default.. Phones for sure do, etc.. So if your phone is doing that it wouldn't be using your local pfSense DNS to even see your host overrides.
    Also phones like to not use your local DNS - Android is big on this.. you know they know better and even though you tell them via DHCP to use the pfSense IP for DNS, they like to use 8.8.8.8 anyway. If that is the case and not doing DoH, you can just redirect the DNS query going to 8.8.8.8 to pfSense. https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
    One way or the other you really need to pick your poison here.. Do you want haproxy to send the traffic.. So your clients use the public IP to try and access. If you're doing that you do not use NAT reflection.. NAT reflection is for port forwards, not reverse proxies.. Either or - if you're using host overrides - devices on your local network using your local DNS would never hit your WAN/public IP to either be reflected or proxied.
    So your phone is on your wifi - right? And this is not behind some NAT router doing your wifi? It's on one of your lan1 or lan2 networks?
    Also why are you hiding RFC1918 addresses? Nobody gives 2 shits if you're using 192.168.1 or 192.168.23.. They are all private.. They don't tell anyone where you're at, and sure as hell can not get to your network via that address.. I use 192.168.9/24 on my lan, and my current pc is 192.168.9.100.. Does that tell anything that you could use to do anything to me, or find out where I am, or anything? I use 192.168.9/24, and 192.168.3/24 for my dmz network - hey I have an ntp server open to the public on 192.168.3.32.. There is zero reason to hide or obfuscate RFC1918 space.. My nas is at 192.168.9.10, and I'm also using 192.168.2 and .4 and .5 and .6 and .7 for other vlans.. And I also have a 192.168.10 network I use as a san between my pc and nas that uses 2.5gbps interfaces.. But since I do not have a 2.5gbps switch I have that set up as a san.. Does any of that info really give away anything? It's RFC1918 - everyone on the planet is using it.. It doesn't route over the public internet. Is your wan of pfSense actually public, ie not an RFC1918 IP? 10/8, 192.168/16, 172.16/12 - pick your poison.. If you're using haproxy there is little need for host overrides pointing the public fqdn to your RFC1918 IP..
  • HAProxy service delayed start after switching to Backup server
    0 Votes, 2 Posts, 385 Views
    @dr1m Running on memory here.. afaik haproxy is 'subscribed' to CARP events, and as such should be able to start soon after becoming master.. https://github.com/pfsense/FreeBSD-ports/blob/084b4ad9f65198720720f84d04eeed7c441ed49c/net/pfSense-pkg-haproxy/files/usr/local/pkg/haproxy.xml#L52 Don't have time to check why that might fail now.. way past bedtime already here.. As for having haproxy run on both nodes, there isn't much of a downside besides that 'healthchecks' will be fired from both haproxy instances and might increase the load of the webserver a little bit..
  • Get A+ on ssl labs test?
    1 Vote, 10 Posts, 2k Views
    kiokoman
    @johnpoz yup, I had the default 2048, bumped to 4096
  • Saving HAProxy config causes config restore
    Moved
    0 Votes, 3 Posts, 555 Views
    viktor_g
    Redmine issue created: https://redmine.pfsense.org/issues/11680
  • pfSense, HAProxy, Remote Desktop Gateway - Frustrating
    Moved
    0 Votes, 2 Posts, 583 Views
    Please elaborate. No one would be able to help if the problem isn't well described.
  • pfSense + HAProxy + Layer 4
    0 Votes, 1 Posts, 508 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.