His point is caching of http or https traffic in the hope of speeding it up for local access is pretty pointless. Unless your doing mitm on your https, there is nothing to cache. And http is pretty much gone anyway - and even if just http, its dynamic generated sites.. There is really nothing to actually cache. The browser caches stuff anyway that can be cached - since its on the end of the https tunnel.. Other than filtering traffic, there isn't much to thinking your going to cache all that much data with your proxy these days. Its not like the client is going to be downloading the 20KB logo image of some website 100 times a day.. The browser will cache that, etc.

Go to Diagnostics - States and reset your states. Existing states are not affected by a block rule change.

@hcurren Why not configure the IP of the docker machine as DNS server for the DHCP pool?

@nateliv Stay away from the Load Balancer because: https://redmine.pfsense.org/issues/9386 If you must have your load balancer on pfSense, HAProxy is the way forward. You can put one certificate on the front end and it can load balance X backends.

Which device has the issue? PC, android or iPhone?

@rainbowHash said in HaProxy Postfix ssl offloading: where to configure the haproxy backend on Pfsense to enable the send-proxy option You can manually write such a option in the advanced server pass-tru options text field. Either per server separately if you edit a server and expand the extra options part of each server. Or in the the box that applies 'to all servers' in that backend.

Thanks i was just wondering

not for https sites as far as i know. does duckduckgo have a dns safe mode?

@kiokoman Thanks!

under windows you can also modify C:\Windows\System32\drivers\etc\hosts and add it there

@KOM Thank You for the effort. At least I know it can't be done.

Try this setup a WPAD (make web browser use it ) Manual configure any device that cannot use a WPAD Use transparent proxy with MITM splice all to catch the rest https://forum.netgate.com/topic/100342/guide-to-filtering-web-content-http-and-https-with-pfsense-2-3/178

You need to monitor it, see where it's really going and then block that.

@lido14 'Normally' IPFW is not running when only pfSense is used without captive-portal.. The quickest fix is probably to give pfSense a reboot.. Haproxy loads and configures IPFW if it 'needs' transparent-client-ip with its current config settings.. If none of the backends require this the IPFW related configuration code is likely completely skipped. It does not remember that it still needs to disable the old ipfw settings.... I guess i need to set a little 'flag' that transparent-client-ip was used and check that to remove the last rules if the current config doesn't use it anymore.. I'm not sure if unloading ipfw itself is possible.. i think there was a issue there...

Will be nice to learn how to do it both ways - using haproxy and just using the internal CAs as @johnpoz proposes. I went the haproxy route and couldnt get it to work. I have the certs issued and haproxy setup. Perhaps @Renat you can provide a guide how to do it and I will see if that can get me over the hump since I have already done most of the steps? ( some screenshots of haproxy setup). Also anything has to be done on the synology side?

It shouldn't cause any problems, but if you're unsure then wait until there is low traffic and then try it. It's easy enough to revert.