Redmine has been updated to reflect the testing done by @mcury so there is official guidance regarding treating this set up with dynamic routing.

I would take it a step further and make the declaration that if your firewall is running dynamic routing protocols (BGP/OSPF) then disable reply-to system wide and make sure you are using floating state policy. I wouldn't do it on a per-rule basis as that's not scalable - prone to error as you miss a rule with those advanced options set.

The bridge members are supposed to be 'learning', that's normal.

What firewall rules do you have?

How is the bridge filtering configured?
https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html#bridging-and-firewalling

How are you testing?

Hmm, it appears lsof is a dependency of Telegraf: https://github.com/pfsense/FreeBSD-ports/blob/devel/net-mgmt/pfSense-pkg-Telegraf/Makefile#L17

How do you have it configured?

@periko what version of pfSense is this for? I think that the new version of Squid makes it such that cachemgr.cgi no longer works. I have not attempted this inside the new package. If you are running older software like 23.05.01 with Squid 5.8 it works. Sorry.. It did the same for me on pfsense version 24, some code needs adaption for this functionality to work again.

Ok try running: ls -ls /usr/local/etc/pkg/repos

That should show a symlink for pfSense.conf that points to the selected repo like:

24.03-RELEASE][admin@plusdev-4.stevew.lan]/root: ls -ls /usr/local/etc/pkg/repos total 1 1 -rw-r--r-- 1 root wheel 25 Apr 19 2024 FreeBSD.conf 1 lrwxr-xr-x 1 root wheel 55 Mar 18 12:49 pfSense.conf -> /usr/local/etc/pfSense/pkg/repos/pfSense-repo-0003.conf

When you change the update branch in the webgui that symlink should be updated.

Then if you check that repo it should be 24.11 like:

[24.03-RELEASE][admin@plusdev-4.stevew.lan]/root: cat /usr/local/etc/pfSense/pkg/repos/pfSense-repo-0003.conf FreeBSD: { enabled: no } pfSense-core: { url: "pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v24_11_amd64-core", mirror_type: "srv", signature_type: "fingerprints", fingerprints: "/usr/local/share/pfSense/keys/pkg", enabled: yes } pfSense: { url: "pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v24_11_amd64-pfSense_plus_v24_11", mirror_type: "srv", signature_type: "fingerprints", fingerprints: "/usr/local/share/pfSense/keys/pkg", enabled: yes }

I'm guessing your install is not showing that for some reason.

@ErrorHandler I’m not familiar with the game setup, but, see if your ISP router allows setting pfSense as its DMZ. This forwards all inbound packets to pfSense.

If the game requires uPnP, pfSense supports that, it’s under Services.

@Bob-Dig Thanks for the reply. Subsequent error messages appear to show the SMS is being blocked as spam.
(AUP = Acceptable Use Policy, CNCT = Concurrent Connections, MXRT = Max Rate)

Final-recipient: rfc822; XXXXXXXXX@mms.att.net Diagnostic-Code: smtp; 421 att-e2xms-ibgw-6001a.ext.cloudfilter.net cmsmtp 96.102.19.37 blocked AUP#CNCT Final-recipient: rfc822; XXXXXXXXXX@txt.att.net Diagnostic-Code: smtp; 451 4.2.0 <XXXXXXX@comcast.net> server temporarily unavailable AUP#MXRT

I likely have a ton of messages in queue and will wait for them to fail out and before testing again. Just leaving this for anyone who is having similar issues. Searches found many instances of this problem with other providers.
For example.:
Anyway, thanks again for the comments.

@Hyperion_Cyber Run an update in pfBlocker.

In general devices need to use pfSense and not DOH/DOT for DNS, or they bypass blocking. pfBlocker has a checkbox in DNSBL to block that.

@Bob-Dig

I found other configuration examples on GitHub: https://github.com/a4649/wireguard-multi-site

In this example, site A is the "hub". In each "spoke" site, the AllowedIPs contains the remote LAN of all other sites and the tunnel interface of the hub instead of the entire tunnel network. So it seems to me that it is not a "requirement" to have the entire tunnel network specified in the AllowedIPs in all the "spoke" sites.

The use case you mentioned is indeed very rare, but I couldn't really think of other reasons why the entire tunnel network is specified in each remote office's AllowedIPs setting.

@Maxpower said in Issue with ACME Certificates Refresh & Restarting HAProxy:

For this, I have configured the command /usr/local/etc/rc.d/haproxy.sh to restart HAProxy, as its described in the GUI

What exactly did you do here ?
Can you go into detail ?

I edited one of my DNSBL groups :

c32c8394-4a11-4916-b7f9-4fca099b6f91-image.png

and I've added, like you :

55f65d56-e053-456b-9da9-f9f02605ef18-image.png

I reload everything :

6617f34e-5132-4aa5-859b-b2a6adff3b65-image.png

On my test PC (192.168.1.6), I flushed my PC's DNS cache - just to be sure.
Now, the test :

a1406ebb-f5e4-47fc-86b7-c5abf21fb1a5-image.png

for the domain dnsbltest.com : same result.
My browser was unable to resolve both never.com and dnsbltest.com.

It's normal that an "browser error" is shown, and not the :

183d3533-fd19-4d9e-85d3-42c1b8f88bee-image.png

because "10.10.10.1" would only work for non TLS (non https) web access.
10.10.10.1 could not intercept https requests.

Looking at the pfBlockerng Alerts page shows that both DNS request were blocked :

1a072383-05a4-47cb-82f9-0c3b964347f0-image.png

@hajun29011 said in dnsbl is not working properly:

https://www.zenarmor.com/docs/network-security-tutorials/pfblockerng

zenarmor ? Who is that ?
Why not using the official docs and/or video's ??
This is a bit vague :

a44524f0-ab7a-4842-abef-e3c13fab6834-image.png

Here : https://www.youtube.com/@NetgateOfficial/videos

@viragomann

Thank you. I am new in networks. I thought that Local Networks means Tunnel network. I inserted 192.168.50.0/24 into Local Networks and it works.

@Gblenn

Hey thanks for replying.
I'm really struggling to make this work

Currently I have a split tunnel network I'm trying to setup here (essentially what I'm describing).

Out of desperation I tried tunneling all traffic from site A to Site B over the WG interface. I created a static route on pfsense (10.1.0.1) of 0.0.0.0/0 to be routed over WG interface and included 0.0.0.0/0 as allowed networks.

On pfsense at site B, I turned off blocking bogon or private LAN addresses.

The resultant however was the same. Site A Clients could all reach clients on Site B (tested with ping and ssh), however no Site A client could connected to the internet beyond the router. (which includes AT&T modem as this device sits on the external side of the WAN nic).

How do I get the WG interface at SiteB to route the connection out the WAN interface? Nothing is showing up being blocked in firewall logs

Sounds good and thanks again for helping out!

The options are still valid; they just can't have spaces between them otherwise it tries to interpret them is new switches.

yo uso este X4E N150 DDR5 lo uso para administrar dos conexiones de 1GB, pfblocker, squid, snort y sin problema, va perfecto, n150 es mucho más rápido que los celeron que menciones

I would still just use the default sizes. And I'd probably just use two drives in a zfs mirror.

@donpablo
You will need some upvotes to be able to attach files. But you could have described you settings with a bit more details.

So did you state the local networks in the server settings?
Or did you check "redirect gateway".

Did you have a firewall rule in place on the OpenVPN tab to allow access?
The wizard should have added it automatically though.

Are you able to ping the LAN IP of pfSense?

I have investigated it, and it turns out there was an exception in the browser so the certificate was ignored.

My solution, befor the certificate on the DydDns server being renewed, is to change https in the URL string to http. This will update correctly.

When the certificate is updated I will change it back to https.
Password is hash 256 so it should be ok to send.

The leak test shows the IPs of the DNS resolver in use. Since you are using Unbound directly it will show your public WAN IP address for any queries sent out of the WAN.

If you set Unbound to use only the VPN connections for outbound queries the leak test will only show the VPN provider. That might cause problems for any service that uses DNS checks, like Netflix for example.