• 0 Votes
    15 Posts
    218 Views
    JonathanLeeJ

@johnpoz This even does this with the newest CE edition inside of a UTM virtualized environment, outside of the 2100s.

    Screenshot 2025-07-17 at 10.15.51.png

It is not just the 2100s. This is set up for standard stuff; everything else works with it, it is just the status page.

  • 0 Votes
    1 Posts
    387 Views
    No one has replied
  • 0 Votes
    33 Posts
    4k Views
    JonathanLeeJ

@johnpoz I know KISS, but I think the issue is I have MAC for all sources and none for the ffffffffffff broadcast set up... maybe it's now blocking that in 23.09.

So I should have each interface have an approved ffffffffffff MAC address also.

  • Squid and ACLs

    Cache/Proxy
    19
    0 Votes
    19 Posts
    4k Views
    JonathanLeeJ

@mcury I also had to disable some Ethernet rules that all of a sudden showed a lot of activity.

    Screenshot 2023-12-16 at 8.38.44 AM.png

  • 0 Votes
    27 Posts
    6k Views
    JonathanLeeJ

Could it be set flags SYN ACK? And/or state type keep or sloppy?

  • 0 Votes
    55 Posts
    16k Views
    HLPPCH

@JonathanLee I block DNS over HTTPS to the firewall using unbound because I have unbound running DoT. My solution to the Nintendo griping about DNS was to route it out to 1.0.0.2. I was also having issues with unbound using the ephemeral ports I was using, interrupting my sensitive CoDel games, so I had to change localhost's NAT outbound.

  • 0 Votes
    5 Posts
    794 Views
    JonathanLeeJ

    Screenshot 2023-06-15 at 2.40.04 PM.png
(Blocked IPv6 as my ISP does not hand out IPv6 addresses, only IPv4.)

    Per Netgate docs
    "Ethernet rules can use Aliases for L3 source/destination matching but there is no support for MAC Address aliases at this time."

    This works and shows traffic. Each IP has its MAC recorded into the rule.

Working config: Squid, SquidGuard, Snort, Lightsquid, Auth-NTP, DNS over port 853, ClamAV, UPnP for Xbox alongside floating queue CoDel. This is functional and other ACLs are still working with this version. I have set the top line to block out all IPv6.

Test now running for 24 hours, no issues.

  • Squid ACL regex

    Cache/Proxy
    2
    0 Votes
    2 Posts
    943 Views
    JonathanLeeJ

@ciconet Here is how I did this; keep in mind I have approved specific sites to only be spliced and not use MITM mode for those.
First:
Create an advanced config like this,
Screenshot 2023-05-21 at 11.42.45 AM.png
Second:
Populate your file with the URLs you want to splice.

    Screenshot 2023-05-21 at 11.44.42 AM.png

  • HAProxy - route by domain name

    pfSense Packages
    2
    0 Votes
    2 Posts
    1k Views
    N

    @nasheayahu said in HAProxy - route by domain name:

    wwwkohanyimcom Host matches: no no www.kohanyin.com
    kohanyimcom Host contains: no no kohanyin.com

    I found the problem, my domain was spelled incorrectly... 😧

  • HAproxy-Devel config GUI bug

    Cache/Proxy
    1
    0 Votes
    1 Posts
    607 Views
    No one has replied
  • HAPROXY ACL match host and path

    HA/CARP/VIPs
    5
    0 Votes
    5 Posts
    6k Views
    C

That looks like the solution.

    Thank you for the quick response

  • 0 Votes
    6 Posts
    2k Views
    DaddyGoD

    @dr_tech said in Possible to block certain websites using URL ?:

    Is such a provision available ?

    Yes, I thought pfBlockerNG would be a good solution. 😉
    See the answer to your question at the attached link:
    https://forum.netgate.com/topic/138029/acl-s-support

    In particular, focus on the recommendation of @BBcan177 (maintainer and creator of pfBlockerNG)

  • 0 Votes
    4 Posts
    1k Views
    S

Meanwhile I tried your 2nd suggested workaround, and after a while I got it to work.

What have I done?

Turned off redistribution of connected networks (be careful, you might lose access to the device).
Under "OSPF Areas", I created Area 1 with the ID 0.0.0.1 and entered 10.1.1.0/24 under "Route Summarization" -> "Summary Range" -> "Summary Prefix"; this matches the subnet entered in OpenVPN under "Tunnel Settings" -> "IPv4 Tunnel Network".
Under "OSPF Interfaces", I set the ovpn interface to be in Area 1, marked it as "Interface is Passive" (because VPN clients do not need to participate in OSPF), and changed the network type from "Not specified (default)" to "Point - multipoint".

With this setting, on the LAN side the Catalyst L3 was able to see 10.1.1.0/24 advertised from the FW, and only that subnet was advertised. The firewall was able to see all advertised routes from the LAN from the beginning (after auth and a few basic things were set up).

If I left the interface type on default or set it to point-to-point, there was nothing advertised from Area 1; other types seemingly did the trick. From the working ones I picked P-MP, which sounds OK for the VPN clients' subnet.

If I removed the summary from the Area 1 config, and the interface type was "p-mp" or any of the working iftypes from above, there was only a /32 host route announced with the ovpn server address, despite a few clients being connected. The iftypes which yielded no redistribution still remained silent regardless of the value of the summary network.