• Block redirect

    Firewalling firewall alias redirect rules
    6
    0 Votes
    6 Posts
    2k Views
    Gertjan
    @tbr281 said in Block redirect: Just wish it would redirect it. Even "dirty websites" use TLS these days. Easy to recognize, their URL starts with https://. Without drastic measures on your LAN, that is, all your web visiting devices and pfSense, you can't redirect https://"dirty websites" to https://DuckDuckGo. Your browser won't allow this. The test: is the host name "dirty websites" present in the certificate obtained? will fail. Have a look: [image] That doesn't look like "dirty websites": your browser will refuse the connection. If it was possible, you would also be able to redirect https://some-bank-acess-you-use to https://some-bank-access-you-use, and because you control some-bank-access-you-use (and your site looks identical to some-bank-acess-you-use), now you get the access credentials. And five minutes later you can access https://some-bank-acess-you-use with the credentials you've obtained, and do what you want. The thing is, why would you ask if something is possible if you don't want it to be possible? After all, https://"dirty websites", or https://facebook.com or https://some-bank-acess-you-use or https://some-bank-acess-you-use, for your PC, switch, pfsense, upstream routers of your ISP etc, it's all the same: a connection to some server over port 443, TCP.
  • 0 Votes
    7 Posts
    2k Views
    J
    @jarrodsfarrell Did fix the DNS IPv4+6. Post filter is getting tripped so I can't edit my post.
  • 0 Votes
    5 Posts
    1k Views
    ipeetables
    vlan 0 is reserved
  • Firewall crash

    Italian crashing gui firewall
    1
    0 Votes
    1 Posts
    851 Views
    No one has replied
  • Firewall not blocking specific hosts

    Firewalling firewall host name
    9
    0 Votes
    9 Posts
    2k Views
    X
    @johnpoz I have it done through the host now. I'll get the opt port setup later today I'm just not by the device to do so now.
  • 0 Votes
    19 Posts
    5k Views
    O
    @sub2010 I use the same config. domain.tld and matrix.domain.tld. I'm not sure about your srv record, I don't use one. For my certificate I use 1 certificate. In acme you can specify multiple domains for one certificate. Mine includes *.domain.tld and domain.tld. Get a cert like that, put it on your haproxy frontend and also put it on your matrix host and point your homeserver.yaml to it and restart matrix. The error is still saying your cert is expired, so I am assuming the cert you have on your matrix host that your homeserver.yaml is pointing to is expired.
  • 0 Votes
    2 Posts
    966 Views
    periko
    @craigerr1 Is it P2P? Mobile? Have you opened the rules on both sides to allow traffic on your firewalls->rules->ipsec? Regards!!!
  • DMZ connections throttled

    Firewalling routing dmz firewall
    4
    0 Votes
    4 Posts
    1k Views
    U
    @SteveITS From what I can tell, drivers are up to date.
  • 0 Votes
    2 Posts
    919 Views
    johnpoz
    Other than an update of pfsense actual version, there should never be a reason to have to reboot pfsense. Common issue where people believe this is the case in change in firewall rules, and not working as they think... This is most likely related to existing "state" for whatever you're trying to change what happens with. And the reboot clears all this. But if you do have an existing state causing a rule not to function as you believe - you can either kill that specific state, kill all the states or just wait for them to time out on their own, etc.
  • 0 Votes
    12 Posts
    2k Views
    AndyRH
    @shaungehring This sounds similar to an arp cache issue we had. We could not connect, ping it, then all was good. The network team did something to the arp cache on a switch to resolve it. I do not have details as it was many years ago. Maybe that will get you in the right direction.
  • 0 Votes
    3 Posts
    803 Views
    stephenw10
    Technically you could do it by running pfSense as a virtual machine in Windows using Hyper-V or VBox etc. But pfSense is a complete operating system, it cannot run as an application on your desktop. It expects to be running on its own dedicated hardware but running virtualised can also work. Steve
  • WebDav From Router through Firewall

    NAT nat firewall pfsense 2.5
    12
    0 Votes
    12 Posts
    4k Views
    johnpoz
    VPN is much better way to access your resources from remote for sure ;)
  • pfsense on an mpls network

    Routing and Multi WAN pfsense firewall routing
    1
    0 Votes
    1 Posts
    489 Views
    No one has replied
  • 0 Votes
    4 Posts
    2k Views
    JeGr
    @leonroy said in Can't create IPv4+IPv6 Firewall rule with an alias: What I ended up doing was sticking my PiHole IP address in an Alias as well and setting that as the Source alias. Not sure if that's the best way of doing it but it worked... If your PiHole should answer IPv6 and work with IPv6 it needs an IPv6 address. Without that makes no sense, then you can simply block all IPv6 altogether. If your Pi has IPv4 and IPv6 then that's the right way, put both into the alias and use it in rules. That said I wouldn't work with invert rules but that's my approach.
  • Virtual IP frequently loses Connection

    Firewalling firewall routing virtual ip
    1
    0 Votes
    1 Posts
    472 Views
    No one has replied
  • Block set of domains for a set of LAN devices

    pfBlockerNG firewall
    3
    0 Votes
    3 Posts
    857 Views
    C
    @bbcan177 Thanks. I was hoping for a less involved solution. Though, I'll take what I can get.
  • 0 Votes
    3 Posts
    1k Views
    imark77
    edit: on the SG-3100 I have determined that I did not have the switch ports assigned/enabled to any vlans and after that it gave me DHCP on the lan ports and vlans. However I am still with the issue of some devices getting IPs and some not, on the same laptop over Wi-Fi nothing wired something. My travel AP does not support vlans so it has to be on the base level. And none of my non-Mac computers seem to be getting DHCP. And I don't know what caused it but I managed to crash my old router and ALL INTERNETs last night plugging in the new one to do a test. I went out and bought 4 managed switches so I could break out all of my VLANs to test, and it was the only ez way to solve ingesting my multiple travel WAN VLANS (local lan, Wi-Fi, Wi-Fi hotspot, wired LTE modem).
  • 0 Votes
    2 Posts
    963 Views
    stephenw10
    That's using a Netburst Xeon right? It's not going to be fast. I don't have much to compare it with but waaay back when I was running a P4 2.8 it was good for ~300Mbps. I would expect that to pass 400Mbps using firewall and NAT only but maybe not much more. Try it and see. Steve
  • IPSEC losing connection

    Portuguese pfsense ipsec firewall
    16
    0 Votes
    16 Posts
    2k Views
    DaddyGo
    @alexandre-angeli said in IPSEC losing connection: The IPSEC stays offline while it is not in use, and I confirmed that it works correctly; when I ping, it "comes up" again. Hmmmm, but: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/keep-alive.html