Видео

Hi 99BBrad, Good to receive your message. After working with the RRAS + DUO setup we switched to using a Duo Network Gateway setup. We did this for many of the reasons you mentioned. The only downside to using DNG was that you needed a step up from the basic Duo user accounts. I believe we were paying $9/month per-user. The DNG setup still uses a Windows Domain Controller for Authentication along with the DUO multi-factor. The DNG server itself if pretty light weight, we built ours using their Linux template. You also need both internal and Internet DNS. And, some new rules on your firewall. For our deployment we used Cloudflare for Internet DNS (free) and pfSense (also free) for the firewall. There is no cost to deploy the DNG server(s) themselves other than the users will need a more expensive Duo account. And of course a Windows Server license (which you probably already have). Hope this information is helpful. And Best-of-Success with your project! Merry Christmas, Randy Graves

Yes, You can configure pfSense firewall rules specifically for IPv6 traffic. The way to do this is basically the same as creating an IPv4 rule, you just specify IPv6 instead. Hope this information is helpful to You. Best Regards. R.Graves

JackFruit, I think you are on the right track. I've read you comment a couple of time trying to visualize your network setup (I'm not sure I've got it). Setting Gateways (both Default and no-Default) will give you doorways to other networks. With the Gateways you also need an associated Routing Rule. If no Routing Rule is defined that applies to the packets destination then the Default Gateway is used. Lastly you will also likely need Firewall Rules. These rules are needed when pfSense is used as a Router/Firewall. If you are just using pfSense as a router then no Firewall Rules are needed. But when used as a Firewall/Router then rules are needed to allow traffic between the different interface, not just the WAN interfaces but also the LAN interfaces. I hope this overview helps and triggers something that you may have overlooked in your network setup. Best Regards, R. Graves

@@niccite Thank you for your reply and input. Really appreciated. To help you visualize better, following is the network topology of my network: i.stack.imgur.com/QjM3a.jpg

Rajanikanth, Because SSL certificates are now only valid for 1 year I have been creating my own using the free option of - Let's Encrypt. I use pfSense and the ACME package to help automate certification creation and renewal. In the past I used a free web tool called "Punch Salad". Punch Salad was/is a free web GUI frontend to creating SSL certificates with Let's Encrypt. For SSL certificates that will not be used outside my network I prefer to create my own self-signed certificates. These will only be good internally and not useful on the Internet. But the advantage of creating my own self-signed SSL certificates is that I can create them to last for 3, 5, or even 10 years. My favored tool for creating self-signed certificates is also pfSense. While not a direct answer to your question I Hope this information is helpful! Warm Regards R.Graves

@@niccite Glad you reached out. we are running are ERP system wichuses IIS without SSL. IIS is hosted in house with a static IP. what's the best approash to secure the communication.

@@rajanekanthvs6183 In a situation as You describe, I think I would use an ACME client for IIS and Let's Encrypt. I don't have the name off the top of my head, but I have recently used an ACME client to auto-renew a Let's Encrypt SSL certificate. The Let's Encrypt certificates are only good for 60 days so have a convenient auto-renew option is very helpful! The ACME IIS client I was using was free for education and personal use (sounds like yours is a business use). My 2nd option would be, depending on how many IIS servers you have, to go ahead an purchase an SSL certificate - A purchased SSL certificate will be good for 1 year and costs are reasonable. A 3rd option would be purchase a Wildcard cert and then you could use it on all your SSL enabled hosts. If the certificate is just for internal IT work and not for end users, then I favor a multi-year self-signed. If Users will be access the resource(s) then I favor either th 60 day Let's Encrypt free certificates or purchase a 12 month certificate - depending on how much work you want to do every 60 days or 12 months. Hope this information is helpful! Thanks for the Follow-Up. R.Graves NICCITE

Manuel, Thank You for taking the time to comment. I know the key-sequence doesn't work in every situation but Glad it worked for you!

Siowxsen, I'm understanding your question to be about using a self-signed SSL certificate on your ESXi 8.x server? If this is correct then Yes. I prefer using self-signed SSL certificates in a LAN environment as they can be created as valid for longer than 12 months. I typically create mine for 3-5 years. Here is a link to a video I use as a reminder on how to do this. ruclips.net/video/vZpAIKJ9jyA/видео.html . If I am misunderstanding your questions please let me know and ask again. Best Regards, R.Graves

Thank You! And Best Wished to You for 2024.

It makes sense to me that you would want to restrict/limit who can access your remote cameras. Not knowing your particular setup - GeoIP filtering has been especially useful to me with in-bound firewall rules. When I have internal IP addresses that should only be accessed from within my Country, I use a GeoIP Alias for my Country as the allowed Source for the in-bound rule. The only “gotcha” I have come across to-date are resources that tie into Cloud Services like AWS. Plex for example, uses AWS and their (Plex) source location changes based on where AWS resources are globally cheapest. Hope this helps and Best Wishes for 2024

​@@RKGraves Very insightful. Thank you for sharing. I've been noticing that my APPLETV is having trouble with PfBlockerNG on my network. Whenever I set it up, my APPLETV stops connecting through the WAN. Even more puzzling is that the issue continues even after I disable PfBlockerNG and reset everything multiple times. I've tried assigning a static IP address to my APPLETV, which seems to fix the problem temporarily, but then it stops working again after a few hours. This pattern repeats even if I change the IP address slightly. Despite completely removing PfBlockerNG, the problem persists. However, when I moved my APPLETV to my main LAN, leaving the VLAN, it started working properly. I haven't been able to find a specific whitelist for APPLETV, and when I check, there's an overwhelming amount of traffic trying to connect to it. I'm starting to think that Apple might be taking steps to avoid DNS sinking and VLAN isolation in their network setup. Have others noticed this too?

Amir, I have observed this before. In my case I need to prep the SAS drive by removing all existing partitions. Once I wiped the drive clean ESXi was then able to recognize it. The tool that I use for wiping drives is the Microsoft Diskpart tool. Hope this is Helpful!

Rodigo, (off the top of my head). On PF1 you generate the certificate for your domain . By then exporting a copy to Server1 and RTR you can bind the certificate to IIS (Server1) and the Web management interface on RTR. By doing this when Clients connect by https to these devices the certificate will be recognized as valid and the client will not receive an error message. Let me know if I am misunderstanding your question. RKGraves

Kim, Thank You for taking the time to comment and raise this question. I'll go back and re-visit this but here are my thoughts off the top of my head. I fully agree that pfSense by default denies all unsolicited inbound connection attempts. My thinking is that the "Deny - Tom Spammers" rule is there to block inbound requests that log as solicited due to some internal user initiated activity. You make a good point and I'll dig deeper into this. Best Regards, Randy Graves

BGK93, I’m away from a computer to verify but this is how I think I would approach it - I would do my enable/disable for the different GeoIP regions. Then I would create a new Alias and assign the GeoIP regions as members of the new Alias. If that doesn’t look promising another option might be to create a Firewall Allow Rule for each Region. Hope there is some help in this reply!

@@RKGraves Thanks for the reply. I will try that.

Hi Mike, I also have domain names registered with Google (domains.google.com) but am using Cloudflare.com for the DNS for those domains just for that reason. The pfSense ACME clients automates the certificate validation auto renewal for a long list of DNS providers. But last I checked Google DNS wasn't on the list. If you have a web site there are also ACME clients that can validate domain ownership & certificate renewal using http/https.

Alex, Thank You for Your Reply! Trust this message finds you well. Have a Good Weekend.

Thank You! And Thanks for taking the time to let me know. Have a Good Week!

Joseph, I don't know how this would integrate with vCenter. Yes, it does work well for standalone ESXi hosts. With the courses I teach, and students I work with, we use the free ESXi license. I have on my "to do" list to learn more about vCenter but not there yet. Have a Good Weekend!

@@RKGraves Thank you for the time to reply. We'll give it a shot in our vSphere environment.

You are Very Welcome!

Thank you for taking the time to leave a comment. Very-Glad the Video was helpful!

Thank You My Friend & Merry Christmas! Gracias mi amigo y Feliz Navidad

What does it do?

@@Gjunya אחי זה היה לפני חצי שנה מי זוכר

​@@gilmoshe854 my bad😂בכל מקרה הבנתי את הבעיה שלי הייתי צריך להשבית את ipv6 כדי שהחיבור הקווי שלי יעבוד על שבב הרשת של אינטל שלי

Hi Asrul, These videos come from projects students complete as part of the IT training. The CorpNet and DevNet networks are virtual networks created in ESXi. But they could also be physical networks - would make no difference to pfSense. Each student is assigned an ESXi server and build the network as you see in the videos. pfSense is a great product and I hope your project is going well. R.K. Graves

If adding ByPassTPMCheck doesn't help you, add those RAM and SecureBoot bypass aswell.

Mason, Thank You!

Hello Klaus, I use Let's Encrypt (letsencrypt.org/) certificates. They are free, but you need a tool to act as the front end for making the certificate requests and you need to have control of the domain name in order to add DNS records to prove domain ownership. As a front end for Lets Encrypt my favorite tool is Acme client for pfSense. For DNS Manual validation these might be helpful: pfSense ACME wildcard SSL cert using DNS Manual validation part-1 ruclips.net/video/Lu717Y-H0zw/видео.html pfSense ACME wildcard SSL cert using DNS Manual validation part-2 ruclips.net/video/K2VEJg1to2U/видео.html Many Cloud hosted DNS providers are compatible with the Acme tool in pfSense. This allows for automatic, rather than manual, certificate generation and renewal. Hope this helps, R. Graves North Idaho College