@johnpoz

The github ip's seems to have been removed from the list , the pfSense would only have logged those if they were in there.
dhylands.github.io has address 185.199.108.153
dhylands.github.io has address 185.199.110.153
dhylands.github.io has address 185.199.111.153
dhylands.github.io has address 185.199.109.153

https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOHipv4.txt
https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOHexceptionsIPv4.txt

Here i suppose

But as mentioned above .. It got us to dig a bit deeper in FF and DOH (prevention).

And i have learned a lesson in "blindly trust" external lists.

But it's only the 2'nd time in like a year, that i have had issues w. that list.
So it seems OK'ish

/Bingo

I am fin here too

Hmm, well likely something sent a gratuitous ARP for every IP somehow. Or pfSense queries everything but that would really only happen if you ran a scan.
As I said it's just odd though it's unlikely to hurt anything.

They were working on, more then we were able to see as I
am informed! The bugs where scaling up since 2022;

23.01 is announced for may 2023 with 5 open "bugs"

The change from PHP 7.x to PHP 8.1 is more then we might be thinking of because it is not "only" a version higher as many peoples are thinking from. And the
jump to FreeBSD 14 was also nice in my eyes.

And other things like TNSR, QAT, VPP, StrongSwan and
other`s came by site and last but not least as today there
are some versions and not like before only one 32Bit version was present.

All must be maintained, all must be updated and all must
be solved with patches (new patches system) and this is also "eating" manpower and time as I see it.

@michmoor what would it take you 3 seconds to know if pihole is not answering, or unbound is not answering?

if dns is not working and I query unbound, and it works - its pretty much a given that pihole is the problem ;)

I don't recall pihole ever going down btw ;) And while some users report issues with unbound - I can not recall the last time I had any issues with it, mine never restarts, unless I do it on purpose sort of thing. Nor does it just stop.. Both have been pretty rock solid if you ask me.. Then again I am not loading 47 million things into dnsbl, nor do I forward, and sure and the hell if I did forward it wouldn't be doing it over tls nor would I be having dnssec set if I forwarded. And I don't register dhcp clients either, where unbound needs to restart every few minutes because some update to a dhcp client ;)

And my isp is pretty much rock solid..

I always have a cmd prompt open, it takes what 3 seconds to do a dig directly to pfsense IP vs the default dns of unbound.

I currently show unbound up for 12 hours, I made some adjustments this morning to my static reservations for some lightbulbs and needed to change some names, so unbound restarted. Other than my changes I pretty sure unbound would be running for the last 20 and half days.. which is the time pfsense has been up.

@stephenw10 said in Installing MC on FreeBDS 11.3 (pfSense 2.4.5):

If it's a 3100 (armv7/v6) that makes it even more difficult.

It is simply impossible because indeed, the Netgate box has the arm CPU and I run pfSense in a virtual machine on Linux x64 i.e. compiled binaries are absolutely incompatible.
Either way, I upgraded 2.3.5 (running mc) to 2.4.4.3 and later to 2.4.5. Obviously I had to change the paths to pfSense repositories before each upgrade but eventually all worked out just fine.

I would like to thank Netgate staff for not killing the repositories with deprecated/outdated versions of pfSense and making them available to their users !

@andyrh ah sorry I thought that it ran the same is as the 2930m switches.

6000-WATT AC Power Supply for the Cisco Catalyst 6500 Series Chassis

Cisco Astec Aa23200 Power Supply 341-0077-04 Catalyst 6500 Series

@digiguy

pfSense Documentation

You could have a look in, if you find something you may interested or it is matching your needs or fitting the rest of
your network. If you find something configure it out following that docu.

@noplan said in Ideas how to block certain webs (youtube) for kid's PC with possibility to enabling it for some hours.:

time based rules

4ef62a83-acbd-41c2-a9ca-b04a60e9379e-grafik.png

configure your time range and add
looks like something like that
63cd6497-a933-4056-b845-7c965b2ea1a3-grafik.png

save

lets go build a firewall rule

but 1st set up an alias for all your kids devices if you have em put not togehter in a VLAN

90e4be13-0378-4f14-837d-72bd779846d9-grafik.png

then
7672a23d-3b1e-4284-90bd-0959cea50e21-grafik.png

Action= Pass
Source = ALIAS of your devices
DESTINATION = the pfB Alias pfB created
f4d9a175-3d18-4237-9fb2-c14e3f38f53d-grafik.png

Fire and forget !

could be usefull but think about it carefull
6c4c2155-1a73-4208-baf8-e54f29276800-grafik.png

if needed or not

17de044f-4c94-4be7-97c6-837b34d70a9a-grafik.png

**BUT IMPORTANT TO CHECK **

666900a9-6ef1-49e8-8f18-36f24d0948f7-grafik.png

db4967b4-ad2a-4043-9e5f-d140c4a55c43-grafik.png

so that should do teh magic

have fun and keep us posted !

@patch ok

Firewall Micro Appliance, 6 Port i225 2.5GbE LAN Fanless Mini PC Celeron N5105, No Ram No SSD Gigabit Ethernet AES-NI VPN Router Openwrt Barebone

£ 212.34

Micro Appliance 4 Port i226 2.5G LAN Fanless Mini PC Celeron N6005,8GB 2666Mhz DDR4 128GB NVMe SSD Gigabit Ethernet AES-NI VPN

£ 350.14

@keyser

@keyser said in ntopng helping you troubleshoot:

so it’s not worth much when it comes to forensics.

Oh i absolutely agree. Im just trying to see how much i can do on a budget of nothing. :)
Considering NTOPNG is the community edition and there really isnt much in the way of usefulness that can really be gathered by the traffic identification i figured it was neat that the flows Suricata saw NTOP saw and reported it. That certainly wont be the case all the time.

From what i can tell, ntop is really good at figuring out current top talkers.
For more historical data im looking at NFSEN but i cant get that to run on Ubuntu 20.04. Documentation is very dated.

I use PVE. Everything is very stable and no problems.

@backspacemild Thank you.

@yasa Instead of a prepackaged FreeBSD, couldn't you download and install pfSense ISO on the VM? I planned on doing this (just waiting to buy a bare metal Lenovo) with OpenStack on VMware ESXI. If your project is for your home/lab, alternatively, you could try TNSR since it's based on Linux and the cloud version (AWS & Azure) starts at $0.127/hr.

@afcarvalho said in Help on rules:

If I check the reverse option I am doing what?

This is, at least on the english language side, called "Invert" meaning the switcher of NOT.

Check the box and it will say the IP is NOT the value of what you entered then do something.

If you're using a language translation and it is stating something that does not mean 'opposite' or 'invert' or 'not' then please let us know by opening a redmine :)

@stephenw10 I have just watched the video and its actually might help another issue with a raid card I have been having problems with as well so again extremely appreciated now

Ooops! 😉

@elmojo It would be an additional network... you can have them that way but they're on different broadcast domains -- so things that require broadcast calls (like streaming devices, or backup solutions) don't work and require other tools to work like avahi.

I use VLANs and single interfaces and APs that support VLANs.

@keyser said in IPS external logging:

but rather just have full monitoring and alerting of usage, issues and downtime.

I use a combination of Zabbix and Graylog for email notifications. You're right, pfelk was more for visualization as i had more than one pfsense out there and wanted a central dashboard. In the end, to be honest, its more cumbersome to get it all set up and sorted out.

There is a project out there that i use personally.
https://github.com/VictorRobellini/pfSense-Dashboard

I got a nice visualization in Grafana. My current dashboard

42b3c220-d41f-4b48-8d35-8977d05de613-image.png

@peterkrautle I suggest comparing the .xml config file backups from each to see if there’s a difference.

@danielayer said in DNS Whitelist Project:

DNS Whitelist project

Easy answer : you can't.
Making a list with allowed DNS hosts is impossible as it will take unimaginable resources to store this file (or even creating it).
And the moment you have it, it's already outdated, as thousands of new hosts have been created, and some have expired.
"whitelisting" the Internet is like managing a list with all the phone numbers on planet earth.

The way doing things is using lists with sites you don't want to access 😊
( I know, I knew you meant to do that )

The good news is : these lists already exist.
That's one of the reasons why the pfBlockerng-devel pfSense project has been created.

Btw : small detail :

3fb52aa8-ffba-4b1c-b3a4-87e5f4a3ec92-image.png

Go for "Null blocking (logging).
Like this :

ca458a55-7caa-40b1-a421-1508be5a35c2-image.png

The idea of showing a web page that informs the user he wanted to visit a site that is blocked doesn't work for 99,99 % of all cases.
The 0,001 % are the sites that are still http (not https). The number tells you : they don't exist anymore.

@michmoor said in Graylog server on a raspberry pi:

The 'count' in your charts. Should we assume thats how many sessions were created on the firewall, i.e. how many times a packet hit that rule?

Based on what I've observed so far, this would be the same thing you would see in System logs > Firewall in Pfsense logs.

Since its a game, it is probably using UDP, right? I never played Roblox.. So I can't tell.

You can click the play button inside this chart to take a look at each of those entries to check.

@nollipfsense

Merry Christmas and all the best!

@pete said in New GPS for NTP server:

In the 1990's used a Trimble GPS that came from military surplus store that I purchased for next to nothing. It just had an antenna port and two RS-232 interfaces. Took a long time to get a sync with an outdoor antenna mounted on roof of two story house.

Very interesting! Thank You for information!

As I know there are TWO GPS systems: military and civil.

Military are more stable and more accurate. BUT only approved devices from military vendors contain electronic inside to able receiving and DECODING signals from military GPS system.

Am I right?

I am having similar issue with EcoBee thermostat. It happens only after firmware updates. Unfortunately there is no means to disable it. If I try to reconnect ecobee back to AP it fails.
The fix for me is to reboot the AP and things start to work.

@joeseph said in Custom build or...:

Thank you for the reply.

Yes, definitely will support as reviews are great!

By managed do you mean this for example? "TP-Link 8 Port Gigabit Easy Smart Switch (TL-SG108E)"
And can you explain vlan, dmz or iot?

[https://www.amazon.ca/TP-Link-Ethernet-Unmanaged-Replacement-TL-SG108E/dp/B00K4DS5KU?th=1](link url)

Yes, a smart switch (managed) like that will do the trick :-)