@jantypas said in A more up-to-date pfSense?:

Dare I say it, other than pf filters, what is BSD about pfSense that couldn't be ported to a modern Linux environment?

You've already heard of TNSR? There are a few things you scratch, why it's running on a Linux core (FD.io & DPDK and more). As SCLR was also mentioned besides TNSR a year or so ago, I was instantly thinking: Hmm.. 'pfSense 3.0' could very well be something along the lines of SCLR. Same fast core underneath with fd.io/dpdk with CLI, API etc. and "just" put a pfSense style UI on top (docked via API). So I don't think it impossible you get away with murder ;)

OTOH some have to see, that pfSense Devs already do and commit much of their stuff upstream into FreeBSD so... calling BSD dying etc. has been going on for years. It's still there :) Any way I think we still have much to see where this is headed.

Greets

The block function only works by source IP address. That's just how the utility was coded. It's original purpose was for blocking and passing items seen in the firewall log. From there, the most secure choice was to assuming blocking meant anything from that address, and for passing the most secure choice was to be specific and only pass to one IP address/proto+port.

A bridge is nothing more than a switch... If you need more ports on a L2, use a switch..

How about some details of what your trying to do exactly. What is this device/thing/whatever your trying to connect to a network? And what are the details of the network you want to connect to.

Is wireless involved? I can tell you most of the time - bridging would not be the right solution ;) Unless you are talking about bridging a wireless to wired??

Nobody can help you make a decision or even explain why you would want to do XYZ vs ABC without some details!

@harvy66 ryzern is leaps better than the failed design that was the construction series. The biggest issue is hardware support under BSD. There's not many server boards around for ryzen as AMD has positioned ryzen for the desktop. EPYC and threadripper are the cpus that support server boards. if you build a ryzen system do not use the onboard nic if it is anything other than intel or broadcom. those other winnics will cause issues with pfsense down the road..if not immediately.

@johnpoz said in LARGE IP SUBNETS.:

Optimal design of the lan is quiet often overlooked ;)
See it all the time.. But everything is connected at gig why I am I not getting gig.. The NAS is X*SSD in a raid 0, etc.
Well - lets see you have 100 users talking to all kinds of stuff intervlan with your 10 different vlans all on the same physical 1 gig interface... Yeah your router is a freaking BEAST and can see its not breaking a sweat... Your road between is just overused... Suppose to be able to go 55 on the highway as well, but when its crowded and over used.. Can you go 55 ;)

I have 10gb Uplink Modules for each of the switches, so no problem in that regard. I'm also having fiber run between 2 floors of the building. I might set up LAG teams for NAS however.

Got it, thanks.

thanks for your fast respond, i will check this out tonight and reply if my issue is resolved or not !

thanks !

https://www.netgate.com/docs/pfsense/book/ read it completely.

You don't need to split into different subnets, you can just Policy Route by source IP.
I highly recommend you to check out the great OpenVPN as a WAN hangout (https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html) to give you a general overview what's possible and how it's done.

-Rico

Can the tunnel network IP work as like a gateway?

Because I have another problem, that I can't reach the site-site vpn from another vpn.

Yes that is a normal behavior when the WAN gets switched.

-Rico

@sjady said in Help needed, custom Snort rule prevent me from starting the WAN interface:

Good evening everyone

Im having an issue where when i add a custom rule to my WAN interface(SNORT), i cant start the interface, not even the simplest ping rules work now despite having worked just fine all day. Trouble started after i started doing some test monitoring of some SMB traffic with the following rule:

alert tcp any any -> $HOME_NET[139, 445] (msg:"Home network SMB triggered"; flow:to_server,established; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C"; nocase; reference:url,xinn.org/Snort-psexec.html; reference:url,doc.emergingthreats.net/2010781; classtype:suspicious-filename-detect; sid:2010781; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Not sure what went wrong, but the rule didnt work, and now my other custom rules dont either(as in they prevent me from starting the interface), awsome sigh..

Anyone who knows what has happend?

Your rule given in your post has a syntax error. There should be a space between $HOME_NET and the SMB ports string. Secondly, you are using a SID range that is not guaranteed to be unique. There can only be one unique SID for each rule loaded. You should generally start custom rules at a very high range like 5555 or 9999, etc.

Your rule should look like this:

alert tcp any any -> $HOME_NET [139, 445] (msg:"Home network SMB triggered"; flow:to_server,established; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C"; nocase; reference:url,xinn.org/Snort-psexec.html; reference:url,doc.emergingthreats.net/2010781; classtype:suspicious-filename-detect; sid:2010781; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Did you look in the pfSense system log for any error messages? I would expect one to be in there complaining about the rule syntax and/or duplicated SIDs.

@demonclaw said in Need Help Setting Up PF Sense Box For A Game Server On A DMZ And A PC on A Local Lan:

I some what under stand how to set up the rules I was just having trouble which interface .

Then read the book until you really know how firewall rules work, this will answer your question then.

We had a busy few months with releases of TNSR and pfSense, plus the holidays and the SG-1100 launch, so there wasn't much time to allocate toward them recently. Assuming there is a viable topic to cover this month, the current plan is to have one at the end of January as usual.

If your "wan" is only an intranet - may I ask why your natting? Normally doesn't make a lot of sense to nat rfc1918 to rfc1918 unless you have a overlap in space.. Which its always better to fix the overlap by using different space, etc.

@derelict Fixed the pictures, thanks. And Under Gateways I have 4 interfaces, WAN, LAN, OPT1 and OPT2.

I should rename OPT1 to L3_SWITCH and set the IP to 192.168.0.25 (an IP on VLAN 1).
And I should static route 192.168.0.0 to L3_SWITCH (192.168.0.25). Would I also have to do this for every other VLAN?

EX:
VLAN 10: 192.168.10.3 to L3_SWITCH (192.168.0.25)
VLAN 20: 192.168.20.3 to L3_SWITCH (192.168.0.25)
ETC or do I just need the route for 192.168.0.0?

Thanks,
MF

I would use VMware ESXi. It's free and best of class.