In the last 24 hours I've seen that whole subnet plus every single IP in: 52.192.157.0/24 112.175.120.0/24 112.175.124.0/24 I'm only seeing these on port 25, as that's all that's open. Found a way to identify the packets, though. They now fall into a fail2ban trap and are blocked at pfSense. EDIT: And last week it was the whole of 185.40.12.0/24, 185.40.13.0/24, 185.40.14.0/24 and 185.40.15.0/24. 185.40.12.0/22?

Thank you both for your efforts.

Thank's for the tips, I have never used VLAN before but I will definitely look into that right now. Just a few more questions: If I add a 4 port network pci card into my proxmox machine, is it possible to dedicate 1 port to a specific virtual machine? Maybe this way I can easily split the network traffic using the managed switch. My switch has 4 Gigabit SFP ports, will I have any benefits if I connect the hypervisor and the freenas machine to the switch using SFP port with a DAC cable? I mean I know it's still a 1Gbit port but I don't know if I will get benefits on speed using that. Thank you :)

@Gertjan said in Was My ISP on Phishing Expedition?: How can the ISP (want to) connect to a router's LAN address ? This upstream router, the one above pfSense, has a firewall , right ? Thank you Gertjan for responding! Yes, yes...it wasn't going anywhere. The only upstream above the pfSense is the cable modem...so, it wasn't going anywhere pass the NIC. @Gertjan said in Was My ISP on Phishing Expedition?: The IDS running on pfSense sees suspected DNS packets ... why ? Do you let 'unknown' DNS packets coming in ? Are you hosting a master or salve DNS server ? Because the NIC with IDS/IPS would see the packet before the firewall would. No, that's strictly forbidden. No, no master nor slave...just the edge pfSense does DNS. @Gertjan said in Was My ISP on Phishing Expedition?: My pfSense WAN interface uses the default rule : none. So, nothing comes in - except answers from stuff I asked for. I guess ... I'm not even "IDS", I trust my LAN devices. Same here...have highly trusted LAN govern by a new Mikrotik RB450Gx4; however, its default LAN is 192.168.88.1...but that's not its current custom IP address configuration that is 10.0.8.1. That's why I am curious why the connection attempt to that default address or to 10.8.8.1...none exist on my network. However, my ISP knew that I had the earlier Mikrotik RB450G when that was my edge router. What I am suspecting is my ISP was wanting to make it look as if I have Internet by issuing a private address to make the cable modem appear to be working by the link light blinking. I came to this conclusion because shortly after the intrusion event attempt, I received a call from the ISP that they were coming out to my home to test. It seems that they wanted to extract additional fee(s) for service. Of course, I am highly pissed...these are things they have done to the common uninformed person, and it's deceitful. Does my suspicion reasonable...makes sense?

@viragomann In the case of the second rule of any addresses on the CARP VIP again gw offline.

I have ran dd-wrt on all brands, never had issue one with it.. I did brink one once while drunk and put the wrong firmware on it, but recovered it with the paperclip trick.. The sg1100 would be a good choice for sure if your not full gig internet.. It can sure get close to that.. My house is that big either and I have 3 AP.. Users don't quite understand that having 1 single wifi router in the corner of your house under your desk is not the best source of wifi for the house ;) And yeah you have access to your attic - very easy to mount correctly ;)

Hi, thanks for response. About the Hardware: its a dualcore Intel cpu [image: 1569854859852-e51ea87f-c40b-401b-9c69-976c875895c3-image.png] The utilization does not change while latency issue. I pointed the "german" news site oute cause they user other cdn for adds then the american (i guess). Since i can avoid the issue by blocking the addvertisment it hints that way. dnslogs look clean. Also dnsresolution works fine so far. About the ISP topic: I can immediately solve the latency by unplug the pfsense from isp router and verify by connect my pc to it. Else it takes about 20 min to recover, also pfsense does work normal if i unplug the lan. So it looks the root cause sits on the client pc after opening this kind of sites. I cant reproduce this behaviour on the isp router when connecting my pc direct. About the fault topic: I do not blame my pfsense for that, but i would like to understand the issue going on and be able to debug such a network problem on my firewall.

@jacoventer You could try LACP, to be honest I'd use FAILOVER.

afaik there is no limit on how many users can be created, concurrent connection are another matter.

I'm also just learning, and I've watched about 20 hours of videos just to get to this point. Kerbal has the highest learning curve of any game I've ever played. I made it to Minmus and back, but got stuck on Mun. Right now I'm playing with a music mod so that I can add appropriate music to my situations. Nothing better than drifting through space listening to Ozric Tentacles (psychedelic space-rock), or the Gravity or Interstellar soundtracks.