Subcategories

  • Discussions and feedback related to this forum

    607 Topics
    3k Posts
    johnpozJ

    @microserfs and what IP was that - clearly your current IPv6 address is not block that I show you connected with.. And the only other IPv4 I see you using is not blocked.. You would have to let me know what IP you were coming from that was blocked.. Send it to me via PM if you don't want to make it public.

  • Community Hiring and For Hire postings related to jobs that require pfSense software skills

    27 Topics
    114 Posts
    w0wW

    @sef1414
    Name it "run.sh", copy to pf and chmod according to the documentation
    https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html#shell-script-option
    You will see messages in the system log like those quoted in the script after logger command.

  • Epic!!! A Connection Machine in a Raspberry pi!!

    1
    1 Votes
    1 Posts
    198 Views
    No one has replied
  • vs. untangle (arista)

    Moved
    7
    0 Votes
    7 Posts
    1k Views
    S

    @chasinreno It doesn't sound like the firewall itself failed you. What kind of bot was it? How did it come in? How and where did you find it?

    The firewall CAN do AV scanning but if it was sent over an HTTPS connection then it would need to perform a MITM attack in order to be able to scan the download. AV scanning is best left to being able to view it in an unencrypted format, like directly on the PC. Paid AV has extra features like better scanning for fileless attacks, advanced script protection, or firewalls but I've found the real strength of the paid versions is the management, reporting, and support during an infection.

    In this case it sounds like the firewall did its job. It found malicious traffic going across the network and stopped it. IDS/IPS protects network traffic by, essentially, profiles. It protects based on the reputation of the remote network and the type of traffic being sent. It doesn't determine whether that traffic is good or bad. For example, if I want to port forward for SQL queries but I've blocked that in my IDS, it will be blocked. It doesn't care if it is me (good) or an attacker (bad). In this case, you downloaded a file (a legitimate type of traffic) from a site not blocked via IDS/IPS (a site with a neutral or better reputation) but then that file began sending traffic the IDS/IPS didn't like (NOT legitimate traffic) maybe to a site that was blocked (perhaps a poor reputation). That's what's supposed to happen.

    What appears to have failed you is your AV. It's best to figure out what got in and how, upload the infected files to virustotal (for crowdsourcing) and report it to the AV company. What was the infection and what was the AV you were using? When you upload it to virustotal it should give you a link. Post it here, I'd be curious to see what it was.

  • 0 Votes
    14 Posts
    1k Views
    johnpozJ

    @velbon the only thing needed from pfsense is the config xml file.. It's very very small - do you not have a copy online with the pfsense ACB..

    https://docs.netgate.com/pfsense/en/latest/backup/autoconfigbackup.html

    You should prob set that up going forward.

  • I just Cloned & Upgraded my 1TB NVMe to a 2TB NVMe on my Thinkpad

    1
    0 Votes
    1 Posts
    157 Views
    No one has replied
  • How to safely open sketchy email?

    12
    0 Votes
    12 Posts
    1k Views
    F

    @DKenn Thanks, I did find out and it seems to have been ordinary spam, just formatted very well so the filter missed it. All good I hope

  • 0 Votes
    3 Posts
    605 Views
    planedropP

    @rcoleman-netgate Yeah @smokethrower2 if you can install OpenWRT or something then this would make your life easier, otherwise just getting another AP is probably the easiest route to go (not saying there aren't other solutions though).

  • After upgrading Deb10 to Deb11 - No ip address on boot - Wasted 4 hr's

    6
    0 Votes
    6 Posts
    677 Views
    bingo600B

    @Gertjan

    It might have been pulled in, when I installed iproute2.
    I did that in order to play with some VRF "lookalike" on linux.

    /Bingo

  • Critical MikroTik RouterOS Vulnerability

    3
    0 Votes
    3 Posts
    481 Views
    C

    https://www.bleepingcomputer.com/news/security/super-admin-elevation-bug-puts-900-000-mikrotik-devices-at-risk/

  • 2.5Gbit Ethernet on a budget - so far so good!

    14
    0 Votes
    14 Posts
    3k Views
    johnpozJ

    @RobbieTT yes pps is a very important number true.. What I meant by wire speed is you can see gig (or what is expected on gig) you would never actually see gig, etc. Or 2.5 or 5 or 10, etc.

    You're not going to see 2.5Mbps with imix was my point..

    Thanks for the clarification..

  • BIOS Rootkits and Malware on Mini PC Devices

    4
    0 Votes
    4 Posts
    2k Views
    M

    @pV5 I would always favor getting a Netgate for two reasons.

    1. Helps support the project and how people get paid.
    2. Reliability and security from a trusted source. Netgate is installing the software. Netgate is delivering the patches. Netgate updates the firmware. The supply chain is at the very least secured and it's controlled by a known source - Netgate.

    The Quotom box is cheap but sketchy. Lots of different variables in getting that mini PC into the hands of consumers. Who updates the BIOS? Who updates the drivers? Even if you wipe the installed software and re-install pfsense yourself that doesn't mean you haven't already been exploited.
  • NTP = Amateur

    3
    0 Votes
    3 Posts
    790 Views
    AndyRHA

    @RobbieTT said in NTP = Amateur:

    At £4000 to £5000

    Pro is anti-cheap. 😊

  • Are you a .1 or .254 guy ?

    26
    4 Votes
    26 Posts
    3k Views
    JeGrJ

    @Phizix said in Are you a .1 or .254 guy ?:

    I think in aliases it still generates a list of all of the addresses anyway. DOH!

    Jep it does. It's just my inner monk/fanatic, that - with growing age - finds things like 172.20.12.64/26 much more satisfying than having a list of .60-.120 to set up as DHCP range and to have an alias to include the whole DHCP-range. Nothing wrong with using Aliases with .x-.y to auto-generate the list of IPs though, just my brain telling me "NO, that's much cleaner and more in line!" 😂
    Also it is really practical when it comes to routing things via system routing table or IPsec P2 thingies to have them in CIDR boundaries but yeah, I totally get the decimal usage. Even still have it myself in my IOT VLAN with the whole bunch of WiFi Plugs and LEDs. They still have an order like 100-119 are plugs, 120-129 are dual-plugs, 150-159 are LEDs... yeah my brain hates and loves me for it 😁

    @Phizix said in Are you a .1 or .254 guy ?:

    It is interesting that we haven't taken to using pairs of hexadecimal values.

    Actually... emm... I have - with IPv6 addresses and prefixes 🙈 Also trying to match those with IPv4 private IP counterparts for easier debugging and such...

    sigh

    Cheers :)
    \jens

  • Auto light / dark theme for pfSense.

    2
    0 Votes
    2 Posts
    352 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.