• Reoccurring issues prior to 2.4.0 upgrade

    3
    0 Votes
    3 Posts
    410 Views
    D
Yet something else to ponder: tried to uninstall a package and it failed.

```
>>> Removing pfSense-pkg-ntopng...
pkg-static: Warning: Major OS version upgrade detected.  Running "pkg-static install -f pkg" recommended
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
    pfSense-pkg-ntopng-0.8.10

Number of packages to be removed: 1
[1/1] Deinstalling pfSense-pkg-ntopng-0.8.10...
Warning: Module 'session' already loaded in Unknown on line 0
Warning: Module 'bcmath' already loaded in Unknown on line 0
Warning: Module 'ctype' already loaded in Unknown on line 0
Warning: Module 'curl' already loaded in Unknown on line 0
Warning: Module 'dom' already loaded in Unknown on line 0
Warning: Module 'filter' already loaded in Unknown on line 0
Warning: Module 'gettext' already loaded in Unknown on line 0
Warning: Module 'hash' already loaded in Unknown on line 0
Warning: Module 'json' already loaded in Unknown on line 0
Warning: Module 'ldap' already loaded in Unknown on line 0
Warning: Module 'mbstring' already loaded in Unknown on line 0
Warning: Module 'mcrypt' already loaded in Unknown on line 0
Warning: Module 'openssl' already loaded in Unknown on line 0
Warning: Module 'pcntl' already loaded in Unknown on line 0
Warning: Module 'pfSense' already loaded in Unknown on line 0
Warning: Module 'posix' already loaded in Unknown on line 0
Warning: Module 'radius' already loaded in Unknown on line 0
Warning: Module 'readline' already loaded in Unknown on line 0
Warning: Module 'rrd' already loaded in Unknown on line 0
Warning: Module 'shmop' already loaded in Unknown on line 0
Warning: Module 'sqlite3' already loaded in Unknown on line 0
Warning: Module 'ssh2' already loaded in Unknown on line 0
Warning: Module 'xml' already loaded in Unknown on line 0
Warning: Module 'xmlwriter' already loaded in Unknown on line 0
Warning: Module 'zlib' already loaded in Unknown on line 0
Warning: Module 'zmq' already loaded in Unknown on line 0
Warning: Module 'suhosin' already loaded in Unknown on line 0
Warning: Module 'xmlreader' already loaded in Unknown on line 0
Removing ntopng components...
Menu items... done.
Services... done.
Loading package instructions...
Deinstall commands... done.
[1/1] Deleting files for pfSense-pkg-ntopng-0.8.10: ........ done
(the same 28 "Module '...' already loaded in Unknown on line 0" warnings repeat here, in the same order)
Removing ntopng components...
Configuration... done.
>>> Removing stale packages..
```

Very close to just wiping it and reloading it.
  • Accessing internal net with virtual IP via openVPN

    1
    0 Votes
    1 Posts
    284 Views
    No one has replied
  • Processor counts drop to zero

    2
    0 Votes
    2 Posts
    305 Views
    K
    In case anybody runs into this issue, it was caused by having the time sync services turned on in Hyper-V. We disabled the time sync services offered by Hyper-V (in the Hyper-V manager) and the issue went away.
  • Notification e-mail for WAN down, shows green in web

    3
    0 Votes
    3 Posts
    472 Views
    C
Thanks for the reply, the issue re-appeared today. Here is the log of the WAN in question:

```
Nov 27 14:35:08 dpinger: OPT4_WAN_DHCP_DHCP 8.8.8.8: Clear latency 497157us stddev 968654us loss 0%
Nov 27 14:34:14 dpinger: OPT4_WAN_DHCP_DHCP 8.8.8.8: Alarm latency 517317us stddev 803024us loss 0%
```

The mail messages stated that:

```
MONITOR: OPT4_WAN_DHCP_DHCP is down, omitting from routing group MainOut
8.8.8.8|10.11.1.2|OPT4_WAN_DHCP_DHCP|517.759ms|802.821ms|0.0%|down
MONITOR: OPT4_WAN_DHCP_DHCP is available now, adding to routing group MainOut
8.8.8.8|10.11.1.2|OPT4_WAN_DHCP_DHCP|499.966ms|814.632ms|0.0%|delay
```

I guess the WAN was omitted due to high latency, which occurs when a line is really busy. Maybe change the latency thresholds (200/500)?

Best regards, Kostas
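Added example, not part of the thread: the gateway classification behind the "down" and "delay" labels in the mail above, applied to the two dpinger lines from the post. Assumptions: the thresholds are the pfSense 2.4 per-gateway defaults (latency 200/500 ms, loss 10/20 %), and the four-way status order below is assumed to match how the gateway widget labels a gateway (above a high threshold removes it from the group, above a low threshold only warns).

```python
import math
import re
from dataclasses import dataclass

# Assumed thresholds: the pfSense 2.4 per-gateway defaults (System > Routing > Gateways > Advanced).
DEFAULT_THRESHOLDS = {
    "latency_low_ms": 200.0, "latency_high_ms": 500.0,
    "loss_low_pct": 10.0, "loss_high_pct": 20.0,
}

# Shape of the lines dpinger writes to the system log, as quoted in the post.
DPINGER_RE = re.compile(
    r"dpinger: (?P<gw>\S+) (?P<monitor>\S+): (?P<event>Alarm|Clear) latency (?P<lat>\d+)us "
    r"stddev (?P<sd>\d+)us loss (?P<loss>\d+)%"
)

@dataclass
class Sample:
    gateway: str
    latency_ms: float
    stddev_ms: float
    loss_pct: float
    event: str  # "Alarm" or "Clear": dpinger's own verdict against its -D/-L alarm thresholds

def parse_dpinger(line: str) -> Sample:
    m = DPINGER_RE.search(line)
    if not m:
        raise ValueError(f"not a dpinger log line: {line!r}")
    return Sample(m["gw"], int(m["lat"]) / 1000.0, int(m["sd"]) / 1000.0,
                  float(m["loss"]), m["event"])

def gateway_status(s: Sample, t=DEFAULT_THRESHOLDS) -> str:
    # Assumed classification order: above either high threshold -> "down" (dropped from the
    # gateway group); above a low threshold -> a warning ("loss"/"delay") that keeps it in use.
    if s.loss_pct > t["loss_high_pct"] or s.latency_ms > t["latency_high_ms"]:
        return "down"
    if s.loss_pct > t["loss_low_pct"]:
        return "loss"
    if s.latency_ms > t["latency_low_ms"]:
        return "delay"
    return "online"

# Constructed sample: the two log lines quoted in the post, in chronological order.
SAMPLE_LOG = [
    "Nov 27 14:34:14 dpinger: OPT4_WAN_DHCP_DHCP 8.8.8.8: Alarm latency 517317us stddev 803024us loss 0%",
    "Nov 27 14:35:08 dpinger: OPT4_WAN_DHCP_DHCP 8.8.8.8: Clear latency 497157us stddev 968654us loss 0%",
]

def classify_log(lines, t=DEFAULT_THRESHOLDS):
    """(gateway, dpinger event, latency in ms, status the thresholds imply) per log line."""
    return [(s.gateway, s.event, round(s.latency_ms, 3), gateway_status(s, t))
            for s in map(parse_dpinger, lines)]

def suggested_latency_high(lines, headroom_ms=100.0):
    """Smallest 'high' latency threshold, rounded up to 100 ms, that keeps every sample out
    of 'down'. Raising the threshold hides the symptom (a saturated line), not the cause."""
    worst = max(parse_dpinger(line).latency_ms for line in lines)
    return math.ceil((worst + headroom_ms) / 100.0) * 100.0

if __name__ == "__main__":
    for row in classify_log(SAMPLE_LOG):
        print(row)
    print("latency high threshold needed:", suggested_latency_high(SAMPLE_LOG))
```

With the defaults the 517 ms sample lands in "down" and the 497 ms "Clear" sample is still "delay", which is exactly what the two mails report; a high threshold of 700 ms would have kept the gateway in the group for both samples, at the cost of routing over a link with half-second latency.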
  • Trying to get VLANs working with TP-Link TL-SG1016DE switch

    6
    0 Votes
    6 Posts
    2k Views
    JKnottJ
> Now that I understand, at least I think, that a tagged port is expecting tagged packets, instead of tagging them.

No, a tagged port is an access port that accepts untagged frames and then tags them. A trunk port accepts all frames, tagged or not.
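Added example, not from the thread: a small model of the 802.1Q port settings the TL-SG1016DE's VLAN pages expose. Each port has a PVID (the VLAN assigned to untagged frames that arrive on it) and is a "tagged" or "untagged" member of each VLAN, which decides whether frames leave that port with or without the 4-byte tag. The MAC addresses, port names and VLAN numbers are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag

def parse_frame(frame: bytes):
    """(dst, src, vid or None, ethertype, payload) for an Ethernet II frame, tagged or not."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]

def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Assemble a frame; with vid set, insert the 4-byte 802.1Q tag after the MAC addresses."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload

class Port:
    """One switch port as managed switches configure it: a PVID for untagged ingress and,
    per VLAN, membership that is either 'tagged' or 'untagged' for egress."""
    def __init__(self, name, pvid, tagged=(), untagged=()):
        self.name, self.pvid = name, pvid
        self.tagged, self.untagged = set(tagged), set(untagged)

    def member_of(self, vid):
        return vid in self.tagged or vid in self.untagged

    def ingress(self, frame):
        """Classify an arriving frame: untagged frames get the PVID, tagged frames keep their VID.
        Returns (vid, frame with the tag removed) or None when the port is not in that VLAN."""
        dst, src, vid, ethertype, payload = parse_frame(frame)
        if vid is None:
            vid = self.pvid
        if not self.member_of(vid):
            return None
        return vid, build_frame(dst, src, ethertype, payload)

    def egress(self, vid, untagged_frame):
        """Send toward the wire: re-insert the tag on a 'tagged' member, send as-is on an
        'untagged' member, drop on a non-member."""
        if vid in self.tagged:
            dst, src, _, ethertype, payload = parse_frame(untagged_frame)
            return build_frame(dst, src, ethertype, payload, vid=vid)
        if vid in self.untagged:
            return untagged_frame
        return None

def forward(ports, in_port, frame):
    """Flood a frame arriving on in_port to every other port in the classified VLAN.
    Returns {port name: frame exactly as it leaves that port}."""
    classified = in_port.ingress(frame)
    if classified is None:
        return {}
    vid, inner = classified
    out = {}
    for p in ports:
        if p is not in_port:
            f = p.egress(vid, inner)
            if f is not None:
                out[p.name] = f
    return out

# Constructed topology: pfSense on a port carrying VLANs 10 and 20 tagged, a PC on an
# untagged (access) port in VLAN 10, a printer on an untagged port in VLAN 20.
PFSENSE_MAC, PC_MAC, PRINTER_MAC = (bytes.fromhex("02000000000%d" % i) for i in (1, 2, 3))
TRUNK = Port("trunk_to_pfsense", pvid=1, tagged={10, 20})
PC_PORT = Port("pc", pvid=10, untagged={10})
PRINTER_PORT = Port("printer", pvid=20, untagged={20})
PORTS = [TRUNK, PC_PORT, PRINTER_PORT]

if __name__ == "__main__":
    out = forward(PORTS, PC_PORT, build_frame(PFSENSE_MAC, PC_MAC, 0x0800, b"ip"))
    for name, f in out.items():
        print(name, "vid on wire:", parse_frame(f)[2])
```

An untagged frame from the PC leaves the pfSense-facing port with VID 10 in it, a frame pfSense sends tagged 20 reaches the printer with the tag stripped, and a frame tagged with a VLAN no port carries is dropped at ingress. The same membership matrix is what you type into the switch's 802.1Q VLAN page, with the pfSense side needing a matching VLAN interface per tagged VID.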
  • Inside out - egress filtering

    3
    0 Votes
    3 Posts
    555 Views
    QinnQ
@NogBadTheBad:
> Put your IOT equipment on its own subnet and do the following on the IOT interface:
> 1st rule: allow IOT net to this firewall DHCP, NTP, etc …
> 2nd rule: block IOT net to LAN net
> 3rd rule: allow IOT net to any

Thanks for your advice, but here that was already the case: all IOT devices are in a different subnet and are rejected when trying to access any other subnet. Only a few selected subnets can reach this IOT subnet through a NAT rule.
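Added example, not part of the thread: a first-match evaluator for the three-rule IOT policy quoted above, with constructed subnets, firewall addresses and probes. It shows two things the rule list as written leaves open: order matters (swapping rules 2 and 3 exposes the LAN), and "IOT net to any" also matches the firewall's own IOT-side address, so the web GUI and SSH on that interface stay reachable from the IOT subnet unless a "block IOT net to This Firewall" rule sits before the catch-all allow.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: str                    # CIDR of the source network
    dst: str                    # CIDR, "any", or "self" (every address the firewall itself holds)
    proto: str = "any"          # "tcp", "udp" or "any"
    dports: tuple = ()          # destination ports; empty means any
    descr: str = ""

# Constructed topology: LAN and IOT subnets and the firewall's own interface addresses.
LAN_NET, IOT_NET = "192.168.1.0/24", "192.168.50.0/24"
FIREWALL_ADDRS = {"192.168.1.1", "192.168.50.1"}

# The three rules from the quoted advice, in that order, on the IOT interface.
IOT_RULES = [
    Rule("pass", IOT_NET, "self", "udp", (53, 67, 123), "1: IOT net to this firewall: DNS, DHCP, NTP"),
    Rule("block", IOT_NET, LAN_NET, descr="2: IOT net to LAN net"),
    Rule("pass", IOT_NET, "any", descr="3: IOT net to any"),
]

# Tightened variant: close the firewall itself to everything else before the catch-all allow.
IOT_RULES_TIGHT = IOT_RULES[:2] + [
    Rule("block", IOT_NET, "self", descr="2b: IOT net to this firewall (everything else)")
] + IOT_RULES[2:]

def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst == "self":
        if dst not in FIREWALL_ADDRS:
            return False
    elif rule.dst != "any" and ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dports and dport not in rule.dports:
        return False
    return True

def evaluate(rules, src, dst, proto, dport):
    """Interface rules in pfSense are 'quick': the first matching rule decides, and traffic
    matching nothing falls through to the implicit default deny."""
    for r in rules:
        if matches(r, src, dst, proto, dport):
            return r.action, r.descr
    return "block", "default deny"

def reachability(rules, src="192.168.50.20"):
    """Action per constructed probe for one IOT device under a rule list."""
    probes = {
        "internet https": ("8.8.8.8", "tcp", 443),
        "lan smb": ("192.168.1.10", "tcp", 445),
        "firewall dns": ("192.168.50.1", "udp", 53),
        "firewall webgui via iot address": ("192.168.50.1", "tcp", 443),
        "firewall webgui via lan address": ("192.168.1.1", "tcp", 443),
    }
    return {name: evaluate(rules, src, dst, proto, port)[0]
            for name, (dst, proto, port) in probes.items()}

if __name__ == "__main__":
    swapped = [IOT_RULES[0], IOT_RULES[2], IOT_RULES[1]]
    for label, ruleset in (("as advised", IOT_RULES), ("tightened", IOT_RULES_TIGHT),
                           ("rules 2 and 3 swapped", swapped)):
        print(label, reachability(ruleset))
```

The LAN-side GUI address is covered by rule 2 because it lies inside LAN net; the IOT-side address is not, which is why the extra "This Firewall" block (or the GUI's built-in "anti-lockout" reasoning applied in reverse) belongs between rules 2 and 3.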
  • Difficulties Getting Pfsense on GCP

    3
    0 Votes
    3 Posts
    2k Views
    G
Hi all, here are all the steps I've done to complete the pfSense installation on a GCP instance:

References (credits):
- Route Card: https://groups.google.com/forum/#!topic/gce-discussion/tPYonu9dwbc
- nlienard: https://gist.github.com/nlienard/0ca5aa8397af6e90d70f
- Desra Blog: http://desrablog.blogspot.co.uk/2017/11/using-t1n1wall-on-google-compute-engine.html
- Google Cloud Documentation

The pfSense downloads contain a disk image inside; the instructions say that you extract it, rename it (to the convention GCE expects) and compress it again. You can do this in your Cloud Console or on a Linux system:

```
wget https://nyifiles.pfsense.org/mirror/downloads/pfSense-CE-memstick-serial-2.4.2-RELEASE-amd64.img.gz
gunzip pfSense-CE-memstick-serial-2.4.2-RELEASE-amd64.img.gz
mv pfSense-CE-memstick-serial-2.4.2-RELEASE-amd64.img disk.raw
tar -Sczf pfSense-CE-memstick-serial-2.4.2-RELEASE-amd64.img.tar.gz disk.raw
```

1. Create an image based on the file you uploaded to the bucket.
2. Activate the serial console on the project:
   `sudo ./google-cloud-sdk/bin/gcloud compute project-info add-metadata --metadata=serial-port-enable=1`
3. Create an instance and add a second disk to it.
4. Use the serial console to perform the install:
   `sudo ./google-cloud-sdk/bin/gcloud compute connect-to-serial-port [INSTANCE_NAME] --zone [ZONE]`
5. Install pfSense on the second disk.
6. Create a snapshot from the disk you created.
7. Create an instance from this disk.
8. Use the serial console to perform the setup:
   `sudo ./google-cloud-sdk/bin/gcloud compute connect-to-serial-port [INSTANCE_NAME] --zone [ZONE]`
9. Using the shell, disable the HTTP Referer check: `pfSsh.php playback disablereferercheck`. From that point on, you can access the GUI with the external IP address provided on the instance.

Hope it helps someone. Gustavo
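Added example, not part of the post: the image-preparation step above done in Python with a checksum verification in front of it. pfSense publishes a `.sha256` file next to each download (in the BSD `SHA256 (name) = hex` form); the code accepts that or the GNU `sha256sum` form, refuses to package an image whose digest does not match, and then writes the `disk.raw` inside a gzip'd tar that GCE image import expects. The file names in the demo are constructed stand-ins, and unlike `tar -S` the standard library does not store sparse files, so the archive is larger but equivalent.

```python
import gzip
import hashlib
import os
import re
import tarfile
import tempfile

HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")

def expected_sha256(sha_file: str) -> str:
    """Pull the digest out of a published checksum file, whether it is written as
    'SHA256 (name) = hex' (BSD style, as pfSense publishes) or 'hex  name' (GNU sha256sum)."""
    with open(sha_file, encoding="utf-8") as f:
        m = HEX64.search(f.read())
    if not m:
        raise ValueError("no SHA-256 digest found in " + sha_file)
    return m.group(0).lower()

def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def package_for_gce(image_gz: str, sha_file: str, out_tar_gz: str, workdir: str) -> str:
    """Verify image_gz against its published digest, then build the 'disk.raw inside a
    tar.gz' layout GCE image import expects. Returns the verified digest."""
    want, got = expected_sha256(sha_file), sha256_of(image_gz)
    if got != want:
        raise RuntimeError(f"digest mismatch for {image_gz}: expected {want}, got {got}")
    raw = os.path.join(workdir, "disk.raw")
    with gzip.open(image_gz, "rb") as src, open(raw, "wb") as dst:
        for block in iter(lambda: src.read(1 << 20), b""):
            dst.write(block)
    with tarfile.open(out_tar_gz, "w:gz") as tar:
        tar.add(raw, arcname="disk.raw")   # GCE wants exactly this name at the archive root
    return got

def tar_members(path: str) -> list:
    with tarfile.open(path, "r:gz") as tar:
        return tar.getnames()

def demo(workdir: str = None) -> tuple:
    """Constructed stand-in for the download: a small fake image plus its BSD-style .sha256
    file, one successful packaging run, then a tampered checksum file that must be rejected."""
    workdir = workdir or tempfile.mkdtemp(prefix="pfsense-gce-")
    img_gz = os.path.join(workdir, "pfSense-sample.img.gz")
    with gzip.open(img_gz, "wb") as f:
        f.write(b"\x55\xaa" * 4096)
    sha_file = img_gz + ".sha256"
    with open(sha_file, "w", encoding="utf-8") as f:
        f.write(f"SHA256 (pfSense-sample.img.gz) = {sha256_of(img_gz)}\n")
    out = os.path.join(workdir, "pfSense-sample.img.tar.gz")
    digest = package_for_gce(img_gz, sha_file, out, workdir)
    members = tar_members(out)
    with open(sha_file, "w", encoding="utf-8") as f:     # simulate an altered download
        f.write("0" * 64 + "  pfSense-sample.img.gz\n")
    try:
        package_for_gce(img_gz, sha_file, out, workdir)
        tampered_rejected = False
    except RuntimeError:
        tampered_rejected = True
    return digest, members, tampered_rejected

if __name__ == "__main__":
    print(demo())
```

For the real image, fetch the `.sha256` file from the pfSense download site alongside the `.img.gz` and pass both to `package_for_gce`. Two things about the last step of the post worth weighing separately: the Referer check is a cross-site request safeguard for the GUI, and once the GUI is reachable on the instance's external address the WAN rule that allows it should be limited to your own source addresses rather than `any`.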
  • [solved] Script to disable rules based on keyword

    5
    0 Votes
    5 Posts
    1k Views
    J
@PiBa: There are a few issues, I think :) The code you have 'creates' a run2 file, but I'm not sure how you execute that. It seemed to be missing: not enough includes, and the $value does not modify the original; use &$value to keep the reference to the original array value that needs to be modified. I would probably create a PHP file /root/script.sh that can be directly executed when given execute permissions (chmod +x /root/script.sh). The code below 'works for me' :)

```php
#!/usr/local/bin/php-cgi -f
<?php
require_once("globals.inc");
require_once("filter.inc");
require_once("util.inc");
require_once("config.inc");

global $config;
$config = parse_config(true);
$retval = 0;

// Iterate by reference so the change lands in the live $config, not in a copy.
foreach ($config['filter']['rule'] as &$value) {
    $descr = isset($value['descr']) ? $value['descr'] : '';
    // Case-insensitive substring match on the rule description.
    if (strpos(strtolower($descr), 'pfb_dnsbl_allow_access_to_vip') !== false) {
        $value['disabled'] = true;      // to re-enable instead: unset($value['disabled']);
        print_r($value);
    }
}
unset($value);   // drop the dangling reference foreach-by-reference leaves behind

write_config(gettext("Firewall: Rules - saved/edited a firewall rule."));
$retval |= filter_configure();   // reload the ruleset so the change takes effect
print_r($retval);
```

Thanks a lot! Works well.
  • Libssl.so.8 not found, unable to update/upgrade

    3
    0 Votes
    3 Posts
    2k Views
    S
Hi, with pkg-static update -f and pkg-static upgrade -f I was now able to upgrade to pfSense 2.4.2. Thank you!
  • Logging Everything in "Allow All" setup

    1
    0 Votes
    1 Posts
    219 Views
    No one has replied
  • Amazon AWS pfSense instance

    1
    0 Votes
    1 Posts
    315 Views
    No one has replied
  • MOVED: pfSense KVM guest - additional disk / grow disk

    Locked
    1
    0 Votes
    1 Posts
    216 Views
    No one has replied
  • MOVED: Help a newbie with routing

    Locked
    1
    0 Votes
    1 Posts
    173 Views
    No one has replied
  • SuperMicro X11SSi-LN4F + pfSense + Intel ME Bug

    2
    0 Votes
    2 Posts
    608 Views
    ?
Hello, as I was reading it on four websites just now, two things must be given for your device to be attackable with a bad result for you. The first is the firmware version shown by the tool linked below, and the second is that the ME unit must be enabled and configured, or better, so-called "provisioned"!

Your SuperMicro X11SSi-LN4F supports the following CPUs (in bold):
- Intel Celeron
- Intel Pentium
- Intel 7th/6th Generation Core i3 series
- Intel Xeon Processor E3-1200 v6/v5 series

Please have a look at the Supermicro website for the following two things:
- BIOS update or latest BIOS version: install the latest BIOS and have a look into the change log or release notes for ME bug fixes and patches.
- IPMI update or the latest BMC/IPMI firmware version: install the latest BIOS and have a look into the change log or release notes for ME bug fixes and patches.

Connect another HDD/SSD to your mainboard, boot from an installed Windows 7, 8, 8.1 or 10 on it, download the Intel tool shown under the link below, and run a test, please.

Intel SA-00075 detection and mitigation tool

You will get something like what is shown in the code block below; it is copied over from the bigger Qotom thread, because some people there were also testing their equipment. Then you have to watch out for the following entries:

Version: 10.0.25.1048
Based on my information it should be updated, because it is under the version number 3000 (<3000). The last four digits are what count for this! Let us imagine the ME version on your device is shown as "11.6.27.3264"; then it counts as 3264, and this is over 3000 and safe, or an updated version that cannot be attacked!

Provisioning Mode: Not Provisioned
But the other point is that your device is not provisioned, and that means: based on both ME function variants, named "Active Management Technology" (AMT) and "Intel Standard Manageability" (ISM), attackers are able to get higher access rights over or using the network if that remote function is activated and configured (provisioned); yours is not provisioned!!!

Security holes in many Intel systems since 2010 (German language)

```
Risk Assessment
Based on the analysis performed by this tool, this system is not vulnerable; the ME SKU is not affected.

Explanation:
If Vulnerable, contact your OEM for support and remediation of this system.
For more information, refer to CVE-2017-5689 in the following link: CVE-2017-5689
or the Intel security advisory Intel-SA-00075 in the following link: INTEL-SA-00075

INTEL-SA-00075 Detection Tool
Application Version: 1.0.3.215
Scan date: 2017-11-24 15:09:59

Host Computer Information
Name: DESKTOP-L7VJDFJ
Manufacturer: To be filled by O.E.M.
Model: To be filled by O.E.M.
Processor Name: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz
Windows Version: Microsoft Windows 10 Education

ME Information
Version: 10.0.25.1048
SKU: Consumer
Provisioning Mode: Not Provisioned
Control Mode: None
Is CCM Disabled: True
Driver installation found: True
EHBC Enabled: False
LMS service state: NotPresent
microLMS service state: NotPresent
Is SPS: False
```

The ME unit can be completely deactivated, or it works in one of three available "function modes", called "AMTSKU" by the SCS tool:
- Intel Full AMT Manageability
- Intel Standard Manageability
- Intel Small Business Advantage (SBA)

If you find such affected devices behind your firewall too, you may block the ports at the firewall (16992, 16993, 16994, 16995, 623 and 664) to prevent them from being attacked, disable the ME function in the BIOS, and/or update the BIOS and firmware too, if you are being served properly by the vendor; it must or should then show a number (the last four digits) over 3000 (>3000). All of this will be able to help you out. On Windows-based systems where nothing else helps, you could also try to deactivate the Local Manageability Service (LMS).

> my pfSense box is based on SuperMicro X11SSi-LN4F which is affected by the Intel ME bug.

How did you find this out? Did you perform this test already?

> Is this a security problem from WAN side?

The picture (from Intel) below shows the "way" inside, bypassing your overlying OS; it passes through without being stopped, as I am informed. (Picture below)

Sources:
- Intel patches remote hijacking vulnerability that lurked in chips for 7 years
- Remote access bug in Intel AMT worse than we thought, says researcher
- Sicherheitslücke in vielen Intel-Systemen seit 2010
- Tipps zur Intel-ME-Sicherheitslücke SA-00075

(Attachment: ME bug picture around the OS.jpg)
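Added example, not part of the thread: the two-part assessment the post describes (firmware level and provisioning state), run over the detection-tool report quoted above, plus the pf rule text for the port block it suggests. The build-number rule is the one the post applies; the assumption made here is that every fixed build Intel lists in INTEL-SA-00075 for the 6.x to 11.6 branches carries a build number of 3000 or above, so the advisory's per-branch table is still the authority for your exact branch. Consumer ME SKUs carry no AMT/ISM and are outside the advisory, which is why the sample report's own verdict is "not affected". The sample report is the one from the post, trimmed; interface and subnet names in the rule are constructed.

```python
import re

# Management ports the post lists: AMT web UI/SOAP (16992/16993), redirection (16994/16995),
# and RMCP / secure RMCP (623/664).
AMT_PORTS = (623, 664, 16992, 16993, 16994, 16995)

# Constructed sample: the detection-tool report quoted in the post, trimmed to the relevant lines.
SAMPLE_REPORT = """\
INTEL-SA-00075 Detection Tool
Application Version: 1.0.3.215
Scan date: 2017-11-24 15:09:59
Processor Name: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz
ME Information
Version: 10.0.25.1048
SKU: Consumer
Provisioning Mode: Not Provisioned
Control Mode: None
Is CCM Disabled: True
LMS service state: NotPresent
"""

def parse_tool_report(text: str) -> dict:
    """Turn the tool's 'Key: Value' lines into a dict; lines without a colon are headings."""
    report = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z0-9 ]*?):\s*(.*?)\s*$", line)
        if m:
            report[m.group(1)] = m.group(2)
    return report

def firmware_patched(version: str) -> bool:
    """The rule the post applies: on an ME branch covered by INTEL-SA-00075 (6.x up to 11.6),
    a build number (fourth component) of 3000 or above is a post-fix build. Assumption: every
    fixed build Intel lists for those branches has a build >= 3000; confirm the exact fixed
    version for your branch in the advisory before relying on this."""
    major, minor, _hotfix, build = (int(x) for x in version.split("."))
    affected_branch = 6 <= major <= 11 and not (major == 11 and minor > 6)
    return (not affected_branch) or build >= 3000

def assess(report: dict) -> tuple:
    """Combine the two conditions the post names for an attack: vulnerable firmware and
    AMT/ISM provisioned. Consumer SKUs have no AMT/ISM and fall outside the advisory."""
    if report.get("SKU", "").lower() == "consumer":
        return "ok", "consumer ME SKU: no AMT/ISM, not affected by SA-00075"
    version = report.get("Version", "0.0.0.0")
    provisioned = report.get("Provisioning Mode", "").lower() != "not provisioned"
    if firmware_patched(version):
        return "ok", f"ME {version} is at or past the fixed build"
    if provisioned:
        return "critical", f"ME {version} vulnerable and AMT/ISM provisioned: exploitable over the network"
    return "update", f"ME {version} vulnerable but not provisioned: update BIOS/ME before enabling AMT"

def pf_block_rule(iface: str, protected_net: str) -> str:
    """One pf rule dropping AMT management traffic toward a subnet that still holds unpatched
    hosts. Out-direction on the protected interface (a floating rule in pfSense terms) catches
    every source; a normal interface rule only filters what enters on that interface."""
    ports = " ".join(str(p) for p in AMT_PORTS)
    return (f"block drop out quick on {iface} proto {{ tcp udp }} "
            f"from any to {protected_net} port {{ {ports} }}")

if __name__ == "__main__":
    print(assess(parse_tool_report(SAMPLE_REPORT)))
    print(assess({"SKU": "Corporate", "Version": "11.0.18.1002", "Provisioning Mode": "Provisioned"}))
    print(pf_block_rule("em1", "192.168.10.0/24"))
```

The port block only narrows network reach to an unpatched host; it does nothing for an attacker already on the same segment as the management interface, so the firmware update is the fix and the rule is a stopgap while boards are still waiting on a vendor BIOS.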
  • Fatal trap 12: page fault while in kernel mode

    2
    0 Votes
    2 Posts
    402 Views
    GertjanG
Hi, 99% sure it's a hardware failure. FreeBSD freaks out during its idle loop, and knowing that this loop is by far the most executed code on every device, I consider it without bugs ;) The only thing you can do: check the RAM and storage of your device. Edit: if possible, and if present, change the power block and use a UPS.
  • Problem loading backup in different hardware

    6
    0 Votes
    6 Posts
    522 Views
    B
After investigating the error, it wasn't the interfaces. I loaded the full backup without modifying the .xml and reassigned the corresponding interfaces without success, so I created the interfaces one by one (not a big deal). Well, when I connect via serial, a DXE message appears on startup: "Available status code DXE status code available ESes:; 1". Once the message appears, it does not load anything else in the shell, but I can connect via web. If I connect again via serial, the shell doesn't show any information.
  • Cant access webgui of pfsense in vbox

    1
    0 Votes
    1 Posts
    246 Views
    No one has replied
  • Arp fails?

    3
    0 Votes
    3 Posts
    457 Views
    K
I reloaded the switch and router, rebooted all the servers and the ARP tables populated appropriately. Thanks!
  • Remote syslog not working

    3
    0 Votes
    3 Posts
    1k Views
    H
    I just wanted to say thank you to the OP. I was having problems with remote syslog along the same lines. I spent about 3 hours troubleshooting, and your solution eventually resolved my problem. I haven't set up the alias/rules you suggested yet, since setting the IP of the syslog server, rather than the hostname, worked perfectly and is good enough for me. Thank you for posting your solution!
  • Network planing

    3
    0 Votes
    3 Posts
    483 Views
    ?
> what should i do to connect my pfsense to my switch ? (just from modem to WAN and from LAN to my switch)

Internet --- Modem --- WAN port pfSense --- LAN port pfSense --- LAN switch --- WLAN APs and/or other equipment such as PCs or whatever.

> should i give my PCs in VLAN: LAN static ip addresses or will dhcp do that for me ?

About how many devices are we talking here? Up to 20 devices, I would give all of them static IP addresses and let the DHCP server run only for the WLAN and/or VPN service.

> should i allow wlan to access in lan if i want that people can print through my access point ?

You will be able to set up a VLAN only for the printer and let them connect only to that VLAN, and not to the other VLANs with your private stuff inside. Work with RADIUS and certificates for the private WiFi, and set up the captive portal with the voucher system for all your guests.

> how can i set up my firewall to do the routing and not the modem ?

A pure modem is not able to do a routing job; only a router is able to do so. You could try to switch that router into the so-called bridged mode and let pfSense then route the entire WAN and LAN (VLAN) part. (That would be my way to realize it.) Only if you own a Layer 3 switch in your network, then that switch will be better for the entire internal LAN and VLAN routing; it is mostly able to route at wire speed, and this over all VLANs too.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.