@murzik I don't use DNSBL or Squid but you might read this recent post about pfBlocker.

You could try looking at Diagnostics/System Activity, or run "top -o res" (sort by memory) at a command line, and see what is using the memory. I get:

PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND 81511 root 10 20 0 381M 337M nanslp 0 586:13 1.49% suricata 89847 root 1 52 0 135M 47M accept 0 0:29 0.00% php-fpm 93096 root 1 21 0 133M 46M accept 0 0:13 0.29% php-fpm 11372 root 1 52 0 132M 45M accept 1 0:03 0.00% php-fpm 338 root 1 52 0 133M 45M accept 0 0:11 0.00% php-fpm 337 root 1 52 0 132M 44M accept 1 0:34 0.00% php-fpm 26574 root 1 52 0 59M 38M piperd 1 0:00 0.00% php_pfb 73546 unbound 4 20 0 68M 32M kqread 1 1:17 0.00% unbound 336 root 1 20 0 102M 25M kqread 0 1:25 0.00% php-fpm 37003 root 1 20 0 29M 9648K kqread 2 0:07 0.05% nginx 36796 root 1 20 0 29M 9644K kqread 3 0:03 0.00% nginx ...

@swemattias nic pass though to pfsense is simpler imo. Hardware off loading can also then still be used

You can re-install clean to wipe the drive. Open a ticket with us to get the recovery image if you need it: https://go.netgate.com/

But it will happen again if you have something configured to use space with no limit. Probably syslog-ng.

Steve

Something must have changed. I would look for something that has expired. Usually the cert but that would be proven by just using LDAP. So maybe the user?

Ok, you probably need to use NetFlow data then.

@steve_b

I am looking into moving the users and the certificates of the pfSense machines to a dedicated solution.

Thanks for the help with this issue!

@slu said in Export CA | Do I have to pay attention to anything?:

You mean the CN name or something like this?

Yes. Or someones email address etc. Something you may not want public.

Steve

@jkalber said in Issues after uploading backup config:

I do not have a backup of the current configuration unfortunately (the one that is running v21.05.1-RELEASE). So technically, the firmware should be the correct version on my backup - right?

It doesn't have to be. You should always be able to import an older backup file into a newer firmware version. What you are attempting should work.

If the firewall has come from some other place where anything could have been done to it I would definitely start out by re-installing 21.05.1 clean. Open a ticket with us to get the recovery image: https://go.netgate.com/

Steve

So you just need to redirect traffic to them in pfSense? You can just use port forwards for that. That's what Squid does if you set it to transparent mode.

Steve

@stephenw10
Ah!!! thank you very much, I found that in Services - DNS resolver - General setting - Network interfaces only LAN and localhost was selected.
Thanks a lots.

Yikes that is ugly.

If it's that badly configured, have you tried logging into that random device with default credentials and turning off DHCP? :-)

@stephenw10

Hi Steve

I submitted a post earlier, here

https://forum.netgate.com/topic/166622/i-need-to-restart-the-ovpn-tunnels-after-a-pfsense-reboot/2

@jlw52761 said in Alert Flooding:

I'm not sure where you are going with this in relation to the original question to be honest.

I explained (was trying to explain) why this won't work :

@jlw52761 said in Alert Flooding:

I don't think that we are worried about decrypting the TLS traffic, just looking at what the DNS query is and if it matches something in the block list then send back the IP defined in the local web server config instead of the actual IP. There's no TLS decryption needed, and even TLS sends clear text DNS queries.

Yes, the clear DNS requests (not DoH, as you can't decrypt it anyway) of a blocked domain name get blocked = replaced by 10.10.10.1
And No : the web browser was asking for, example, www.facebook.com (you blocked www.facebook.com) and your browser will not open the https::/10.10.10.1/.... instead to show the user that "www.facebook.com" has been blocked by the 'admin.

You can not redirect a https site ! Your browser wants a cert that says the site is "www.facebook.com".
Worse : https::/10.10.10.1/.... will return a self signed cert, not accepted at all by your browser.

Long story short : this works only for "http" sites :

86fbb4c8-d135-4c05-bef4-b63e2ab2c41d-image.png

.... and http sites don't exist any more.

Even shorter : don't use functionality. Just "Log and zero drop".

Read thru most however I have a protectli PFSENSE ( 2.5..2 ) box behind my ISP fiber modem.

In the setup i just put in my PPPOE username and password and it set it up and just works.

My ISP here in Dubai requires my wan to be connected on a certain port on the modem ( ONT4)

Otherr than that it just works and I am not a real technical guy.

Solved this issue. It appears that the most recent macOS update disabled the UART bridge used for serial comms. Re-installed the driver from Silicon Labs and everything is working.

@steveits lol you're amazing :D that's exactly it! Thanks a lot!! Cheers

@jimp and @JKnott

Thanks for the input. From my research so far, IPSec has seemed like the best solution for me. I will keep on reading, with a focus on IPSec.
Wireguard did seem like an interesting solution that I was seriously looking at before it was removed from FreeBSD and pfsense. Seemed like a pretty straightforward configuration that would have met my needs. Once the current package is further along in development it is something I would like to revisit.

Any further advice is still welcome. And I am sure I will have some more questions as I get closer to actually implementing.

Thanks again.

@mgcsec said in pfsense packet process order:

@stephenw10
thank you!
and then where are local services/plugins involved?
for example Nginx in that chain?
NAT=>FW=>Nginx=>NAT=>FW=>Upstream?

For some services, yes, this is the processing order. But for others such as the IDS/IPS packages, this is the processing order:

IDS/IPS => NAT => FW (for inbound traffic on WAN)
IDS/IPS => FW => NAT (for inbound traffic on LAN)

Do that have the same capabilities? Try: ifconfig -vvvma

Are those vmxnet NICs the pfSense VM has assigned currently?

If not try assigning one to something and see if that responds to large packets.

This seems likely to be an issue with the bxe driver or the NIC itself but we need to confirm that by, for example, showing vmx is not affected.

Steve

Hi Steve - Brilliant suggestion.

Evidently my password manager was pre-empting my updates. Now email works!

Thanks,

Neil

Aside from pcscd, you should also disable log compression when rotating on there.

Given the output from top, it was the log compression that was having trouble keeping up with the rate of logs being written at the time.

Status > System Logs, Settings tab, set Log Compression to None.

@johnpoz root cause analysis was suggested in a different forum.

Wire shark did capture vlan traffic on port going to ESX host. But pktcap-uw did not capture any on vmnic. Promiscuous mode was enabled too.

Switch configuration is correct.

Only data point which I still could not figure out is wireshark trace contains icmpv6 but not icmp dhcp discovery.

Neither ipv6 is enable on pfsense or unifi.

@rbarden
I use NTOP-NG.
But nothing is "free" in terms of cpu cycles or promiscious mode on the netcards.

/Bingo

thank you

That doesn't seem like a huge number for 5 mins. I would expect far more if you were actually being used as part of an attack. That seems like it could just be a bad DNS server configured.

Steve

You still have not shown us the log containing this error for context so we can only guess what is calling it. You must have something custom on that box.
To confirm you have removed the custom sysctls from Sys > Adv > System tunables?
sysctl.conf will just get rebuilt at boot.

Steve

@newuser2pfsense said in Packet Loss Restart Script:

The ONT power supply has been connected to a UPS

Ok, that is good thing.
It's ok that the power goes away, the ONT will restart when it comes back.
The real danger is what I call brown out or yellow outs. These can really 'f*ck' electronic.

@newuser2pfsense said in Packet Loss Restart Script:

I pressed the on/off switch for a hard shutdown

Please, do this never again.
Or do it at least a couple of time with your PC : remove the power cable or battery.
You will loose your file system, the system won't boot any more, and you have to be far better as a 'coder' to repair the situation. You most probably wind up res installing everything -- loosing all recent data.
pfSense is : the same big OS - the same big complex file system on the same hard drive. The same risks.

I can't proof it to you, but when the pfSEnse comes up and it connects, and it comes ups and it won't connect, it's not a pfSense issue.
Check the DHCP logs pn pfSense : you can see it sending DHCPdiscover (the dhcpclient process) messages .... but its not receiving any answers from from your ISP.
You could reboot pfSEnse - something that just creates a small pause, or remove the WAN cable for the same duration : if your ISP isn't ready, not listening or whatever, the chances of receiving an answer to the DHCP negotiation are identical.

Have a look at this :
https://forum.netgate.com/topic/64563/pfsense-auto-reboot-script-when-google-is-unreachable

It's a script - from 2014 (!!), so some retouching could be needed.

@gruensfroeschli
I know I am replying to an old thread. Someone might still encounter the same problem so why not share my experience. Afterall, OP did not back by to confirm a solution.
I have the same problem and I finally addressed it by changing the cable and the wall jack. I run 10Gbe on the WAN side of my PFsense and the cable is long and thru the wall. CCA - Copper Clad Aluminum is Cat 6 cable is the culprit. It is deceiving.

[A Look Inside Copper Clad Aluminum CAT6 Networking Cables]

I ended up using some pure copper cables which is 3 times the price. Then my keystone wall jacks are also not making good contact. You just can't go with the cheap stuff. It in turn would give u more headache.

@h0110
My Intel card is an old second hand one based on the 82571EB chipset so it uses the em driver.
You should easily be able to pick up a newer one that is supported by the igb driver.

Port wise a two port will do you fine if you are using VLANs with a capable switch as @stephenw10 suggested.

Can you ping6 to other internal hosts?

Is pfSense handing out those IPs via dhcpv6? That would imply it's receiving a prefix from the ISP.

Steve

@ev4nsp479 Do you have a spare switch you can put between them?
Comcast hardware sometimes will care if the MAC of your router changes unexpectedly, but powering off their router should start fresh.

Hmm, so if you just lose upstream connectivity there's not much pfSense can do. You probably need to find out exactly how it's failing. If the gateway is still responding try a traceroute when it's working and when it fails. Where is it failing?

@jimp
Thank you!! That got it.

I copied the files from the netgate fw up to my PC. I don't know why, but the netgate sg3100 did NOT have
UCD-DISKIO-MIB.txt
UCD-SNMP-MIB-OLD.txt
so I copied them from the net-snmp 5.9.1 source tarball.

I'm still missing the MIB for begemot.203
$ snmpwalk netgate-fw begemot.203 2>/dev/null
BEGEMOT-MIB::begemot.203.0.0 = INTEGER: 0
BEGEMOT-MIB::begemot.203.100.0 = STRING: "/usr/local/etc/rrdbot"
BEGEMOT-MIB::begemot.203.101.0 = STRING: "/var/run/snmp-regex.sock"

and this is wrong:
$ snmpwalk netgate-fw begemotIfMaxspeed 2>/dev/null
BEGEMOT-MIB2-MIB::begemotIfMaxspeed.1.0 = Counter64: 2500000000 bps
BEGEMOT-MIB2-MIB::begemotIfMaxspeed.2.0 = Wrong Type (should be Counter64): Timeticks: (100) 0:00:01.00
BEGEMOT-MIB2-MIB::begemotIfMaxspeed.3.0 = Wrong Type (should be Counter64): Timeticks: (0) 0:00:00.00
BEGEMOT-MIB2-MIB::begemotIfMaxspeed.4.0 = Wrong Type (should be Counter64): Timeticks: (100) 0:00:01.00

but I can live with that.

I can't tell if I'm missing some more MIB file[s] or the BEGEMOT-LM75-MIB is broken, but
$ snmpwalk netgate-fw sysLocation
Unlinked OID in BEGEMOT-LM75-MIB: lm75SensorTemperature ::= { lm75SensorEntry 7 }
Undefined identifier: lm75SensorEntry near line 153 of /usr/local/share/snmp/mibs/netgate/BEGEMOT-LM75-MIB.txt
Unlinked OID in BEGEMOT-LM75-MIB: lm75SensorParent ::= { lm75SensorEntry 6 }
Undefined identifier: lm75SensorEntry near line 145 of /usr/local/share/snmp/mibs/netgate/BEGEMOT-LM75-MIB.txt
Unlinked OID in BEGEMOT-LM75-MIB: lm75SensorPnpInfo ::= { lm75SensorEntry 5 }
Undefined identifier: lm75SensorEntry near line 137 of /usr/local/share/snmp/mibs/netgate/BEGEMOT-LM75-MIB.txt
Unlinked OID in BEGEMOT-LM75-MIB: lm75SensorLocation ::= { lm75SensorEntry 4 }
Undefined identifier: lm75SensorEntry near line 129 of /usr/local/share/snmp/mibs/netgate/BEGEMOT-LM75-MIB.txt
Unlinked OID in BEGEMOT-LM75-MIB: lm75SensorDesc ::= { lm75SensorEntry 3 }
Undefined identifier: lm75SensorEntry near line 121 of /usr/local/share/snmp/mibs/netgate/BEGEMOT-LM75-MIB.txt
Unlinked OID in BEGEMOT-LM75-MIB: lm75SensorSysctlIndex ::= { lm75SensorEntry 2 }
Undefined identifier: lm75SensorEntry near line 113 of /usr/local/share/snmp/mibs/netgate/BEGEMOT-LM75-MIB.txt
Unlinked OID in BEGEMOT-LM75-MIB: lm75SensorIndex ::= { lm75SensorEntry 1 }
Undefined identifier: lm75SensorEntry near line 105 of /usr/local/share/snmp/mibs/netgate/BEGEMOT-LM75-MIB.txt
Unlinked OID in BEGEMOT-LM75-MIB: lm75Sensor ::= { begemotlm75Objects 1 }
Undefined identifier: begemotlm75Objects near line 64 of /usr/local/share/snmp/mibs/netgate/BEGEMOT-LM75-MIB.txt
Unlinked OID in BEGEMOT-LM75-MIB: begemotLm75Objects ::= { begemotLm75 1 }
Undefined identifier: begemotLm75 near line 58 of /usr/local/share/snmp/mibs/netgate/BEGEMOT-LM75-MIB.txt
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorIndex ::= { lm75SensorEntry 1 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorSysctlIndex ::= { lm75SensorEntry 2 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorDesc ::= { lm75SensorEntry 3 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorLocation ::= { lm75SensorEntry 4 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorPnpInfo ::= { lm75SensorEntry 5 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorParent ::= { lm75SensorEntry 6 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorTemperature ::= { lm75SensorEntry 7 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75Sensor ::= { begemotlm75Objects 1 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorTable ::= { begemotLm75Objects 2 }
Cannot adopt OID in BEGEMOT-LM75-MIB: begemotLm75Objects ::= { begemotLm75 1 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75Sensors ::= { lm75Sensors 1 }
Cannot adopt OID in BEGEMOT-LM75-MIB: loosTempSensorEntry ::= { lm75SensorTable 1 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorTemperature ::= { lm75SensorEntry 7 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorParent ::= { lm75SensorEntry 6 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorPnpInfo ::= { lm75SensorEntry 5 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorLocation ::= { lm75SensorEntry 4 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorDesc ::= { lm75SensorEntry 3 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorSysctlIndex ::= { lm75SensorEntry 2 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorIndex ::= { lm75SensorEntry 1 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorTable ::= { begemotLm75Objects 2 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75Sensor ::= { begemotlm75Objects 1 }
Cannot adopt OID in BEGEMOT-LM75-MIB: begemotLm75Objects ::= { begemotLm75 1 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75Sensors ::= { lm75Sensors 1 }
Cannot adopt OID in BEGEMOT-LM75-MIB: loosTempSensorEntry ::= { lm75SensorTable 1 }
SNMPv2-MIB::sysLocation.0 = STRING:

so I deleted BEGEMOT-LM75-MIB.txt and all the errors went away :)
$ snmpwalk netgate-fw sysLocation
SNMPv2-MIB::sysLocation.0 = STRING:

Thanks again!!

Thank you both (@SteveITS and @stephenw10). I sincerely appreciate your help. I'm grateful for the insight.

Matt

@stephenw10 Thanks Steve your reply is really appriciated I'll go down the update route hopefully reslove the issue
All the best, John

@csfshore As this doesn't appear pervasive, it must be something in my config. (Which is vanilla, honest 😊 )

When new release 21.09 is out, I will take it down to the bare metal and reinstall, unless I can figure out anything from the logs.