@mascot said in How to set TTL?: In this case my only option to have same TTL with "pf scrub" is to set it to maximum value of 255? (Side question: are there any downsides of having TTL=255?) Also, shouldn't there be possible some workaround to avoid looping? Like router somehow recognizing and ignoring packets if they are in a loop? Also, maybe for FreeBSD there is something like "iptables mangle" for Linux? Well, as I mentioned, on IPv6 255 indicates a packet that's intended for the local LAN only. Will a router pass it? Also, recognizing packets it's seen before, that would require saving the packets it already sent and then comparing them with any new packets. That might keep a router a bit busy. Also, if a router sees a packet with 255, the assumption can only be that the previous router decremented from 0 and sent it on, violating the rule that says packets with or decremented to 0 must be discarded. You're trying to defeat the entire purpose of MTU, which is to prevent a packet from being sent forever around a loop.

If can do if you run the Squid web proxy. Squid can send it's logs to a syslog server. Steve

Great info. That alone is helpful. I'm going to grab a packet capture on the syslog server and go from there. Thanks!

Thank you John. So do you see the GPS in the Dashboard? Checking here now only see the GPS in ntpq where as before pps, gps and internet NTP servers... /root: ntpq ntpq> pe remote refid st t when poll reach delay offset jitter ============================================================================== oGPS_NMEA(0) .GPS. 0 l - 16 377 0.000 0.003 0.026 ntpq> Maybe I should switch it back? Switched it back..thinking it takes a bit for PPS to come up (was seeing it before) ntpq> pe remote refid st t when poll reach delay offset jitter ============================================================================== *GPS_NMEA(0) .GPS. 0 l 12 16 1 0.000 0.028 0.000 0.pfsense.pool. .POOL. 16 p - 64 0 0.000 0.000 0.000 23.134.96.254 252.74.143.178 2 u 1 64 1 41.763 0.186 1.522 eterna.binary.n 204.9.54.119 2 u - 64 1 28.596 3.498 2.029 ntp2.wiktel.com 212.215.1.157 2 u 1 64 1 29.253 9.657 1.283 45.32.75.249 (4 142.66.101.13 2 u - 64 1 65.164 2.326 1.400 ntpq>

Thank you very much.

Setup vlan 60 firewall rules to use your vpn gateway..

@thsalex What do you mean by the term "lock"? There is no "lock" with regards to either package. There are blocks, but those are implemented by placing the offending IP addresses in the pf (packet filter) firewall's snort2c table. This is a table that is created by the core pfSense code during initialization of the firewall. Any IP addresses placed into that table are blocked via a built-in firewall rule that references the snort2c table. The table can be cleared manually, automatically by a cron job, or by rebooting the firewall.

Most of those have so little RAM/CPU/etc that they could not effectively run pfSense. And most of them are not 64-bit x86 hardware, but various ARM platforms for example.

status-->system logs-->settings: Local Logging: [ ] Disable writing log files to the local disk

Someone here pointed out to me that one can add an "IP Alias" under virtual ip's, which does exactly what I want.

Hello, I would like to inform you that my problem was resolved. What was missing is adding the subnet of PC to the allowed subnets in SQUID Proxy Server. Thank you.

Your corp account uses the same domain to login? You can create a custom url for your mail... Then just block the normal url.

Too early to say. Probably a long time, we are finishing up 2.4.4-RELEASE right now, and haven't formally started on 2.5 in any way. It likely isn't going to be next after 2.4.4 either.

Ugh yeah, I know Realtek is crap. It worked for years up until recently though, it's like the latest BSD pfsense kernel driver just sucks exceptionally worse for Realtek. This card is pushing a crapload of traffic though because I have an NTP node running behind it. LAN side is running LACP on a dual port Intel with no issues. I do have a free port on the motherboard though, I may find another cheap Intel card off ebay and be done with it.

@mrpeterson Yes, it's a small case business class desktop computer. However, I bought it a few years ago and found it in a store flyer. I don't have a link for it. Regardless, it doesn't have that encryption support I mentioned, so I will have to replace it in the not too distant future.

@tim-mcmanus Couldn't agree more. At its core Tor is just a couple of proxies; a couple of ISP's to "strong-arm" and they've got you. I'm attempting to implement some security practices that make it a lot harder. More specifically 2 end-to-end encryption tunnels (via 2 different "reputable" VPN's and hopefully one of the Raspberry PI devices that turn a tor connection into a network connection, essentially meaning that I will have 8 hops rather than 3. The data itself is rarely ever sensitive in nature.

There is no command that will query the local database users in that way, you'd have to write your own script. You could use the changepassword script as a starting point. It is in /etc/phpshellsessions/ and you run it from ssh or console shell with pfSsh.php playback changepassword for example.

About what I figured. Thanks for the excuse to buy a new box!

Good to hear - yeah pfsense doesn't do anything with the traffic other than nat it.. Unless you were using proxy software pfsense doesn't modify anything.. When you get a new IP from your ISP you never know what the guy that had it before was doing ;)