• ELK + pfSense 2.3 Working

    Good day ando1, Much appreciated. Can it apply to pfsense version 2.4.5?
  • PFSense & Cisco Switch MS220-24p

    A Meraki switch is cloud managed and needs to be able to see the internet for it to work. Here is what the lights mean: https://documentation.meraki.com/Go/Meraki_Go_-_Decoding_the_LED_Light I would reset the Meraki switch to default and then connect it to the pfSense box. See restore button: https://documentation.meraki.com/MS/MS_Installation_Guides/MS_End_of_Sale/MS220-24%2F%2F48_Series_(EOS)_Installation_Guide I have a number of Meraki switches, and if they cannot see the internet they do not boot.
  • Suricata Signature Group Header MPM Context Definition

    bmeeks:
    @zer0systems said in Suricata Signature Group Header MPM Context Definition:
    "@bmeeks I completely agree, and I've seen the documentation you linked, thank you. I've actually had great success with tuning Suricata thus far; there's just always that setting or two you wonder about (or would like to grasp a bit more). 32GB, via Suricata alone? Perhaps with 1000 clients. On a 16GB box with all of Suricata's settings x4, including the available firewall states being increased by 400%, you're only using about 20% of that 16GB if provisioned properly; that's why they offer the adjustments. I also mean no disrespect, but offering the old "if you don't know" answer is disappointing. When you don't understand something, you try to understand it. If we didn't, no one would truly understand the marrow of anything, in this case being the MPM library. If I were using Suricata's "defaults", or all of pfSense's for that matter, I would be wasting RAM, as in your 32GB explanation. Yet again, no disrespect, I really do appreciate any help or assistance, but "defaults"?"

    I have seen a number of folks posting here who have crashed Suricata by tinkering with the settings, so I am just offering the advice in case you were not aware. Some users like to tweak things just because an adjustment is there. Same for Snort. Its MPM is especially sensitive to tweaking. The defaults are the best in pretty much every circumstance. If you want to experiment with different settings, you certainly are free to do so. And if you find one that works better, post back and share with the community. But the defaults are chosen by the creators of Suricata and Snort for a good reason: they generally work best unless there is some peculiar extenuating circumstance in a given environment. I am the creator of the Suricata package on pfSense (and the maintainer of the Snort package).

    I put the various adjustments in the GUI because they are available as choices in the underlying binary's configuration file (suricata.yaml for Suricata and snort.conf for Snort). The documentation from upstream for both pieces of software is a bit lacking in terms of a full explanation for some of the configurable options. But the developers of the binary choose their defaults to yield optimal performance in most cases. I don't know in any detail what the various selections in the MPM do. I don't think anyone truly does except the person who wrote that code in the binary.
  • More details than bandwidthd?

    I have no lack of understanding of what the issues could be, but that wasn't the question :). Either way, I appreciate all that input and I'm sure it will help the next person that finds this. In the meantime, I'm going to use it. Thanks.
  • stephenw10:
    I guess it has to match the format required by those services? There's nothing like that built into pfSense, but I could imagine something that runs on an internal host just to query the WAN IP and then serve it up as those services expect. UPnP should be able to pull the external IP from pfSense if it's enabled. Or maybe an SSH command. Steve
  • PHP Crash Report

    stephenw10:
    It may or may not be, but the important thing is that if your package repo was still set to 'latest stable' and not '2.4.4 deprecated' it will have pulled in incompatible libraries, causing the errors you're now seeing. To be sure I would probably back up the config and install 2.4.5p1 clean. Or wait for 2.5 at this point and then install that clean. Steve
  • pfsense and openvpn

    stephenw10:
    If the server is configured as SSL/TLS with a tunnel subnet larger than /30 then all values are passed from the server to the client when it connects. As long as the client in pfSense is not configured with 'do not pull routes' then it should get a route to 10.0.0.0/24 when it connects. You can check the system routing table to make sure though. Steve
  • opening routes to the LAN

    openvpn client
    stephenw10:
    Is this just a dupe of your other ticket? https://forum.netgate.com/topic/160507/pfsense-and-openvpn
  • Windows AD

    @stephenw10 thanks.
  • arp: IP moved from Mac to vtnet1-mac on vtnet1

    @stephenw10 Hey Steve, thanks for your answer. No, we do not have any VIPs defined on that box. The host is connected to vtnet1:
    arp: 10.1.0.50 moved from 00:5d:73:1e:58:98 to ea:b5:54:89:1c:9c on vtnet1
    arp: 10.1.0.50 moved from ea:b5:54:89:1c:9c to 00:5d:73:1e:58:98 on vtnet1
    Ah, and thanks for your hint: I was wrong, the MAC is not the interface itself but the Cisco ASA interface. So I think I know where to search: proxy ARP on the Cisco. This is what the routing is like: Default 10.1.0.50 (ea:b5:54:89:1c:9c) -> 10.1.0.1 Cisco ASA routed 10.1.0.1 (00:5d:73:1e:58:98). But on 10.1.0.50 we do have a route for 10.1.25.0/24 via 10.1.0.2, which is vtnet1 on the pfSense. So the packet from 10.1.0.50 should arrive on the pfSense via vtnet1 and should not pass the ASA. So it should be the proxy ARP on the Cisco which replies to the ARP query. There is a NAT rule on the ASA pointing to 10.1.25.2 on which I will disable proxy ARP now for testing. This should resolve the problem, and proxy ARP is not needed since I use different networks on each segment. Thanks for your advice.
  • Show dnsbl_default.php for https sites

    pfblockerng pfsense dnsbl
    stephenw10:
    Yup, that^. You can't make that page work for https as long as you have any sort of sane security in your browser. Steve
  • Will pfSense Plus contain the UPNP feature?

    johnpoz:
    While I don't see UPnP as an enterprise feature ;) Since + will be free for home/lab use, in that sort of network I can still see people using it. I wish the protocol in its present form would just die, to be honest. It was and is a horrible solution..
  • Multiple IP's / Firewalls

    @overcon The web server will send responses to the default gateway. So if the USG is set as default gateway, response packets will not be returned to pfSense and you will have an asymmetric routing issue which breaks TCP connections. You can either set pfSense as default gateway on the web server and some other devices you want to use it, or you have to do SNAT on packets going to them, so that pfSense translates the source IP into its own LAN IP (masquerading). However, consequently you're not able to determine the real source IPs of accesses on these devices, which may be desirable though on web servers and the like.
  • How do i Add more MQTT options or Script when WAN is down to reboot modem

    @comet424 @azdeltawye "do you set that script to run like every hour?" No, that simple script just runs continuously. No crontab needed. The loop timer is set to 300 seconds, which is 5 minutes. Five unsuccessful pings take 25 minutes, reboot of the modem is another 5 minutes, so 30 minutes total for a full reset cycle. You could change the timer settings to whatever works for you; I just picked 5 min because it seemed reasonable... I still run that script on an RPi now, but my ISP seems to be much more reliable and it hasn't had to reboot the modem in over a year now. Originally when I first implemented that setup I was being subjected to 70+ outages per year...
  • Protecting SSH

    johnpoz:
    How are you connected to your work VPN? On your device? What does that have to do with running a VPN server on your router? So you're running an SSH tunnel through your work VPN to be able to get back to your home network?
  • Howto Sort Interfaces in GUI

    noplan:
    @johnpoz Oh yeah, thx for the inspiration!! Awesome... Not gonna play with config.xml
  • Disable or whitelist sshguard

    Locked
    stephenw10:
    Ok, let's continue this in the other thread since this appears unrelated to sshguard. https://forum.netgate.com/topic/160415/having-issues-in-accessing-pfsense-using-ssh
  • Crash report - Fatal trap 12: page fault while in kernel mode (on VMWARE)

    @stephenw10 That makes a ton of sense. Will try it out today.
  • Spectrum Web Chat...

    @stephenw10 - I already knew what was blocking it, but it's not dropping anything in the log that helps much unless it's going through google analytics on the way... If it is, I'll live without it....
  • pfSense becomes unresponsive

    stephenw10:
    @amaanx5a said in pfSense becomes unresponsive:
    "The firewall still has to read that traffic, process it and send it back out on all the interfaces. All of that requires CPU cycles. Even if I use a switch?"

    No, if you use a bridge as a switch. There is a common misconception that bridging somehow requires fewer CPU cycles and won't affect firewall performance for some reason. Not really sure where that comes from, but just to be clear, it does. If you use a switch the traffic never goes through the firewall and it can happily use all its CPU cycles for more important things like VPNs. And, yes, use OpenVPN for remote access if you can. At the very least move your webgui to a different port to reduce the drive-by connection attempts. https://docs.netgate.com/pfsense/en/latest/recipes/remote-firewall-administration.html Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.