• Praising Service Watchdog !!

    7
    0 Votes
    7 Posts
    1k Views
    GertjanG
    Euh ..... Read the log file : it shows what goes on : The watchdog finds unbound dead. One second later, dhcpleases found "etc/hosts changed size from original!" and wants to restart unbound also ... [ edit : if you are using 'pfblocker ' and the like, this will take some time ... ] For the - maybe related "dhcpleases kqueue error: unkown" see, for example, https://forum.netgate.com/topic/112302/dhcpleases-unbound-errors-in-the-logs [edit : dhcpleases does this probably too early ... unbound is about to be started - pid file not yet created => things get messy now ] Btw : restarting a process that goes flat out with a @KOM said in Praising Service Watchdog !!: segfault aka general protection fault aka memory access violation should not be restarted with the watchdog. The problem should be solved. @chudak said in Praising Service Watchdog !!: What would you do to figure out why it's going on ? Applying the one big advantage of open software : look at the code : you can see what happens yourself ;)
  • cyber security compliance

    20
    0 Votes
    20 Posts
    2k Views
    D
    Here is one of the reasons they are doing this https://www.cnn.com/2019/05/02/politics/china-pentagon-report/index.html
  • Enabling TSO on Intel 10gb/s NICs

    3
    0 Votes
    3 Posts
    334 Views
    O
    Hi, thanks a lot for clarifying this, I'll keep it disabled. BTW, I tried all the recommendations I found in this page: https://docs.netgate.com/pfsense/en/latest/hardware/tuning-and-troubleshooting-network-cards.html but still cannot get more than ~5.5 Gb/s from my Intel NIC (measured with iperf3 and multiple parallel streams). Is there anything else I could try or is this something I should actually expect from these cards?
  • Is this behaviour normal?

    5
    0 Votes
    5 Posts
    930 Views
    KOMK
    Maybe nmap? You certainly are running every package under the Sun
  • Backup/image tool for pfSense 2.4.2 (SOLVED)

    10
    0 Votes
    10 Posts
    3k Views
    G
    For x86/64 based systems with a monitor I’ve mostly been successful using gparted (CD or USB) and the dd command. More recently I have been using pfSense VMs on ESXi (Free). With Nakivo Backup (Free) you can back up 2 VMs straight onto a Synology NAS (Intel CPU only). With open-vm-tools running inside the pfSense VM I can do automated full backups every night without the need to shut down. Since the backups are snapshot based they only take a few seconds. (The first backup takes a few minutes). Restores only take a few minutes, too, and you can select a different ESXi host as target. For the backups to work (ESXi snapshots) you won’t be able to pass through physical NICs via vt-d, however I couldn't notice any performance impact using vmxnet3 adapters...
  • Netgate SG-1100 fails to boot

    3
    0 Votes
    3 Posts
    339 Views
    chrismacmahonC
    Interesting, can you open a ticket with us at https://go.netgate.com? We will get you the image file needed to reflash the unit. Thanks!
  • Trouble with loading Facebook comments on Android/iOS

    3
    0 Votes
    3 Posts
    188 Views
    johnpozJ
    Pfsense doesn't know what the client OS is nor does it care.. Is your pc also wireless?
  • Slow Outbound Email

    6
    0 Votes
    6 Posts
    729 Views
    JKnottJ
    You can watch the traffic with Wireshark to get a clue. Also, if in doubt, remove pfSense from the equation. Do you have a cheap router you can drop in its place?
  • 0 Votes
    3 Posts
    401 Views
    A
    No, just ignoring it.
  • Can pfSense Dynamically block IP addresses ?

    3
    0 Votes
    3 Posts
    541 Views
    bmeeksB
    Further information on both packages @johnpoz listed can be found in this sub-forum: https://forum.netgate.com/category/53/ids-ips. And here is some specific documentation created for the Snort package: https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html.
  • HAProxy listen on LAN

    3
    0 Votes
    3 Posts
    2k Views
    D
    Thank you, this was the problem...
  • Putting a traffic shaping on a schedule

    6
    0 Votes
    6 Posts
    562 Views
    stephenw10S
    If you used the wizard the match rules that put traffic in the queues will be on the floating rules tab. Create schedule in Firewall > Schedules. Edit the rule you want it to apply to and set the schedule there in the advanced section. Steve
  • Pfsense behind a router and need to access nanostation

    9
    0 Votes
    9 Posts
    832 Views
    stephenw10S
    Yes, VPN into pfSense and then access it from there is far more secure. If you are going to use port forwards you should definitely be using the secure server port (https). Steve
  • Adding Ports with Unmanaged Switch to pfSense Router

    5
    0 Votes
    5 Posts
    750 Views
    M
    @stephenw10 I got it going. Literally every cable I tried was bad. I feel like an idiot haha. Thanks everyone
  • DNS with iOS

    22
    0 Votes
    22 Posts
    2k Views
    johnpozJ
    well when you manually set it only going to do ipv4? Turn off ipv6.. Does that make your issue go away? With ipv6 still off, set ipv4 to only 1 dns.. You sure this dns is working ;)
  • This topic is deleted!

    1
    0 Votes
    1 Posts
    3 Views
    No one has replied
  • PFSense Speed Issue

    5
    0 Votes
    5 Posts
    694 Views
    H
    man - I'm embarrassed! I thought I'd disabled the proxy for testing but seems I hadn't. I disabled it, tests ran fine, re-enabled it and still worked - must have been a random glitch. thank you so much
  • 0 Votes
    6 Posts
    1k Views
    stephenw10S
    Presumably to force you to purchase their VoIP offering. It should be relatively easy to do this by either handing the OpenDNS servers to clients to use directly or by having clients use pfSense for DNS and have that forward to OpenDNS. In either case be sure to block or redirect DNS connections to other servers directly. Steve
  • Need to block PSIPhon app

    8
    0 Votes
    8 Posts
    5k Views
    stephenw10S
    @johnpoz said in Need to block PSIPhon app: openappid for psiphon I don't believe we have one for that in our detectors ruleset but you might be able to load one from somewhere else. That is likely the only way you will block it and even then it's not guaranteed if that app is specifically designed to prevent detection. Steve
  • Allowing all ports opened to certain port/vlan

    9
    0 Votes
    9 Posts
    888 Views
    stephenw10S
    If you just want to test OpenVPN just setup a port forward to it on the edge firewall. You can use 1:1 NAT to forward all traffic to the test VM if you really need to. Apart from any other port forwards you might already have that is. Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.