• State table size issue
    Moved, 0 Votes, 2 Posts, 393 Views
    @arbabnasir Why do you have so many states? Are you under attack? If not, you may extend the state table size in System > Advanced > Firewall & NAT > Firewall Maximum States.
• Properly initializing tap interface on boot
    0 Votes, 2 Posts, 385 Views
    After some more digging it seems the tap interface is not set in promiscuous mode at startup, as the tap device is missing. As I mentioned, if I make some changes to the bridge, for example start a packet capture and enable promiscuous mode on the interface, the traffic starts. So the issue seems to be how to enable/create the tap interface early in the init process so it is put in promiscuous mode? Alternatively, how to programmatically restart the bridge once the interface has been created?
• 2.5.1: new VM install, a few UI glitches and bugs?
    Moved, 0 Votes, 3 Posts, 473 Views
    @jimp said in 2.5.1: new VM install, a few UI glitches and bugs?: Something in the RA process must be triggering it to take the other gateway as default. That is somewhat moot though since you can't use DHCP/dynamic interfaces with HA if that's your ultimate goal. There isn't a way to make that work as-is, so you may have to forego IPv6 if you want these in HA or find a way to make it work static. I don't exactly plan to utilize them in an HA style setup (not the v6 part). But I find it strange that it shows the 2nd IP6 as default with the globe, while the system itself, the default route and everything (even a ping6, traceroute6 etc.) all default to the 1st WAN IP6 and are going out the WAN IF. So it seems that it's a display issue rather than RA, or am I missing something? The gateway drop-down only shows up if it detects multi-WAN (e.g. multiple interfaces have gateways). If it doesn't show, then the only available gateway must be on a single interface. For static IPv4 perhaps you forgot to select the gateway on Interfaces > WAN for example. Interestingly you were right. I set up both WANs with their gateways and configured the upstream. At some point one VM seems to have dropped it. I can see that in the config history but not why it happened. I reconfigured the WAN with the missing gateway and the dropdown now shows as it should. Weird though, that it was in (even shown in the config.xml) but somehow was dropped by something.
• 0 Votes, 4 Posts, 498 Views
    @mosae Ah, okay. Then we might have different issues. With me the login always succeeds, but I got permanent PL inside the vpn, like: Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=14ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=12ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=14ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Zeitüberschreitung der Anforderung. Zeitüberschreitung der Anforderung. Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=14ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=14ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=14ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Zeitüberschreitung der Anforderung. Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=15ms TTL=126 Zeitüberschreitung der Anforderung. Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=14ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=15ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
• 0 Votes, 6 Posts, 4k Views
    @KOM The configuration has grown more complex recently (several VLANs), but the kernel error has occurred before that, even with a very basic configuration. There are some unusual devices on the network, e.g. two internal pairs of DSL modems for bridging two long distances, and some dubious switches, but so far I could not correlate activity via these connections with the outages. I am sometimes connected via OpenVPN, but I could also not perceive a clear correlation between activity on that connection and outages. @dotdash For me it only occurs during rush hours, and I experienced it even on 2.5.0. I am now going to make tcpdump log the sender and receiver IP addresses of fragmented packets. Maybe that will give me some hints.
• ssh version causing PCI scan failures
    Moved, 0 Votes, 31 Posts, 4k Views
    @jvcomputers You might want to take a look at this thread - same subject as yours, just with web GUI vs SSH. I linked to the ASV document guide, i.e. the guidelines that ASVs are supposed to use when scanning. https://forum.netgate.com/topic/163844/pci-dss-compliance-vulnerabilities-found-webgui Clearly stated in that doc: "Temporary configuration changes do not require that the scan customer “white list” or provide the ASV a higher level of network access."
• Bridging two interfaces WAN(vRouter) & LAN(LAN Router) w/ OPT1(MGMT)
    0 Votes, 32 Posts, 3k Views
    @nollipfsense One downside: I downgraded to 2.4.4 and it worked; I put this on my production setup and it's not working. I confirmed all my settings were exactly the same as on 2.4.4. There is no traffic on the bridge interface, but the ICMP is found on the vmx0 and vmx2 interfaces.
• Changing Network Interface Names
    0 Votes, 11 Posts, 2k Views
    @kevin-scott-uk Sorry, never really did. I ended up making a Python script that parsed the XML and changed the IF name to be compatible with the IF on the underlying OS.
• pfSense.localdomain - Arpwatch Notification
    1 Votes, 2 Posts, 464 Views
    I have the same on my new, freshly installed pfSense, even though I'm not yet using pfBlocker.
• Renaming interface
    1 Votes, 11 Posts, 977 Views
    @johnpoz Thank you much!!! For some reason it was coming up unavailable when I searched for the link. The proposed solution was applied and seems to be working correctly. Thank you again.
• 0 Votes, 14 Posts, 8k Views
    @aziz-rahman said in Can anyone help me block mobile application like facebook, youtube, & other IM: @presbuteros thank you for your nice comment, can you please tell us how to block YouTube, Facebook and other mobile applications? Try to use the ASN option from pfBlocker; it will create an alias, after which you will create your own rule on each interface you need to block, using that alias. [image: 1621337338841-whatsasn.png] My rule is to allow only certain ports, so it won't be * (everything). I would love to block the entire Facebook, but I am married.
• pfSense OpenBGPD prepending path bgp setup
    0 Votes, 1 Posts, 223 Views
    No one has replied
• Avahi breaks Apple HomeKit and Philips Hue
    1 Votes, 10 Posts, 4k Views
    I stumbled upon the HomeKit-Avahi connection on Reddit in r/tradfri. Trådfri is IKEA’s home automation ecosystem. What I noticed was that with Avahi active there is a ton of pinging going on between the different devices. Not sure what immediately causes it, but with Avahi deactivated it stops. Could Avahi essentially be producing some kind of LAN-based DoS situation?
• pfSense is not working on my new Gigabit Switch
    0 Votes, 13 Posts, 2k Views
    @mnemonikz Well, you have to do some testing. I mentioned a couple of things in my earlier post.
• Disable firewall filtering
    0 Votes, 3 Posts, 479 Views
    Hi, indeed I want to disable/delete all default rulesets which are created by pfSense. If I cannot do this, can I set my rulesets to have higher priority than the default ruleset? Please advise.
• MAC Spoof + L2TP
    0 Votes, 2 Posts, 374 Views
    We discovered a workaround:
    MAC spoof on physical interface
    VLAN takes the MAC spoof and gets DHCP
    MAC spoof on L2TP
    L2TP up, but DHCP down, then all down
    MAC unspoof on physical interface, apply
    MAC spoof on physical interface, apply
    All up correctly.
    But after reboot, DHCP stays down, so L2TP is down. Any ideas?
• Kill switch
    0 Votes, 7 Posts, 985 Views
    I did it with a LAN rule to reject all connections for that station with the WAN gateway. Yes, this would accomplish the same goal. For some reason using tag is not working. You actually don't need to use tag. Just make sure you are allowing the VPS group to have access to internal resources in case you need it, and insert this rule above the reject rule.
• Auto Configuration Backup & Restore
    0 Votes, 1 Posts, 312 Views
    No one has replied
• About using HTTPS and SSL for IoTs
    0 Votes, 1 Posts, 222 Views
    No one has replied
• Second LAN not working
    0 Votes, 11 Posts, 1k Views
    Wow, apparently Netgate login-gates images. For logged-out users, here's the firewall rule you've got to create (I recommend clicking the "Copy" icon on the existing rule on the LAN tab):
    Action: Pass
    Interface: OPT1
    Address Family: Any (IPv4+IPv6)
    Protocol: Any
    Source: OPT1 net [this is what I'd forgotten to set]
    Destination: any
    Description: Default allow LAN to any rule
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.