• 0 Votes
    4 Posts
    499 Views
    M
    @mosae Ah, okay. Then we might have different issues. For me the login always succeeds, but I get permanent PL inside the VPN, like:
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=14ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=12ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=14ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Zeitüberschreitung der Anforderung.
    Zeitüberschreitung der Anforderung.
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=14ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=14ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=14ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Zeitüberschreitung der Anforderung.
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=15ms TTL=126
    Zeitüberschreitung der Anforderung.
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=14ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=15ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
    Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
  • 0 Votes
    6 Posts
    4k Views
    E
    @KOM The configuration has grown more complex recently (several VLANs), but the kernel error has occurred before that even with a very basic configuration. There are some unusual devices on the network, e.g. two internal pairs of DSL modems for bridging two long distances, and some dubious switches, but so far I could not correlate activity via these connections with the outages. I am sometimes connected via OpenVPN, but I could also not perceive a clear correlation between activity on that connection and outages. @dotdash For me it only occurs during rush hours, and I experienced it even on 2.5.0. I am now going to make tcpdump log the sender and receiver IP addresses of fragmented packages. Maybe that will give me some hints.
  • ssh version causing PCI scan failures

    Moved
    31
    0 Votes
    31 Posts
    4k Views
    johnpozJ
    @jvcomputers You might want to take a look at this thread - same subject as yours, just with web GUI vs SSH. I linked to the ASV document guide, i.e. the guidelines that ASVs are supposed to use when scanning. https://forum.netgate.com/topic/163844/pci-dss-compliance-vulnerabilities-found-webgui Clearly stated in that doc: "Temporary configuration changes do not require that the scan customer “white list” or provide the ASV a higher level of network access."
  • Bridging two interfaces WAN(vRouter) & LAN(LAN Router) w/ OPT1(MGMT)

    32
    0 Votes
    32 Posts
    3k Views
    J
    @nollipfsense One downside is I downgraded to 2.4.4 and it worked; I put this on my production setup and it's not working. I confirmed all my settings were exactly the same as on 2.4.4. There is no traffic on the bridge interface, but the ICMP is found on the vmx0 and vmx2 interfaces.
  • Changing Network Interface Names

    11
    0 Votes
    11 Posts
    2k Views
    S
    @kevin-scott-uk Sorry, never really did. I ended up making a python script that parsed the XML and changed the IF name to be compatible with the IF on the underlying OS.
  • pfSense.localdomain - Arpwatch Notification

    2
    1 Votes
    2 Posts
    464 Views
    L
    I've the same on my new, freshly installed pfSense, even though I'm not yet using pfBlocker.
  • Renaming interface

    11
    1 Votes
    11 Posts
    977 Views
    G
    @johnpoz Thank you much!!! For some reason it was coming unavailable when I searched for the link. The proposed solution was applied and seems to be working correctly. Thank you again.
  • 0 Votes
    14 Posts
    8k Views
    L
    @aziz-rahman said in Can anyone help me block mobile application like facebook, youtube, & other IM: @presbuteros thank you for your nice comment, can you please tell us how to block YouTube, Facebook and other mobile applications? Try the ASN option in pfBlocker; it will create an alias, and then you create your own rule on each interface you need to block, using that alias. [image: 1621337338841-whatsasn.png] My rule is to allow only certain ports, so it won't be * (everything). I would love to block the entire Facebook but I am married.
  • Pfsense OpenBGPD prepending path bgp setup

    1
    0 Votes
    1 Posts
    223 Views
    No one has replied
  • Avahi breaks apple HomeKit and Philips Hue

    10
    1 Votes
    10 Posts
    4k Views
    D
    I stumbled upon the HomeKit-Avahi connection on Reddit in r/tradfri. Trådfri is IKEA’s home automation ecosystem. What I noticed was that with Avahi active there is a ton of pinging going on between the different devices. Not sure what immediately causes it, but with Avahi deactivated it stops. Could Avahi essentially be producing some kind of LAN-based DoS situation?
  • pfSense is not working on my new Gigabit Switch

    13
    0 Votes
    13 Posts
    2k Views
    JKnottJ
    @mnemonikz Well, you have to do some testing. I mentioned a couple of things in my earlier post.
  • Disable firewall filtering

    3
    0 Votes
    3 Posts
    479 Views
    T
    Hi, indeed I want to disable/delete all default rulesets which are created by pfSense. If I cannot do this, can I set my rulesets to have a higher priority than the default ruleset? Please advise.
  • MAC Spoof + L2TP

    2
    0 Votes
    2 Posts
    374 Views
    P
    We discovered a workaround:
    MAC spoof on physical interface
    VLAN takes the MAC spoof and gets DHCP
    MAC spoof on L2TP
    L2TP UP, but DHCP down, then all down
    MAC unspoof on physical interface, apply
    MAC spoof on physical interface, apply
    All UP correctly.
    But after reboot, DHCP stays DOWN, so L2TP is DOWN. Any ideas?
  • Kill switch

    7
    0 Votes
    7 Posts
    986 Views
    M
    I did it with a LAN rule to reject all connections for that station with the WAN gateway. Yes, this would accomplish the same goal. For some reason using tag is not working. You actually don't need to use tag. Just make sure you are allowing the VPS group to have access to internal resources in case you need it, and insert this rule above the reject rule.
  • Auto Configuration Backup & Restore

    1
    0 Votes
    1 Posts
    312 Views
    No one has replied
  • About using https and SSL for IoTs

    1
    0 Votes
    1 Posts
    222 Views
    No one has replied
  • Second LAN not working

    11
    0 Votes
    11 Posts
    1k Views
    T
    Wow, apparently Netgate login-gates images. For logged-out users, here's the firewall rule you've got to create (I recommend clicking the "Copy" icon on the existing rule on the LAN tab):
    Action: Pass
    Interface: OPT1
    Address Family: Any (IPv4+IPv6)
    Protocol: Any
    Source: OPT1 net [this is what I'd forgotten to set]
    Destination: any
    Description: Default allow LAN to any rule
  • Log analysis tools

    3
    0 Votes
    3 Posts
    608 Views
    P
    @akegec Thanks for your recommendation. IBM's QRadar looks very promising; I tried the Community Edition (OVA file) on a temporary VM and it seems to have a lot more features than I expected!! I am in the process of creating a dedicated machine that can run QRadar and having logs from all machines, including IoTs, forwarded to this machine. Thanks for pointing me in the right direction.
  • Can pfSense 2.4.5 import a config backup from 2.5.1?

    Moved 2.5.1 2.4.5
    6
    0 Votes
    6 Posts
    1k Views
    R
    @rnmixon Ugh! After restoring the new config everything is working except for one situation: We have a virtual IP with two rules that pass port 80/443 to the IP (IP#1) of an internal web server. We also have a number of NAT rules that override the destination for some ports (90x2, 90x3, 90x4, ...) on that virtual IP, routing to different IPs (IP#2, IP#3, IP#4, ...) on the LAN. NONE of the NAT rules appear to be working; the firewall log shows traffic being blocked on (for example) port 90x2 as it tries to route to IP#1 instead of following the NAT rule to IP#2. This all worked on our original config when we were running pfSense 2.4.5 and also when it was upgraded to version 2.5.1 (though failover was now broken). I'm guessing when I merged the changes from the 2.5.1 config file into my old 2.4.5 config file I must have muffed something, however I'm not sure what - the syntax of the changes all looked to be the same as the 2.4.5 syntax. Any ideas from anyone before I restore to the old config that's six weeks old and lose all my changes? Thanks much - Richard
  • Unable to Delete User Certificate

    9
    0 Votes
    9 Posts
    1k Views
    arrmoA
    @johnpoz Yep, makes sense, and works. Appreciate the pointers! I now need to test here and confirm that I don't need a cert to be assigned to a user for it to work with OpenVPN. But that's just for me to understand. Thanks again.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.