• Cacti monitoring with connections?

    2
    0 Votes
    2 Posts
    306 Views
    jimp
    I haven't used cacti in years but I seem to recall a FreeBSD+pf or pfSense template around that hit the pf MIBs to track some things like that. If nothing turns up here, search on the Cacti forum.
  • 0 Votes
    8 Posts
    804 Views
    stephenw10
    Well if you dig deep enough you can do whatever you want. You could potentially add a line to the gateway down script that restarts the PPPoE link. It would likely take some trying to get it working as you want though. Steve
  • couple of question about pfSense

    4
    0 Votes
    4 Posts
    301 Views
    stephenw10
    You want to be able to decrypt random SSL/TLS TCP traffic, inspect the packet contents and filter based on that? No, you can't do that, short answer. If you proxied the traffic in pfSense you might be able to do it using custom rules in Snort/Suricata. I've never seen anyone do that though. Steve
  • SG-2440 Gigabit WAN

    5
    0 Votes
    5 Posts
    783 Views
    chrismacmahon
    It depends on the switches, cables, network load, etc. No you shouldn't lose that amount in your switches.
  • Removing Varnish Server, Routing Directly?

    4
    0 Votes
    4 Posts
    429 Views
    johnpoz
    There is a whole section of the forum related to using the proxy if you have questions https://forum.netgate.com/category/52/cache-proxy It includes squid proxy and such but any questions you have about haproxy would go there as well. Here is some more info on the package https://www.netgate.com/docs/pfsense/packages/haproxy-package.html
  • Reset States not working for me [solved]

    6
    0 Votes
    6 Posts
    2k Views
    stephenw10
    I edited the title. Not sure if you can or not, I think that might be time limited. Anyway glad I could help. Steve
  • Pfsense use Open DNS

    5
    0 Votes
    5 Posts
    944 Views
    P
    Working now. I have DNS Forwarder enabled, not DNS Resolver. I removed 10.4.0.1 from DHCP Server DNS, and in General / System Setup I kept adding the Open DNS thee under DNS Servers but changing the interface to AirVPN_WAN - opt2. When I removed this and left both interfaces as WAN, the Open DNS works.
  • PPPoE authentication & Static IP on WAN

    4
    0 Votes
    4 Posts
    1k Views
    stephenw10
    They don't give you any sort of gateway IP at all? In a point to point connection technically they don't have to but it would be very unusual. So do they give you the expected static IP via PPP or something random? Who are your ISP? Someone else must have hit this if they are reasonably big. You can try just setting any gateway IP and see what happens. As long as it's outside the WAN subnet it won't try to ARP for it. Steve
  • PfSense 2.4.x auto boot problem info

    1
    1 Votes
    1 Posts
    310 Views
    No one has replied
  • pfSense Home/Business Setup - Best Practices/Design for Installation?

    6
    0 Votes
    6 Posts
    3k Views
    stephenw10
    Ok, well at 100Mbps a VPN can potentially completely saturate that without huge processing power. Our SG-3100 will pass close to that with OpenVPN and much more than that with IPSec. The SG-5100 would give you plenty in hand for a WAN upgrade later. Both will pass 1Gbps between internal interfaces. One thing you can do here is just try it on any random hardware you might have with two NICs. Just use all VLANs internally. That will give you a good feel for what is required before you purchase dedicated hardware. Steve
  • Boot stuck at Updating Configuration

    5
    0 Votes
    5 Posts
    730 Views
    S
    @jimp It's there, just 0 bytes. Looking in /conf/backup I see backups from the day it went down and the previous day. All the backups are 244K up until the reboot it seems. 9:00 244K 10:00 244K 10:35 128K 10:35 0B Edit. I copied the last full config file into place and the unit booted up normally so it's running. I'm just concerned about what would cause that. This is the second device at this site that has had a corrupted config file. Once last summer and now this time. 2 different pieces of hardware and there's really nothing spectacular about them. WAN is DHCP. LAN is just 192.168.1.1 with a DHCP pool of 100-150. pfBlocker, Suricata and Squid are running. That's about it. Last device was 2.3.2. This one is 2.4.4 (which I'll update before putting it back into production). It's a little concerning.
  • PfSense 2.3.3-RELEASE-p1 will not Autoboot

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    johnpoz
    If they did it would be irrelevant to your issue since 2.3 is no longer supported.. So you're having said issue on 2.4.x? 2.4.4p1? Please create your own thread and document the exact issue you're seeing. Locking thread.
  • 0 Votes
    8 Posts
    7k Views
    stephenw10
    Let's just say that if anyone is imagining: #Switch to layer 7 filtering - firewall_layer=3 + firewall_layer=7 ...then unfortunately they are very very wrong! Steve
  • 0 Votes
    5 Posts
    814 Views
    U
    Yes, absolutely. Thank you for pointing that out. From the reference: https://www.netgate.com/docs/pfsense/monitoring/filter-log-format-for-pfsense-2-2.html In a remote log, the fifth field is:
        <tracker> ::= <integer> -- Unique ID per rule, tracker ID is stored with the rule in config.xml for user added rules, or check /tmp/rules.debug
    I need to figure out how to use that number from my syslog server, to lookup the rule description. So far, I'm closer, now using splunk to run a script:
        | script pfsenselookup 1000000105
    where pfsenselookup.py is
        import sys
        import os
        matchstring=str(' '.join(sys.argv[1:]))
        os.system("ssh user@192.168.1.1 pfctl -vvsr | grep '^@' | grep '{matchstring}'".format(matchstring=matchstring))
    For example, results:
        @11(1000000105) block drop in log inet6 all label "Default deny rule IPv6"
  • can you import configuration file from console

    8
    0 Votes
    8 Posts
    2k Views
    C
    Oh ok cool.. I'll give that a shot too. Well, I'll tell her or I'll practice it when she gives me her faulty hard drive... I did the conf folder and copied my older pfSense setup so the hard drive is ready for her just to slide in the hot swap... but I'll definitely try that step too... I really appreciate the help, great stuff (:
  • Pass specific IP through to LAN, port forwarding, firewall rules

    24
    0 Votes
    24 Posts
    3k Views
    A
    @konstanti said in Pass specific IP through to LAN, port forwarding, firewall rules: @akjim 64.4.23.126 !!!!!!! - port forwarding rule 64.4.231.126 - block !!!!! I am an idiot!!! I see that now, and after making the address correction it is working properly. THANK YOU so much for your guidance and assistance!!!
  • disable on boot check of config.xml

    4
    0 Votes
    4 Posts
    325 Views
    stephenw10
    USB Ethernet devices are renamed ue0, ue1 etc, yes. It's not desirable to stop checking for them though. That is a physical interface. If it is assigned in the config and not present on the system the firewall should stop and ask the user how to proceed. Not doing so ends up in an unknown situation or potentially something worse, like if you had multiple ue interfaces and one is unplugged you could start sending private traffic out of the remaining one if that became a different interface. The other interfaces in that list are those that are built on top of a different physical NIC and may not have been created yet at the time of the check, like PPP or VPNs. There is no good way to handle this unfortunately. If the modem is in Ethernet mode you have to do something like this to avoid boot failure. If it's in PPP mode pfSense has no problem with the interface or device disappearing but the speed is limited to 3.5G (ish). It would be great to be able to use one of the other methods like MBIM but there is no driver in FreeBSD, yet. https://man.openbsd.org/umb.4 Steve
  • FTP Client problem

    ftp client
    33
    0 Votes
    33 Posts
    5k Views
    stephenw10
    Um... yeah that would not have helped at all in this case. Traffic to any ftp server was already allowed and passing. Steve
  • pfSense for Squid with only one interface

    4
    0 Votes
    4 Posts
    343 Views
    stephenw10
    Because the proxy allows traffic on those ports? You can always block it on the firewall. Steve
  • pfSense problems tonight with access

    7
    0 Votes
    7 Posts
    960 Views
    M
    @jashaw30 that's all you've ever needed since that changed that you no longer need to use their kit. dhcp-client-identifier "woteveryouwanr@skydsl|woteveryouwant"
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.