• auditd not available / can't run it

    2
    0 Votes
    2 Posts
    359 Views
    stephenw10
    It's not included in pfSense. There's no easy way to add it outside installing it from FreeBSD with all the reasons that's a bad idea. https://docs.netgate.com/pfsense/en/latest/recipes/freebsd-pkg-repo.html#concerns-warnings Steve
  • PPPoE with VLANs (Phone/IPTV)

    3
    0 Votes
    3 Posts
    867 Views
    stephenw10
    There have been a number of other threads detailing this sort of setup for other providers but it's usually complex! Looking at the config he uses for Mikrotik it looks like he's just bridging the internal TV port with a VLAN on the WAN side trunk. But I could be wrong, I don't use Mikrotik. Steve
  • Snort log files to rsyslog server

    2
    0 Votes
    2 Posts
    739 Views
    bmeeks
    Sure, on the INTERFACE SETTINGS tab for the Snort interface, you can choose to send logs to the system log (which is syslog). You can also configure some of the metadata tags that are attached. So go to the INTERFACES tab in Snort, and then either double-click on the interface line in the table or click the edit icon (the little pencil) on the right side of the table row to bring up the INTERFACE SETTINGS tab. Within pfSense you can configure the system logs to be sent to a remote syslog server, if you want to do that.
  • OpenVPN showing twice under rules

    4
    0 Votes
    4 Posts
    548 Views
    stephenw10
    Yes, that is correct. If you assign the server as an interface you have to restart the instance afterwards for the new settings to apply. You almost always want to have the rules on the assigned interface tab and not on the group OpenVPN tab. That is required for policy routing to create the firewall states correctly. Steve
  • Am I being attacked?

    29
    0 Votes
    29 Posts
    4k Views
    JKnott
    @bmeeks said in Am I being attacked?: The moral of this story (from the article) is don't open stuff like SSH on the WAN side of your firewall. It should be don't use SSH with a password. Use passwordless SSH instead. SSH supports that. You create a public/private key pair to allow access.
  • Rename network interface?

    12
    0 Votes
    12 Posts
    2k Views
    V
    @noplan said in Rename network interface?: OPT13 .... I suspect you deleted and recreated interfaces quite often.
  • 0 Votes
    35 Posts
    33k Views
    stephenw10
    This is almost certainly not the same issue. Many, many things have changed since 2016! Please open a new thread with the actual crash report you're seeing. Steve
  • How to transfer RRD data from CE to Plus

    3
    0 Votes
    3 Posts
    462 Views
    T
    @stephenw10 Yes, I've tried deleting all the .rrd files in that folder, repeated the import of just the RRD Data from the old box with pfSense CE into the SG-3100. I can see the .rrd files get created in the folder, but still no data appearing on RRD Summary or Traffic Totals.
  • SSL generation

    3
    0 Votes
    3 Posts
    488 Views
    johnpoz
    @stephenw10 said in SSL generation: cert with a longer lifetime that you control. Exactly, OpenVPN does not care if the cert has a 10-year life. There is little reason to change these certs for the sake of changing them, unless you feel they have been compromised. If so, just revoke them and issue new ones. Or change them out on a schedule you come up with, but you don't have to worry about whether the schedule gets pushed here or there because it's going to expire, etc.
  • Create CA cert for unraid

    9
    0 Votes
    9 Posts
    1k Views
    C
    @johnpoz My HAProxy cert is a wildcard cert *.test.ca and in pfSense I created a Host Override as unraid.test.ca which points to the unraid server IP. By doing this, unraid.test.ca is only available via LAN as it is not registered on my domain DNS. Also for my ACME I have it set to auto-renew that cert before it expires. Great suggestions, appreciate the tips :)
  • OpenVPN pfSense cannot ping router

    2
    0 Votes
    2 Posts
    342 Views
    C
    I got this working. I created the OpenVPN interface and then that showed up in the outgoing network interface under DNS Resolver, which I had set as (ALL), and now everything works.
  • all services fail to start all packages gone

    10
    0 Votes
    10 Posts
    1k Views
    wgstarks
    @stephenw10 said in all services fail to start all packages gone: Looks like this is the gw_leds script which it appears you're also running: https://forum.netgate.com/topic/165680/sg-3100-21-05-1-kern-ipc-maxpipekva-exceeded-see-tuning-7 Steve Thanks. I’ll follow that post.
  • onboard/discreet LAN/WAN interfaces

    4
    0 Votes
    4 Posts
    585 Views
    stephenw10
    I assume you mean you're not doing any internal routing but are still routing between WAN and LAN? Otherwise you would have to be bridging WAN and LAN. Either way in that setup both WAN and LAN are carrying the same traffic so it really doesn't matter which way you assign the NICs. Steve
  • Do hosts list support "a.b.example.com"?

    2
    0 Votes
    2 Posts
    384 Views
    stephenw10
    When you put FQDNs in an alias like that they are resolved by filterdns when the ruleset is built. Anything that the firewall can resolve should work correctly there. Steve
  • Bricked after Update 2.4.5-p1 to 2.5.2-RELEASE

    Moved
    11
    0 Votes
    11 Posts
    1k Views
    A
    @stephenw10 said in Bricked after Update 2.4.5-p1 to 2.5.2-RELEASE: Everything except checksum offloading should be disabled by default so I would look at LRO if you changed that. Steve I will leave the APU in place. The former device was cobbled together from spare parts anyway (but it worked for years...). Thank you for all the input.
  • pfTop in 2.5.0

    6
    0 Votes
    6 Posts
    471 Views
    NogBadTheBad
    Do you have consecutive sections of zeros replaced with two colons?
  • Sonicwall to pfsense - conversion tool

    11
    1 Votes
    11 Posts
    5k Views
    stephenw10
    The situation is largely unchanged. The pro services team can convert an existing config from another firewall but it's a manual process for them. There is no tool for doing it. Steve
  • LAN randomly stops routing traffic with pfSense 2.4.2-RELEASE-p1

    3
    0 Votes
    3 Posts
    379 Views
    stephenw10
    Mmm, 2.4.2p1 is really old. With the release of 21.05.1 though there should be much reason not to be on that now. If you absolutely need Snort (and can't use Suricata) for some reason you might want to stay on 2.4.5p1. Steve
  • Squid Proxy bypasses firewall rules

    3
    0 Votes
    3 Posts
    629 Views
    P
    @stephenw10 thanks, yeah, I worked out my problem. Because I had a rule at the bottom of floating that blocked anything I didn't specifically allow out, I then was allowing WAN to HTTP/HTTPS for Squid and it was quick matching. I had to rejig that block-all rule to avoid HTTP/HTTPS so that it allows that traffic by default (no quick allow rule needed for WAN) and then I catch any bad traffic with the explicit deny rules. Seems to work now.
  • Update to 2.5.2 from 2.4.5-p1 - no traffic from LAN to WAN anymore

    Moved
    20
    0 Votes
    20 Posts
    2k Views
    T
    @stephenw10 Yes, ZFS after reinstalling 2.5.2. Bug seems to be known and will be fixed someday... as you said, it's just cosmetic :-)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.