• Suricata blocking Alexa

    8
    0 Votes
    8 Posts
    1k Views
    bmeeksB
    @mrjoli021 said in Suricata blocking Alexa: Could someone explain to me how to match the rule name to what I see in the "Wan Categories"? If I look at the alert tab I am getting "ET CINS Active Threat Intelligence Poor Reputation IP group 16" According to the Wan categories I am not seeing anything remotely similar to the rule name. What am I missing? It's not always super easy to make that connection. In the case of this particular rule, it is coming from the ET CINS list of possible bad (or blacklisted) IP addresses. Here is a link to the source of this data: http://www.cinsscore.com/. So on the CATEGORIES tab there is an Emerging Threats rule set with ET CINS and I think there is also one called ET CIARMY or something similar. These are what I would characterize as "dumb" rules. I don't mean dumb as in useless, but rather "dumb" as in it is simply a list of IP addresses, and if the source or destination IP in a packet is in the list you get an alert. One problem with rules of this type is that the owners of IP blocks change. And that is happening a bit more frequently now since the IPv4 address space has been exhausted, and therefore there is a lot of swapping and trading going on for money among owners. So an IP block that might have been used by a spammer last month may, this month, be used by a CDN network that is distributing Amazon Prime, Hulu or Netflix streams. So these lists have to be taken with a grain of salt.
  • High CPU (~60%) after changing/saving configs a few times

    Locked
    3
    0 Votes
    3 Posts
    387 Views
    jimpJ
    https://forum.netgate.com/post/908806
  • "Client Certificate" dropdown missing when trying to setup secure LDAP

    3
    0 Votes
    3 Posts
    292 Views
    S
    @jimp Thank you for the quick reply him - time to order our SG-5100s!
  • Suricata Eve Json Cutting Off in Remote Logging

    9
    0 Votes
    9 Posts
    1k Views
    bmeeksB
    Redis would be a good choice for exporting the logs. A user contributed support for that into the Suricata package a little while back. Next time I update Suricata I will include a warning in the Help Text for the syslog export settings sections cautioning that the data will be truncated by the FreeBSD syslog daemon.
  • Help me set up a temperature regulated cabinet for my pfsense box

    9
    0 Votes
    9 Posts
    940 Views
    DaddyGoD
    [image: 1588156483190-tec-to-rs485_contr_2.jpg]
  • Roblox kills my bandwidth

    24
    0 Votes
    24 Posts
    8k Views
    F
    Thought I would give a quick update on this for those who care :) I bought the i5 jobbie. A bit on the steep side in terms of price and spec but I had no other short-term solutions. Must say, it's a nice bit of kit. 6 Intel LAN (I do wonder if they're fake though), i5, I put 4GB RAM in and a spare 60GB MSATA I had. Setup was painless. I did a final backup of my existing one, installed pfSense and restored the backup. A quick interface remapping and I was done. Shut down, switched out and booted. It all worked :) Thoughts: Speedtest always showed around 290/300 over wifi. I now easily get 350-360. (Wifi is Ubiquiti kit) VPNs are faster. Much much faster. I always use PIA and peer locally but only ever got 70-80Mb/s down. Never an issue as I don't need more than that (other than speed test). I now get full bandwidth. I got 340 to NL (I am not in NL....) So, a combination of faster CPU and AES offloading makes a massive difference. Odd thing though, I never saw the CPU peg on the old j1900 which led me to believe it was ok. Acid test. Not once have the kids simultaneously gone "DaaaAAAAAaaaaaDDDD I'm lagging!" from across the house. Likewise, myself and my wife have continued to work on video calls without issue. Could I have bought one of the £200 cheaper Atom ones and had the same result? Probably. Would I recommend this setup for someone? Sure. It's compact, neat, costs about the same as a self-build (but looks better). A gamble but it paid off (so far). Thanks for your help on this. Hopefully someone else reads it and benefits. FB
  • pfSense with Unifi network

    1
    0 Votes
    1 Posts
    235 Views
    No one has replied
  • Home Network Layout, Traffic Shapping & More questions.

    2
    0 Votes
    2 Posts
    358 Views
    NollipfSenseN
    @xxnumbxx said in Home Network Layout, Traffic Shapping & More questions.: Web Filtering I want web filtering on LAN2 so the kids are not getting to porn sites and such. I have used this with untangle and found it to work great, is there something similar for pfSense? I have heard of Squidguard but not sure if this is the best route. I can suggest pfBlockerNG-Dev package. Spend some time browsing here and post specific questions there: https://forum.netgate.com/category/26/traffic-shaping
  • Windows RDC not working

    rdc
    3
    0 Votes
    3 Posts
    395 Views
    M
    We need more specifics to even begin to offer anything helpful. How is your network laid out?
  • Errors on boot

    5
    0 Votes
    5 Posts
    635 Views
    A
    Deleted from within the user manager
  • pFsense with OpenVPN filter navigate with proxy

    4
    0 Votes
    4 Posts
    463 Views
    stephenw10S
    If you need to do it transparently you need to set Squid to listen on the OpenVPN interface so it adds the required port forwards. To do that you need to assign the OpenVPN server as an interface: [image: 1588078614099-selection_829.png] Enable the new interface, rename it if you wish. Then you can select it in Squid. Steve
  • Multicast DNS (Bonjour, HomeKit, AirPrint, etc.) not working with bridge

    10
    0 Votes
    10 Posts
    6k Views
    lohphatL
    @dennypage Agreed. I think it must be the YouTube mobile app caching the duplicates.
  • SOLVED: How to show more text than 80x25

    5
    0 Votes
    5 Posts
    826 Views
    jimpJ
    If that doesn't pan out, you can try switching back to sc:
    kern.vty=sc
    hint.sc.0.flags="0x180"
    hint.sc.0.vesa_mode="279"
  • Change Interface Name

    3
    0 Votes
    3 Posts
    410 Views
    dotdashD
    Zabbix is just pulling the hardware interface name. You're going to have to look at aliasing it on the Zabbix side. How to do that would be a question for a Zabbix forum, not a pfSense one.
  • Grafana metrics with Telegraf and Graphite

    2
    0 Votes
    2 Posts
    469 Views
    ?
    Hi @mehdii, have you tried to set the corresponding axis-unit?
  • pfSense on OVH Dedicated with ESXi and one NIC

    3
    0 Votes
    3 Posts
    1k Views
    J
    @Tactis said in pfSense on OVH Dedicated with ESXi and one NIC: It's not the public IP assigned to your ESXi interface right? Yeah I think it is. That's how I'm connecting to it (the public IP). Well at first I wasn't able to, but I enabled the basic firewall (not the Cisco ATA option) in the OVH control panel on that interface, and let port 443 through, then I was able to. This doesn't make a lot of sense either, I would have thought with the firewall off I could connect just as much as if it were on with one port open. I'm flying blind as to how their infrastructure works. As long as it's not, you should be fine. Add another vSwitch and Port group in ESXi for your VMs, and do NOT assign an uplink NIC to that vSwitch. Connect the pfSense 2nd NIC to this vSwitch and set up the LAN. This way pfSense will act as the firewall between your LAN and WAN, with the public IP being the one you picked up from DHCP. I'll do that as I assume I'll need it anyway when I work through it. If you have a range of IPs available, it's probably still best to set up a static if you want to host any services here. Any additional IPs can be added to pfSense by going to Firewall > Virtual IPs and assigning them here. It is a static public IP, and I'm not sure why ESXi picked it up from DHCP. I'm also not sure how I could connect to ESXi to manage it in the first instance if it didn't pick it up from DHCP, because if I set ESXi as an internal static IP (like 192.168.0.X or whatever) their basic firewall doesn't seem to redirect ports to different IPs, so I'm pretty sure I wouldn't be able to get to the ESXi server. It's a weird and foreign setup to me.
  • pfSense CE 2.4.4-p3 on A2SDi-8C-HLN4F(CPU atom c3758) froze

    2
    0 Votes
    2 Posts
    301 Views
    No one has replied
  • Intermittent slowing internet speed on pfsense 2.4.5

    15
    0 Votes
    15 Posts
    2k Views
    A
    Thank you Steve, against that bug, I have also reduced the firewall maximum entries to 65534. Bogon is also disabled. Might be the case with my ISP, I will ask in the dedicated ISP forums for advice on monitoring. There are a lot of pfsense users with Virgin Media in the UK. Helps to drop the ISP name in this thread as well, in case anyone else is going through the same pain.
  • cant get access from outside to webpage

    haproxy acme firewall rules
    19
    0 Votes
    19 Posts
    2k Views
    P
    @pooperman there is some issue with SSL handshake: [image: 1587921920369-1.jpg]
  • OPT LAN Orbi

    1
    0 Votes
    1 Posts
    291 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.