• Does anyone feel IDS/IPS is starting to become a waste of effort?

    0 Votes
    10 Posts
    1k Views
    bmeeksB
    End-to-end encryption is most definitely diminishing the importance of IDS/IPS. And encrypted payloads can be the source of many false positives. The random encrypted data will occasionally match up with the tested bytes in a rule. There is also the issue of some admins misunderstanding the intent of some rules. For example, there are categories in both Snort and Suricata where the rules are designed to simply detect malformed network traffic. Not all malformed traffic is nefarious. It may just be the result of bad or inexperienced programming on the part of a developer. Some is the result of asymmetrical routing. So rules that detect this type of traffic are really for "information" purposes and do not necessarily belong in the block or drop action list. They usually should be left at ALERT and not elevated to DROP (or block if using Legacy Mode). False positives are the biggest pain with an IDS/IPS. Tracking those down can take a lot of work. In the old days, IDS/IPS was extremely useful. This was especially true when it could peer into the packet payloads. Also, back then, raw traffic rates were typically lower (granted so was CPU horsepower, but you still generally had more CPU power than Internet bandwidth back then). But now looking into payloads is usually not possible unless you use MITM. And 10G Internet traffic can cause even a powerful CPU to sweat bullets when trying to inspect that traffic against several thousand IDS rules.
  • How to get NUT to communicate to Cyberpower CST1500S

    0 Votes
    6 Posts
    878 Views
    J
    @nollipfsense After installing NUT and then configuring NUT it all worked after pfSense was rebooted. The key was to reboot pfSense. Thanks for the help!!
  • SSL error on android when using pfsense

    ssl error ssl
    0 Votes
    6 Posts
    2k Views
    S
    @zwiebelspaetzle Mobile could be IPv6, could be a different web server entirely as they have multiple IPv4s. https://www.ssllabs.com/ssltest/analyze.html?d=www.podtrac.com&s=44.239.236.149&hideResults=on&latest looks pretty good but does show "Chain issues Incorrect order, Contains anchor". If the client had an issue with that, I would expect it to be a problem regardless of connection...but again could be different web servers.
  • Changing WAN MAC Address (Solved)

    0 Votes
    10 Posts
    4k Views
    johnpozJ
    @nollipfsense great - glad you got it sorted!
  • Wan failover doesn’t work and bigger problems

    0 Votes
    25 Posts
    3k Views
    S
    @idiotzoo said in Wan failover doesn’t work and bigger problems: Just the WAN failover to do some more testing with. Hello! All of my multi wan failover configs running on 21.05.2 cratered due to this: https://redmine.pfsense.org/issues/11570 I manually reverted this code change from this issue to get it working again. John
  • A high latency monitor IP causes abnormal latency on all interfaces.

    0 Votes
    4 Posts
    742 Views
    stephenw10S
    In a single WAN setup disabling the monitoring action is an acceptable solution. The gateway monitoring allows you to tune the latency and loss levels to match your WAN though. You should be able to set levels that are not triggered in normal use but still do trigger if it actually goes down. The ISP supplied gateway does not have to respond to ping at all. And if it does it doesn't have to prioritise it. It's not that unusual to see the gateway drop pings when it's under load but still route traffic just fine. A lot of devices like that would have separate control and data planes and it's the control plane which would usually have to respond to pings to its own IP. Setting a monitoring IP as some external site also gives you a much better idea of the actual state of your connectivity. Monitoring the gateway wouldn't show an outage at the ISP but upstream of the gateway for example. Steve
  • Should a certificate be revoked before renew or reissue

    0 Votes
    4 Posts
    787 Views
    john-lJ
    Thanks for your answers, very informative.
  • Installation of new 64 bit pfsense virtual machine and migration

    Moved
    0 Votes
    3 Posts
    469 Views
    N
    Thank you! Smooth as silk. Before restoring config I verified that the order of em0 em4 was associated in the same way and everything is perfectly working. I only had to install some packages. Nicola
  • CVE-2021-4034 Pwnkit

    0 Votes
    3 Posts
    851 Views
    jimpJ
    polkit is not a part of pfSense, nor is it available in our package repository, either directly or as a dependency. Given that polkit is usually a part of a graphical console environment (think: X.org and similar) that is unlikely to have been installed on a firewall anyhow. That said, similar to the situation with log4j, we can't always control what people pull in manually from third party repositories, so maybe if someone did something really bizarre they might have to manually track down and install an update, but since it didn't come from Netgate, there isn't anything we can do.
  • Read Permission - pfSense Web Administration

    0 Votes
    4 Posts
    804 Views
    pttP
    You're welcome, glad to be of help.
  • Changing interfaces "names" affects throughput

    0 Votes
    14 Posts
    1k Views
    G
    The method is the same for any PCI-device you want to pass through. In the documentation, which I now suddenly understand, they have command line examples using a graphics card with sound chipset on it. They may show up as separate devices (IOMMU groups) but you might want to pass them both together... hence "All functionality"... Anyway, as you say, now I have a much better solution than renaming devices. Which is actually the way I tried to set it up a long time ago...
  • iperf3 testing 500/40 connection: 33mpbs

    0 Votes
    39 Posts
    5k Views
    stephenw10S
    It's possible to do that. You have to use policy routing with a load-balanced gateway group setup with both remote side IPs as gateways. However that only works for multiple connections between the sites. For a single file transfer for example it will only use one tunnel. Steve
  • System does not install any package freeradius

    0 Votes
    6 Posts
    703 Views
    stephenw10S
    Yes, open a ticket to get the latest reinstall image if you do not have 21.05.2 already: https://www.netgate.com/tac-support-request We did put in place measures to prevent installing incorrect packages. I know that works in 2.4.5p1 from a clean install since I recently tested trying to break it. If you came from an older version than that though it may be possible. Steve
  • Downstream drops when upstream is saturated

    0 Votes
    20 Posts
    943 Views
    E
    @stephenw10 Only when saturated. Yes for now, I figured I'd give it some time to see if the issue persists or was a coincidence. OK. If this works, it's a decent temporary fix, but in the future I may have multiple IPs that could saturate the upstream.
  • Authentication extended query to verify multiple groups

    0 Votes
    3 Posts
    366 Views
    S
    @wellcomefit EDIT, replace ! with |
  • Is it possible to open ports dynamically?

    0 Votes
    5 Posts
    656 Views
    T
    @stephenw10 I'll try it out!
  • Listening for WAN outages - possible?

    0 Votes
    6 Posts
    754 Views
    F
    @ryan29 said in Listening for WAN outages - possible?: @furom Something I find useful in your situation is to ping multiple IPs. It can help you get an idea of where the problem is. I usually do something like this from a workstation on the LAN: LAN GW - This can help discover issues with on-site cabling and equipment. This is the pfSense LAN IP. WAN IP - This can help discover issues with the firewall (ex: maxed out CPU). WAN GW - This can help discover issues with the ISP. ISP DNS - This can help discover issues with the ISP. 1.1.1.1 - This can help discover issues with the ISP or the Internet in general. If you have several days of stats from all of those, you can look at outages and see where the issue starts to occur (local vs ISP vs Internet). This was interesting, thank you! I like that it's simple, yet gives a broader view. Will give it a try. :)
  • Get Swap Space Failed

    0 Votes
    10 Posts
    1k Views
    ?
    @stephenw10 said in Get Swap Space Failed: Ok, did you check the memory usage history in the monitoring graphs? As I said, just restart the pfsense vm and everything worked again, then I sleep until work hours are over and I can log in to monitor... I don't like to touch anything when it's producing $
  • pfSense Gold

    0 Votes
    5 Posts
    617 Views
    stephenw10S
    Hmm, just to be clear pfSense Gold was never a pfSense build/image. There was included with it a .ova image which you may be referring to. That is no longer built. Steve
  • windows server, web plus email server

    Moved
    0 Votes
    7 Posts
    741 Views
    GertjanG
    @fejzulla-neziri It's all here: Virtualizing pfSense with Hyper-V. This install uses 2 NICs (add a second NIC; it will expose the pfSense LAN to the outside, so you can hook up other devices like a printer, NAS, AP, other PCs). It is possible to use the doc so your setup uses just one NIC, which will be reserved for pfSense, as the WAN. The host system (W10) can not / should not use this NIC. When you have finished this setup, you can activate more VMs and attach them to the internal LAN Hyper-V switch.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.