• Tips how troubleshoop pfSense, smart people wanted !

    8
    0 Votes
    8 Posts
    605 Views
    chudak
    @Gertjan thanks for reply! @Gertjan: Now, the other part : what comes back ? That's interesting and how would you check that ? @Gertjan: Start by removing things that tend to block things on the incoming side, like …. you have them both : Squid and Snort. I tried that, wonder after disabling something, would you expect that to take immediate effect or you need to do something else? (delete stats maybe?)
  • Unknown Error please help

    2
    0 Votes
    2 Posts
    400 Views
    Derelict
    https://forum.pfsense.org/index.php?topic=145990 Set firewall max table entries to 400000
  • Qmi, mbim, ncm, rndis protocols

    12
    0 Votes
    12 Posts
    7k Views
    A
    Here is an example of devd.conf: https://forum.pfsense.org/index.php?topic=86064.msg727823#msg727823 how to automatically run usb_modeswitch either on boot That was explained in the last example I referred to! look for "shellcmd" in the post I mentioned earlier: https://forum.pfsense.org/index.php?topic=111787.msg622688#msg622688
  • New install VERY slow speeds

    4
    0 Votes
    4 Posts
    390 Views
    Derelict
    Yeah if both sides say full-duplex that should not be an issue. What happens is the full-duplex side transmits and the half-duplex side logs an error because it can't receive while transmitting. You end up with very low throughput in one direction - from the full- to the half-duplex port. The other way generally works fine because the full-duplex side can always receive without issue. It's possible to drop ACKs but in general it appears to be a one-way problem. This is generally only an issue when one side is hard-set and the other side is set to autonegotiate.
  • Proportionate increase in bandwidth usage and ping

    7
    0 Votes
    7 Posts
    615 Views
    H
    I think it's "180 no scope". Memories.
  • Authenticate against Ubuntu 16.04 active directory

    1
    0 Votes
    1 Posts
    241 Views
    No one has replied
  • Route specific website through VPN?

    2
    0 Votes
    2 Posts
    271 Views
    D
    Hi, I'm following this tutorial https://www.youtube.com/watch?v=ov-xddVpxhc&index=2&list=FLrcgeSlhWx6u2OSVmULNtGw&t=498s I just want to set up my PC going through the ISP instead of the VPN, but it's not working. Can someone please check my settings and tell me what I'm doing wrong? ![pfSense localdomain Interfaces PIA_OVPN.png](/public/imported_attachments/1/pfSense localdomain Interfaces PIA_OVPN.png) ![pfSense localdomain VPN OpenVPN Clients Edit.png](/public/imported_attachments/1/pfSense localdomain VPN OpenVPN Clients Edit.png) ![pfSense localdomain Firewall NAT Outbound.png](/public/imported_attachments/1/pfSense localdomain Firewall NAT Outbound.png) ![pfSense localdomain Firewall Rules LAN.png](/public/imported_attachments/1/pfSense localdomain Firewall Rules LAN.png)
  • Link Alias to existing table

    7
    0 Votes
    7 Posts
    596 Views
    stephenw10
    But I assume you want new resolved IPs to be added to the list as they are seen right? Or are you OK adding the IPs manually via pfctl? Steve
  • Issues in fresh 2.4.3

    2
    0 Votes
    2 Posts
    413 Views
    chrismacmahon
    Both of these are Known bugs: Table size: https://redmine.pfsense.org/issues/8417 And OpenVPN: https://redmine.pfsense.org/issues/8391 Chris
  • Install pfsense on a server

    18
    0 Votes
    18 Posts
    1k Views
    B
    I've got a whole box of punch cards  :-[ They were very handy for levelling the billiard table.
  • I need to block all sites and allow just a few

    10
    0 Votes
    10 Posts
    704 Views
    KOM
    Squid can't filter https, that is because ssl, and the reason ssl interception option on squid conf, but it doesn't work(cause certificate issues) Nonsense. It sounds like you don't have it configured properly. BTW squid can block https on non transparent proxy mode, which is silly because anyone with a brain can bypass it on non transparent mode It never occurred to you to block 80,443 tcp on LAN? Squid Guard block all option does what it says block everything even white listed sites, just tested it I'm pretty sure you can and you're doing it wrong. as it read block then allow and not allow then block, or there's an option to change which direction it get first(block/allow; allow/block) Sorry, what? I don't understand what you're trying to say. Watch this: https://www.youtube.com/watch?v=xm_wEezrWf4
  • Pfsence ASV scan

    3
    0 Votes
    3 Posts
    522 Views
    H
    Thank you for your quick response and advice. I will ignore it.
  • Which method of routing traffic over OpenVPN is correct?

    8
    0 Votes
    8 Posts
    1k Views
    T
    Understood, I wouldn't mind understanding it better myself :)  But unfortunately I don't know why (or even if it is possible) to configure and use a VPN client connection without subsequently assigning an interface to it.  Hopefully someone more knowledgeable will drop by . . .
  • DNS problem with synology and pfsense

    1
    0 Votes
    1 Posts
    642 Views
    No one has replied
  • Port Forwarding.

    6
    0 Votes
    6 Posts
    900 Views
    B
    Sorry, the 10.0.2.10 is a NAT address. I checked the settings on 10.0.1.200 (sap router) and the gateway was set to 10.0.1.1 and this is a MikroTik router so I changed the gw to 10.0.1.2 which is my pfSense Telnet…Works niping...Works
  • Pfsense 2.4.3 support san cert?

    2
    0 Votes
    2 Posts
    426 Views
    jimp
    In what way? Your question is a bit too vague. Can you be more specific about what you're wanting to do with the certificate? pfSense 2.4.3 can create certificates with SANs, and they work fine for things like the GUI. I'm not aware of any problems in any area of pfSense with using SANs.
  • New update for version 2.4.3?

    5
    0 Votes
    5 Posts
    487 Views
    KOM
    You have upgraded your pfsense from 2.4.2 to 2.4.3 or just installed fresh 2.4.3 from scratch? Upgrade. There is no reason to install from scratch. These things didn't happen on your pfsense? Did you increase variables in bogonsv6 file? No. I waited a couple of weeks after release to let the early bugs get found before I put it in production. When I saw the bogons issue, I increased my Firewall Maximum States before I upgraded so I would avoid the problem. I can't speak for other people's issues but it's working fine for me.
  • Can one run OpenBSD spamd in pfsense?

    2
    0 Votes
    2 Posts
    337 Views
    K
    There's a FreeBSD port for it but based on little googling the pfSense package just wasn't maintained by anyone and was dropped. https://www.freshports.org/mail/spamd/ https://forum.pfsense.org/index.php?topic=100334.0
  • PfSense 2.4.2 (and 2.4.3) crash at bootloader

    5
    0 Votes
    5 Posts
    778 Views
    M
    Since my last post I've tried: several cables; several BIOS versions; several combinations of BIOS settings (especially around the interrupts/serial console); almost all of the things on the boot problems page; two hard disks; ZFS/UFS; 2 different versions of I350 firmware; many combinations of loader.conf.local settings including disabling beastie_mode; blanking out the SMBUS pins on the I350. All my experiments still end up with "crash at the pfsense boot menu when there is traffic on the I350 during (or before) loading the kernel." The network configuration boots fine with a Watchguard X750e (but that is stuck on nano-bsd). Is there really nobody that can help? I did ask the mods several weeks back if they could move this thread to somewhere more appropriate - was there or did they not look? Is there any way to force the network ports to be disabled until the kernel boots up? Thanks
  • Suricata hash matching Please Help

    21
    0 Votes
    21 Posts
    3k Views
    bmeeks
    @steve40: Hiya Meeks… I got all the suricata file matching stuff working ...thanks for your help I identify binary files and block them via an empty hash whitelist. Which basically turns the box into a carbon black operating at the gateway level.  Works like a charm. (as long as you got pass rules for microsloth and places you wanna get exes from) It all works like a charm UNTIL..... you go to download an executable from an HTTPS enabled site. So out of desperation I'm going to ask a stupid question Is there a way to intercept these files while passing through an HTTPS session? I've got MITM fully working but I'm guessing that suricata operates at the NIC card and Squid decrypts the packet way higher up the stack... I really really really don't wanna have to do virus checking via ClamAv By the way, I've got this whole setup running on a KVM hypervisor so I can get very creative If I need to thanks Suricata and Snort both work at the NIC card level (more or less).  When looking at the flow from the point of view of inbound traffic from the Internet, Suricata or Snort is the first thing the packet sees after leaving the NIC on the way into pfSense.  Any MITM stuff is farther down the line (or higher up in the stack if you want to think from that perspective).  So all Suricata is going to see is the raw HTTPS encrypted datastream. Bill
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.