• pfSense proxy auth settings not applied

    Locked
    0 Votes
    7 Posts
    1k Views
    jimpJ
    Maybe it's a problem with your credentials? See https://redmine.pfsense.org/issues/11867 for example. Otherwise we're going to need a lot more detail than "it doesn't work". For example, are any errors logged? Is the proxy seeing the connection? Is it sending the auth request to the proxy? It's also possible that you have a DNS problem preventing it from getting far enough to even make a request out to the proxy. Start your own new thread once you have gathered all of the relevant details, since it's unlikely to be related to this one directly as it's several years old.
  • How to schedule PfBlockerNG?

    0 Votes
    18 Posts
    2k Views
    mucipM
    Dear @nogbadthebad , Absolutely I have to upgrade to DEVEL then. :) Regards, Mucip:)
  • WPAD + LIGHTSQUID

    0 Votes
    8 Posts
    1k Views
    KOMK
    @maria-1 Your firewall rules are all wrong. Normally on LAN you do not want it to be too restrictive or else your users complain that things they need don't work. With that in mind, you would usually block what you want blocked and then allow everything else. You are trying to do the opposite where you try to allow some things and block everything else. Firewall rules are processed top-down, first match wins and no other processing is done. Start by putting an Allow All to Any rule at the bottom. Then start stacking your restrictions above it. I will go by your rules one by one: This won't be necessary since the Allow All rule at the bottom will handle everything. This rule is ok but could be better. Create a Port Alias called Admin_Ports and fill it with 22,80,443 and then use that alias in place of port 22 in your rule. That will allow only .21 to access pfSense via ssh or http/s. We will add a block rule later. Destination should be This Firewall if pfSense is your DNS server. There is a way to redirect all external DNS queries to pfSense if you want to capture all DNS. Add a new rule here that blocks LAN net to This Firewall. This rule allows anyone to reach port 80 on pfSense. Inter-LAN traffic does not go to pfSense at all, so this rule only takes effect when someone tries to hit pfSense via tcp/80. It's not necessary and you can delete it. This rule is useless. What you want here is to create a Port Alias called Web_Ports and fill it with 80,443. You then create a block rule that blocks everyone from accessing anything via Web_Ports. Useless rule that should be deleted. Before, you were not blocking tcp/443 which is https and the way 99.999% of websites are served now. With tcp/80,443 blocked, nobody will be able to access any websites except through the proxy.
You can create an IP alias to hold IP addresses of people allowed to bypass the proxy such as admins or management, and then create a rule directly above your tcp80,443 block rule to allow that alias to access anything.
  • PfSense behind ISP modem/router combo

    0 Votes
    26 Posts
    4k Views
    JKnottJ
    @cmos_battery One thing to bear in mind is there's nothing magic about VPNs. They're just one way to establish an IP connection between sites. Once they're set up, you use them as you would any other connection. Years ago, things like frame relay and fractional T1s were used. These days, out in the real world, you might come across MPLS or QinQ VLANs. As for setting up VPNs, you have to know which one and the specifics depend on the brand. For example pfsense supports OpenVPN, IPSec and Wireguard VPNs. But the details of configuring IPSec, for example, on Cisco would differ from pfsense. I don't know that a class such as yours is the place to learn more than general principles, though you may get into setting up one. But when you get out into the real world, you could easily find yourself working with another. The principles will remain the same, but the details may differ and you'd be expected to work those out on your own. One thing I complained about years ago was the schools teaching Windows and Microsoft Office, rather than operating systems and office apps, so that a person would have portable skills. It's sort of like an auto mechanic class teaching only one make of vehicle, as though the others didn't exist.
  • Leak causes full filesystem - how to identify?

    0 Votes
    7 Posts
    806 Views
    keyserK
    @keyser @bingo600 After some additional digging it seems it’s not related to Zabbix but rather unbound resolver in combination with pfblockerNG-devel 3.0.16. I started suspecting unbound because “top -SH” in I/O mode (press m) showed that unbound constantly was doing disk I/O. I’m investigating further for now, but stopping pfblockerNG (which stops and reconfigures unbound) releases the allocated diskspace which then returns to the 25% it should be. Maybe it’s something related to the new python integration in pfblockerNG and Unbound. The issue must have arisen when I upgraded to 21.05 from 21.02. I’ll close this thread and create a new one under the pfBlockerNG forum.
  • LAN Interface keeps going Down and Up

    0 Votes
    4 Posts
    1k Views
    G
    @steveits Yup. Unfortunately RealTek holds a huge market share for NIC chips, including in embedded devices and IT appliances, and in my case, the integrated NICs on the motherboard I'm using. Hard to avoid, therefore perhaps should be better supported in FreeBSD. I'm no stranger to FreeBSD and they are notorious for seemingly arbitrary and sudden driver breakages after updates and I'm not entirely convinced the problem wouldn't happen to Intel one day either. Unless they've decided that's the only card they test - which would be short sighted. Too bad this has to run on FreeBSD and not Linux but I do understand why.
  • 0 Votes
    2 Posts
    389 Views
    V
    @dlogan said in No traffic on WAN, gateway status down, errors "arpresolve: can't allocate llinfo for <WAN IP> on igb1: I have a WAN configured on IGB1 of an SG5100. How? PPP, DHCP, etc? Some hints on this in the logs?
  • WAN interface cycle thought down and up state

    0 Votes
    15 Posts
    955 Views
    stephenw10S
    Hmm, not sure why the ix NIC doesn't see it then.
  • port 443 - wan to lan

    0 Votes
    3 Posts
    412 Views
    stephenw10S
    That's a firewall rule and the destination is a public IP. You need a NAT rule too and that changes the destination to the internal target IP for the firewall rule. https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#adding-port-forwards Steve
  • Auto config backup fails

    0 Votes
    1 Posts
    282 Views
    No one has replied
  • NIC periodically stops working until reboot

    0 Votes
    6 Posts
    683 Views
    JKnottJ
    @cza There is the ifconfig command to shut and open an interface, which might help. However, I also suspect it's a hardware issue.
  • Pfsense 2.5 stacks at boot with dots

    1 Votes
    60 Posts
    14k Views
    GertjanG
    @dilligaf said in Pfsense 2.5 stacks at boot with dots: I also fully understand already that ClamAV isn't going to see encrypted traffic. What I should have mentioned is where I wanted to go : ClamAV will see the traffic that all the process read and write to disk. What if : some key word(s) in this traffic (the config file to be written) doesn't please ClamAV ? Is there a way, as any (many) anti virus can do : exclude this file from being scanned ? Does the issue exist with ClamAV running and not with ClamAV stopped ?
  • https transparent proxy

    0 Votes
    3 Posts
    330 Views
    P
    @mrjoli021 if you plan on inspecting https traffic using squid that's not possible without doing a MITM unencryption of the traffic and even then your users are going to see warnings in their browsers even if you install your own certificates. This will just alarm your users and flood you with complaints. If you want to reduce the chances of your users connecting to malicious sites configure DNS to use the Quad9 servers.
  • samba server

    0 Votes
    3 Posts
    344 Views
    A
    @stephenw10 said in samba server: Nope. Is the short answer. Technically yes, but you shouldn't is the longer one. Steve thanx steve
  • Adding Homekit devices to VLAN problem.

    0 Votes
    3 Posts
    856 Views
    A
    @nogbadthebad Thanks Nog. I am thinking of testing moving an Apple TV to the IoT.
  • High RAM consumption

    0 Votes
    22 Posts
    2k Views
    P
    Thanks for your answers
  • Issue with pfSense and having to restart constantly

    0 Votes
    2 Posts
    436 Views
    NollipfSenseN
    @jcasale said in Issue with pfSense and having to restart constantly: Where should I look as to the cause of the problem? I looked at the systems logs and have not seen anything that stuck out. Was the Liva PC a wise hardware decision? If not, what hardware would you recommend? It seems that your backup is also corrupted and often it's caused by power failure. It's time for a clean install and clean configuration. No one can comment on your new hardware when you haven't stated what you bought.
  • Trouble with in-coming connection with multi-WAN (fail-over)

    0 Votes
    13 Posts
    1k Views
    V
    @macusers First of all, again check your internet-facing IP on the LTE router. If this is not a real public IP, your ISP provides only a private subnet to you and there is nothing you can do. You will not get any traffic from the internet to your router, cause this is controlled by the ISP. In this case you can only use it for upstream connections.
  • pfSense limiting speeds on connection?

    0 Votes
    7 Posts
    778 Views
    B
    @ducati0927 What turned out to be the problem? I have the same thing going on with a Spectrum modem right now.
  • New build - WAN blocking DHCP address request

    dhcp
    0 Votes
    3 Posts
    740 Views
    AndyRHA
    Less important, but I am reducing cable usage on my switch by using 1 10GbE link instead of four 1 Gb links.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.