• Whitelist IP behind Pfsense

    1
    0 Votes
    1 Posts
    323 Views
    No one has replied
  • Crashes after upgrade to 2.4.1

    3
    0 Votes
    3 Posts
    420 Views
    Hi! Sorry for late reply. No shaping whatsoever. I upgraded to 2.4.2, and the crashes stopped. But suddenly i had a crash again three days ago. I think i'm just going to do a fresh install. Regards Tommy
  • PfSense -> Snort Suppress list not working

    4
    0 Votes
    4 Posts
    702 Views
    bmeeks
    The most likely reason for the blocking to continue even after the rule is suppressed or disabled is that you had two instances of Snort running on the same interface, but one is in a sort of zombie state and does not see changes made within the GUI. That process would continue with the original rules in place. Rebooting the firewall will of course kill everything and start from scratch.

    There should be only a single Snort process running on each configured interface. You can check that using this command line:

        ps -ax | grep snort

    Sometimes multiple copies of Snort can happen if something causes the firewall to issue a "restart all packages" command while another Snort restart is already in progress (such as a rule update download).

    Another way to get multiple Snort copies running on the same interface is using the Service Watchdog package. Never use that package with either Snort or Suricata! It does not understand how to properly start Snort and Suricata, nor does it know how to properly monitor all the configured interfaces. It will see Snort "down" during the restart from a rules update and thus issue its own "start up" command without knowing that Snort is already restarting. Thus you can wind up with two Snort instances running on the same interface, but only one of them will respond to GUI changes.

    Bill
  • 0 Votes
    2 Posts
    627 Views
    I just looked at the relayd.conf man page and found this: https://man.openbsd.org/relayd.conf.5#PROTOCOLS Does that answer your question?
  • "Access Denied" Message on certain websites

    2
    0 Votes
    2 Posts
    582 Views
    That looks like an Akamai CDN error page. https://community.akamai.com/community/cloud-security/blog/2016/04/07/why-is-akamai-blocking-me
  • PfSense with Wanos for wan acceleration on VM Is it possible?

    1
    0 Votes
    1 Posts
    615 Views
    No one has replied
  • SG-1000 High CPU Usage with Netstat Command?

    9
    0 Votes
    9 Posts
    2k Views
    ivor
    You will be able to download the image once it's ready.
  • Help first pfSense build (Modem,ESXi,Wireless router)

    3
    0 Votes
    3 Posts
    483 Views
    Hi, I managed to create multiple SSIDs with my Asus wireless router in AP mode, with one VLAN bridged to the VAP. The two LAN devices attached to the WLAN router have static IPs, in my case 10.0.10.20 and 10.0.10.30, but I still cannot connect to the internet somehow. So is it better to invest in a smart router and put it in between?
  • VPN Setup

    4
    0 Votes
    4 Posts
    868 Views
    Yes after looking into it some more, I can see it is obvious that OpenVPN is the right way to go. Thanks for the replies.
  • Bandwidthd and darkstat not working

    3
    0 Votes
    3 Posts
    827 Views
    Makes sense now that you have told me :) Thanks, Bud
  • Using PFsense 2.4.0 in a commercial environment

    7
    0 Votes
    7 Posts
    10k Views
    johnpoz
    "We want to sell to our customers appliances with pfsense installed on them" Why would you not just partner with pfsense/netgate then? https://www.netgate.com/partners/ While it might be legal, since it's open source, to grab the code and compile it and use a different name, etc., it's got to be one of the most dick-like moves I can think of.. If you do not like something pfsense is doing and you want to fork to work in a different direction, ok then. But to just state that hey we like your product, but we want to sell it and not give you any of the money, is just screaming hey we suck so bad, but like money - buy our shit its cheaper… talk about asshattery at the highest level.. Why not just work with netgate/pfsense and everyone is a winner!!
  • Bug Report - Filtered Firewall Log

    5
    0 Votes
    5 Posts
    336 Views
    Nothing more, nothing less: with ^23$ then that is all you get. Thanks all. I don't recall (but my memory is getting worse) this being necessary in earlier versions. But now that I know I'm all set.
  • New pfsense user have couple of questions

    3
    0 Votes
    3 Posts
    564 Views
    I had to give up the pfSense project over the holidays as these network cards could not handle the load. So I have ordered an Intel dual port NIC; the 4 port one I have is either dead or is version 1.0, so it didn't work in my box. Anyhow, thanks for the link; even though I thought I knew lots :) I did learn a lot from the posts, very informative.
  • One WAN goes down immediately on connecting

    6
    0 Votes
    6 Posts
    776 Views
    Gertjan
    @robatwork: I had tried 8.8.8.8 as the monitor which also failed.

    As far as I know, "8.8.8.8" has been set up to reply to ping. But this "8.8.8.8" can be far away for you; just count the 'hops' (actually: a router). You should know that every 'hop' has the right to throw away traffic that it thinks is "useless" because, for example, it's overloaded. And guess what: ICMP is just the protocol that gets thrown away if needed. A gateway monitor IP should be as close as possible; often this is a device from your ISP.
  • Multiple IPSEC IkeV2 "access levels"

    4
    0 Votes
    4 Posts
    638 Views
    NogBadTheBad
    @gelcom: Thanks. It worked perfectly! The only point is that there is no place in pfSense where I can see which freeRADIUS users are logged in the VPN. This is not clear to me. What's the difference with this additional NAS-Identifier==strongSwan

    Yes, the only issue is not being able to see who's logged in via Status -> IPSec -> Leases; the only way is looking in the logs.

    RE NAS-Identifier==strongSwan: I also use freeradius for WPA Enterprise Auth. If you add NAS-Identifier==strongSwan to the check items it basically says this user can only connect if the NAS-Identifier is strongSwan. You can use radsniff -x from the cli to see what's going on; the capture in green is when I connect to the wi-fi, the blue via vpn.

        2017-12-28 13:47:46.598198 (25) Accounting-Request Id 90 igb0:172.16.1.11:37599 -> 172.16.1.1:1813 +5.827
            User-Name = "andy"
            NAS-IP-Address = 172.16.1.11
            NAS-Port = 0
            Framed-IP-Address = 172.16.2.41
            Called-Station-Id = "A2-2A-A8-98-9D-8C:L-Space Radius"
            Calling-Station-Id = "D0-4F-7E-85-D9-BE"
            NAS-Identifier = "802aa8969d8c"
            NAS-Port-Type = Wireless-802.11
            Acct-Status-Type = Start
            Acct-Session-Id = "5A44C1A4-0000000F"
            Acct-Authentic = RADIUS
            Connect-Info = "CONNECT 0Mbps 802.11b"
            Authenticator-Field = xxxxxxxxxxxxxxxxxxxx

        2017-12-28 13:50:02.817587 (7) Access-Request Id 222 lo0:127.0.0.1:26931 -> 127.0.0.1:1812 +0.014
            User-Name = "andy-ipad"
            NAS-IP-Address = xx.xx.xx.xx
            NAS-Port = 47
            Service-Type = Framed-User
            State = 0x3011d33a3212c931f791fe04904119c2
            Called-Station-Id = "xx.xx.xx.xx[4500]"
            Calling-Station-Id = "172.16.2.41[4500]"
            NAS-Identifier = "strongSwan"
            NAS-Port-Type = Virtual
            EAP-Message = 0x020300061a03
            Message-Authenticator = 0xa5eed6c6557dcb0727c1fc852dd6873f
            NAS-Port-Id = "con1"
            Authenticator-Field = xxxxxxxxxxxxxxxxxxxx
  • No active remote repositories configured.

    5
    0 Votes
    5 Posts
    4k Views
    Re-installing and restoring my configuration worked and now I can see packages, thank you.
  • MOVED: getting always blocked by snort even IP is whitelisted

    Locked
    1
    0 Votes
    1 Posts
    231 Views
    No one has replied
  • Disable DNS rebinding protection

    14
    0 Votes
    14 Posts
    8k Views
    The DNS forwarder (dnsmasq) uses the option --stop-dns-rebind by default, which rejects and logs addresses from upstream nameservers which are in the private IP ranges. In the most common usage, this is filtering DNS responses received from the Internet to prevent DNS rebinding attacks. Internet DNS responses should never come back with a private IP, hence it's safest to block this.

    There are some cases when public DNS servers have private IP address replies by default, though it is not recommended. In those cases, DNS rebinding can be disabled or an override may be placed in the DNS Forwarder Advanced Settings box as follows:

        rebind-domain-ok=/mydomain.com/

    Note this is automatically overridden for domains in the DNS forwarder's domain override list, as the most common usage of that functionality is to resolve internal DNS hostnames.
  • Rules info 1770009538.. as an example

    4
    0 Votes
    4 Posts
    556 Views
    johnpoz
    Just enable the descriptions in the firewall log settings… Or just view the full rules with https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset and you can see which rule that number shows up on..

        [2.4.2-RELEASE][root@sg4860.local.lan]/root: pfctl -vvsr | grep 1000000110
        @23(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
        @24(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
        @25(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
        @26(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
        @27(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
        [2.4.2-RELEASE][root@sg4860.local.lan]/root:
  • Personal Sub

    2
    0 Votes
    2 Posts
    312 Views
    jahonix
    Yes. The one thing you may not do is resell pfSense (like bundled with your hardware). Using it is not restricted in any way. Supporting the project with a Gold Membership or through buying pfSense/netgate hardware is a plus, of course.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.