• Web Interface "times out" on one interface

    gateway segment webconfigurator
    1
    0 Votes
    1 Posts
    599 Views
    No one has replied
  • System is hung up, busy doing something and web GUI won't respond

    5
    0 Votes
    5 Posts
    313 Views
    What version of pfsense are you using?
  • Suggestions on where/how to use PFSense in my setup - growing network

    1
    0 Votes
    1 Posts
    176 Views
    No one has replied
  • 0 Votes
    12 Posts
    1k Views
    So after further digging, I found that my Unifi system in its previous update automatically turned on "Wireless Meshing" between 2 of my 50 WAPs. Both are hardwired, so there is no need for meshing, so no problems occurred the first 3 weeks after the update (therefore I never suspected it), but if one WAP gets overloaded with traffic and misses its heartbeat, it creates a temporary wireless bridge to reconnect and then creates a network loop. For some reason the switches' RSTP setting isn't picking up the loop and it's making its way all the way up the food chain to the pfSense box since the wireless bridge resides on a VLAN and needs routing through to the LAN. Since I took off the Wireless Meshing setting, everything has cleared up. I'm hopeful that this was the root of the problem and the peacefulness continues. I'll keep you guys informed and I appreciate all the help!
  • I am without access to the main page of PFSENSE

    8
    0 Votes
    8 Posts
    751 Views
    Finally after 30 minutes in shell mode he was able to do the update and went up normally and now I can access the dashboard ... thanks everyone!
  • 0 Votes
    4 Posts
    3k Views
    Derelict
    Yup. And if you find anyone bypassing your GPO somehow, grab a wrench and go pay them a visit.
  • DuckDuckGo Safe Search

    3
    0 Votes
    3 Posts
    3k Views
    Hi Steve. Thanks for your reply. To be honest, I might need some help with this one as I didn't get the redirect settings in SquidGuard to work. I am able to get SquidGuard to block unwanted sites (e.g. ad sites, porn sites, etc.); but, for some reason, the "Use SafeSearch engine" checkbox never worked for me - I had to add a couple of entries in DNS Resolver to force safe search for Google and Bing. When I remove those DNS Resolver entries, uncheck the "Use SafeSearch engine" box and try to create my own "Safe Search" rewrite, it doesn't work. E.g.:
    Rewrite Rules:
    Target URL: google.com
    Replace to URL: forcesafesearch.google.com
    Opt: Redirect
    For some reason, this causes the URL to become forcesafesearch.google.com to be forcesafesearch.forcesafesearch.google.com. If I try using the IP address, the system comes back with www.<ip address>. To say I'm doing something wrong would be an understatement. I apologize for my lack of knowledge, but I'm still learning and any suggestions you can provide would be greatly appreciated. Thank you.
  • How to set TTL?

    10
    0 Votes
    10 Posts
    7k Views
    JKnott
    @mascot said in How to set TTL?:
    > In this case my only option to have same TTL with "pf scrub" is to set it to maximum value of 255? (Side question: are there any downsides of having TTL=255?) Also, shouldn't there be possible some workaround to avoid looping? Like router somehow recognizing and ignoring packets if they are in a loop? Also, maybe for FreeBSD there is something like "iptables mangle" for Linux?
    Well, as I mentioned, on IPv6 255 indicates a packet that's intended for the local LAN only. Will a router pass it? Also, recognizing packets it's seen before, that would require saving the packets it already sent and then comparing them with any new packets. That might keep a router a bit busy. Also, if a router sees a packet with 255, the assumption can only be that the previous router decremented from 0 and sent it on, violating the rule that says packets with or decremented to 0 must be discarded. You're trying to defeat the entire purpose of MTU, which is to prevent a packet from being sent forever around a loop.
  • Pfsense Website Traffic

    2
    0 Votes
    2 Posts
    298 Views
    stephenw10
    It can do if you run the Squid web proxy. Squid can send its logs to a syslog server. Steve
  • Cloudflare Dynamic DNS error when using proxy

    1
    0 Votes
    1 Posts
    198 Views
    No one has replied
  • Remote Syslog - syslogd error

    3
    0 Votes
    3 Posts
    570 Views
    Great info. That alone is helpful. I'm going to grab a packet capture on the syslog server and go from there. Thanks!
  • NTP status on Dashboard

    7
    0 Votes
    7 Posts
    859 Views
    pete
    Thank you John. So do you see the GPS in the Dashboard? Checking here now only see the GPS in ntpq where as before pps, gps and internet NTP servers...
    /root: ntpq
    ntpq> pe
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
    oGPS_NMEA(0)     .GPS.            0 l    -   16  377    0.000    0.003   0.026
    ntpq>
    Maybe I should switch it back? Switched it back..thinking it takes a bit for PPS to come up (was seeing it before)
    ntpq> pe
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
    *GPS_NMEA(0)     .GPS.            0 l   12   16    1    0.000    0.028   0.000
     0.pfsense.pool. .POOL.          16 p    -   64    0    0.000    0.000   0.000
     23.134.96.254   252.74.143.178   2 u    1   64    1   41.763    0.186   1.522
     eterna.binary.n 204.9.54.119     2 u    -   64    1   28.596    3.498   2.029
     ntp2.wiktel.com 212.215.1.157    2 u    1   64    1   29.253    9.657   1.283
     45.32.75.249 (4 142.66.101.13    2 u    -   64    1   65.164    2.326   1.400
    ntpq>
  • Bug. Please fix it.

    20
    0 Votes
    20 Posts
    2k Views
    emammadov
    Thank you very much.
  • Connecting to VLAN devices

    17
    0 Votes
    17 Posts
    2k Views
    johnpoz
    Setup vlan 60 firewall rules to use your vpn gateway..
  • Pfsense + snort + barnyard2

    2
    0 Votes
    2 Posts
    826 Views
    bmeeks
    @thsalex What do you mean by the term "lock"? There is no "lock" with regards to either package. There are blocks, but those are implemented by placing the offending IP addresses in the pf (packet filter) firewall's snort2c table. This is a table that is created by the core pfSense code during initialization of the firewall. Any IP addresses placed into that table are blocked via a built-in firewall rule that references the snort2c table. The table can be cleared manually, automatically by a cron job, or by rebooting the firewall.
  • pfSense on consumer routers

    2
    0 Votes
    2 Posts
    457 Views
    jimp
    Most of those have so little RAM/CPU/etc that they could not effectively run pfSense. And most of them are not 64-bit x86 hardware, but various ARM platforms for example.
  • pfSense forensics

    5
    0 Votes
    5 Posts
    4k Views
    status-->system logs-->settings: Local Logging: [ ] Disable writing log files to the local disk
  • Add second ip v4 range to LAN port

    8
    0 Votes
    8 Posts
    654 Views
    lifeboy
    Someone here pointed out to me that one can add an "IP Alias" under virtual ip's, which does exactly what I want.
  • Permit user Internet connections through pfsense Rules or SQUID

    3
    0 Votes
    3 Posts
    280 Views
    Hello, I would like to inform you that my problem was resolved. What was missing is adding the subnet of PC to the allowed subnets in SQUID Proxy Server. Thank you.
  • Block personal gmail but allow corporate gmail

    2
    0 Votes
    2 Posts
    360 Views
    johnpoz
    Your corp account uses the same domain to login? You can create a custom url for your mail... Then just block the normal url.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.