• Connection drops for several seconds after changes

    8
    0 Votes
    8 Posts
    758 Views
    B
    I have unchecked the option last night and made some changes where I knew before the connections will be dropped and all connections remained active! Thank god it was that simple. I haven't checked the number of states before, I wouldn't risk the dropped connections for that anymore. I don't have any packages installed. Thank you for your help, this solved my case.
  • HTTPs SSL, Android e iOS "internet unavailable"

    8
    0 Votes
    8 Posts
    826 Views
    D
  • Duplicating two different Static IP for testing

    3
    0 Votes
    3 Posts
    402 Views
    jimpJ
    I have a pfSense VM set up for just this. Its WAN is inside my usual lab network, but in its outbound NAT it translates anything that leaves (except its own WAN address). Then on the LAN side I have the rules allow any/any and I add VIPs to the LAN that mimic the "ISP" side of the statics I am testing. If the VMs on the inside have VPNs or DynDNS I try to block those in the LAN rules before firing them up so they do not interfere.
  • Static IP on WAN results in no connectivity

    17
    0 Votes
    17 Posts
    2k Views
    jimpJ
    There are some backwoods providers out there that give customers a /32 WAN IP Address with a gateway outside of what would otherwise be their subnet. It's ugly, but it happens. As @Derelict said, no matter what we pick as the default it will be wrong more often than it is right. Using /32 as the default is less likely to break something than using /1 as the default, and any value in the middle is a wild guess.
  • How to request changes to the pfSense book

    2
    0 Votes
    2 Posts
    336 Views
    jimpJ
    You can open an issue on Redmine under https://redmine.pfsense.org/projects/pfsense-docs/issues I went ahead and fixed that one though. It should show up shortly. Thanks!
  • pfsense android 5

    3
    0 Votes
    3 Posts
    477 Views
    D
    @nogbadthebad said in pfsense android 5: "Does it work if you disable squid?" No. This problem did not occur in pfSense version 2.2.4; I think it could be a problem of squid version 0.4.43_1 or squidGuard version 1.16.4
  • Errors, errors, errors!

    11
    0 Votes
    11 Posts
    1k Views
    P
    come on, talk to me
  • Processor at 100% load due to snort sync

    2
    0 Votes
    2 Posts
    245 Views
    bmeeksB
    As a short-term fix disable Snort HA sync on the SYNC tab in Snort on the master firewall, and then reboot the slave firewall. That will stop the problem for now. That PHP file is created on the slave firewall by the master when "syncing" a Snort configuration from master to one or more slaves. That PHP file contains a series of commands for the slave to execute. Instead of rebooting, you can also try killing all those php-cgi process IDs. They are all trying to execute the same PHP file and likely stepping all over and blocking each other.
  • USB WIRELESS COMPATIBILITY

    6
    0 Votes
    6 Posts
    742 Views
    stephenw10S
    It depends how you're filtering traffic. And whether that system is set up to filter on the interface your AP is connected to. The tablet might be using a different DNS server for example if you're using pfBlocker. Steve
  • VPN traffic sometimes routed over the WAN

    3
    0 Votes
    3 Posts
    321 Views
    P
    Thanks @TheNarc I think what I was seeing was actually a PC soft-phone trying to connect via the WAN (outside the VPN) because it must have been provisioned that way, not one of the phones. And since the soft-phone has the same extension as one of the desk-phones, it appeared to be that one phone.
  • LDAP case sensitivity

    3
    0 Votes
    3 Posts
    918 Views
    P
    @msf2000 Hmm, looks like my post wasn't as clear as I thought it was, never mind. The problem is not about users mixing upper and lowercase, it's about the LDAP authentication that (it seems) is not handling casing correctly. Both 'SuperAdmin' and 'superadmin' authenticate correctly when using Diagnostics - Authentication. That diagnostic also returns group membership but only for 'SuperAdmin' and not for 'superadmin'. ... but I should have searched a bit more: uid is not case sensitive by default but memberUID is (standard 389-DS schema) - odd but that's the way it is, which explains the results I'm getting.
  • Higher pings from ethernet than wifi

    13
    0 Votes
    13 Posts
    3k Views
    JKnottJ
    @grimson said in Higher pings from ethernet than wifi: Just ping pfSense or your cable gateway, if the pings are normal your cables are OK. Also, defective hardware, including cables, will produce errors which you can see in the ping results.
  • This topic is deleted!

    1
    0 Votes
    1 Posts
    5 Views
    No one has replied
  • Splitting one network into two with Pfsense VM?

    4
    0 Votes
    4 Posts
    585 Views
    M
    whoa, just noticed I never responded... what did you end up doing? To answer your question: Should we give the new subnet a different Vlan than the current (Server subnet)? In general, yes, it's a good idea to have your workstations on a different VLAN than your servers. There are many reasons... one example would be... let's say one of your workstations gets infected and it's trying to infect other devices via broadcast discovery... well... the infection won't spread to your servers because they're in a different broadcast domain. Personally, I use different VLANs for everything... workstations, servers, printers, wireless, management, etc. It makes auditing easier and can help you with deployment, etc if you start implementing things like SCCM. Although, this may also be overkill depending on your environment and what your objectives are. My performance vs security comment had to do with where to terminate your VLANs (switch vs firewall).
  • Basic questions regarding certificates

    2
    0 Votes
    2 Posts
    484 Views
    stephenw10S
    I don't think so. To do that you would need to proxy the LDAP traffic and pfSense is not capable of that. Via the GUI at least. However you could probably do it via something else that you could port forward to and change the certificates without bothering Windows. Steve
  • Please help with hardware selection

    7
    0 Votes
    7 Posts
    1k Views
    H
    @msf2000 Okay I have no idea what “OPT1” means as I’m a business owner not a network expert. What’s the benefit of doing this? I do not care that much about security, I need performance. If OPT1 is just some security thing I will likely not use it. I’m not building a pfSense to be a firewall, although I know it has one built in which is nice, I’m building it to be a more stable platform than DD-WRT, something that can support 1gbps speeds, 30k connections without crashing every few hours. Also the Amazon link is a significantly better CPU than the SG-3100. I’d much prefer having an Intel processor than ARM. There’s also no mention of the type of NICs in the Netgate product. The Amazon one has all Intel NICs, which I greatly prefer to Realtek.
  • Filtering Kids Content With UniFi AP's and pfSense?

    2
    0 Votes
    2 Posts
    628 Views
    X
    Are these all on the same subnet? Pretty sure under the DHCP settings, you can define the DNS for that subnet. Where you would run your regular DNS to your other computers, then anything going to the Kids network could run the OpenDNS servers.
  • Accessing LAN from OPT1

    10
    0 Votes
    10 Posts
    2k Views
    B
    That was it! I had not entered the gateway on the switch! Thanks for the help! It seems that I have a lot to learn, I was sure I had something configured wrong with pfSense
  • ifconfig vs ip

    2
    0 Votes
    2 Posts
    394 Views
    jimpJ
    Not that I'm aware of
  • Var out of space, or is it?

    3
    0 Votes
    3 Posts
    435 Views
    bmeeksB
    @signalz said in Var out of space, or is it?: "I'm having a problem with /var supposedly running out of space. It's configured for 60MB, on the dashboard it shows 108% CPU usage, but du -mhs /var says it's only using 30MB. The DNS service crashes constantly and watchdog can't always restart it. I stopped snort as a temporary fix. I've had it set up for a while so I don't think that's causing the problem. My most recent changes on this box were a change to an alias used by snort's passlist and adding services to watchdog to monitor. Why is /var out of space but really not?" Snort can use quite a bit of space in /var for its logs, especially on a busy network and if you have lots of Snort rules enabled and firing. What kind of hardware are you running on? Why is /var so restricted? That is where all of the logging happens.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.