I can't give any better technical over what is applied above but I can give my experiences which, in and of themselves, show why you should do it right.

I use OpenHab and buy a lot of tat from China via AliExpress, BangGood etc - anyone who will post to the UK :)
For the most part I try flash my own or other Open Source firmware on it. There is more of a chance of prying eyes then. I have near-full automation from heating to all lights, presence and motion detection, wifi location tracking etc. All these features require one or many little things which I obtained from China / Ebay / AliExpress etc.

My setup is a VLAN - both on wired and wifi - for IoT stuff. This is blocked to the internet other than specific devices which I allow out. Said devices are the OH controller, Alexa and, urm, nothing else :)
Inter-VLAN routing is managed by pfSense and only specific clients can route between the two.

I bought a cheap tablet as a wall-mount-dashboard from China. £50 for a 10.1 inch Android jobbie recently.
I was looking at the logs a few days ago trying to work something out and noticed a large amount of hits on my deny-all rule. The tablet is constantly trying to phone-home. There are bursts of traffic to an IP in China. The traffic is over https so I cannot - for now - see what it is. I will try using ssl-strip one of these days when I get some time.
A few of the LED controllers also call home constantly.

All in all, you need to separate everything off from your main network.

Use a propper controller such as OpenHAB, HomeAssisant, Domotix etc to controll the smart home. Do not rely on each item because you cannot truly own them

Try, where possible, to use items which you can flash your own firmware on. Often this adds a large feature set and is maintained.

Do think Security-First

Of course, none of the above is as bad as having a Samsung Android table - they're the worse culprits :(

Is that a single firewall or an HA cluster?

Was it working OK and then suddenly stopped?

Is it reachable locally on LAN or a management interface, or completely disconnected?

You could try a completely fresh reinstall with pfSense 2.4.3 rather than 2.4.2. Even if you don't have a backup, the installer can recover the configuration from the hard drive using the recovery option on the first screen of the installer.

keep in mind it does not prefetch everything every queried.  It just renews a record that is queried if the ttl is 10% of life or left.

You prob want to turn on the serve ttl 0 option as well if your having delays with resolving.

Problem found!
The issue turned out to be with the upstream firewall.
It had the 12.x network with DHCP on a vlan that apparently these were aware of, and they were using WAN rules.
Removing the vlan and rebooting fixed it!
Thanks!

@Gertjan thanks for reply!

@Gertjan:

Now, the other part : what comes back ?

That's interesting and how would you check that ?

@Gertjan:

Start be removing things that tend to block things on the incoming side, like …. you have them both : Squid and Snort.

I tried that, wonder after disabling something, would you expect that to take immidiate effect or you need to do something else? (delete stats maybe?)

https://forum.pfsense.org/index.php?topic=145990

Set firewall max table entries to 400000

Here is an example of devd.conf: https://forum.pfsense.org/index.php?topic=86064.msg727823#msg727823

how to automatically run usb_modeswitch either on boot

That was explained in the last example I referred to!
look for "shellcmd" in the post I mentioned earlier: https://forum.pfsense.org/index.php?topic=111787.msg622688#msg622688

Yeah if both sides say full-duplex that should not be an issue.

What happens is the full-duplex side transmits and the half-duplex side logs an error because it can't receive while transmitting. You end up with very low throughput in one direction - from the full- to the half-duplex port. The other way generally works fine because the full-duplex side can always receive without issue. It's possible to drop ACKs but in general it appears to be a one-way problem.

This is generally only an issue when one side is hard-set and the other side is set to autonegotiate.

I think it's "180 no scope". Memories.

Hi I following this tutorial https://www.youtube.com/watch?v=ov-xddVpxhc&index=2&list=FLrcgeSlhWx6u2OSVmULNtGw&t=498s I just want to set up my pc going through ISP instead VPN but not working.Can someone please check my settings and tell me what I doing wrong?


But I assume you want new resolved IPs to be added to the list as they are seen right?

Or are you OK adding the IPs manually via pfctl?

Steve

Both of these are Known bugs:

Table size:
https://redmine.pfsense.org/issues/8417

And OpenVPN:
https://redmine.pfsense.org/issues/8391

Chris

I've got a whole box of punch cards  :-[

They were very handy for levelling the billiard table.

Squid can't filter https, that is because ssl, and the reason ssl interception option on squid conf, but it doen't work(cause certificate issues)

Nonsense.  It sounds like you don't have it configure properly.

BTW squid can block https on non transparent proxy mode, which is silly because anyone with a brain can bypass it on non transparent mode

It never occurred to you to block 80,443 tcp on LAN?

Squid Guard block all option does what it says block everything even white listed sites, just tested it

I'm pretty sure you can and you're doing it wrong.

as it read block then allow and not allow then block, or there's a option to change which direction it get first(block/allow; allow/block)

Sorry, what?  I don't understand what you're trying to say.

Watch this:

https://www.youtube.com/watch?v=xm_wEezrWf4

Thank you for your quick response and advice. I will ignore it.

Understood, I wouldn't mind understanding it better myself :)  But unfortunately I don't know why (or even if it is possible) to configure and use a VPN client connection without subsequently assigning an interface to it.  Hopefully someone more knowledgeable will drop by . . .

Sorry, the 10.0.2.10 is a NAT adress.
I checked the settings on 10.0.1.200 (sap router)
and the gateway was set to 10.0.1.1 and this is a miktrotik router so I changed the gw to 10.0.1.2 wich is my pfSense
Telnet…Works
niping...Works