Humm. Interesting.

Stop the ntpd daemon in the GUI, goto shell access, and launch :

date

Note the time. Is it ok ?
Change the time with date. An hours or so.
The question is : the issue happens again, at what time ?
If the source of the issue comes from pfSense, the time will change. If the source is from somewhere else, like your PC that start a packet hail storm at 01h08, then it will still happen at the real 01h08.

Install the Cron package if you didn't do so already.

What does

ps ax

shows ?

And another shell access in parallel :

top -t -ocpu

Yesterday I performed the setup and I have to say nxfilter is running pretty well on my PFSense box. The instructions above are outdated. This is how the installation is performed (on latest PFSense version)

General > Advanced

Disable HSTS Disable WebConfig redirect TCP port Disable DNS Resolver Change PFSense Port

#FreeBSD 11 repos is found on

http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/

#install packages
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/wget-1.19.2.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/alsa-lib-1.1.2.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/freetype2-2.8_1.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/fontconfig-2.12.1,1.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/xproto-7.0.31.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libfontenc-1.1.3_1.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/mkfontscale-1.1.2.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/mkfontdir-1.0.7.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/dejavu-2.37.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/giflib-5.1.4.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/java-zoneinfo-2017.c.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/javavmwrapper-2.6.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libX11-1.6.5,1.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/kbproto-1.0.7.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libXau-1.0.8_3.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libXdmcp-1.1.2.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libxcb-1.12_2.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libpthread-stubs-0.4.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/xextproto-7.3.0.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libXext-1.3.3_1,1.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/fixesproto-5.0.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libXfixes-5.0.3.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/inputproto-2.3.2.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libXi-1.7.9,1.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/renderproto-0.11.1.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libXrender-0.9.10.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libICE-1.0.9_1,1.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libSM-1.2.2_3,1.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libXt-1.1.5,1.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/recordproto-1.14.2.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libXtst-1.2.3.txz
pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/openjdk8-8.152.16_3.txz

#get nxfilter

/usr/local/bin/wget http://www.mediafire.com/file/waa0sgqzabur2pb/nxfilter-4.2.1-p1.zip

#unzip

tar xzvf nxfilter-4.2.1-p1.zip

#change permissions

cd /bin
chmod +x *.sh

configuration -

/nxfilter/conf/cfg.default

listen_ip = xxx.xxx.xxx.xxx
http_port = 80
https_port = 4443
start_tomcat = 1
cluster_mode = 0
master_ip =
slave_ip =
blacklist_type = 5

Then you can fire up your config with startup.sh -d or use the script in this post.

@new-to-netgate:

Hi,
I'm running 2.4.2p1 on my own hardware.  It's been running fine for a year or so.  A few days ago I found an error message at login alerting me that there was a crash, and giving me a choice to report it to developers (did that).

The problem is now drop down menus don't work.  Here's what's in the crash :

amd64
11.1-RELEASE-p6
FreeBSD 11.1-RELEASE-p6 #8 r313908+a5b33c9d1c4(RELENG_2_4): Tue Dec 12 13:51:24 CST 2017    root@buildbot2.netgate.com:/builder/ce-242/tmp/obj/builder/ce-242/tmp/FreeBSD-src/sys/pfSense

Crash report details:

PHP Errors:
[22-Jan-2018 21:29:46 America/Vancouver] PHP Parse error:  syntax error, unexpected 'if' (T_IF) in /usr/local/pkg/pfblockerng/pfblockerng.inc on line 1771

No FreeBSD crash data found.

Suggestions welcome :)

That line in the code on Line #1771 is for the download of Feeds. I don't see any issues with the code and can only assume that that you had a hard drive failure or a file corruption issue… I would just suggest a reinstall of the package.

For NAT: Create your own outbound NAT rules and switch to manual mode.

Your limitations are going to be how big your internet pipe is, how you configure the lan side, etc.  I personally would not put 1000 devices on the same segment - because that ends up being a lot of broadcast noise..

There will be a limitation of your state table, etc. If you only have 1 public IP to nat too that could end up being a limiting factor even if you had a 10ge pipe to handle traffic, etc.

But you could have 1000's of clients behind sure..

@johnpoz:

How does your blocking their C&C prevent that?

It doesn't always but it depends on the variant - for example CrytoLocker will stay dormant (and does not encrypt files) if it cannot reach the designated C&C server.

Has that kept it out?  No.  But you now have a hit on your DNSBL which you can use to isolate an infected machine.

@alex1962:

[Mon Jan 22 15:41:06 CET 2018] 'www.cybercrimine.com' is not a issued domain, skip.

Can't use https://crt.sh right now - better check with that site when it comes up again.

@alex1962:

if I analyze the start of pfsense I see a lot of faied pullup errors.
can it be connected?

Don't know what you mean.

@Derelict:

That or I suppose someone is trying to spoof ARP for an interface address. You would need to handle that in your switching gear.

Diagnostics > Packet Capture for ARP on that interface and see what you see.

No. I think this is caused by my own ignorance.  :D

I use lots and lots of local names.. You shouldn't be using .local - states that right in the notes for when setting up your domain under general settings.

Do not use '.local' as the final part of the domain (TLD), The '.local' domain is widely used by mDNS (including Avahi and Apple OS X's Bonjour/Rendezvous/Airprint/Airplay), and some Windows systems and networked devices. These will not network correctly if the router uses '.local'. Alternatives such as '.local.lan' or '.mylocal' are safe.

I would turn off register dhcp… Just have it register reservations.. All devices you want to resolve most likely should have the same IP - so just setup a reservation for them, etc. so they always get the same IP..

@johnpoz:

Yeah you can see for sure that IP is part of the ntp pool.

http://www.pool.ntp.org/scores/95.211.224.12

Yeah…that's my biggest gripe with a lot of the blacklist type of IP lists.  They mix up the good guys and the bad guys sometimes, and it is frequently difficult to get mistakes fixed.

Bill

@pronten2:

Ok i will try i will update you later tnx

Nothing to "try" actually, it's disabled by default, so a user can use the same login ID on multiple devices already.
See image.

multiple.PNG
multiple.PNG_thumb

@triangleman:

@Harvy66:

Probably easier to re-install and restore your config from backup. You backup, right? And using ZFS would probably help prevent this in the future, at the cost of more memory.

I'm all-for preventing this from happening again and will look into ZFS,
but re-installing after a mere power failure seems a little much.

Surely there's a way to use the 'recovery mode' from the CD to run FSCK on the disk right?
I looked into it, FSCK does run, but i don't know how use it for this.

I'm not familiar with UFS. Most modern filesystems don't trash committed data, only data or metadata changes that are in-flight run the risk of corruption. My pfSense box has experienced 3 unexpected power failures in the many years. Never had an issue, but could just be lucky or you could be unlucky or something pathological.

Yep, right before going in and setting it manually because it wasn't working either for some reason.  I'm just gonna restore it to defaults and go through the setup again.

I also tested this with another appliance with nearly no changes to the default configuration, but I get the same result.

If anyone could tell me where i've might made a mistake that would be really appreciated.

Thanks. That seems like a good starting point.

I looked the script /etc/rc.newwanipv6 and it looks like I have two options:

a) Modify the script to call my script as well. But then I might have to change that file after every upgrade of pfsense, I'm assuming.
b) At the end of the script, there is a function to restart packages. Maybe I could package my script, so it will be called from there automatically? Will have to investigate this a bit more…

Well stated Gertjan - but would like to clarify one small part..

Your not limited to the 1 (one) lan side port with vlans..  If you have multiple ports you can use them for multiple lan side networks..  As long as you have a switch you can connect your multiple ports from the router as different networks tagged or untagged.

Router ports or interfaces are very valuable on a router - trying to bridge them to put in the same layer 2 network is waste of time, effort to end up with a more complex setup and less performance..  You might only do such a thing when you want to connect interface types…  Say you had a fiber connection on your router and you wanted this fiber connection to be in the same L2 network and as normal copper ethernet network.

Or if you wanted to split the same L2 network but be able to firewall beside your split ends..

There are for sure uses of bridging interfaces on your router - but unless your doing something that is a bit more complex and requires such a setup... It going to be a much better idea to get just a vlan capable switch when you need more "ports"  leverage your routers interfaces as switch ports via bridging them not a good idea almost ever.

If you need a few ports in the same network and you want them to be on your router box - get say the sg-3100, it has a 4 switch ports that you can use a switch in the same network or break them out as individual vlans, etc.

But you can for sure get a 8 port get switch that is smart and easy to configure for like $30... If you want multiple interfaces on the same network - your way better off getting a switch then trying to bridge your very useful router interfaces.. It would be better to let those interfaces just sit unused for future use then try and leverage them as switch ports.  If your ocd and don't like these router ports left open - then use them in a lagg to your shiny new switch ;)  Be it your using 1 network or multiple vlans.