• Check_reload_status

    1
    0 Votes
    1 Posts
    340 Views
    No one has replied
  • First Ever crash

    6
    0 Votes
    6 Posts
    786 Views
    V

    Nice run time!
    Last machine I ran updates on had 102 days on it, but then had to reboot it for the update :'(

  • Firewall Config - Security

    11
    0 Votes
    11 Posts
    1k Views
    J

    The problem was the wireless connection of the WAN interface. Today I bought a 10 m Cat 5e Ethernet cable and made a wired WAN link. EXCELLENT results: no logs about the WAN link going up/down, 5 hours with no crashes (x86 firewall) at all and almost no Suricata alerts. It's amazing! Next task: upgrade the hardware to x64 and go for version 2.4.2p1.

    Thank you all for the help

    Jami

  • Proxmox vm+pfsense

    1
    0 Votes
    1 Posts
    773 Views
    No one has replied
  • OpenVPN with MFA

    1
    0 Votes
    1 Posts
    470 Views
    No one has replied
  • System logs time interval?

    8
    0 Votes
    8 Posts
    1k Views
    M

    Thank you for the link, even has 2.4 GROK patterns!  Much appreciated.

  • Problem with internet access thought pfsense

    2
    0 Votes
    2 Posts
    301 Views
    johnpoz

    " -LAN 100.1.1.200/24"

    So your
    NetRange:      100.0.0.0 - 100.41.255.255
    CIDR:          100.40.0.0/15, 100.0.0.0/11, 100.32.0.0/13
    OriginAS:      AS19262
    Organization:  MCI Communications Services, Inc. d/b/a Verizon Business (MCICS)

    Or has this /24 been routed to you by them? Why would you be using public IP space like that if you don't own it? Or is that supposed to be a 10 and you just typo'd it a bunch of times?

  • 0 Votes
    3 Posts
    684 Views
    J

    In VMware, have you changed the VM's network interface to point to the new DMZ vSwitch?

    Also, have you run the Ethernet cable direct to the ESXi server's interface or via a switch? Because if this switch carries any other traffic, i.e. non-DMZ traffic, you'll want to VLAN the two ports to segregate them, or run it on a separate switch or a direct cable.

  • 0 Votes
    3 Posts
    2k Views
    J

    Hi there,

    Unfortunately I have the same issue as you and have been trying this lately, but also am having no luck.

    On the upside (if you can call it that) I can have the VLANs working SSID-assigned, so not RADIUS-assigned but one SSID per VLAN, and this all works here as I have it now.

    Basically the difference between our setup and yours is this: I have a dedicated interface on the pfSense for the VLAN trunk, separate from my LAN interface to the main switch (which also handles the VLANs), so pfSense to switch is two cables, one LAN and one carrying all VLANs as a trunk port (I did this as the pfSense is routing to and from LAN to VLAN and I wanted some more bandwidth).

    Then in the UniFi I have the SSID set to VLAN as you do, and on the switch config the VLANs are set on the ports between the APs and pfSense as tagged VLANs.

    One last thing: reading around, it looks like you do not set the VLAN ID for RADIUS-assigned VLANs; I noticed that in your config you have an SSID with a VLAN.

    Hope somehow this helps or someone comes along to put us both right; I'll keep tinkering in the meantime.
    One thing I did find on the subject though is this: https://community.ubnt.com/t5/UniFi-Wireless/I-need-help-setting-up-dynamic-vlan-assignment/td-p/1661658

  • Best Practices - How To Isolate Sonos System? VLANs or Other?

    6
    0 Votes
    6 Posts
    3k Views
    Programie

    I've done something similar with all my IoT devices. But I've gone a bit further: all of them are in a VLAN whose outgoing traffic to any other network (WAN, LAN, etc.) is rejected by default. Only the rules I have defined are allowed.

    I've even redirected all DNS queries to pfSense (NAT TCP/UDP port 53 to 127.0.0.1), so they can't even use a freely chosen DNS server like Google Public DNS. All DNS traffic is sent to pfSense so I can log DNS queries and find out which hosts they are trying to reach (and maybe open them in the firewall if required).

    In my case I'm using Ubiquiti UniFi access points, which allow creating multiple WiFi networks with different VLANs, so even wireless devices can be restricted to a specific VLAN. 8) I'm not sure whether that is going to work with DD-WRT.
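The post above relies on an ordering detail that is easy to get wrong: in pf (and therefore pfSense) the port-forward (rdr) translation is applied before the filter rules, so the pass rule has to match the translated destination (127.0.0.1:53), not the address the IoT device originally asked for. The following toy evaluator, added here as an example and not code from the post or from pfSense, models that ordering with a constructed rule table. The VLAN 192.168.50.0/24, the pfSense address 192.168.50.1 and the NTP allowance are assumptions for illustration.

```python
"""Toy model of the IoT-VLAN policy: rdr runs first, then a first-match
filter with default reject. Rules and addresses are constructed for this
example; they are not a pfSense export."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

IOT_NET = ip_network("192.168.50.0/24")      # assumed IoT VLAN
FW_IOT_ADDR = ip_address("192.168.50.1")     # assumed pfSense address on that VLAN
LOOPBACK = ip_address("127.0.0.1")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str


# NAT (rdr) rules: (source net, proto, dport) -> new destination. Evaluated first.
RDR_RULES = [
    (IOT_NET, "tcp", 53, LOOPBACK),
    (IOT_NET, "udp", 53, LOOPBACK),
]

# Filter rules, first match wins: (action, src net, proto, dst net, dport or None).
# Note the DNS pass rules name the *translated* destination 127.0.0.1.
FILTER_RULES = [
    ("pass",   IOT_NET, "udp", ip_network("127.0.0.1/32"), 53),
    ("pass",   IOT_NET, "tcp", ip_network("127.0.0.1/32"), 53),
    ("pass",   IOT_NET, "udp", ip_network("192.168.50.1/32"), 123),  # NTP to pfSense (assumed)
    ("reject", IOT_NET, "any", ip_network("0.0.0.0/0"), None),       # everything else
]


def apply_rdr(pkt: Packet) -> Packet:
    """Rewrite the destination if a port-forward rule matches."""
    for net, proto, dport, new_dst in RDR_RULES:
        if pkt.src in net and pkt.proto == proto and pkt.dport == dport:
            return replace(pkt, dst=new_dst)
    return pkt


def apply_filter(pkt: Packet) -> str:
    """First matching filter rule decides; unmatched traffic is rejected."""
    for action, src_net, proto, dst_net, dport in FILTER_RULES:
        if pkt.src not in src_net:
            continue
        if proto != "any" and proto != pkt.proto:
            continue
        if pkt.dst not in dst_net:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "reject"


def decide(src: str, dst: str, dport: int, proto: str):
    """Return (final destination, action) for a packet from the IoT VLAN."""
    pkt = Packet(ip_address(src), ip_address(dst), dport, proto)
    translated = apply_rdr(pkt)
    return str(translated.dst), apply_filter(translated)


if __name__ == "__main__":
    for args in (("192.168.50.20", "8.8.8.8", 53, "udp"),
                 ("192.168.50.20", "8.8.8.8", 443, "tcp"),
                 ("192.168.50.20", "192.168.50.1", 123, "udp")):
        print(args, "->", decide(*args))
```

The query to 8.8.8.8:53 ends up at 127.0.0.1 and is passed, while 8.8.8.8:443 falls through to the default reject. That default reject is what also stops DNS over HTTPS, which the port 53 redirect alone cannot catch. If the pass rule had been written against the original destination instead of 127.0.0.1, the redirected packet would never match it and the device would lose DNS entirely.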

  • Certificate problem (ERR_CERT_COMMON_NAME_INVALID) in Chrome

    7
    0 Votes
    7 Posts
    3k Views
    johnpoz

    "Windows domain, then the domain is added automatically"

    That is a simple search suffix, and all OSes can be set up to do that. But it's not going to do it in your browser. It would be done on the DNS query.

    There is zero reason to put in just a hostname for a cert. Try and get a CA to sign off on that ;)
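The distinction in the reply above is worth making concrete: the search suffix is applied by the resolver when it looks the name up, but the browser compares the host exactly as typed in the URL against the certificate's SAN entries, so `https://pfsense` never matches a certificate issued for `pfsense.home.lan`. The code below, added here as an example and not from the thread, models both steps with RFC 6125 style dNSName matching; the names `pfsense`, `home.lan` and the address are constructed.

```python
"""Two separate steps: (1) resolver applies search suffixes to a bare name,
(2) TLS name check compares the URL host as typed with the SAN list.
Names and addresses below are constructed for the example."""


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname.
    A wildcard is honoured only as the whole leftmost label, must be followed
    by at least two labels, and never matches across a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]   # '*' covers exactly one label


def browser_would_accept(sans: list, url_host: str) -> bool:
    """What the browser does: compare the host from the URL, untouched."""
    return any(san_matches(s, url_host) for s in sans)


def resolve_with_search_suffix(name: str, search_domains: list, zone: dict):
    """What the OS resolver does: a bare name is tried with each suffix.
    `zone` is a constructed stand-in for DNS: {fqdn: address}."""
    candidates = [name] if "." in name else [f"{name}.{d}" for d in search_domains]
    for fqdn in candidates:
        if fqdn in zone:
            return fqdn, zone[fqdn]
    return None


if __name__ == "__main__":
    sans = ["pfsense.home.lan", "*.home.lan"]                 # constructed cert SANs
    zone = {"pfsense.home.lan": "192.168.1.1"}                # constructed DNS data
    print("resolver:", resolve_with_search_suffix("pfsense", ["home.lan"], zone))
    print("browser accepts 'pfsense':", browser_would_accept(sans, "pfsense"))
    print("browser accepts 'pfsense.home.lan':",
          browser_would_accept(sans, "pfsense.home.lan"))
```

The resolver happily turns `pfsense` into `pfsense.home.lan`, yet the name check still fails for the bare host because the URL never changed. The fix is the one implied in the thread: browse to the FQDN (or put the FQDN in the certificate and the bookmark), not a bare hostname.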

  • Monitoring pfSense using Nagios and SSH

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • PfBlockerNg, What's the real need? Think you'll be surprised

    9
    0 Votes
    9 Posts
    4k Views
    D

    Whether home or business, if I could only choose one package to install, it would be pfBlockerNG. First, DNSBL is fantastic (think built-in Pi-hole). Yes, the default WAN rules will already block everything if you don't have any forwards. But as motific and others have alluded to, even then, if you deny both directions (LAN and WAN) via the IP component, your internal clients will get blocked when trying to communicate with known bad addresses. The alerts/reports will show this activity as well. This is a pic of the alerts on the new version, but the older version had similar functionality. On this particular firewall, if the LAN interface shows up in the list of "denies" I need to investigate the cause of the alert.

    [Image: pfblockerng-alerts.png]
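The triage rule in the post above, "a deny on the LAN interface needs investigating", is easy to automate over block logs. The script below is an added example, not pfBlockerNG's own code or its real alert file format: it reads constructed CSV-style block entries, checks each against a constructed denylist with the standard library's `ipaddress` module, and separates inbound hits (noise from the internet) from outbound hits (a LAN host actively reaching for a listed address).

```python
"""Separate inbound denylist hits from outbound ones. The denylist and the
log lines are constructed for this example; the column layout
(iface,action,proto,src,sport,dst,dport) is an assumption, not pfBlockerNG's."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

DENYLIST = [ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]  # constructed

SAMPLE_LOG = """\
wan,block,tcp,198.51.100.23,41234,192.0.2.10,22
lan,block,tcp,192.168.1.50,50211,203.0.113.7,443
lan,block,udp,192.168.1.50,50312,198.51.100.9,53
lan,pass,tcp,192.168.1.20,50400,203.0.113.50,443
wan,block,tcp,198.51.100.77,55000,192.0.2.10,3389
"""


def listed(addr: str):
    """Return the matching denylist network as a string, or None."""
    a = ip_address(addr)
    return next((str(n) for n in DENYLIST if a in n), None)


def parse_line(line: str) -> dict:
    iface, action, proto, src, sport, dst, dport = line.strip().split(",")
    return {"iface": iface, "action": action, "proto": proto, "src": src,
            "sport": int(sport), "dst": dst, "dport": int(dport)}


def triage(log_text: str) -> dict:
    """Return {'inbound': [...], 'outbound': [...]} denylist hits.
    Outbound hits mean something inside already wants to talk to a listed
    address; those are the alerts to chase."""
    hits = {"inbound": [], "outbound": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["action"] != "block":
            continue
        if e["iface"] == "wan" and listed(e["src"]):
            hits["inbound"].append((e["src"], listed(e["src"]), e["dport"]))
        elif e["iface"] != "wan" and listed(e["dst"]):
            hits["outbound"].append((e["src"], e["dst"], listed(e["dst"]), e["dport"]))
    return hits


def hosts_to_investigate(log_text: str) -> dict:
    """LAN hosts with outbound hits, mapped to the number of distinct listed targets."""
    targets = defaultdict(set)
    for src, dst, _net, _port in triage(log_text)["outbound"]:
        targets[src].add(dst)
    return {host: len(t) for host, t in targets.items()}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("inbound (noise):", result["inbound"])
    print("outbound (investigate):", result["outbound"])
    print("hosts:", hosts_to_investigate(SAMPLE_LOG))
```

On the constructed data the two WAN entries are ordinary unsolicited scans, while 192.168.1.50 tried to reach two different listed addresses, one of them on port 53, which is exactly the kind of LAN-side deny the post says to investigate.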

  • Help to add a DMARC record

    5
    0 Votes
    5 Posts
    1k Views
    D

    Agree with johnpoz and marjohn56. If you need help setting up DMARC (and SPF/DKIM), a group and I put together a technical guide at the link below, if you are interested. It also has an associated testing guide which walks you through the process of discovering your authoritative nameservers.

    https://www.linuxincluded.com/implementing-spf-dkim-and-dmarc/
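Before publishing a DMARC record it is worth checking the tag syntax, since a malformed record is silently ignored by receivers. The validator below is an added example written for this page, not code from the linked guide; the sample records in it are constructed. It checks the tag rules that trip people up most often: `v=DMARC1` must come first, `p` is mandatory and limited to `none`, `quarantine` or `reject`, `pct` is 0 to 100, report addresses must be `mailto:` URIs, and `p=none` without `rua` yields no reports to act on.

```python
"""Parse and sanity-check a DMARC TXT record (tag=value pairs separated by
semicolons). Sample records are constructed for this example."""
import re

REQUIRED = {"v", "p"}
POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT = {"r", "s"}
MAILTO = re.compile(r"mailto:[^@\s]+@[^@\s]+(![0-9]+[kmgt]?)?", re.I)


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def validate_dmarc(txt: str) -> list:
    """Return a list of problems; an empty list means the record is usable."""
    problems = []
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    if not txt.strip().lower().startswith("v=dmarc1"):
        problems.append("record must begin with v=DMARC1")
    for tag in sorted(REQUIRED - tags.keys()):
        problems.append(f"missing required tag {tag}")
    if "p" in tags and tags["p"] not in POLICIES:
        problems.append(f"invalid p={tags['p']}")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append(f"invalid sp={tags['sp']}")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in ALIGNMENT:
            problems.append(f"invalid {tag}={tags[tag]}")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append(f"pct must be 0-100, got {tags['pct']}")
    for tag in ("rua", "ruf"):
        for uri in (u.strip() for u in tags.get(tag, "").split(",")):
            if uri and not MAILTO.fullmatch(uri):
                problems.append(f"{tag} entry is not a mailto: URI: {uri}")
    if tags.get("p") == "none" and "rua" not in tags:
        problems.append("p=none without rua: you will get no reports to act on")
    return problems


if __name__ == "__main__":
    for record in ("v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100; adkim=s; aspf=r",
                   "p=reject; v=DMARC1",
                   "v=DMARC1; p=none; pct=150; rua=https://example.com/report"):
        print(record, "->", validate_dmarc(record) or "OK")
```

The usual rollout matches the checks: start with `p=none` plus a `rua` address, confirm the aggregate reports show only legitimate senders passing SPF or DKIM alignment, then move to `quarantine` and finally `reject`, optionally with `pct` to phase it in.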

  • Dns resolver port for pfblockerng

    1
    0 Votes
    1 Posts
    359 Views
    No one has replied
  • Avahi, VPNs and the dreaded MacOS Machine Name (42) problem

    2
    0 Votes
    2 Posts
    370 Views
    MORGiON

    I have the same issue, have not found a way to remedy it  :(

  • PPP interface not working after reboot

    1
    0 Votes
    1 Posts
    433 Views
    No one has replied
  • Make pfSense act like Cisco VPN Client

    4
    0 Votes
    4 Posts
    1k Views
    V

    @robi:

    If you'd change all the clients, you could easily do the job with OpenVPN inside pfSense.

    robi, what do you mean by "change all the clients"?

  • How to make use of VLANs

    12
    0 Votes
    12 Posts
    2k Views
    K

    Thanks for all of the pointers from everyone. I decided to forgo the VLAN multi-SSID feature of the TP-Link AP and move it over to the LAN. I do have a Ubiquiti NanoStation loco M2 that I thought I would swap with the TP-Link, but until I can understand the VLAN process, I will save that for another time.

  • Locks up on booting (was Restoring part of my config to a new system)

    6
    0 Votes
    6 Posts
    602 Views
    R

    I am kind of getting further.

    I tried once more, but rebooting with both LAN and WAN disconnected, i.e. yanked the cables out.

    It seemed to boot properly. Just trying to restore each bit in turn now and seeing how it goes...

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.