  • When to enable the tcp flag "out of"?

    0 Votes, 4 Posts, 2k Views

    Thanks, that explanation also confirms what I read here:

    https://www.openbsd.org/faq/pf/filter.html

    ctrl-f tcp flags

    This doc cleared up my confusion on tcp flags a lot.

  • Feed banned host from FreeBSD mailserver to pfsense? (fail2ban)

    0 Votes, 6 Posts, 879 Views

    The diagram was more for me to talk to while I tried to explain to my friend.  Not much useful content.

    Sent you a PM.

  • 2.4.2 not getting install on Intel 945 motherboard

    0 Votes, 4 Posts, 492 Views

    Thank you Grimson… it is working.

    The following commands helped:

    gpart recover da1
    gpart set -a active da1

    regards,
    Ashima

  • Annoying Snort Issue

    0 Votes, 4 Posts, 715 Views, last post by bmeeks

    @aadder:

    I can understand that.  I'm curious when they might clear up the issue.  It's been 3 days.  I would hate to see sourcefire have the same issue at work.

    I believe this was identified as an error in one of the volunteer-maintained OpenAppID rules.  That rules package was created and is maintained by an individual in Brazil.  The pfSense team just recently moved the hosting site from a Brazilian University over to pfSense infrastructure.  The text OpenAppID rules are not maintained by the Snort VRT.

    I was under the impression this rule typo had been corrected a couple of days ago.  You could try reaching out to the pfSense team for more information, or temporarily turn off the OpenAppID rules and see if the error goes away.  I think it will.

    Snort has one failing compared to Suricata.  With Suricata, when a rule syntax error is encountered, the binary will print an error message but then skip the offending rule and load the others.  Snort, on the other hand, will print an error and exit when encountering a rule syntax error.  This behavior is baked into the underlying binary and is not something the pfSense GUI package can influence.

    Bill

  • Load Balancer and apache virtual hosts

    0 Votes, 2 Posts, 543 Views, last post by jimp

    For https checks with host to work, it requires SNI. The load balancer is very, very basic and cannot do that.

    HAProxy is only recently gaining that ability. I'm not sure if it's in the haproxy package yet, but it might be there, or in the haproxy-devel package.

    Check the cache/proxy board here under packages.

  • Voip Telephones don't get connection

    0 Votes, 2 Posts, 318 Views

    Can a PC ping 192.168.178.1? If not, then your routing/firewall rules are wrong.
    Should the telephones connect to the fritzbox? If yes: is that option enabled on the fritzbox? Can you see something in the error log on the fritzbox or on the phone?

    Do you have specific rules to allow traffic from the phones to the fritzbox? Or do you allow all for testing?

  • In the event of crash

    0 Votes, 4 Posts, 481 Views

    WinSCP is the easiest method.

  • HAProxy Frontend Limit

    0 Votes, 4 Posts, 1k Views

    Can you try with this patch applied?

    .../files/usr/local/www/haproxy/haproxy_listeners_edit.php              | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/pfSense-pkg-haproxy-devel/files/usr/local/www/haproxy/haproxy_listeners_edit.php b/net/pfSense-pkg-haproxy-devel/files/usr/local/www/haproxy/haproxy_listeners_edit.php index 7f2d2af..1647034 100644 --- a/net/pfSense-pkg-haproxy-devel/files/usr/local/www/haproxy/haproxy_listeners_edit.php +++ b/net/pfSense-pkg-haproxy-devel/files/usr/local/www/haproxy/haproxy_listeners_edit.php @@ -361,7 +361,7 @@ if ($_POST) { } if ($_POST['client_timeout'] !== "" && !is_numeric($_POST['client_timeout'])) { - $input_errors[] = "The field 'Client timeout' value is not a number."; + $input_errors[] = sprintf(gettext("The value '%s' in field 'Client timeout' value is not a number."), $_POST['client_timeout']); } }
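
    Review bot: the new message text in this hunk reads awkwardly ("The value '%s' in field 'Client timeout' value is not a number."); drop the second "value". Also, the change interpolates the raw submitted string `$_POST['client_timeout']` into an error message that the GUI renders, so either confirm that the `$input_errors` rendering path HTML-escapes its entries or escape the value here, so a non-numeric submission cannot place markup in the error display. Suggested line: `$input_errors[] = sprintf(gettext("The value '%s' in field 'Client timeout' is not a number."), htmlspecialchars($_POST['client_timeout']));`
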
  • Allow access to Apple IPs?

    0 Votes, 9 Posts, 3k Views, last post by johnpoz

    Port 5224 is Plesk license updates (outgoing connections only).. Do you run that on your network?  Also listed as HP vm console port, etc.

    udp 123 would be anything setting time.. A lot of apple devices will point to apple for time hard coded.. Many things could have ntp coded… My freaking smart lightbulbs like to go to uk.pool.ntp.org etc.. Even when I hand out local ntp server via dhcp.. They don't care they are hard coded - and I'm in the US.. So I just redirect that fqdn to my local ntp server IP via host override.  As to icmp - again many things might ping something out on the net to see if they have internet access..

    In your home network seems pointless to not allow outbound for devices you trust to run on your network.  If you're curious or paranoid then log it and look into what the traffic is..  I log all my iot devices outbound access.. They normally do dns queries to hard coded 8.8.8.8 for example, they phone home to amazon CDN on https, etc.  If I saw them sending traffic to china might be a bit perplexed and look into that for sure.

    Your 16385-6 is Apple FaceTime, Apple Game Center (RTP/RTCP)

    Trying to block ports is going to turn into a whack-a-mole game.. Oh shit this doesn't work, open that.. Oh shit that doesn't work open this.. Oh why do my iot devices not work on the schedule I set - well shit I was blocking them from setting time, etc. etc.

  • Ram Disk full

    0 Votes, 4 Posts, 591 Views

    Option 8 console, du -sh command / directory

  • Usb_modeswitch

    0 Votes, 1 Post, 988 Views
    No one has replied

  • Multi IOT Device Network Setup Question

    0 Votes, 5 Posts, 1k Views

    Interesting discussion…and scary! Your sprinkler needs Internet access? I get it...but wow!

    How about this for an approach:

    I would look at grouping devices by trust and damage that can be done if they are hacked. i.e. if your sprinkler is hacked you get a wet lawn vs your cameras hacked and they can look inside your house and put your family online!

    Maybe put your cameras on their own VLAN with very restrictive rules, specific alias IPs, limited ports, snort IPS, etc...

    Sprinkler, thermostat, TVs, A/V receiver, wireless printer (no internet access), wireless light switches on their own.

    I have a printer which I don't trust as far as I can spit...so I don't give it any internet access. I group it in my IOT VLAN and access it through policy rules from other VLANs.

    Email/banking devices get their own VLAN.

    Alexa maybe its own VLAN...that's another scary device.

    I think the balance you will need to look at is manageability, security, usability and privacy. Keep it simple...

    Follow up questions would be:
    Do you have cable running thru the house or is wireless your only option? That would drive the number of SSID vs using a switch and hardwire.
    How big is your house i.e. do you need a big range?
    Do some of these devices need to be on the same segment to control?

    Open to feedback...

  • Need help setting up guest VLAN with AP on Cisco SG300 switch

    0 Votes, 19 Posts, 3k Views

    Ok, I just got my Cisco WAP121… and everything is running super smooth. When you fire up the AP the first time, you are presented with a config wizard; I simply entered VLAN 40 when it asks for the wireless VLAN. Didn't have to touch anything else. And now everything works perfectly. This makes me positive the D-Link DAP-1353 is either broken, bugged, or doesn't comply to the networking standards.

    At least the time spent on this "project" wasn't entirely wasted. I've honed my VLAN'ing skills, and learned a couple of new tricks :)

    The AP only needs to be VLAN capable when you want to run different SSIDs on different VLANs.

    I figured I'd need VLAN to separate the web interface from the guests, so I'd be able to config/snmp without having to access their network directly. Could this be done differently, even without VLANs?

  • PPPoE connection dropping intermittently / WAN interface reset

    0 Votes, 6 Posts, 2k Views, last post by JKnott

    One thing about shielded cables.  They're supposed to be grounded at one and only one point.  If they're not grounded, the shield is ineffective.  If grounded at more than one point, ground loops may occur.
    However, given that just moving the cable causes failure, it's likely a poor connection somewhere.

    Rule of thumb, when something fails, cables and connectors are the likely suspects.

  • Remove old packet capture files?

    0 Votes, 4 Posts, 2k Views

    Thanks both. I feel so silly for not thinking of starting a new pcap with a small count  :o

  • LDAP worked in 2.3, broke in 2.4 - ssl issue?

    0 Votes, 6 Posts, 767 Views

    @jimp:

    If it is this issue, then you must upgrade to pfSense 2.4.2 or later. Once you are on 2.4.2, you can edit the LDAP server entry on pfSense and for the Peer Certificate Authority, set it to Global Root CA List

    This is a great fix BTW!
    Fingers crossed that it migrates to FreeRADIUS package too :)

  • Basic VLAN config?

    0 Votes, 5 Posts, 3k Views

    Thank you John, V3lcr0, and marvosa, for the incredibly helpful replies above.

    I've taken time to read carefully and try and learn from and understand all the points made, which is why this reply has taken some time.  I now realise that my question was, as you said, poorly worded and a bit too clueless. I didn't actually know the right question to ask. I think I have a much more specific focus and a bit more of a clue now. Thank you for the effort in helping me.

    I've posted my more focused question in a new thread under "wireless" so this one can drop to the end and not accidentally confuse anyone who finds my OP unhelpful. :)  It should be more "to the point".

  • Help: PFsense crash during update

    0 Votes, 2 Posts, 297 Views

    Is there a way to extract all settings, and then reinstall pfSense and re-deploy the settings? Or something like that?

  • Disabling IPsec phase 2 results in complete loss of communication

    0 Votes, 1 Post, 259 Views
    No one has replied

  • Redirect to specific host according to port

    0 Votes, 5 Posts, 532 Views

    Thank you very much Stewart! This topic is now solved! :)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.