@stephenw10 based on observation over the past day (or so) it looks like a one-time thing.

/usr/local/etc/wireguard -Rico

That setting has nothing to do with clients.. That has to do with how pfsense resolves.. It just what you want pfsense to do when it needs to resolve - say resolve an IP in the firewall logs, or asking for alias fqdn, or checking for its own update. Clients asking unbound - that has no effect on. But with how you have it now - pfsense would not be able to resolve any local resources.. It could have a hard time working out what client is at say 192.168.1.43 for example in your firewall logs..

@potjoe said in How to route promiscuous traffic ?: because you should not see traffic on private subnets go through the firewall. Nope. Because you cannot have the same subnet on two interfaces, it breaks routing, so traffic there should all be on o9nbe interface and the two devices talking to each either directly. But here you are in fact trying to workaround some ISP requirement where you have two devices in the same subnet on different interfaces. I still don't expect to see it on the firewall because they should just ARP for each other and fail. I'm not sure how that TCP session can ever establish. The only way I can see this working is be bridging and that would probably break numerous other things. What exactly is this device on the LAN? Does it have to be on the LAN? Steve

@overlord73978 Stay healthy

There is an entire sub-forum here dedicated to the Snort and Suricata IDS/IPS packages. Here is a direct link: https://forum.netgate.com/category/53/ids-ips. At the top of that forum page you will find a number of Sticky Posts describing the various operating modes and how to configure them. This one should get you started: https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-introduction-and-configuration-instructions. Note in the linked post that not all hardware NICs support the netmap kernel device required for inline IPS operation. If your NIC does not support netmap, then you will have to switch to Legacy Blocking Mode.

Another option here, if the files are small, is to use the Filer package. That includes additional files in the config file so they will be restored if you have to re-install completely. Steve

Ok, so your public IPs are in the same subnet I assume? Does the TP-LInk actually get a public IP or is it port forwarded from the Comcast router? I would still suggest using a single pfSense instance with just a modem in front of it if you can. Steve

@rico That has literally never worked for me until now. Thanks!

@jimp Thank you for the reply. I have previously researched the solutions you suggest. First, X-Forwarded-For does (obviously) not work when using TCP forwarding in HAproxy. The proxy cannot add an extra header to the HTTP request if the request is encrypted. HAproxy tries to solve this using the PROXY protocol, but that does not work with Microsoft IIS (any version). HAproxys transparent IP is an advanced source IP spoofing that requires a very specific setup in regards to the internal servers remote gateway settings. It won't work with our current setup. We could possibly change our server to make it work, but really - all this extra work for what? Just a much more complicated setup with extra load on our firewalls, larger attack surface (proxy vs NAT) and a non-standard hack to route return traffic (when using transparent clientIP). Relayd is very simple and much more secure by design. Even if there is a problem with the SSL implementation in relayd it is only used for the internal checking of server status (I assume), so it wouldn't be a serious threat to our servers. Since relayd is simple, we can probably write a small script and have it run every second or so. Checking the server status with curl and modifying an NAT alias with aliasmod would actually be pretty similar to relayd in our case. I'm just a bit annoyed by the assumption that HAproxy can do what relayd does, because that is just plain wrong.

No its not it just turn off because of non interaction.. It just goes poof off.. Can be hours into watching, or just a few minutes.. Sometimes seen it happen a few times in a row.. If you look up the tv brand - you see quite a few people complaining about.. But wonder if it is power related. Not going to hurt to have a ups on it ;) When it shuts down for normal reason you see icon in top right showing power down.. When this happens its just "poof" off.. Like you pulled the plug or something.

@ahmetakkaya I agree with noplan...you can and should do this with 2 VMs on a single machine. The Omada controller is free to download for Windows or Linux (https://www.tp-link.com/us/support/download/omada-software-controller/). There are many choices of VMs for Linux...take your choice. Then install Pfsense on a separate VM. You just have to spend some time configuring the interfaces. You really want to keep the firewall separate from other software.

It's not included in pfSense. There's no easy way to add it outside installing it from FreeBSD with all the reasons that's a bad idea. https://docs.netgate.com/pfsense/en/latest/recipes/freebsd-pkg-repo.html#concerns-warnings Steve

There have been a number of other threads detailing this sort of setup for other providers but it usually complex! Looking at the config he uses for Mikrotik it looks like he's just bridging the internal TV port with a vlan on the WAN side trunk. But I could be wrong, I don't use Mikrotik. Steve

Sure, on the INTERFACE SETTINGS tab for the Snort interface, you can choose to send logs to the system log (which is syslog). You can also configure some of the metadata tags that are attached. So go to the INTERFACES tab in Snort, and then either double-click on the interface line in the table or click the edit icon (the little pencil) on the right side of the table row to bring up the INTERFACE SETTINGS tab. Within pfSense you can configure the system logs to be sent to a remote syslog server, if you want to do that.

Yes, that is correct. If you assign the server as an interface you have to restart the instance afterwards for the new settings to apply. You almost always want to have the rules on the assigned interface tab and not on the group OpenVPN tab. That is required for policy routing to create the firewall states correctly. Steve

@bmeeks said in Am I being attacked?: The moral of this story (from the article) is don't open stuff like SSH on the WAN side of your firewall. It should be don't use ssh with a password. Use passwordless ssh instead. Ssh supports that. You create a public/private key pair, to allow access.

@noplan said in Rename network interface?: OPT13 .... I suspect you deleted and recreated interfaces quite often.

@stephenw10 Yes, I've tried deleting all the .rrd files in that folder, repeated the import of just the RRD Data from the old box with pfSense CE into the SG-3100. I can see the .rrd files get created in the folder, but still no data appearing on RRD Summary or Traffic Totals.