• Azure LAN interface without gateway

    0 Votes
    6 Posts
    1k Views
    stephenw10

    Ha, no problem. 😉

  • Additional Router Behind pfSense

    0 Votes
    7 Posts
    2k Views
    G

    The thought was more of a "defense in depth". If something gets through pfsense, the second firewall may catch it (or vice versa).

    I will take another crack at it tonight by shutting off NAT on the internal firewall.

    Thanks for the timely responses all.

  • Blocking Games in IOS n android

    0 Votes
    7 Posts
    2k Views
    stephenw10

    Openappid in Snort is the only option for filtering at the application layer. If it does not detect the traffic as anything other than https there's not much you can do.
    There probably are blocklists available for most of that though. I would try installing pfBlockerng-dev and look at the feeds there.

    Steve

  • Safesearch issue with IPv6

    0 Votes
    4 Posts
    424 Views
    stephenw10

    I mean just what configuration have you made to enforce Google safe-search.

    Redirects in Squid/Squidguard?

    Local DNS overrides?

    Configured in Google Chrome locally? Or something in Google remotely?

    Steve

  • Why can't i access my pfsense box over OpenVpn

    0 Votes
    27 Posts
    4k Views
    stephenw10

    Yes, setting the other router to whatever bridge mode it might have available would affect anything using it directly.

    Really you should look at using pfSense instead of that router and having a separate wireless access point behind it. You may be able to use the ISP router for that purpose:
    https://docs.netgate.com/pfsense/en/latest/wireless/use-an-existing-wireless-router-with-pfsense.html

    It depends what sort of connection you have and whether it has a separate modem.

    Steve

  • Allow a user via ssh to: ifconfig eth0 down

    0 Votes
    11 Posts
    2k Views
    O

    thanks, you are very helpful and sorry for me being so untalented 🤕

  • WAN interface not getting IP address via PPPoE

    0 Votes
    5 Posts
    1k Views
    T

    Thanks, it is working now.

  • 0 Votes
    4 Posts
    265 Views
    stephenw10

    It would be via the site A end of the site-to-site tunnel. If you add it as a remote network in the OpenVPN config that will be set for you.

    Steve

  • 0 Votes
    20 Posts
    3k Views
    T

    @stephenw10
    Ok and that was exactly what I observed :) Thanks again!

  • Not show VPN traffic on WAN traffic graph?

    0 Votes
    4 Posts
    325 Views
    T

    Ok. Thank you :)

  • PFSENSE CRASHED

    0 Votes
    6 Posts
    1k Views
    M

    I just reinstalled it and everything is working great now.
    Thank you!

  • Restricting Access to pfsense webgui with MAC address

    0 Votes
    7 Posts
    750 Views
    O

    Thanks everyone it worked....

  • Issue trying to run another dns resolver on a virtual ip

    0 Votes
    3 Posts
    588 Views
    B

    @stephenw10 thank you, that was actually very helpful. Initially I enabled the DNS Forwarder, but I selected the VIP in interfaces and checked Strict Binding. Now that I have rethought it, I chose LAN from interfaces with Strict Binding enabled and it works after reboot. I can verify using dig that everything works as expected.

  • Dashboard overuse cpu

    0 Votes
    3 Posts
    371 Views
    M

    @stephenw10 said in Dashboard overuse cpu:

    Hmm, that does seem excessive, unless each of those cores is running at 100MHz or something!

    What widgets do you have on the dashboard?

    That looks like it's from the firewall logs widget. Are your log files set to a huge size?

    Steve

    Thank you, finally after cleaning the system logs and those of pfblocker the use of the cpu is back to normal.

  • pfSense Shuts down on its own?

    0 Votes
    4 Posts
    1k Views
    jimp

    Most every time I've had a system shut itself down mysteriously it was due to a BIOS overheat event. Might be something that only happens under load, and happens very fast.

  • Realtek NIC question and wireless network segregation

    0 Votes
    19 Posts
    1k Views
    X

    yup, for sure, thanks again for your help!

  • Remotely enamble disable rule

    0 Votes
    6 Posts
    1k Views
    KOM

    I doubt it. This post is four years old, and that user has not logged in since November 2017.

  • Which software to use for bot detection over Lan

    0 Votes
    21 Posts
    3k Views
    Gertjan

    @OpenWifi said in Which software to use for bot detection over Lan:

    I believe this means clients on the lan would not be able to send mail!!

    Again, you admin a firewall. There is no such thing as "Wondering" and "Believing". Things happen because you let them happen. And things that you do not want, you stop. You are the boss.
    A boss doesn't "trust" or "believe".

    Maybe this is new to you:
    Mail clients like Outlook Express, Outlook (Office) or Thunderbird should not use port 25 to send mail.
    They are set up to use (as stated above) port 587 or port 465. These two ports permit someone to send mail if they can authenticate themselves first == have an account at that mail server.

    Like: you cannot send mail using mail.gmail.com on port 25: Gmail does not allow this. Gmail is not an open relay. You should use 587, no, better: port 465.

    For historical reasons, ISPs allow you to use their mail servers so you (not your unknown visitors !!) can send mail to someone. This is an exception. Do understand that the ISP knows who you are: you are using their "land line" to connect to their services.

  • System crash on gateway alarm?

    Locked
    0 Votes
    7 Posts
    3k Views
    A

    UniFi switch(es) yes, but LACP no. And it's the GUI that becomes unresponsive. I didn't try the console.

  • help with youlube streaming

    0 Votes
    23 Posts
    2k Views
    bmeeks

    @stephenw10 is correct. It seems the DNSBL feature of pfBlockerNG is intercepting the attempted domain-to-IP lookup made by your phone and instead of sending your phone the real IP of the domain it is redirecting your phone to the internal web page hosted by the DNSBL code. That's what the 10.10.10.1 address is.

    This is the problem that can result from using tools that use IP blacklists as the basis for their block decisions. Many of these lists are not always 100% accurate, and they sometimes tend to broad-brush when marking IP subnets as malicious. What I mean by that is they can unintentionally blacklist an IP address that is actually OK but just happens to be located within a larger block the blacklist is marking as bad. Of course it is also possible that DNSBL is flagging the IP block because it serves up ads.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.