• Access menu with common user then su root (SSH)

    3
    0 Votes
    3 Posts
    2k Views
    M

    @jimp Thank you! It worked.

  • Time is not syncing

    Locked
    62
    0 Votes
    62 Posts
    15k Views
    jimp

    Locking this as it's gone completely off topic.

  • pfSense UI freezes when a complex webpage loads

    1
    0 Votes
    1 Posts
    204 Views
    No one has replied
  • Transparent firewall/nat to secondary gateway possible?

    Locked
    2
    0 Votes
    2 Posts
    417 Views
    ivor

    Talk to your network administrator or superiors about granting you more access. Adding pfSense there will only get you to break company policies. We generally don't help with requests like these.

  • VLAN Assistance

    43
    0 Votes
    43 Posts
    8k Views
    easysimpleit

    It was so simple I feel stupid. I knew it was something stupid simple but missed, I missed it because it shouldn't have been selected anyway.

  • Internet drops when saturating download

    13
    0 Votes
    13 Posts
    3k Views
    GTAXL

    At first his ISP thought he was going over his rated speed, but we traffic shaped and determined that was not the problem. His ISP now thinks it is the PPPoE Keep Alives not being received thus terminating his line. How would he go about mitigating this on the SG-1000?

    Here is what the ISP said,

  • Found a quirk w/ pfSense on EC2.. Hope this helps someone else

    4
    0 Votes
    4 Posts
    682 Views
    W

    And here's what the routes look like after manually assigning the DNS servers in the GUI, assigning them the default gateway, and unchecking "Allow DNS server list to be overridden by DHCP/PPP on WAN"

    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            10.251.253.33      UGS       xn0
    10.251.251.67      10.251.253.33      UGHS      xn0
    10.251.251.252     10.251.253.33      UGHS      xn0
    10.251.253.32/27   link#5             U         xn0
    10.251.253.55      link#5             UHS       lo0
    10.252.252.245     10.251.253.33      UGHS      xn0
    104.43.216.101     10.251.253.33      UGHS      xn0
    localhost          link#2             UH        lo0
    172.19.0.1         link#2             UH        lo0

    Now traffic from the other side of an IPSEC tunnel can reach the DNS server IP addresses.

  • PFSENSE TROUBLE WITH NAVEGATION

    10
    0 Votes
    10 Posts
    1k Views
    stephenw10

    Ok, well try setting 8.8.8.8 as the DNS in System > General setup and set Unbound to forwarding mode.

    Steve

  • This topic is deleted!

    1
    0 Votes
    1 Posts
    30 Views
    No one has replied
  • Suricata & IPv6 Alerts

    2
    0 Votes
    2 Posts
    3k Views
    X

    Did you ever figure out how to ignore alerts for IPv6 ICMP and multicast? I have a similar setup with the same issues on the WAN side. My provider refuses to turn off IPv6 on the cable modem. I have "Allow IPv6" unchecked in System -> Advanced -> Networking. I also have "IPv6 over IPv4" tunneling unchecked.

    I also don't understand why despite a firewall blocking everything unless allowed, we still see alerts for ICMP?

    My setup differs in that although I am using Suricata with blocking turned on, I am not in Inline Mode, not Legacy Mode. I am only using Snort Personal rules with the pre-set "Balanced" IPS Policy set and nothing else, yet.

    I see lots of things that I want to start messing with in System -> Advanced -> System Tunables to further turn off support... but I definitely don't fall into the pre-requisite "Advanced Users" category.

    However, my end goal is not to just suppress alerts and therefore allow IPv6 packets, but to just drop all IPv6 packets and not log any pattern alerts or logs in any system.

    If my provider or anyone wants to talk on IPv6 I want it to be a black hole of nothingness for them to waste their time on and not bug me about it.

    I have an HP switch that I setup an access list to drop all IPv6 on my LAN side, but that doesn't stop the thousands of alerts in the Suricata logs on the WAN port. Just stops all of the alerts on the LAN side. This is working perfectly, because anyone that leaves IPv6 enabled on their device just drops at the switch so I never hear about it on pfSense.

    Can I do something similar to this on the WAN side?

    ipv6 access-list "drop-all-v6"
       10 deny ipv6 ::/0 ::/0
    vlan 444
       name "YO_MAMA"
       untagged 1-48
       ip address 172.25.1.2 255.255.255.0
       ipv6 access-group "drop-all-v6" vlan-in
       exit

  • Eyezon Alarm Monitoring

    10
    0 Votes
    10 Posts
    2k Views
    johnpoz

    look in pfsense arp table.. Do you see the IP is it on the mac you setup the reservation for.. If so then it would show up as online, if not then it would be offline.

    Your last one there is showing online

    Keep in mind I was pinging my AP from another segment, so it had to talk to pfsense (its gateway) to answer. So pfsense would need its mac in its arp table. If the AP was on the same network as I was pinging from then pfsense would have not learned the mac address and would show it offline. Have pfsense ping the device, or have the device talk to something that would require it to talk to pfsense.

  • Error occurred while attempting to call XMLRPC method filter_configure

    9
    0 Votes
    9 Posts
    2k Views
    D

    Hello Friends,

    I'm having the same issues... created a post here: https://forum.netgate.com/topic/131916/pfsense-with-ha-closing-sessions-when-apply-any-rule

    Has anyone solved this issue? Is this a bug?

  • Alias bulk export

    4
    0 Votes
    4 Posts
    824 Views
    jimp

    Then export aliases from both, open the files up in a text editor, splice in the new content, and restore.

  • What is included in backup?

    3
    0 Votes
    3 Posts
    381 Views
    wgstarks

    Thanks

  • Squid Or Snort Or Anything - Visited Sites Log

    1
    0 Votes
    1 Posts
    249 Views
    No one has replied
  • tagging traffic on Windows and route it on pfsense

    5
    0 Votes
    5 Posts
    979 Views
    johnpoz

    No, what I'm saying is that is how you could flag traffic in windows. Then you should be able to route that traffic with whatever specific marker you put.

    There is no other way I know of to tag or mark traffic coming from a specific application other than with dscp.

    You can route traffic in pfsense really easy based upon source IP, source port, Dest port, dest IP, etc. And then you can tag that traffic for other rules to process, etc. But that is not what you asked - you asked per application how to mark the traffic.

    So for example you could mark traffic that is coming from your browser with af11, and traffic coming from say application XYZ with af12.. Then you could tag traffic coming from IP of your box with af11 as browser, and traffic with af12 as application and then route it based on those tags in pfsense rules.

    This way even if going to the same dest IP, you could tell what is browser traffic and what is application traffic.

  • 0 Votes
    12 Posts
    2k Views
    H

    Yeah a regression is a possibility. But as you say, I would have thought this would have caused somebody else issues as well previously. Anything you manage to find is appreciated, thanks for looking at it.

  • Suricata floods system log

    4
    0 Votes
    4 Posts
    789 Views
    stephenw10

    That setting makes no difference to the firewall log; it only affects Suricata logs in the System log.

    You can still see the Suricata logs by going to the logs tab in Services > Suricata.

    Steve

  • Obtaining update status checking never stops

    10
    0 Votes
    10 Posts
    964 Views
    B

    @jimp Updating :) 2.3.6.a.20180612.1214 [pfSense-core] Done! Thanks again!

    Bob

  • Intel Lazy FP State Restore CPU bug

    2
    0 Votes
    2 Posts
    617 Views
    ivor

    A patch to FreeBSD -HEAD has been issued and we are evaluating. More information soon, pfSense development snapshots will be first to have this fix.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.