• Running Suricata causes swap_pager_getswapspace failed

    4
    0 Votes
    4 Posts
    550 Views
    bmeeksB
    Agree with what others have already posted: you need to either significantly trim the rules you have enabled in Suricata or else bump up the RAM in the machine to at least 4 GB - and 8 GB is even better. But even with 4 GB of RAM, you will still want to carefully select the Suricata rules you enable. And as mentioned, once your box starts using swap space, performance goes quickly into the toilet.
  • How to restore PFsense config if it fails?

    7
    0 Votes
    7 Posts
    801 Views
    stephenw10S
    In most configs you can simply reassign them in the gui and away you go. But you can imagine how that might not be so easy if you have, say, a lagg pair of NICs with VLANs on that and a PPPoE WAN on one of those. Editing the config directly can be easier in that situation. Though it also opens the possibility of user error. Steve
  • Build second firewall months after first to setup HA/CARP

    4
    0 Votes
    4 Posts
    524 Views
    J
    Thanks @viragomann and @Derelict, really appreciate the input. I'll go with the new build as a HA pair (although addresses currently in use would allow for HA to be slotted in without hassle), to make it as clean as possible. I will do a restore to a new VM in a dev environment though and see how nicely that works to know if it's a get out of jail card for future for a quick HA conversion. Thanks
  • netgate sg1100 not booting after power outage

    7
    0 Votes
    7 Posts
    954 Views
    stephenw10S
    What you're seeing there is the output from the SoC bootloader ROM when it has nothing to load into memory at boot. That means, for whatever reason, it cannot load uboot from the SPI chip. It's possible to attempt to recover from that by uploading a special uboot image over the serial console. It's not a straightforward procedure! If the SPI is damaged somehow it would help. It's extremely unusual to see the SPI contents corrupted during normal running because nothing ever writes to it. Only during a firmware upgrade, and even then only if that includes a uboot update. I think this would be the first time we've seen it in the field. To give you an idea of what's involved, the procedure for the standard Espressobin is shown here: http://wiki.espressobin.net/tiki-index.php?page=Bootloader+recovery+via+UART Steve
  • Setup without WAN?

    4
    0 Votes
    4 Posts
    1k Views
    stephenw10S
    Yes, you can do that. You will find there are some additional delays at boot and on some pages in the web interface when there is no valid WAN. Especially if the WAN is set to DHCP and has to timeout pulling a lease. Steve
  • Pfsense found docker process

    27
    0 Votes
    27 Posts
    2k Views
    johnpozJ
    @stephenw10 Yeah I bet ;) Other than curiosity on what it is, and how it got there being the biggest question, I would wipe this box for sure.. This is clearly not something you set up. And everything points to nefarious use.. The IPs are hosted VPS, and you got some weird ass PTR setting nasa.gov - yeah ok ;) And the one IP is a tor exit node..
  • What gets stored on /cf/conf/acb?

    3
    0 Votes
    3 Posts
    488 Views
    senseivitaS
    @rcoleman-netgate Thanks! Now that you mention it I do remember seeing the long strings there. And I'm just realizing those are numbers, not hashes. It "only" took me about 3-4 years. :) Thanks again!
  • Does pfSense use openssl 3.x at all?

    8
    0 Votes
    8 Posts
    2k Views
    bingo600B
    From https://thehackernews.com/2022/11/just-in-openssl-releases-patch-for-2.html Combined with what @jimp said above: pfSense is not vulnerable at all /Bingo
  • Snort auto-starting?

    2
    0 Votes
    2 Posts
    517 Views
    bmeeksB
    Anything that causes the pfSense built-in script "restart all packages" to execute would automatically restart Snort (since it is an installed package). The "restart all packages" script can be triggered by several events within pfSense (for instance, your WAN IP cycling to a new value or the link going down and then back up). If you truly do not want Snort to ever start on an interface, go to the INTERFACE SETTINGS tab for that instance and uncheck the Enable checkbox. That will disable Snort on that interface.
  • Half Gbit PPPoE on VLAN201 new user setup quandary

    4
    0 Votes
    4 Posts
    709 Views
    stephenw10S
    As long as you don't assign any IPs on it you should never see any traffic there directly. Though as I say it's common to see that assigned with an IP in the modem's subnet in order to access it. I use that. Just make sure the default gateway is set to the PPPoE WAN if you add another gateway. Steve
  • More pfSense woes.

    28
    0 Votes
    28 Posts
    3k Views
    johnpozJ
    @aaronouthier said in More pfSense woes.: Some Netgear routers support it. Name one - link to this feature in the docs.. Same with that USB AC1900 card.. I don't see that mentioned about it, I would think such a feature would be crazy mentioned all over the place.. Dual band routers and cards are very common - joining the connection for a big fat connection is not.. The same SSID on both bands, again very common. But you don't actually connect to both of them at the same time and get additive speed.. This is not a thing.. Just because you have the same SSID on both your 2.4 and 5 doesn't mean the bandwidth is used and shared at the same time by a single client. The client will connect to whichever one is the better choice.. All of my SSIDs are common for both 2.4 and 5.. Client actually only using 1 of those.. You can use band steering to try and get a client to pick one vs the other. But again you're not using both at the same time. edit: My controller is offline currently due to the upgrade of my NAS disks that is in progress. But I can show you the logs where, say, my wife's phone as she moves about the house moves from using 5GHz to 2.4.. Or moves from one AP to another.. The client is the one that makes a decision on what is the better choice, the 2.4 or the 5.. But if you have a way for a dual band router and dual band client to leverage both bands at the same time for a "fat" connection - you're a rich man, rich!! This is currently not a thing, that is for sure..
  • gif0 does not come up after reboot

    24
    0 Votes
    24 Posts
    2k Views
    stephenw10S
    No. Support contracts are not paid development so it would make no difference here. There are a large number of moving parts currently and development time is at a minimum. I didn't see much of a response previously. Let me retry.... Steve
  • LTR/LTS version? Old versions?

    Moved
    2
    0 Votes
    2 Posts
    321 Views
    R
    @diggy Because of the nature of internet security, bug fixes, and repairs and exploits, only a few versions of pfSense Community Edition are available through https://pfsense.org/. You don't want to run a version of pfSense that has an exploit in it that was fixed years ago. Small packages are rarely updated in the same way you would find in an Ubuntu LTS build.
  • Zabbix Proxy + IPSEC Problem: Local VIP to Remote IP not working.

    5
    0 Votes
    5 Posts
    1k Views
    R
    @stephenw10 It actually worked. I just had to change GW from 192.168.1.253 to the VIP 172.16.250.10. Thanks for your help...
  • How can I install Pfsense in my router

    5
    0 Votes
    5 Posts
    982 Views
    johnpozJ
    @gertjan thanks! yeah seems this "spam" country thinks this is a good site to link farm.. To the question asked - No, you're not going to install pfSense on a Cisco router ;) hehehe edit: We should prob just black hole that whole country.. I don't recall ever seeing anything but spam from that country, that country and their neighbor have a thriving spam economy.. But you're not going to do it here, not on my watch ;) hehehe But will give them the benefit of the doubt.. Since at least it is in the appropriate section for such a nonsense sort of question..
  • Packet loss and bandwidth limitations

    5
    0 Votes
    5 Posts
    664 Views
    J
    Hi Steve Apologies, been a bit busy the last couple of days. Just wanted to say thanks for the suggestions, I'll have a look at the CPU usage when we are seeing packet drops next and if I find anything definitive I'll update the thread.
  • Unable to ping pc on network

    5
    0 Votes
    5 Posts
    806 Views
    R
    @zenmasta typically windows defender gets picky about non-subnet traffic and blocks it... but not usually traffic from the same subnet. So if you're routing traffic you could look into how to expand the "home" networks that Defender will allow through.
  • Ping from pfSense, but not from PC.

    5
    0 Votes
    5 Posts
    581 Views
    stephenw10S
    Ok so to be clear you have all three pfSense NICs connected to the same switch? And it's an unmanaged layer 2 switch? You should be able to make that work. Mostly. But you will need to be sure you have outbound NAT rules in place to avoid asymmetry.
  • Accessing modem from lan. I don't have option to add an interface.

    9
    0 Votes
    9 Posts
    815 Views
    M
    Try this: Create a virtual IP in the same network as your modem, in this example I'll use 10.0.0.1 as an example: Where you read MVNETA1, use OPT1. Create an Outbound NAT, in this example I'll assume your LAN is 192.168.0.0/24:
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.