@Sergei_Shablovsky there are ways to do rate limiting in pfSense e.g. https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#maximum-number-of-established-connections-per-host

Does Suricata have a rule for that?

Issue resolved, this WAS NOT Pfesnese related so please delete this post as I do not have the correct permissions to do so (I just tried to delete the post).

The network interface was missing from OMV even though I can connect to it, odd. I added the network interface, part of this configuration needed the DNs server address adding, I did this and everything is working ok now.

Odd as all devices should be using Pfsense for DNS but hey, it's working, so I ain't complaining.

Apologies if I took up your time.

Regards

Trebz

@flat4 that drawing - that is not mine.. Believe Derelict is the author, I just saved it because its a great drawing to show use of downstream L3 with L2 switches as well.

Pretty sure that is just old copy of visio.. Or at least old icon set.. Could prob create a prettier looking one ;)

@johnpoz
Greetings.
I'll tell you my solution to the same problem.
After reading the recommendations on the link
https://docs.netgate.com/pfsense/en/latest/troubleshooting/filterdns-thread-errors.html
set kern.threads.max_threads_per_proc to 4096.
The problem with determining IP addresses remains.
Set kern.threads.max_threads_per_proc to 8192.
Oh miracle! The lists are working.
In fact it turned out that:
screen-2024-03-26-16-35-32.png
The number of filterdns threads turned out to be more than 4096.

@ngpfskrak

This info :

dee7b8a0-74d4-4275-b0f7-90a8b92b82bd-image.png

tells me that you can try something that would work 100 % and I'm 100 % sure.

Reset pfSense to default.
Change just one ( 1 ) thing : the password.
Nothing else.

So :
Do not change WAN settings.
Do not change LAN settings.
Do not change DNS settings. This also implies : do not add / enter / touch - don't even look at DNS - do nothing.

Also : do not import your saved config, as this would bring you back to square one : "Cannot access internet".

As you already might suspect : pfSense, out of the box, works ( ! 😊 ! )
This means you could give a pfSense to "Grand Ma" and she would have a working set up after hooking up the cables and power.

And don't worry, you won't loose anything, as you can always can import your saved config, and your back at the subject of the thread.

Thanks for the tips... it looks like it was a combination of things on an old Windows 10 Dell laptop that I had left running unattended for a couple weeks. Somehow something had crashed so hard I had to force a power cycle. I think the crash was triggered by a Windows update - when I restarted it went through the usual "please wait while we finish updating your machine because we don't know how to actually install software properly" reboot cycle.

The clue was that something was trying to contact Teamviewer and I remembered I had that installed on that machine from an old job. More recently I installed Tailscale as an overlay network, and apparently it defaults to an APIPA address when it's not connected.

21:10:02.592148 IP 169.254.71.22.61774 > 192.168.0.1.53: 7277+ A? master3.teamviewer.com. (40)
21:10:03.596669 IP 169.254.71.22.61774 > 192.168.0.1.53: 7277+ A? master3.teamviewer.com. (40)
21:10:05.610651 IP 169.254.71.22.61774 > 192.168.0.1.53: 7277+ A? master3.teamviewer.com. (40)

Thanks again!

@johnpoz

@spgeise said in Traffic seems to be ignoring rules:

@NightlyShark

NTP was always configured in the pfSense, with all interfaces included. It just refused to function on the VLAN25 interface. Strangely enough, specifying the VLAN25 address wasn't enough. Once I set the port to 123 I started to get some hits.

e09dfb7d-db40-419d-b6b1-256608af74b7-image.png

We'll go with this for now. 😆

Yes sir, thank you!

Soon as I made the network on the LAN side of pfS a Private VLAN in the VMware Virtual Distributed Switch, all the problems go away. I no longer see that private subnet (that's supposed to be private) on the rest of the network.

Again, thank you!

@NightlyShark said in YouTube blocked when logged out:

@harms32 Also, after removing it temporarily, did you perform an

ipconfig /flushdns

and

netsh winsock reset

and reboot?

No I did not. But I will keep it in mind if the problem comes back.

As of right now, everything works.

Thanks again @NightlyShark

@PnoT Last reply, another reason (beyond the multitude of reasons that have to do with established network topology practices) that a PfSense OpenVPN endpoint benefits you, is that, OpenVPN inside of a FreeBSD jail cannot (I think) use the AES-NI HW acceleration offered by modern CPUs for cryptographical (AES) operations. PfSense will just breeze through it. (If PfSense itself is in a VM, you need to peruse the Hypervisor's documentation to find how to enable AES-NI passthrough for the VCPUs to the PfSense VM).

@Gertjan Oh god... I replied to you before, while meaning to reply to the OP and never checked... facepalm

@ myself Hahaha, for whomever didn't realize it, this is what an unnecessary rant looks like. Let it serve as an example of what NOT to do in this forum. Please, read the forum rules.

@siwik75 Ports open on LAN are not the same ports that need to be open on WAN. Each INTERFACE has its own 65535 ports. Thus, the ports need not only be open on .53, but also on PfSense WAN. "But I used NAT rules, and port forward and..." doesn't matter. NAT and port forward are processed before the firewall rules, and WAN has a deny all in rule. So, on that interface, the packet arrives, it's dest ip changes from 10.0.1.11 to 10.0.0.53, but that doesn't cause WAN to show any sympathy, because the direction is IN. It just coldly shoots down the packet. You can see this if you activate the option to log default deny rules (in the firewall logs options tab).

@johnpoz This felt like a honeypot to anyone else?

@viragomann

Update:

After your comment that OpenVPN client needs no special treatment from pfSense and there is no activity in captured packets w.r.t 1194 port. It got me thinking there is an issue with host machine it self and after checking all settings, like DNS Config, netplan and few others.
Culprit was gateway defined in netplan. I know its stupid but that was it. I changed it to pfSense IP and everything started working again.

Thank you for replying on this thread !!

@JonathanLee I doubt it’s a false positive, but rather a bot that’s just trying to find an unpatched server by trying all IPs. It doesn’t mean it will work.

@johnpoz Thanks a lot for your comment @johnpoz
I added www.reddit.com, reddit.com and reddit.map.fastly.net to my alias. In the table it shows me the following IPs:

IP Address 146.75.121.140 151.101.1.140 151.101.65.140 151.101.129.140 151.101.193.140 199.232.189.140 2a04:4e42::396 2a04:4e42:200::396 2a04:4e42:400::396 2a04:4e42:600::396

But somehow this must incomplete. I just tried to open www.reddit.com and it did not work. In the error message it shows the IP of my VPN provider...