@johnpoz You just don't get the different in working on layer 3 and layer 2. It is why you have default gateways and default routes and they are different. ThAT SEEMS TO BE OVER YOUR HEAD. Your firewall to the world is going to be layer 3. You are lost in pfsense and you can't see the forest for the trees.
Go away John please do not reply to my threads. I will try not to post any more here.

And yes I ran a small team of network people a long time ago. I had over 4000 PCs and around 50 locations so get over it.

You ran me off last time and I went back to Cisco over pfsense. Look back in the threads years ago.
Plus pfsense was having routing issues or slowdowns on routing as I was doing layer 3 back then at home. Version 2.8 is fast now which is good. Having a connection of 10gig reduces your latency whether you run full 10gig or not. I have 1 gig of data on a 10gig connection. I think this is best you can do now for home. I have a Cisco 10gig layer 3 switch I plan to install soon. So I can push the extra data bandwidth.

@wc2l said in Teams Issues:

teams.microsoft.com works just fine.
Host "msg.teams.microsoft.com" could not be resolved.

Same for me.

edit : while waiting, read also C:\Program Files (x86)\Microsoft Teams Network Assessment Tool\Usage.docx - this is a Microsoft tool with a manual / notice .... ( 😊 )

@Wolfgangthegreat
...and to @comet424

I wasn't able to perform the 2.8.0 update this weekend, but when I got to the school this morning, it worked perfectly!

I appreciate the support from both of you, and from Netgate.

The backup/standby pfSense instance is back in place and ready in case I have a hardware failure, or a failure of the gray matter between my ears!

My best to all of you.

@ThePowerPig
So add an additional rule to allow access to internal subnets (best to create an RFC 1918 alias for this purpose), but at least for the IPs you want to access from the device in question, and move this rule up above of the policy routing rule.

Ah OK I see, the names threw me!

I had the same issue today after CityFibre went down. The PPPOE connection does not restart, luckily I can SSH in from the FTTC line and reboot it. Then it works fine. But if the ISP drops the connection, it's either access the GUI and click Connect or reboot.

@njaimo There's a note on https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-config.html

Python Module Order:

Controls the position of the Python module in the DNS resolution process. If DNSSEC is disabled, this option has no effect. Pre Validator: The script is run before DNSSEC validation. Post Validator: The script is run after DNSSEC validation.

Since we normally forward (to Quad9) we disable DNSSEC.

@reberhar Piece of cake.

Really fast with no problems.

@stephenw10
Very true.
kea2unbound requests unbound a copy of it's local 'DNS' cache so it can check what has to be removed before it adds new DNS (& PTR) info, if needed.
When Python mode isn't used, this local unbound cache can get very big.

edit :
To see it :

/usr/local/sbin/unbound-control -c /var/unbound/unbound.conf list_local_data | wc -l

If pfBlockerng is used without Python mode (also !), this cache can be very big.
Reading, writing and parsing huge data streams with PHP creates classic "don't do that" situation.

Btw, @cmcdonald (kea2unbound author, right ?) : what about a warning message in the log system when kea2unbound detects that the option Python Module under "Services > DNS Resolver > General Settings" is disabled ?
The unbound config is already loaded, so checking would be easy :

Disabling this option by itself is probably not an issue, but if pfBlockerng is installed and it uses DNSBL feeds, then things will go downwards very fast. See here :

Memory exhaustion in kea2unbound when pfBlockerNG DNSBL is enabled in "Unbound mode" instead of "Unbound python mode"

Or, as proposed in the bug comments : remove the "Unbound or Python" option completely in pfBlockerng, making Python mode default.
And what the heck, why not remove the

73568b2a-ae4c-4d4c-965a-47218552a089-image.png

option also ?! Activate it by default. Not sure why it needs an option to disable it.

Yes, it's in the RC.

It restarts ntpd because that page has the external ntp server settings on it. But nothing there looks like it would affect the firewall... 🤔

@coxhaus I no longer care either because the source code does not seem compilable for the average use. I used to have fun with compiling many years ago as a former smoothwall user.

While it may be preferable not to give the source away, the fact that pfsense if forked from an open source project (monowall) two decades ago may still require this. (I am not a legal expert on open source licensing.)

To bring this back to the title of the topic, this is solely about the release of an iso of the full compiled v2.8.0 for direct installs, not asking for anything more.

What gets logged when you run that in 2.8?

Because 10.60.0.252 is the server end of the VPN tunnel at pfSense. The local DNS resolver (Unbound) listens and responds on that IP and that is where the override is set.

Where as 8.8.8.8 is Google's DNS service that knows nothing about any local overrides you might have set. When clients use that DNS server is bypasses any local DNS overrides.

@stephenw10 Thanks for letting me know there were backend issue, I think it would be helpful if Netgate posted an announcement when there are issues, maybe some details, and an ETA to restore service.

It would save a little headache for some of us.

@rasputinthegreatest well blocking and not log would just be any any udp to that ff0e::c address or port 1900 anything, etc. And don't have it log.

As to the scanners - that is a pfblocker alias I have.. And put that in a floating rule.

scandeny.jpg

Mmm, anything further down the ruleset can get changed at reload by changing rules higher up.

@jc1976 said in Squid on 2.8:

upgrade an issue developed between suricata, pfblocker, and unbound. when i disable the two packages, all works fine

Let's consider :
If you leave the 'unbound' (the resolver) settings to "all default", the way you found them when you first installed pfSense.
You remove / don't install the extra stuff = suricata and pfblocker.
Then : no issues what so ever.
Right ?

This means your issue isn't "pfSense 2.8.0" or the upgrade. Its an 'ordinary' package settings issue - call the admin 😊

Tell you boss that suricata can only filter non TLS traffic **, something that doesn't exist anymore. Check for yourself : who visits http (port 80) sites these day ? Who collects mail using port 110 ? Who sends mail using port 25 ?
Imho : suricata, for what it's worth, can't do much these days, it can 'see' the data payload in the packets. Everything is TLS these days.

** It is possible to do TLS filtering, but that demands a 'proxy' setup, making you a real expert.

pfBlockerng is blocking you, DNS or something else ? That's any easy one, and rather simple do debug.

@johnpoz I see, thanks for explaining and the help!

I have already solved the problem by using the Python library. You can delete my post. Thank you for your help)