Fix is to set swapoff on the other drive with a cron job no code is adapted. I am going to update my unofficial guide

@stephenw10 I suppose it was static routing before wasn't it, so no outgoing NAT rules...

@stephenw10 - Excellent! Patch worked. Glad I wasn't imagining things.

@stephenw10 getting it to fit will be a challenge, with the cable I should be able to add nonconductive tape on the bottom of it and Velcro it, the other straight adapters would be too long it would hit the back, and the 90 degree one would work but put the drive directly over the cpu and memory with the added heat that would cause issues. I am thinking about velcroing it to the top side where it is close to the vented area, adding a heat sink or something to it.

@stephenw10
My only thinking is you don't want to bridge any pfsense interfaces, use layer 3 routing in a larger network between interfaces. Layer 2 has a lot of baggage. The same if you are using slow communication lines. Route over them, layer 3 instead of bridging them, layer 2. At least it was that way 20 years ago with a network of 4000 Windows clients. I would think the principles would still apply for the fastest speeds on large networks.

TIL about the System Patches package and path strips. Thanks for your help @stephenw10 . We're back in business.

@johnpoz Yep. There's also the challenge of reliably identifying and redirecting or blocking DoH traffic, assuming redirection even makes sense. I'm not running DPI, and relying on a canned list of DoH servers for identification feels fragile.

Mine is a residential network. I run standard port 53 DNS internally and unbound DoT for external resolution, mostly for privacy reasons. If there are clients on the network using DoT or DoH, I guess some privacy objective is still met ... but probably not mine :) Devices like that are (likely) on untrusted VLANs though.

@XrayDoc88 normally the firewall rules when you enable something only allow the network the device is on.. private and public just modes windows will put the firewall on, if its using the public policy it will block any inbound, etc..

if your remote nettwork is say 192.168.20/24 and your local network is 192.168.10/24 you would go into the rules and allow the 192.168.20 network.. Or for that matter just turn off the firewall on the host.

@CatSpecial202 said in DUID and IPv6 - static IP mapping best practice:

@JKnott
about 4 hours ago

@JKnott It mentions this in the article

If the O-flag is set to 1, it indicates that DNS information is available via DHCPv6. The router is basically telling the nodes to auto-configure an address via SLAAC and ask the DHCP server for DNS information.

Isn't it the DHCPv6 that will always have to provide that? SLAAC doesn't do this it just tells the service where to look.

Here's a capture of the relevant bits:

bb8c6efa-998f-4d0b-8e65-b7c310a1927c-image.png

You'll see that the O bit is not set, which means DHCPv6 is not used. SLAAC provides all you need, including the DNS address.

@stephenw10 this is the version.

f9eb94ca-1424-4854-bdc4-165547285749-image.png

Do you have SWAP enabled? What size is it if so?

@mer it’s on a external drive so if someone grabs it and takes it my credit card etc is not on the drive, it’s not internal that was FreeBSD recommendation to use Eli for external usb swaps

Well, not sure how to fix it. Or help diagnose. Please let me know if I can provide more info on this one to help me fix it. Thanks!

@chrcoluk said in PSA: If you are using DHCP options with Windows 11 and DHCP/networking ceased to function after upgrading to Windows 11 24H2 ...:

, I use option 43 to make sure Netbios is disabled

Ah - ok that use case seems like it would be more common on a user machine vlan..

@Mission-Ghost Update went smoothly having no packages installed. Re-installed the packages and that went smoothly including picking up the package settings from before.

Now testing it overnight with some traffic.

I'm not aware of any limit. I'd expect that to work.

@FWright Your option b wouldn't work.

If your untagged network on pfsense is 192.168.10/24 then why would you think you could create a vlan with that same network..

You have few ways to go about this, either change your pfsense untagged network to something other than 192.168.10 or change your vlan 10 IP range..

I too like using an vlan ID that matches up with the 3rd octet.. its an easy way to remember what the vlan ID and network is.. Why not use say 192.168.30/24 vs 10, and use the vlan ID 30.

You could change your untagged network to say 10.10.10 or 172.16.10/24 and then you could use 192.168.10 on your vlan 10.

Or use one of those other network on your vlan 10.. As mentioned its not actually the vlan 10 that is the problem, its that you have overlapping networks.

@jra9511 said in Common rules for various interfaces in Suricata with Pfsense:

Thanks for the answer, really what we want is to see how to apply the same file that contains several rules to all the configured interfaces, otherwise we have to edit the rules in each interface and copy them. We try to do it through the MGMT SID but it gives us a warning that the file is found but the rule is not loaded, we clarify that we are not using any of the default rules that suricata comes with, we use one called custom rules to adapt it to our environment and avoid false positives

No, there is no common file. On pfSense, each configured Suricata interface has all of its files contained within a unique subdirectory underneath /usr/local/etc/suricata/. The contents of custom rules are actually stored as Base64 encoded data within the config.xml firewall configuration file and then written out to a text file in the interface's subdirectory when needed. Any changes you might make to those local files will be overwritten by the GUI code the next time any setting is modified within the GUI.

I don't know what your pfSense experience level is, but some new folks are not aware that pretty much every configuration parameter is stored in the config.xml file and then written out to the various text files in /etc/ and /usr/local/etc/ and other locations when the user clicks Save. That means any changes made directly to these system files are not persistent as the files are recreated using the config.xml contents when changes are saved.

@Gertjan,

Merci de ton retour.

Mais les IgcX sont les port réseaux du LAN ils sont en RJ45.

Pour la partie publique/WAN il y a les interfaces wan1 et wan2. Chaque interfaces wanX ont deux ports : RJ45 et SFP.

J'ai vu que le les ports IgcX ont bien ceci :

supported media: media autoselect media 2500Base-T media 1000baseT media 1000baseT mediaopt full-duplex media 100baseTX mediaopt full-duplex media 100baseTX media 10baseT/UTP mediaopt full-duplex media 10baseT/UTP

Ce qui m'étonne puisqu'il est censé avoir 4 ports 1Gb, pas plus.
Les specs officiels de chez netgate :

Network Ports: 6 Independent 1G and 2.5G Flexible WAN/LAN Configurations. Use a combination of 6 ports for maximum flexibility - with 1 and 2.5 Gbps WAN capabilities across RJ45 and SFP ports, as well as 4 discrete, unswitched 2.5 Gbps LAN ports

Par contre en regardant mieux je vois qu'il y a deux types de ports Ix :

les Ix (sans doute) SFP : supported media: media autoselect media 2500Base-KX les Ix (sans doute) RJ45 : supported media: media autoselect media 10baseT/UTP media 100baseTX media 1000baseT

Mais plus loin dans la doc il est écrit :

(2) Auto media detect 1 Gbps (RJ45 copper / SFP fiber) Combo WAN ports (4) 2.5 Gbps RJ-45 "direct" (unswitched) ethernet LAN ports

Ce qui veut dire que le débit max sur un port SFP serait de 2,5G Max ...
Bon en soit c'est pas mal.

Je vais chercher, mais il semble qu'il vaille falloir tester ....

ToF.

Yes just disable all the outbound NAT rules that have destination port 500 in them. They are not needed and just make it more difficult to read.

Those firewall rules look good. As long as you are testing from a client inside the QNCNet alias and the EXPRESSVPNNEWJERSEY3_OVPN4 gateway is up traffic should go via the VPN.