You can certainly do that -- mine is higher than default, but it won't help with any "bad pkt" errors if that's what you're trying to solve. Really what you would be doing there is buying yourself a larger buffer if Suricata starts falling behind -- you've set aside more RAM in case of a backlog of packets.

@telescopedepth I appreciate people's goodwill. I understand you, also networking's jobs. you can learn enough, trought forum and community, as I do... If you really want, nothing is impossible! Meanwhile I'll reading some nice book like this Some page for a day, it's easy to follow and full of good pratice, for me. Regards. (Indeed pfSense book it is) Finally I need to thank so much pfsense team for this pretty nice gift, I dicovered few days ago, pfsense book for everyone is a must to have. Cool!

Oh, not at all! The 10.x segment I'm multihoming is coming directly FROM the pfSense firewall, and it's blocked for the Internet except for one port, SMTP (sending warning mails if someting stalls). The only possible vector is the wifi, and that has a very long passphrase in Norwegian that isn't possible to do wit brute force for a few million years. So yeah, there is the WPA-2 vulnerability, but they would have to be very close to the house to access, and my mastiff would probably start barking then.

@stewart I too would like to get to the bottom of why this is occurring. It's my nature to understand all that I can. Currently I have a couple of projects going so for the moment I will leave this be for the next couple weeks as the issue is not a high priority right now.

@johnpoz said in NAT not opening on custom Ports: see my edit... Put a box on your wan network of pfsense and do your testing... As you can see from that edit - that site is not very reliable for what your speed is or should be.. Here just started download of file from one of my servers in the NL... I have a 500mbps connection seeing 53MBps down... My connection is fine - but that scott iperf showing junk.. You sure this was for me? I don't think i've mentioned anything about scottlinux?

Just buy a power consumption meter. You need measurement on a daily/weekly basis, not spot measurements As for the ups... Its nice, however consumes electricity and it won't show total consumption As for using a clamp meter or a multimeter for power measurements, well, leave that to profesional electricians. Definitely not worth the hassle/danger.

You mean setting that still gives no serial console? And serial console is enabled in System > Advanced > Admin Access? That is the standard location for com2 but it might not be there on that hardware since they decided to use com2 as the console. Check the BIOS for any reference to the I/O location. Other than that I'm not sure what more we can do. You could try some other OS to see if that is able to use the console. Steve

@johnpoz I based my assertion, on a bad assumption. I asked for expert help. When nobody could tell me I missed something, there seemed only one explanation. No need for the kiddy stuff, we are all just trying to get this open source tool working for ourselves, correct? Apologizes to the team for bug talk.

@dimadur Рад , что помог . Удачи .

Thanks! On my OpenVPN tab I simply make a rule for each VPN subnet Im controlling. I have ten different tunnels coming into this location alone besides a roadwarrior setup.. I do think the OP could simplify his setup a bit in this fashion. from one of our spur sites.. Ive since tightened up the road warrior rule and thus done away with all the blocking rules.

I got an e-mail from Hyperoptic today saying that apparently IPv6 is disabled pending a firmware update they are currently working on... not sure if was just being fobbed off but that was enough discouragement to make me leave playing for a few days. I will try again then. I wonder if this is a firewall issue really but I tried a bunch of frankly scary things there too and nothing helped.

I got a Rule that sorts out traffic trying to connect to my LAN from the radio network. For the rest its fine since i run the other network anyway

testing out to the internet for iperf not really going to be a valid test... Test from your lan to your wan network.. Put a box on your wan and a box on your lan and run iperf between them.. Once you go out to the internet you have to many variables to rule out just something on net is problem.. Rule out your local hardware first. By testing local!!

ran a online update and all seems good. I came from 2.4.2 Nice to dhcp6 status screen fixed Nice to see I no longer need my custom patch for ntp status screen as base pfsense now allows it to wotih global noquery set. Nice to see my patch no longer needed for queue status screen refresh as base pfsense implemented custom refresh interval. Cpu utilisation is notably down I assume from the faster php 7.2. Also nice that unbound got updated, I was going to put a request in for it but was done anyway.

The bottom line is if you need Active FTP clients behind a firewall and the services provided by the FTP_Client_Proxy service are not a good fit, pfSense is not for you. The availability of certificates has nothing to do with the fact that when a client requests a file, it tells the server where to connect to and that reverse server-to-client connection has to be opened on the client side firewall. Or firewall(s) in your case. SSH has been around for 20+ years. SFTP for 15+. They still insist on using FTP.

I just updated to 2.4.4-RELEASE-p1. I will continue to monitor and see if this makes a difference.

@johnpoz The sniff was done on the WAN interface. The floating rule must have been incorrect as it was not allowing all traffic out from the LAN bridge to the WAN (besides http/s), but was letting traffic in and to the DVR. Since the pfsense web configurator port itself is not part of the LAN bridge, it seems that's why it was accessible from the outside but nothing else was. I will recreate the rule tomorrow to show that it was the cause and post results. Either way, that rule was the only difference between a very similar working setup and this setup. I tested (refreshed) between each configuration change and nothing worked until I deleted the floating rule, which was the last change to make so that this setup matched the working setup. Sorry for the noob problem, but each new solved problem is a new learning experience and one that will not be repeated again.

Hi, Again!, I have a little question about the above configuration! I calculate mtu over ipsec tunnel and enable 'Enable MSS clamping on VPN traffic' with 1486 value! over the ipsec tunnel clinets can see 2 lans without any problem. but gre or l2tp/ipsec connection seems to have mtu problem. my clients on the remove lan uses windows l2tp/ipsec connection to connect to anther vlan on the main site over the Cisco-pf ipsec tunnel. but can not access some services like https or big object like images on http. it seems that mtu problem!? BTW, my ipsec tunnel on the cisco side runs over PPPoE connection. I set 'ip mtu' and 'ip tcp adjust-mss' in pppoe interface! Any help ?!

Добрый. @JonnyDy Вариант с Openvpn на pfsense2 не рассматривали? Один порт для всего. Зы. И отдельно развернуть в локальной сети https://guacamole.apache.org/ Будет использоваться как единая точка входа в корп. сеть. https://www.cb-net.co.uk/linux/debian-8-6-proxy-guacamole-via-nginx-using-https-and-fail2ban/

anyone got any further ideas?? as soon as i take the PFsense box out of the loop everything works fine with no issues. put PFsense back in and i get the same issues, is there any "logging" i can turn on or post that would help with a diagnosis?

@bbcan177 said in Snort doesn't know about SRC-DST pairs thus unable to whitelist anything: To overcome those certificate errors, create a new DNSBL Alias and add those domains to the customlist at the bottom. Then select the "Disable Logging" and set the Group Order to Primary. Then run a Force Update... This assuming that you are on pfBlockerNG-devel. This will nxdomain those domains and also disable the logging of those domains. I did this already, thanks, I'm following your subsection on this forum also reddit... It worked, but then again it's not very much elegant solution... Especially that you can't add ALL possible sites there obviously and this list is getting bigger and bigger every day -it's a manual only process.. So yeah, not elegant at all..

@sigi said in 2.4.4 ICMPv6 Firewall Rules?: @beremonavabi Maybe you should go once to cli or "Diagnostics / Command Prompt" and execute "pfctl -s rules" this will help you understand about hidden rules.. Thanks. According to that: Shell Output - pfctl -s rules ... pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state ... That makes much of this discussion moot. It looks like fSense defaults to allowing (with various restrictions): Packet Too Big Destination Unreachable Echo Reply Echo Request Neighbor Advertisement Neighbor Solicitation Router Advertisement Router Solicitation Oddly, of the Neighbor Discovery subset, it doesn't default to allowing Redirect. I wonder why? Of course, if it defaults to allowing those ICMPv6 subtypes into the system, why not those other "must pass" subtypes: Parameter Problem (invalid IP header) Time Exceeded?

@johnpoz I'll cross my fingers!

The most likely thing there is you're hitting something really obscure that passes in php 5.6 but not in php 7. I would have expected some error though but it may simply interpret it differently. Steve

Suporteita muito obrigado pela sia ajuda e sua disponiblidade. consgui ultrapassar alguns dos erros seguinte esta documentação. creio que com mais calma poderei ultrapassar o resto. obrigado.

@be1001 said in OpenVPN Verbindung zwischen pfsense und Mikrotik: Firewall der Microtik ist offen Daran gibt es keinen Zweifel? LG