@Gertjan Mind posting your unbound config? Also, are you running on an SG-1100 also? ## # Server configuration ## server: chroot: /var/unbound username: "unbound" directory: "/var/unbound" pidfile: "/var/run/unbound.pid" use-syslog: yes port: 53 verbosity: 1 hide-identity: yes hide-version: yes harden-glue: yes do-ip4: yes do-ip6: yes do-udp: yes do-tcp: yes do-daemonize: yes module-config: "python validator iterator" unwanted-reply-threshold: 0 num-queries-per-thread: 512 jostle-timeout: 200 infra-host-ttl: 900 infra-cache-numhosts: 10000 outgoing-num-tcp: 10 incoming-num-tcp: 10 edns-buffer-size: 4096 cache-max-ttl: 86400 cache-min-ttl: 0 harden-dnssec-stripped: yes msg-cache-size: 4m rrset-cache-size: 8m num-threads: 2 msg-cache-slabs: 2 rrset-cache-slabs: 2 infra-cache-slabs: 2 key-cache-slabs: 2 outgoing-range: 4096 #so-rcvbuf: 4m auto-trust-anchor-file: /var/unbound/root.key prefetch: no prefetch-key: yes use-caps-for-id: no serve-expired: no # Statistics # Unbound Statistics statistics-interval: 0 extended-statistics: yes statistics-cumulative: yes # TLS Configuration tls-cert-bundle: "/etc/ssl/cert.pem" # Interface IP(s) to bind to interface-automatic: yes interface: 0.0.0.0 interface: ::0 # Outgoing interfaces to be used outgoing-interface: _removed_ outgoing-interface: _removed_ outgoing-interface: _removed_ outgoing-interface: _removed_ # DNS Rebinding # For DNS Rebinding prevention private-address: 127.0.0.0/8 private-address: 10.0.0.0/8 private-address: ::ffff:a00:0/104 private-address: 172.16.0.0/12 private-address: ::ffff:ac10:0/108 private-address: 169.254.0.0/16 private-address: ::ffff:a9fe:0/112 private-address: 192.168.0.0/16 private-address: ::ffff:c0a8:0/112 private-address: fd00::/8 private-address: fe80::/10 # Access lists include: /var/unbound/access_lists.conf # Static host entries include: /var/unbound/host_entries.conf # dhcp lease entries include: /var/unbound/dhcpleases_entries.conf # Domain overrides include: /var/unbound/domainoverrides.conf # Forwarding forward-zone: name: "." forward-addr: 8.8.8.8 forward-addr: 8.8.4.4 forward-addr: 2001:4860:4860::8888 forward-addr: 2001:4860:4860::8844 # Unbound custom options server: include: /var/unbound/pfb_dnsbl.*conf local-data: "_vlmcs._tcp.domain.com 3600 IN SRV 10 0 1688 pfsense.domain.com" ### # Remote Control Config ### include: /var/unbound/remotecontrol.conf # Python Module python: python-script: no-aaaa.py

@johnpoz Today I received 2 new NanoHD's. I am surprised by the weight, although the small size of the Nano (btw this high weight in comparison to it's size meaning positive, somehow weight corresponds to quality, kinda old fashion ;) ) Did a firmware update, went good. For now I have to get familiar with all the possible settings (seem a lot) and look and feel, like when it is applying new settings it uses the term "provisioning" and when it is finished it goes to "connected." I see there is an option "allow meshing from other access points" and it's enabled by default... didn't know it had mesh...might be interesting when in future there no UTP somewhere... When I change the transmit power for 5G from auto to high under Radios then I went to Radio 11N/A/AC and I see: Transmit Power 20 dBm / 23 dBm (EIRP) Does this means it transmits at 20 of the possible 23? Then I would have expected, as I set it to high is would be 23/23 And I see WiFi experience, don't know what that is, and why it is on 99/100? Tomorrow I will set it up and configure them and hopefully I will replace my current setup (an Engenius 1750H), but that is for tomorrow as today time is a challenge. Could be I have some more Q's kudos fot he advise so far.

@Gertjan On my install, if I enter subdomains like you have in the domains list they do not get filtered out. I have to enter them with a trailing "." character for them to be evaluated by the script. domains = [ "smtp-relay.gmail.com", "youtube.com.", "googlevideo.com.", "ytimg.com.", # "netflix.com.", # "netflix.net.", # "nflxext.com.", # "nflximg.net.", # "nflxvideo.net.", # "nflxso.net.", ] Non-authoritative answer: Name: smtp-relay.gmail.com Addresses: 2607:f8b0:4001:c05::1c 209.85.144.28 However, with the trailing dot on each line, the listed name, and all subdomains appear to be filtered as expected. domains = [ "smtp-relay.gmail.com.", "youtube.com.", "googlevideo.com.", "ytimg.com.", # "netflix.com.", # "netflix.net.", # "nflxext.com.", # "nflximg.net.", # "nflxvideo.net.", # "nflxso.net.", ] Non-authoritative answer: Name: smtp-relay.gmail.com Address: 209.85.144.28 Non-authoritative answer: Name: i.ytimg.com Address: 172.217.164.246

@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0: With i350 Netmap works by default, no tinckering from your side whatsoever? Yes, no problem. @NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0: I don't mind recompiling the kernel, but your steps from that thread are accurate? That's the instructions given to me by Vincenzo. @NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0: Did you got the change to do a speed test on Fiber? Not yet ... I am planning on moving in December to an area with fiber. @NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0: I am asking you because you said it's a lot of waiting, trial and error,etc, and I don't want to reach step 5 for example, and see it's "a no go", but if Luigi explained it to you, then it must work, right? As I had said earlier, Vincenzo went out-of-his way to explain everything to me and it is correct as far as I know. Also, I was very lucky to find that Thunderbolt 2 PCI enclosure used on eBay for $78.

Just for anyone else who might ask this question. I found the following work well Corsair CMSX16GX4M1A2400C16 16 GB (1 x 16 GB) Vengeance SODIMM DDR4 2400 C16 1.2V Memory What threw me initially was that on boot up, the internal fans went to full RPM and I assumed that the bios wasn't posting. I left it for about 5 minutes and then the system returned to normal state and booted ok. There is no delay on subsequent boots. Perhaps the system needed time to reconfigure itself, who knows

I don't really know, if it was listed as available in the package manager I would guess it would work... But bmeeks is the guy that would know for sure.. But what I can tell you is the 4 rules don't have those - so that would explain why you don't see them if your pulling the 4 rules..

@erbalo said in Do not have the Automatic Firewall Rules!: pfBlocker all of the block rules You'll need to live with how pfBlocker does the rules, you cant have it operate in a differnet order depending on the interface. You could actually get pfBlocker to create aliases and hand craft your firewall rules. Not exactly sure how you expect the rule with the arrow to work if its on your LAN interface.

Appears to affect physical hardware as well. I have been investigating unexplained CARP state changes between a HA pair with Netgate C2758 hardware. The CARP state change is always preceded by a filter reload. Thanks @jimp and team for tracking this down. Looking forward to 2.4.5-p1 to fix.

Got it ... it's dmesg | grep igb0 [2.5.0-DEVELOPMENT][admin@NollipfSense.nollipfsense.lan]/root: dmesg | grep igb0 igb0: <Intel(R) PRO/1000 PCI-Express Network Driver> mem 0xa1000000-0xa10fffff,0xa1104000-0xa1107fff at device 0.0 on pci7 igb0: Using 1024 TX descriptors and 1024 RX descriptors igb0: Using 4 RX queues 4 TX queues igb0: Using MSI-X interrupts with 5 vectors igb0: Ethernet address: a0:36:9f:09:b0:3c igb0: netmap queues/slots: TX 4/1024, RX 4/1024 igb0: link state changed to UP igb0: promiscuous mode enabled igb0: link state changed to DOWN igb0: link state changed to UP igb0: link state changed to DOWN igb0: link state changed to UP igb0: link state changed to DOWN igb0: link state changed to UP igb0: link state changed to DOWN igb0: promiscuous mode disabled igb0: link state changed to UP igb0: <Intel(R) PRO/1000 PCI-Express Network Driver> mem 0xa1000000-0xa10fffff,0xa1104000-0xa1107fff at device 0.0 on pci7 igb0: Using 1024 TX descriptors and 1024 RX descriptors igb0: Using 4 RX queues 4 TX queues igb0: Using MSI-X interrupts with 5 vectors igb0: Ethernet address: a0:36:9f:09:b0:3c igb0: netmap queues/slots: TX 4/1024, RX 4/1024 igb0: link state changed to UP igb0: promiscuous mode enabled igb0: link state changed to DOWN igb0: link state changed to UP igb0: link state changed to DOWN igb0: link state changed to UP igb0: link state changed to DOWN igb0: link state changed to UP igb0: promiscuous mode disabled igb0: promiscuous mode enabled igb0: promiscuous mode disabled igb0: link state changed to DOWN igb0: link state changed to UP igb0: <Intel(R) PRO/1000 PCI-Express Network Driver> mem 0xa1000000-0xa10fffff,0xa1104000-0xa1107fff at device 0.0 on pci7

I did more testing (ISO downloads, not speedtests; 20 MB/s max) and found out that, if I am not connected to any VPN (NordVPN), I only get half download speed. if I am connected via a VPN-Client on Windows, I only get half download speed. if I am connected via the VPN-Client in pfSense I get fullspeed. if I am directly connected to the Modem and don't use pfSense at all and also not connected to any VPN, I get fullspeed. So something is seriously flawed on WAN, maybe in all the senses (and or with virtualization). Its very sad.

@bobbenheim should dpinger be low and without variation when CODEL works ok? thanks

@RobertTheSwede WOW, that is dumb. I have a /56 and have used prefix ID ff for my VPN without issue. Works fine. Their policy should be everything in that /48 prefix should be forwarded to the customer. Also, it's extremely unlikely there would be any traffic for an unused prefix, as there is nothing to trigger it.

@Operations said in How do i revoke a user certificate from PFSense?: I created a list and revoked the user certificate (CA under System > Cert Manager, Certificate Revocation). Did you also add that CRL to the OpenVPN server settings?

It depends, if you notice unusual patterns while browsing the internet, then yes, you are probably hacked.

Is this some kind of joke? Windows 7 is an eol OS Virtualbox has quite some overhead. In general it is a bad idea. at least from the availiability point of view. If resources are adequate depends on what else the host os is doing. How much do you value 1800 angry voucher holders?

@rubenmv Como idea: Revisa que el cliente dhcp no tenga ningún firewall activado ni antivirus. Revisa tabla de rutas en pfsense Revisa traceroute desde pfsense Prueba en el cliente a asignar ip estática manual en lugar de dhcp.

@JonathanDO Hola. Al ser un equipo applicance de Netgate, creo que quizás, es sólo una idea, puedes consultar al fabricante o al vendedor si lo que ocurre está dentro de lo normal o hay que seguir alguna configuración concreta en pfsense.

@riftor_77 said in Predicting resources used by packages: Thanks for all the responses so far. For context, I set up my system similar to pfSense baseline guide with VPN, Guest and VLAN support and then added pfBlocker and Suricata on top. My question is actually how to calculate what changing each of those many variables will add or subtract from the resource load. I want to find it my ideal settings, calculate how much resources everything takes, and then build my system to those specifications. For example, if I am using pfBlocker and I add another feed, how do I calculate the additional CPU and RAM usage that adding that feed will require? Let me know if I am clearly explaining my request. Why not simply run a controlled test and see for yourself? Measure CPU and RAM usage while running traffic through the box with iperf without that additional feed enabled, then repeat the exact same test with the feed enabled. You can even do it several times and compute an average. I doubt you see very much of a change, though. Just remember to reset the states in between the tests to be sure the firewall acutally inspects the test traffic against the entire rule chain and does not use an existing state established during the first test to bypass a bunch of rules in the second test.

@Rico said in OVPN export to iOS fails: Yeah NM, I see Gertjan is also using udp4 in the config like TO. You bet it is ! I'm actually VPN-into-work just to get my iPhone 'multistacked' ^^ All this over an UDP IPV4 link of course.

@IsmaelPA Vc consegiu resolver o problema? estou exatamente com o mesmo erro.

From the Diagnostics / Command Prompt menu, I used ^ifconfig^ The output is among other things. ix0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=e507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6> ether 6c:b3:11:3b:bb:90 hwaddr 6c:b3:11:3b:bb:90 inet6 fe80::6eb3:11ff:fe3b:bb90%ix0 prefixlen 64 scopeid 0x1 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> media: Ethernet autoselect (10Gbase-SR <full-duplex,rxpause,txpause>) status: active and ix0.14: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=600703<RXCSUM,TXCSUM,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6> ether 6c:b3:11:3b:bb:90 inet6 fe80::6eb3:11ff:fe3b:bb90%ix0.14 prefixlen 64 scopeid 0x15 inet6 2001:984:a874::1 prefixlen 64 inet 192.168.14.1 netmask 0xffffff00 broadcast 192.168.14.255 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> media: Ethernet autoselect (10Gbase-SR <full-duplex,rxpause,txpause>) status: active vlan: 14 vlanpcp: 0 parent interface: ix0 groups: vlan So, my verdict in the previous mail was probably not correct. No idea what is wrong, one thing is for sure .... it does not work Louis

Did you run Manual Outbound NAT before your added the new OPT interface? In manual mode you need to care about the outbound NAT yourself. However, switching to automatic and back to manual will also create the rules for all Interfaces. Personally I like to have Hybrid Outbound NAT. -Rico

Hi, I have 150 proxy users in my network, running on old dual core E5200 & 3GB RAM. CPU usage is avg 5%, RAM 20%, so your HW should handle it. But Squidquard is weak point, by default it set url_rewrite_children 16 startup=8 idle=4 inside Squid advanced options. It's not enough for my users (not enought "processes"), so had to modify it like url_rewrite_children 128 startup=64 idle=32. But ANY time I set something inside Squidquard and press Apply, then default is back and have to set it again... You will probably need to set higher values (not sure what is max) to handle 600 users. BTW, I also use Squidquard with Microsoft AD, but this functionality will be gone soon, refer to this.

You can set it and see the interface status at the command line from ifconfig. For exmaple: [2.5.0-DEVELOPMENT][admin@apu.stevew.lan]/root: ifconfig re0 re0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE> ether 00:0d:b9:37:30:10 media: Ethernet autoselect (10baseT/UTP <half-duplex>) status: no carrier nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> [2.5.0-DEVELOPMENT][admin@apu.stevew.lan]/root: ifconfig re0 promisc [2.5.0-DEVELOPMENT][admin@apu.stevew.lan]/root: ifconfig re0 re0: flags=28902<BROADCAST,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500 options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE> ether 00:0d:b9:37:30:10 media: Ethernet autoselect (10baseT/UTP <half-duplex>) status: no carrier nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> Steve

@dmd1234498 said in Unable to see computers on LAN over OpenVPN: What is the difference between tun and tap? Effectively, it's the difference between a switch and router. A switch creates a flat network, where everything is in the same subnet. A router creates separate networks, with different subnets. A TAP tunnel bridges and a TUN routes.

@zsing82 said in Script not executing... command not found: Debian boxes. BSD is a whole different animal Actually, for the most part Linux and BSD are similar, in that they're both Unix variations. However, there are some differences, but nowhere near the difference between either and the Windows shell commands.

@Gertjan said in Ethernet devices being assigned WI-Fi Range IP addresses - How do I keep the subnets separate?: Most probably I didn't understand the question ... That makes two of us. I have a notebook computer here which I use on either Ethernet or WiFi. It gets different IP addresses, according to how it's connected. That's entirely normal. If WiFi is on a different subnet, how could an Ethernet device, get an address from the other subnet, unless he has something configured wrong.

The boot log from the Watchguard OS may contain clues about how the switch is configured, so that would be good to see. If you can avoid overwriting the original OS so we can refer back to it later that would be good. I believe it should boot from any mSATA device. Or even USB if there is no SATA device present. Steve

@Gertjan Hi, yes I do. For example "porn" but then obvious porn sites are not blocked.

Will walk you through the process. Backup old router Restore from backup. Interface mismatch, will select correct sg1100 interfaces. Save Everything is working, interfaces are loaded correctly. Reboot Get prompted to set vlans. All interface settings are gone.