• pfSense install extremely slow under Proxmox 8.4.8

    Virtualization
    4
    0 Votes
    4 Posts
    32 Views
    KOMK
    @Philippe-Lang Some other guy was just complaining about slow speeds downloading the installer so maybe it's that mirror having issues.
  • Blocked internet but it's still "Kind of" working

    Firewalling
    7
    0 Votes
    7 Posts
    32 Views
    johnpozJ
    @cheapie408 if you killed all the states, and you can still go somewhere - then your rules are not blocking what you want to block. You sure the states were killed off? Look in the state table - if there is a state, then your rule didn't block it, or it wasn't killed when you thought you reset it.
  • 0 Votes
    63 Posts
    1k Views
    M
    @dennypage FWIW that doesn't happen currently even with pf. The route-to rule is based on the interface's source address with any destination that's not in the interface's subnet. Still, a rule can be created that applies to the correct traffic. Given the feedback, it sounds like the issue isn't that a route should not exist, but rather some route is needed to allow pf to force the traffic. That's effectively the workaround @stephenw10 showed. Any potential undesired behavior from that kind of solution needs to be considered.
  • Torrents Resulting in WAN Packet Loss

    General pfSense Questions
    5
    0 Votes
    5 Posts
    62 Views
    planedropP
    @Gertjan said in Torrents Resulting in WAN Packet Loss: @planedrop said in Torrents Resulting in WAN Packet Loss: Anyone heard of an ISP not just throttling torrent traffic, but nuking an entire network due to torrents being detected? Officially ? Never Have ISP being suspected of filtering and limiting ? All the time. Of course they do. Because we all would do the same thing when we detect that the little brother was gobbing the entire home network as he was copying the entire pirate bay content on his laptop. So, most of us just pulled his plug, or put him behind a limiter. The ISP is/does the same thing, just one set higher. I'm not saying it's ok or even justified, but maybe torrent traffic makes them nervous. Pulled the monitoring data for PPS, figured it would be easiest to just show it, the first is my PPS graph and the second is my packet loss and latency graphs for the same time period, so they do line up (not that that's surprising). Maybe this many pps was overwhelming the ISP? [image: 1754589413839-53bd4add-ab59-48dc-996d-29688de6618a-image.png] [image: 1754589426274-e663c251-371c-44d7-bd5f-d72358752557-image.png]
  • 0 Votes
    6 Posts
    144 Views
    stephenw10S
    What? This smells like spam now!
  • 0 Votes
    13 Posts
    149 Views
    stephenw10S
    That error is from the PPPoE module so it won't show if you're not using it even if they are still arriving. Not much we can do here without more data. I suggest trying to capture these rogue packets on the WAN in a pcap.
  • Suricata on Pfsense

    IDS/IPS
    8
    0 Votes
    8 Posts
    481 Views
    bmeeksB
    @NRgia said in Suricata on Pfsense: @bmeeks Hello Bill, as others have stated, the code did not reach the final version of pfSense 25.07. Can you check with the developers? Thank you Sorry, but I am no longer able to actively maintain the IDS/IPS packages. You will need to directly address this with the Netgate team through the pfSense Redmine bug/feature reporting system here: https://redmine.pfsense.org/projects/pfsense.
  • SSH with public key and new macbook pro

    General pfSense Questions
    10
    0 Votes
    10 Posts
    83 Views
    patient0P
    @ahole4sure said in SSH with public key and new macbook pro: could you possibly send a screenshot of what all is in your config file? :) ... no, I can't do that. It is full of information not to be shown in public. But I can paste an example and you'll find a lot on the internet.

        Include ~/.orbstack/ssh/config

        # my firewall, e.g. pfSense, non-standard port
        # and specify which ssh private key to use
        Host firewall-at-home 192.168.1.1
          User root
          Port 20022
          IdentityFile ~/.ssh/id_rsa
          HostName 192.168.1.1

        # my Synology DS920+
        Host ds920plus
          User admin

        # default settings for hosts not matched
        # in above rules
        Host *
          User jane
  • 5 Votes
    29 Posts
    1k Views
    patient0P
    Upgraded a 1100 from 25.03-BETA to 25.07-RELEASE from within the GUI, no issues.
  • DHCP6 server and gateway not working with ISP modem in bridge mode

    IPv6
    5
    0 Votes
    5 Posts
    62 Views
    JKnottJ
    @cezarq said in DHCP6 server and gateway not working with ISP modem in bridge mode: If I uncheck this option the WAN gets a /128 IPV6. That's entirely normal. You don't need a global address on your WAN, but it's useful for setting up a VPN, etc. I'd recommend you uncheck it.
  • Forum change?

    Forum Feedback
    34
    3 Votes
    34 Posts
    5k Views
    S
    said in Forum change?: white on white in the Unread list Also "Off-Topic & Non-Support Discussion" I see. BTW re: my iOS Safari comment, that might be an iOS thing? I think I've seen it on other web sites occasionally. It's oddly annoying but easily fixable by pinching or swiping left to "scroll" right.
  • Slow download speed

    Problems Installing or Upgrading pfSense Software
    1
    0 Votes
    1 Posts
    19 Views
    No one has replied
  • 0 Votes
    4 Posts
    62 Views
    J
    @stephenw10 said in Cannot update SG-2440, the repo won't verify certs: Check the system clock is close to reality. Try running certctl rehash if you want to try upgrading. As stated in my original post, certctl returns "command not found". I did check the clock and it was within seconds of the correct time. Thanks for the suggestions.
  • 0 Votes
    1 Posts
    15 Views
    No one has replied
  • 0 Votes
    3 Posts
    37 Views
    MacG32M
    Thank you Stephen! Will do.
  • 0 Votes
    12 Posts
    336 Views
    stephenw10S
    OK try at the command line: pfSense-repoc -ND What error is shown? Send me your NDI in chat and I can check what it should be seeing.
  • E610-XT2

    Hardware
    4
    0 Votes
    4 Posts
    120 Views
    stephenw10S
    Given that it's already in Intel's branch I'd expect it relatively soon. It's not like igc for example where there was no driver. There is work ongoing to include it and it looks like it's imminent: https://reviews.freebsd.org/D50067
  • Starlink IP block blacklisted?

    Forum Feedback
    7
    0 Votes
    7 Posts
    70 Views
    johnpozJ
    @Popolou my guess is a typo. It might have been me that added that, not sure any mod or admin can adjust the blacklist. We get a lot of spam (a lot!). When it comes from an IP that does not seem to be a normal sort of user IP space, it can be added to a locally maintained black list. Do you know when it started blocking? I know that I have not added that any time recent that I recall. Anyone else that might happen across this thread - feel free to PM me if you feel an IP you're coming from is mistakenly black listed. While I can check and modify the locally controlled blacklist - stuff from akismet is less easy to manage, it's more of a blackbox sort of filtering and really have no control over that. But you would be amazed at how much spam still gets through. I don't think I have gone a day without deleting some spam, most days it's multiple posts. Not that long ago we had to resort to mod approved first time posts because it was just a flood of constant spam coming in. That has been removed after akismet started working again. In trying to keep a spam free space for users to enjoy, mistakes can be made. But yeah starlink is prob not a good platform to be spamming from to be honest. But vpn/vps and hosting sites are for example. I can only assume a typo on the mask cut off more IPs than were wanted to be blocked. If it was me, I do apologize for the inconvenience.
  • 0 Votes
    16 Posts
    672 Views
    stephenw10S
    Hmm, not really a significant number there. Nothing that would cause throttling to that extent. What about the PPPoE parent interface? Which I assume is ix0? Try: netstat -i and ifconfig -v ix0
  • XMLRPC Error after Upgrading to 25.07

    General pfSense Questions
    3
    0 Votes
    3 Posts
    51 Views
    stephenw10S
    Do you see blocked traffic on secondary? It sure looks like it's failing to authenticate there. Are you using a complex password? Are you using the admin user for the xml sync?