@dennypage, @maximushugus, @louis2, @jeffscott

Good news!

I have the PIMD version I did compile yesterday working !!
Including the related pfSense gui.

Not I think I can make it running the way it should in the coming week(??).

Note that at this moment I still have the following issues:

The warnings at compile time. Surely NOT OK!
=> I do not have the knowledge to fix this. but it does not be blocking. The man directory issue.
=> I have no idea how to solve that. My actual work around is removing the manual files from package definitions (NOT OK) Pimd does not run using the GUI.
=> At this moment I have to start pimd from the command line in debug mode and restart pimd after each config change. However pimd is running and I can access my media server.
pimd -n -f /var/etc/pimd/pimd.conf --disable-vifs -l debug=all the firewall rules are not yet as they should be, for the test I just opened too much.

So I have to sort out things in the coming week/weeks. But I have good hope that I can solve points 3 and 4.

If someone can solve points 1 and 2, it would be highly appreciated!!

Update auf 2.8 hat jetzt auch funktioniert, danke

Gruß

@JonathanLee said in Seeking Insight on IPV6 Suricata Alerts – "Excessive Retransmissions" and "Wrong Direction First Data":

SURICATA Applayer Wrong direction first Data

Here is the link in the Suricata docs for this stream rule alert: https://docs.suricata.io/en/latest/rules/app-layer.html#applayer-wrong-direction-first-data.

The short version of the story is that even today, after several attempted fixes within Suricata, the coders of client/server software apps seem to still be able via crappy coding to craft network flows that trip up the Suricata parser. This is basically a harmless error.

As @SteveITS said, the best thing is to disable all the Suricata stream event rules. They are informational anyway and don't necessarily indicate malicious traffic.

Yup, what I missed here is that whilst it's not hitting the default block rule it's in fact also not hitting your custom rules. It's actually the hidden block all v6 rules that are added when you unset 'allow IPv6'.

@dennypage Hasn't been a problem.

loopstats.jpg

@maximushugus

I tried to compile pimd for actual FreeBSD15 current, however I am facing issues which I can, given my limited knowledge of c, git and pimd internals, not solve.

At least I did not manage that up to now despite significant effort.

starting a tool like ^script^ and then compiling the source etc, you can see the warnings and some errors in the script generated file. In the file warnings and an error

related to e.g. not longer supported macro's and and a fatal error related to ^man^ which should be an absolute path
I tried to fix the ^man^ error using ^ConfigureOptions="--mandir=/usr/local/share/man",

That does remove the error but not in such a way that there are man8 packages in the stage directory / distribution file or package.

For that reason I did build a package without man files, and installed that pimd package on actual pfSense plus version.
It does not work. Main problem it can not find the interfaces see pfsense systemlog

I would have prefered to test on a fresh pfSense system, however netgate does not make an iso available :( I do not like that, however I do understand netgate!

Troglobit has a significant newer pimd version ^pimd-dense^ which can perhaps been an pimd alternative.
I do not know the difference in functionality!

So ^we have a problem^ !!

Some options:

support from someone with higher c and git knowledge able to solve the actual warnings and man issue in the code try to compile pimdd which because more recent probably has less compile issues and perhaps even has a freebsd ports creating a couple of VM's with the media player. One for each VLAN which needs media files

@Zermus said in crowdsec:

It's a shame Elastic took their stuff in house and ELK stacks are no longer free. Tom Lawrence's (https://www.youtube.com/@LAWRENCESYSTEMS) videos convinced me that I should go over to Graylog Open on my personal stuff when that happened and I'm happy with it.

I always viewed ELK as overly complicated. Graylog is much more manageable, although the console isn't as nice. Work in progress.

@Gertjan those 3 name server might be just his isp dns.. that first on is fibreop and the others are aliant - which are the same isp - with the fibre one being for their FTTH.

Yeah if you want to use those - you should have unbound forward to them - but I see little benefit to forwarding for dns, just let unbound resolve is better option imho.

@semara turn x forward mode off unless this is behind another router or something.
If you want transparent no certificates turn off ssl intercept

@microserfs and what IP was that - clearly your current IPv6 address is not block that I show you connected with.. And the only other IPv4 I see you using is not blocked.. You would have to let me know what IP you were coming from that was blocked.. Send it to me via PM if you don't want to make it public.

@JonathanLee said in UNOFFICIAL GUIDE: Have Package Logs Record to a secondary SSD drive Snort Syslog Squid and or Squid cache system:

ln -s -F /nvme/LOGS_Optane/snort /var/log/snort

Also you can do this with suricata.

/var/log/suricata remove this mkdir /nvme/LOGS_Optane/suricata ln -s -F /nvme/LOGS_Optane/suricata /var/log/suricata

@SteveITS It looks like it is detecting ipv6 better

already is showing alerts

Screenshot 2025-07-12 at 10.39.56.png

It sees some ipv6 going to my interface. Again snort also would spot stuff every once a a while. My son got a bad bug on his tablet and it had a Russian email server running I checked it on virus total and it was spot on as malware known abuses so I reported it

@georgelza said in multiple ISP/WAN interfaces:

I want to make it as simple as possible, without me becoming their IT department....

Well, you ARE their it department.

Leave it as it is, if it works why fix it?

Hmm, interesting. I can't say I've noticed that. But also I wasn't looking for it specifically. 🤔

@zikou Please follow this: https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html

@raspier The 2100-MAX runs Snort really well but it wont do SO objects. It does everything else. See Snort SO rules I have a paid subscription with a code and everything but the SO rules never populate do they show up on your 1100?

Screenshot 2025-07-11 at 16.34.49.png

"Your Netgate 2100-MAX uses an ARM64 CPU (Marvell ARMADA).

❗ Important Limitation:

Snort SO rules are precompiled binary modules. Cisco/Sourcefire only provides precompiled SO rules for x86_64, not ARM.

That means SO rules are not available on the Netgate 2100, 3100, 1100, or any ARM-based device." So how does your show up???

Most commonly new sensors appeared because an update had new drivers that exposed them. The chipset PCH sensor was pulled into base for 23.09 (I think!) for example.

I’m sorry didn’t fully explain - config file exported to exact same dell server with same intel nics and exact same Cisco 3500 switch and unfi ap both instances are identical
My only problem that needs a solution is how do force the use of either my vpn dns servers or ones I chose on things connected to my vpn client as the way it runs now is that dns leak testing displays my isp address which is fixed (at least in uk can’t tell if Comcast is fixed)
I can use dedicated dns on browsers and also on devices buts not very satisfactory.
Unfortunately I’m not anyway a networking expert just having to find my way around stuff - thou when I built it years ago it did exactly what I needed but something changed either with Pfsense or Nordvpn service (been there to find solutions but no help) anyways thanks for the help!