Short lockdowns of pfSense protected servers



  • Dear pfSense community,

    We are happily using pfSense version 2.2.6 with Snort installed to protect a few DNS, web and mail servers. This whole environment is located on a vmware esxi server, meaning that pfSense is running as a virtual machine along with the other servers. Overall it works as intended.

    We have a minor challenge which i believe is located in Snort. The challenge is that servers behind our pfSense server is kind of locked down for a short period of time - like 1-2 minutes - meaning that nobody can reach that server aswel as itself probably can't reach anything outside the pfSense server (the wan). The virtual machines that are getting locked down are registrered as offline at our external monitors but not with the internal (behind pfSense) monitor - often the lock down is so short, that we can't confirm it ourselves. Moving the servers outside the proctection if the pfSense server "solves" the problem, but we are not interested in doing so.

    The problem is usually happening with our two DNS servers which randomly are offline at different times a day. The period between the lock downs can be everything from a few minutes to several hours, which makes me suspect that some kind of limit is reached within Snort/pfSense in regards to the incoming traffic at that given moment.

    Does some kind of lock down function exist? - I know Snort will block attackers, but it is currently set to 3 hours of ban time, which is not the case here.