
Messages - GemeenAapje

IDS/IPS / Re: Suricata Inline high CPU with no rules
« on: February 22, 2018, 03:21:29 pm »
:-(  I take it back.  2 minutes later it's back to 200 Mbps.  I think just restarting the interface fooled me/it for a moment while all the rules etc. were being loaded.

So I'm back to a 200 Mbps limit now and don't know how to increase it.

IDS/IPS / Re: Suricata Inline high CPU with no rules
« on: February 22, 2018, 03:09:10 pm »
OK, I've "fixed" it, I suppose.  Changed this...

Detection Engine Settings
Max Pending Packets

Back from 4096 to 1024

Now the CPU goes to 90% but is able to maintain the full 500 Mbps with 90% CPU and all rules enabled.

Just FYI

If anyone has any advice or tips, they would be greatly welcome.

IDS/IPS / Suricata Inline high CPU with no rules
« on: February 22, 2018, 02:50:22 pm »
Hi guys

As per the title of this post, when I enable Suricata in inline mode, even with all rules disabled, the CPU runs mega high.

I have a 500 Mbps glass fibre line, but when I enable Suricata it gets limited to 200 Mbps both ways.

Disabling Suricata, I get my full speed again (more actually; I'm hitting around 600 Mbps both ways).

So, I was going to try and figure out which rules were pushing the CPU so high, starting by disabling them all, but even with all disabled or all enabled it gets capped at around 200 Mbps.

Am I doing something wrong?


IDS/IPS / Snort - prevent blocking self
« on: February 07, 2018, 03:56:07 am »
Hi guys

I'm trying to configure Snort to add some additional security to my web server.

At the moment I'm running it and monitoring the alerts without blocking.

My web server is within my home network and I'm running snort on pfSense router on the WAN interface only. Is this correct practice?

One thing I see, for example, is that when I'm using Deezer I see my own external IP flagged up as accessing iTunes, for example "ET POLICY iTunes User Agent".

Before I enable blocking, I really want to be 2000% sure that my own IP is never going to be added to the banned list, blocking my web server from accessing the outside world.

Any advice greatly welcome.


General Questions / Re: VLAN WAN dies when PPPoE is enabled
« on: January 30, 2018, 05:36:19 am »
It's fixed!  2 things fixed it (in my opinion).

1) Removing the modem/router box from my ISP in the middle.  Today my ISP provided a media converter for glass fibre to RJ45 so I don't need their modem router anymore.  Even though I had PPPoE Passthrough enabled on their modem, I have a feeling it was somehow blocking my own router getting through.

2) Setting trunking on the VM switch port/group.  I would never have thought of that! Thank you so much

It's now working beautifully.  500 Mb down and 750 Mb upload with an MTU to Google of 1500.

Thanks so much. 

PS: if anyone is interested in my settings I can try to write them down; just reply here and let me know if there's interest in it.  Running pfSense on an ESXi VM directly via an F3100 media converter to XS4ALL glass fibre.

General Questions / Re: VLAN WAN dies when PPPoE is enabled
« on: January 30, 2018, 02:21:36 am »
Great tip, thank you.  I didn't know about 4095.

But sadly it still doesn't work.

What MTU should I set on the VM virtual switch / VLAN WAN interface in pfSense / PPPoE tab in pfSense?

Right now I have it as 2000 (VM) - 1512 (VLAN) - 1500 (PPPoE).

My ISP does support the large packets.

I've experimented with much lower MTUs also without success.

For the pfSense setup.... should I have just 1 WAN and 1 LAN adaptor?  The WAN being PPPoE0(vmx0.6) - email@address
Or should I have 2 separate adaptors for WAN, one for the VLAN/NIC and one for the PPPoE?
If the 2nd.... how should it be configured?  I tried everything.

Would you be happy to post some screenshots with sensitive info hidden?


General Questions / VLAN WAN dies when PPPoE is enabled
« on: January 29, 2018, 06:24:02 pm »
Hi guys
I'm trying to set up pfSense to work with my new internet provider (XS4ALL in the Netherlands).

Here internet is being run over VLAN 6.

I've followed some handy configuration instructions I found online, but for my setup it fails.

I can enable the interface with VLAN 6, runs fine and shows "up".  It can also get a DHCP IP address.

But when I switch on PPPoE, the link goes down and refuses to come up.

I tried various MTU settings but the only way I can get the interface back online is to remove PPPoE and set it back to static/dynamic IP again.

It's a VM running:
2.4.2-RELEASE-p1 (amd64)
built on Tue Dec 12 13:45:26 CST 2017
FreeBSD 11.1-RELEASE-p6

It's on an HP ProLiant 380 G9 using the on-board 1 Gbps LAN card.

I've set the port switch in ESXi to be on VLAN 6 also.

Really hope someone can help me.


IDS/IPS / Re: Unknown snort rule
« on: July 21, 2017, 04:06:00 am »
Found them!  OpenAppID rules, I had them all enabled.

Logs cleared and back to normal


IDS/IPS / Unknown snort rule
« on: July 21, 2017, 02:44:31 am »
Hi all
I'm new to pfSense and Snort but have spent the best part of a week playing with the system.

Since adding Snort we've found lots of weird behaviour, like Netflix just stopping halfway through a movie, etc.

Looking at my logs I see many alerts for things I wouldn't expect, like it's blocking HTTPS, for example.  The rule mentioned is nowhere to be found (I Googled a lot before posting here).

For example...
07/21/17-09:35:29.838333 ,1,70856,1,"https",TCP,,37191,,443,56737,Misc activity,3,
07/21/17-09:35:29.838333 ,1,70542,1,"netflix",TCP,,37191,,443,56737,Misc activity,3,
07/21/17-09:35:29.838802 ,1,70856,1,"https",TCP,,37191,,443,56738,Misc activity,3,
07/21/17-09:35:29.838802 ,1,70542,1,"netflix",TCP,,37191,,443,56738,Misc activity,3,
07/21/17-09:35:29.839073 ,1,70856,1,"https",TCP,,37191,,443,56739,Misc activity,3,

If I look for the rule numbers I cannot find them online.

Why would HTTPS be being blocked? It makes no Pfsense ;-)
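Added example, not code from this thread or from the pfSense Snort package: a small Python triage script for the CSV alert log format shown in the post above. It groups alerts by generator ID, signature ID and message, so a run of app-identification alerts such as 1:70856 "https" stands apart from ordinary signature hits, and it also answers the worry in the earlier "Snort - prevent blocking self" post offline, by checking every alert's source and destination address against a list of addresses that must never be blocked. The package's own Pass List is the real safeguard; this is a pre-flight check run against a log before blocking is switched on. The first five lines of the sample are the ones posted (source and destination addresses were blank as posted); the two lines after them, the addresses 203.0.113.5 and 198.51.100.x, the SIDs 9000001 and 9000002, and the second message text are constructed for the example, and `blocked_on` is my own name for the choice of blocking the source, the destination, or both sides of a flow.

```python
import csv
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Column order of the CSV alert log as it appears in the post above
# (assumption: timestamp, gid, sid, rev, msg, proto, src, srcport, dst,
# dstport, IP id, classification, priority, then a trailing empty field).
FIELDS = ["timestamp", "gid", "sid", "rev", "msg", "proto", "src", "srcport",
          "dst", "dstport", "ipid", "classification", "priority"]


@dataclass
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    proto: str
    src: Optional[IPAddr]
    srcport: Optional[int]
    dst: Optional[IPAddr]
    dstport: Optional[int]
    classification: str
    priority: int


def _ip(value: str) -> Optional[IPAddr]:
    return ipaddress.ip_address(value) if value else None


def _port(value: str) -> Optional[int]:
    return int(value) if value else None


def parse_alerts(lines: Iterable[str]) -> List[Alert]:
    """Parse CSV alert lines into Alert records; csv handles the quoted msg field."""
    alerts: List[Alert] = []
    for row in csv.reader(line for line in lines if line.strip()):
        row = [field.strip() for field in row][:len(FIELDS)]  # drop trailing empty field
        if len(row) < len(FIELDS):
            continue  # truncated line: skip it rather than guess at missing columns
        rec = dict(zip(FIELDS, row))
        alerts.append(Alert(
            timestamp=rec["timestamp"], gid=int(rec["gid"]), sid=int(rec["sid"]),
            rev=int(rec["rev"]), msg=rec["msg"], proto=rec["proto"],
            src=_ip(rec["src"]), srcport=_port(rec["srcport"]),
            dst=_ip(rec["dst"]), dstport=_port(rec["dstport"]),
            classification=rec["classification"], priority=int(rec["priority"]),
        ))
    return alerts


def summarize(alerts: Sequence[Alert]) -> Counter:
    """Alert count per (gid, sid, msg): the noisiest rules float to the top."""
    return Counter((a.gid, a.sid, a.msg) for a in alerts)


def would_block_protected(alerts: Sequence[Alert], protected: Sequence[str],
                          blocked_on: str = "both") -> List[Tuple[Alert, str]]:
    """Alerts whose blocked side lands on an address from `protected` (addresses or
    CIDR networks that must never be blocked, i.e. the pass list). `blocked_on` is
    which side of the flow the IDS is set to block: "src", "dst" or "both"."""
    nets = [ipaddress.ip_network(n, strict=False) for n in protected]

    def is_protected(addr: Optional[IPAddr]) -> bool:
        return addr is not None and any(addr in n for n in nets)

    hits: List[Tuple[Alert, str]] = []
    for a in alerts:
        if blocked_on in ("src", "both") and is_protected(a.src):
            hits.append((a, "src"))
        elif blocked_on in ("dst", "both") and is_protected(a.dst):
            hits.append((a, "dst"))
    return hits


# First five lines: from the post (addresses blank as posted). Last two: constructed;
# 203.0.113.5 plays "my own external IP", 198.51.100.x are remote hosts, and the
# SIDs 9000001/9000002 are placeholders, not real rule IDs.
SAMPLE_LOG = """\
07/21/17-09:35:29.838333 ,1,70856,1,"https",TCP,,37191,,443,56737,Misc activity,3,
07/21/17-09:35:29.838333 ,1,70542,1,"netflix",TCP,,37191,,443,56737,Misc activity,3,
07/21/17-09:35:29.838802 ,1,70856,1,"https",TCP,,37191,,443,56738,Misc activity,3,
07/21/17-09:35:29.838802 ,1,70542,1,"netflix",TCP,,37191,,443,56738,Misc activity,3,
07/21/17-09:35:29.839073 ,1,70856,1,"https",TCP,,37191,,443,56739,Misc activity,3,
02/07/18-09:12:01.000001 ,1,9000001,1,"ET POLICY iTunes User Agent",TCP,203.0.113.5,51022,198.51.100.7,80,4411,Potential Corporate Privacy Violation,1,
02/07/18-09:12:05.000002 ,1,9000002,1,"EXAMPLE inbound probe to web server",TCP,198.51.100.9,44122,203.0.113.5,443,4412,Attempted Information Leak,2,
"""


def report(log_text: str, protected: Sequence[str], blocked_on: str = "both") -> List[str]:
    """Report lines: rule counts, then every alert that would block a protected address."""
    alerts = parse_alerts(log_text.splitlines())
    out = [f"{n:4d}  {gid}:{sid}  {msg}"
           for (gid, sid, msg), n in summarize(alerts).most_common()]
    for a, side in would_block_protected(alerts, protected, blocked_on):
        out.append(f"WOULD BLOCK PROTECTED {side}={getattr(a, side)} via {a.gid}:{a.sid} {a.msg!r}")
    return out


if __name__ == "__main__":
    # 203.0.113.5 stands in for the firewall's WAN address, 192.168.0.0/16 for the home LAN.
    print("\n".join(report(SAMPLE_LOG, ["203.0.113.5", "192.168.0.0/16"])))
```

Run it against a real alert log with the firewall's WAN address, gateway and internal networks in the protected list; any "WOULD BLOCK PROTECTED" line is an alert that, with blocking enabled and that address missing from the pass list, would have cut the firewall or the web server off.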



NAT / Re: Urgent help: pfsense login on WAN port!
« on: July 20, 2017, 04:31:59 am »
Thank you so much for replying guys.

In the end I removed the Load Balancer router from the setup. Now I'm just using one of my VMs for IIS and one for SQL.

I had everything set correctly in my opinion. Port redirection etc turned off.  Port was also running on a nonstandard port (444).

I do believe browser caching was a problem, because even when I had completely fixed it I still had customers complaining they were not able to login to the website. When I asked them to send the URL to me I could clearly see it was redirecting to port 444.

I've now completely blocked port 444 as the first WAN rule in the firewall. But how can I fix everyone's browser cache for that redirection problem?  If pfSense has set clients to bounce from 80>444, everyone will now be getting a 404 error (not good for business!)


IPsec / VPN Newbie question - which VPN to use?
« on: July 20, 2017, 04:27:17 am »
Hi all

can someone please help me.... how do I decide which VPN setup to use?

Purpose: Need to access my home network from Windows 7-10 and Android. Nothing else is important.

Needs to be as secure as possible - i.e. that nobody can brute-force it within a reasonable length of time.

I cannot understand which is best to use. For example IPSec IKEv2 / EAP-MSCHAPv2   vs   OpenVPN

Any idea where I should start?


NAT / Urgent help: pfsense login on WAN port!
« on: July 17, 2017, 04:28:13 am »
Hi guys

I desperately need urgent help please.

I have the following setup...

pfSense as router > another pfSense as load balancer > 2 VMs (web farm) running IIS 10.

There are multiple websites on the VMs.
Port Forward/NAT is enabled on the router pointing to the load balancer IP  (ports 80 and 443)
The load balancer splits the traffic over 2 web servers.
Both pfSense devices are listening on port 444 (as https) and not 443, to save confusion/conflicts.
The WAN port should NOT have pfsense web GUI available at all, and is disabled.

Here's the problem...
SOME of my sites work fine and show perfectly normally (from outside the network, accessing via the WAN link).
But some show the pfSense login!!!!  It even forwards my port 443 to 444!!!!  What the hell?  Nowhere do I have it set to do this, nor should the login be available to WAN clients!

I can see this when accessing via the Google PageSpeed test for example. I see pfsense as the thumbnail/screenshot for one site, but not for other sites.

I'm freaking out and need help asap please.
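Added example for this NAT thread (the post above and the later reply about clients that keep being sent to port 444); it is my code, not anything from the thread or from pfSense. Given a raw HTTP response head of the kind a client receives when port 80 reaches something other than the intended site, it reports where the redirect points, whether the target port is one of the intended public ports, and whether a browser is entitled to store the redirect even though nothing told it to (RFC 7231 lists 301 among the codes cacheable by default; 302 and 307 are not unless freshness headers say so). The response texts are constructed; www.example.com and port 444 stand for the poster's site and the firewall's GUI port.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Status codes a cache may store with no explicit freshness information
# (RFC 7231 section 6.1, plus 308 from RFC 7538). 302, 303 and 307 are not here.
CACHEABLE_BY_DEFAULT = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status code, headers with lower-cased names) from a raw HTTP/1.x response."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def cache_directives(value: str) -> Dict[str, str]:
    """Cache-Control 'no-store, max-age=0' -> {'no-store': '', 'max-age': '0'}."""
    out: Dict[str, str] = {}
    for directive in value.split(","):
        name, _, val = directive.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"')
    return out


def analyse_redirect(raw: str, public_ports=(80, 443)) -> Dict[str, object]:
    """Where does this response send the client, and may a browser remember it?"""
    status, headers = parse_response_head(raw)
    result: Dict[str, object] = {
        "status": status, "redirect": status in REDIRECT_CODES,
        "location": headers.get("location"), "target_port": None,
        "unexpected_port": False, "client_may_cache": False,
    }
    if not result["redirect"] or result["location"] is None:
        return result
    url = urlsplit(str(result["location"]))
    port: Optional[int] = url.port or {"http": 80, "https": 443}.get(url.scheme)
    result["target_port"] = port
    result["unexpected_port"] = port is not None and port not in public_ports
    cc = cache_directives(headers.get("cache-control", ""))
    forbidden = "no-store" in cc or "no-cache" in cc or cc.get("max-age") == "0"
    max_age = cc.get("max-age", "")
    explicit_fresh = (max_age.isdigit() and int(max_age) > 0) or "expires" in headers
    result["client_may_cache"] = not forbidden and (status in CACHEABLE_BY_DEFAULT or explicit_fresh)
    return result


# Constructed responses; www.example.com and port 444 stand for the poster's site
# and the firewall's GUI port. None of these came from a real pfSense box.
SAMPLES = {
    # what a client sees when port 80 reaches an admin GUI's redirect instead of the site
    "gui_redirect": ("HTTP/1.1 301 Moved Permanently\r\n"
                     "Location: https://www.example.com:444/\r\n"
                     "Content-Length: 0\r\n\r\n"),
    # a site's own http->https redirect that no browser will keep
    "site_redirect": ("HTTP/1.1 302 Found\r\n"
                      "Location: https://www.example.com/\r\n"
                      "Cache-Control: no-store\r\n\r\n"),
    # a 302 made sticky by an explicit max-age
    "sticky_302": ("HTTP/1.1 302 Found\r\n"
                   "Location: http://www.example.com:8080/\r\n"
                   "Cache-Control: max-age=3600\r\n\r\n"),
    "plain_page": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
}


def analyse_all() -> Dict[str, Dict[str, object]]:
    return {name: analyse_redirect(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in analyse_all().items():
        flag = "LEAKS ADMIN PORT, CLIENTS WILL REMEMBER" if r["unexpected_port"] and r["client_may_cache"] else ""
        print(f"{name:14s} {r['status']} -> {r['location']} port={r['target_port']} "
              f"cacheable={r['client_may_cache']} {flag}")
```

A 301 carries no expiry and browsers still keep it: a client that once followed port 80 to :444 will not ask port 80 again until it considers the stored redirect stale, so blocking 444 on the firewall stops the login page from loading but cannot make those clients forget the redirect. A 302 or 307 with no freshness headers is used once and forgotten, which is why the same mistake with one of those codes clears itself up.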

