
Recent Posts

Russian / Re: Suricata and 1gbps
« Last post by werter on Today at 07:04:54 am »
Did you remember to disable all the hardware checksumming on the Advanced Network tab in pfSense?  You must turn off hardware-based checksums, TCP segmentation offloading and LRO (Large Receive Offloading) when using Inline IPS Mode.  Hardware checksumming is on by default.  If you make changes to these parameters, you need to reboot the firewall for them to take effect.
Found by searching for the phrase "suricata high cpu usage pfsense".

What other packages are installed?
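As an added check for the offload advice quoted in the post above (this is my example, not code from the post, from bmeeks or from pfSense): a small POSIX sh script that parses `ifconfig` output for the capabilities that must be off in Suricata inline IPS mode (RX/TX checksum offload, TSO, LRO) and prints the one-shot `ifconfig` command that clears them. The two `ifconfig` outputs for `em0`, its MAC and the 192.0.2.1 address are constructed samples; the `BAD_CAPS` list and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the forum post: audit a FreeBSD/pfSense NIC for the
# hardware offload features that the quoted advice says must be off for
# Suricata inline IPS mode (RX/TX checksum offload, TSO, LRO). It parses the
# "options=" line of `ifconfig <if>` output and prints the fix command.
# The two ifconfig outputs below are constructed samples for interface "em0".

SAMPLE_ON='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=25b3<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,LRO,WOL_MAGIC>
        ether 00:00:00:00:00:01
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'

SAMPLE_OFF='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=20b0<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether 00:00:00:00:00:01
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255'

# Capabilities inline mode cannot tolerate: with them on, the NIC hands the
# kernel (and netmap, which inline mode uses) frames whose checksums are not
# yet computed or whose segments are coalesced, so Suricata inspects and
# re-injects traffic that never looked like that on the wire. (List is mine.)
BAD_CAPS='RXCSUM|TXCSUM|RXCSUM_IPV6|TXCSUM_IPV6|TSO4|TSO6|LRO'

# offloads_still_on <ifconfig-output>
# Prints each offending capability that is enabled, one per line.
# Exit status 0 if at least one is enabled, 1 if the interface is clean.
offloads_still_on() {
    printf '%s\n' "$1" \
        | sed -n 's/.*options=[0-9a-fA-F]*<\(.*\)>.*/\1/p' \
        | tr ',' '\n' \
        | grep -E "^($BAD_CAPS)\$"
}

# check_iface <ifconfig-output>
# Prints "ok" when nothing needs fixing, otherwise the enabled offloads on one line.
check_iface() {
    bad=$(offloads_still_on "$1" | tr '\n' ' ' | sed 's/ $//')
    if [ -z "$bad" ]; then
        echo ok
    else
        echo "$bad"
    fi
}

# fix_command <ifname>
# The ifconfig(8) invocation that turns the offloads off until the next boot.
# The persistent fix is the three "Disable hardware ..." checkboxes under
# System > Advanced > Networking in pfSense, followed by the reboot the post mentions.
fix_command() {
    echo "ifconfig $1 -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -lro"
}

for sample in "$SAMPLE_ON" "$SAMPLE_OFF"; do
    result=$(check_iface "$sample")
    echo "em0: $result"
    [ "$result" = ok ] || echo "  run: $(fix_command em0)"
done
```

On a live firewall, call `check_iface "$(ifconfig em0)"` for each interface Suricata is bound to. The `ifconfig` change is lost at reboot, which is why the GUI checkboxes plus a reboot are the lasting fix; the script only tells you whether the box is currently in the state the advice requires.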
General Questions / dns resolver port for pfblockerng
« Last post by ozlecz on Today at 07:00:43 am »
DNS Forwarder = port 53
DNS Resolver = port 55

By default the DNS Resolver is enabled for pfBlockerNG and is on port 53. Since it is now changed to port 55, is there anything in the pfBlockerNG configuration that needs to be changed?

Thank you
Portuguese / Re: Blocking by application
« Last post by Tomas Waldow on Today at 06:36:08 am »
The closest thing would be Snort with OpenAppID, but blocking purely by app alone, no.
OpenVPN / Re: Site to site between 4 offices
« Last post by Jamerson on Today at 06:04:39 am »
OK so on each client side you need:

Remote Networks:,

On the server instance for the first office you need:

Remote Networks: Remote networks on that side of the connection

Same for the server instances for the other two offices.

Firewall rules on the OpenVPN tab or the assigned interface tabs have to pass the desired traffic from the remote sites.

This is correct.
Each office has an allow any-to-any rule on the OpenVPN interface, but the issue now is that the internal network on the client side can't reach the server.
I see we have floating rules on the client side; would this be affecting the routes? Also, we are using multi-WAN at this office.

Thank you for your continued support.
2.4.2 still cannot be saved on host reboot.
2.3.X works perfectly on the same Hyper-V host (2012 R2).

I don't know whether it is a problem with Hyper-V, pfSense or FreeBSD 11.1.
Not really a big problem, because host reboots are always under control.
Having a similar problem here with 2.4.2_1 on 2012R2, but I just configured the host to shutdown pfSense rather than trying to save state.  I also use fixed memory rather than dynamic, since it (either FreeBSD or Hyper-V) doesn't seem to honor it.  I've recently had pfSense marking the disk as dirty and going into a reboot loop after recognizing the hn interfaces.  Restore a checkpoint and back to working.  Not complaining, just offering feedback.
Russian / Suricata and 1gbps
« Last post by borg on Today at 05:19:28 am »
Hello. A few days ago I got a gigabit link and found that Suricata on 2.3.4-RELEASE (amd64) on a VM starts dropping packets and cutting the throughput roughly in half, if not more. At 100 Mbit everything is fine. I allocated an Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 4 CPUs: 2 package(s) x 2 core(s), and 8 GB of RAM; the CPU is simply being destroyed by Suricata. I haven't tried adding more. I left only emerging-scan.rules in sid-enable.conf, and in dropsid.conf emerging-scan.rules pcre:"pcre:balanced-ips\s*drop". Has anyone dealt with tuning Suricata for gigabit? Thanks in advance.
I have the same issue, have not found a way to remedy it  :(
[Edit:  Oops, I didn't read the entire thread first.  You already bought a beefy Poweredge T30 a couple months ago.  Woot.]

If that's overkill, what about using something like ESXi to run pfSense (and other services) in a virtual machine? I know it's possible, but is it a good idea (in the eyes of the pfSense community)?
I'll add my two cents to this one.  One of the lessons learned at a past company (when we lost power to the datacenter because of catastrophic UPS failure during a UPS test on a Monday at noon (go figure...idiots in charge), and recovery took 12-24+ hours... losing millions of $$$) was that critical infrastructure (such as our DNS servers and Domain Controllers) was 100% virtualized.  And the back-end storage arrays for all these virtual servers?  Since the array lost power abruptly it had to go through a lengthy disk check, which took hours.  Meanwhile, since none of the servers that *were* up and running had any DNS, they were sitting ducks and useless.

Lesson learned:  Virtualization is awesome, but don't virtualize 100% of your critical infrastructure.  Always have at least one physical device per infrastructure type.

This is probably apples and oranges compared to a home environment, but if you want to virtualize pfSense in ESXi or any other hypervisor, just be aware that if the physical host fails or has to be rebooted (etc), your pfSense router, firewall, DNS, DHCP, and any other critical services will be down during that time.  So for highest availability, have at least one physical pfSense device, and feel free to virtualize the others.  Or have two virtual pfSense instances on two separate physical ESXi servers.

Totally overkill answer, especially for home.  But it was a painful lesson learned and one I will always think about when I implement infrastructure, even at home.  :P
Side note:  PPTP was publicly known to be insecure no later than December 2004.  Can I ask why you're still using it in ~2018 instead of a commercial TLS VPN, OpenVPN, or IPsec?