The pfSense firewall runs on a micro PC Gigabyte GA-Z77N / Intel i5-3550 (Ivy) - 3.3Ghz / GSkill DDR3 16GB - 2133Mhz / Samsung SSD 830 128GB / 2 onboard RealTek 8168/8111 + 4 port NIC Intel PRO/1000 uname -a FreeBSD fw.ahlawat.com 12.2-STABLE FreeBSD 12.2-STABLE d48fb226319(devel-12) pfSense amd64 Comcast Business Internet Single Static IP address Comcast-provided/mandated router (Wi-Fi disabled) - IP 10.1.10.1, username/password (vendor default): cusadmin/cusadmin. These are the published factory defaults, not a secret: change them on the gateway, since anyone who can reach its LAN side can otherwise log in with them.
legal.intel_ipw.license_ack=1 legal.intel_iwi.license_ack=1 kern.ipc.maxmbufmem=11658912768
dhcp6c_enable="YES" dhcp6c_config="/var/etc/dhcp6c_wan.conf" dhcp6c_pidfile="/var/run/dhcp6c_igb0.pid" dhcp6c_interfaces="igb0" dhcp6c_flags="-n" filebeat_enable=yes filebeat_conf=/usr/local/etc/beats/filebeat.yml
interface igb0 { send ia-na 0; # request stateful address send ia-pd 0; # request prefix delegation #request domain-name-servers; #request domain-name; #script "/var/etc/dhcp6c_wan_script.sh"; # we'd like some nameservers please # ignoring upstream domain info #send rapid-commit; # does not work with Comcast }; # na first and then pd - the allocated pd is routed to the na address id-assoc na 0 { }; id-assoc pd 0 { prefix ::/59 infinity; };
# Automatically Generated, do not edit # Generated for DHCPv6 Server lan interface igb1.1 { AdvSendAdvert on; MinRtrAdvInterval 5; MaxRtrAdvInterval 20; AdvLinkMTU 1500; AdvDefaultPreference medium; AdvManagedFlag on; AdvOtherConfigFlag on; prefix fd01::/48 { DeprecatePrefix on; AdvOnLink on; AdvAutonomous off; AdvValidLifetime 86400; AdvPreferredLifetime 14400; }; route ::/0 { AdvRoutePreference medium; RemoveRoute on; }; RDNSS fd01::5 { }; DNSSL ahlawat.com { }; }; # Generated for DHCPv6 Server opt1 interface igb1.2 { AdvSendAdvert on; MinRtrAdvInterval 5; MaxRtrAdvInterval 20; AdvLinkMTU 1500; AdvDefaultPreference medium; AdvManagedFlag on; AdvOtherConfigFlag on; prefix fd02::/48 { DeprecatePrefix on; AdvOnLink on; AdvAutonomous off; AdvValidLifetime 86400; AdvPreferredLifetime 14400; }; route ::/0 { AdvRoutePreference medium; RemoveRoute on; }; RDNSS fd02::5 { }; DNSSL ahlawat.com { }; }; # Generated for DHCPv6 Server opt2 interface igb1.5 { AdvSendAdvert on; MinRtrAdvInterval 5; MaxRtrAdvInterval 20; AdvLinkMTU 1500; AdvDefaultPreference medium; AdvManagedFlag on; AdvOtherConfigFlag on; prefix fd05::/48 { DeprecatePrefix on; AdvOnLink on; AdvAutonomous off; AdvValidLifetime 86400; AdvPreferredLifetime 14400; }; route ::/0 { AdvRoutePreference medium; RemoveRoute on; }; RDNSS fd05::5 { }; DNSSL ahlawat.com { }; }; # Generated for DHCPv6 Server opt3 interface igb1.9 { AdvSendAdvert on; MinRtrAdvInterval 5; MaxRtrAdvInterval 20; AdvLinkMTU 1500; AdvDefaultPreference medium; AdvManagedFlag on; AdvOtherConfigFlag on; prefix fd09::/48 { DeprecatePrefix on; AdvOnLink on; AdvAutonomous on; AdvValidLifetime 86400; AdvPreferredLifetime 14400; }; route ::/0 { AdvRoutePreference medium; RemoveRoute on; }; RDNSS fd09::5 { }; DNSSL diyit.org { }; }; # Generated for DHCPv6 Server opt5 interface igb1.10 { AdvSendAdvert on; MinRtrAdvInterval 5; MaxRtrAdvInterval 20; AdvLinkMTU 1500; AdvDefaultPreference medium; AdvManagedFlag on; AdvOtherConfigFlag on; prefix fd0a::/48 { 
DeprecatePrefix on; AdvOnLink on; AdvAutonomous off; AdvValidLifetime 86400; AdvPreferredLifetime 14400; }; route ::/0 { AdvRoutePreference medium; RemoveRoute on; }; RDNSS fd0a::5 { }; DNSSL datavpc.com { }; }; # Generated for DHCPv6 Server opt12 interface igb1.48 { AdvSendAdvert on; MinRtrAdvInterval 5; MaxRtrAdvInterval 20; AdvLinkMTU 1500; AdvDefaultPreference medium; AdvManagedFlag on; AdvOtherConfigFlag on; prefix 2001:470:f835::/48 { DeprecatePrefix on; AdvOnLink on; AdvAutonomous on; AdvValidLifetime 86400; AdvPreferredLifetime 14400; }; route ::/0 { AdvRoutePreference medium; RemoveRoute on; }; RDNSS 2606:4700:4700::1111 2606:4700:4700::1001 { }; DNSSL diyit.org { }; };
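#!/bin/sh
#
# IPv6 watchdog for the pfSense WAN (igb0) DHCPv6 client.
#
# Intended to run periodically (cron) as root. It checks that dhcp6c is running
# and that the Internet answers an IPv6 ping sourced from the LAN ULA address
# (fd01::5 - pfSense maps that to the prefix delegated by Comcast). If that
# fails but a ping sourced from the WAN's own global address still works, the
# delegated prefix/route is assumed stale and dhcp6c is restarted so the
# delegation is requested again. If even the WAN-sourced ping fails, upstream
# IPv6 is considered down and nothing is restarted.
#
# Output: progress messages and the raw output of the diagnostic ping6/pgrep
# calls in the failure path (useful in cron mail). Exit status is that of the
# last command run - rely on the messages, not the exit code.
#
# NOTE(review): the probe hostname is "cloudfare.com" (no second 'l'), exactly
# as in the original. If that is a typo for cloudflare.com, the probes depend on
# the typo domain publishing an AAAA record; confirm before relying on it.
#
# Uncomment the next line to disable the watchdog without removing the cron job.
#exit

# Refuse to run unprivileged: killall and launching dhcp6c need root, and a
# partial run would only print misleading "launching ..." messages.
if [ "$(id -u)" -ne 0 ]; then
  echo "must run as root" >&2
  exit 1
fi

# Probe targets and source addresses.
V4_PROBE=96.120.89.189                          # IPv4 upstream probe
V6_PROBE=2606:4700:4700::1111                   # Cloudflare DNS, literal IPv6
V6_PROBE_HOST=cloudfare.com                     # see NOTE(review) above
LAN_SRC=fd01::5                                 # LAN ULA, translated to the delegated prefix
WAN_SRC=2603:3024:3f6:0:a236:9fff:fe10:9d24     # WAN global address (ia-na from Comcast)

# dhcp6c invocation - must match rc.conf (dhcp6c_config, dhcp6c_pidfile,
# dhcp6c_flags="-n") or the manually started client will disagree with what
# the system expects at boot.
DHCP6C=/usr/local/sbin/dhcp6c
DHCP6C_CONF=/var/etc/dhcp6c_wan.conf
DHCP6C_PID=/var/run/dhcp6c_igb0.pid
WAN_IF=igb0

# Two probes whose results are deliberately discarded (presumably a warm-up
# before the real check; they were in the original without explanation).
ping -c 1 -qo "$V4_PROBE" > /dev/null 2>&1
ping6 -S "$LAN_SRC" -c 1 -qo "$V6_PROBE" > /dev/null 2>&1

if pgrep -q dhcp6c && ping6 -S "$LAN_SRC" -c 2 -qo "$V6_PROBE_HOST" > /dev/null 2>&1; then
  # Everything good - IPv6 is working. The ':' no-op is required: sh does not
  # allow an empty then-branch (a comment alone is a syntax error).
  :
elif ping6 -S "$WAN_SRC" -c 2 -qo "$V6_PROBE_HOST"; then
  # Upstream IPv6 is reachable from the WAN address but not from the LAN side:
  # log the failing LAN-sourced probe, then restart the DHCPv6 client.
  ping6 -S "$LAN_SRC" -c 2 -qo "$V6_PROBE_HOST"
  if pgrep dhcp6c; then
    echo "IPv6 not working - dhcp6c running, terminating ..."
    # killall matches by name; the pidfile would be more precise but can be
    # stale after a crash, so name-based termination is kept.
    killall dhcp6c
    sleep 10
  fi
  echo "IPv6 not working - dhcp6c not running, launching ..."
  "$DHCP6C" -d -n -c "$DHCP6C_CONF" -p "$DHCP6C_PID" "$WAN_IF"
  # Show the new PID(s) and whether the LAN-sourced probe now succeeds.
  pgrep dhcp6c
  ping6 -S "$LAN_SRC" -c 2 -qo "$V6_PROBE_HOST"
else
  echo "comcast IPv6 down"
fi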
Disabling hardware checksum offloading in pfSense (System -> Advanced -> Networking) stops the Suricata invalid-checksum decoder alerts at the source (with offloading enabled the IDS sees packets before the NIC fills in the checksum, so they look corrupt), so the following entries are no longer needed in the suppress file - suppressing them only hid the alerts, it did not fix the cause: #SURICATA IPv4 invalid checksum suppress gen_id 1, sig_id 2200073 #SURICATA UDPv4 invalid checksum suppress gen_id 1, sig_id 2200075 #SURICATA UDPv6 invalid checksum suppress gen_id 1, sig_id 2200078 #SURICATA zero length padN option suppress gen_id 1, sig_id 2200094 Current suppress file content: #SURICATA ICMPv4 unknown type suppress gen_id 1, sig_id 2200024 #SURICATA STREAM Packet with invalid timestamp suppress gen_id 1, sig_id 2210044 #SURICATA STREAM Packet with invalid ack suppress gen_id 1, sig_id 2210045 #SURICATA STREAM SHUTDOWN RST invalid ack suppress gen_id 1, sig_id 2210046 #SURICATA STREAM excessive retransmissions suppress gen_id 1, sig_id 2210054 #SURICATA Applayer Detect protocol only one direction suppress gen_id 1, sig_id 2260002
Interfaces/WAN (igb0) DHCP6 Client Configuration: Configuration Override (checked), Configuration File Override (/conf/dhcp6c_wan.conf) # a copy of the file above - on boot this file is used to seed the v6 configuration. RECOVERY from a BAD config: reboot into single-user mode (reset, then choose the single-user option from the boot menu) and run: cd /conf; mount -u -rw /; cp config-last.xml config.xml (OR cp backup/config-xxxxxxx.xml config.xml - check the backup's timestamp first so you restore a known-good config rather than the one that broke the box); sync; mount -u -r /; exit # mbuf.sh suggested settings: kern.ipc.maxmbufmem=11658912768 kern.ipc.nmbclusters=1423207 kern.ipc.nmbjumbop=711603 kern.ipc.nmbjumbo9=210845 kern.ipc.nmbjumbo16=118600 kern.ipc.nmbufs=9108525