“Are your pfblocker floating rules applied to all interfaces?”
The WAN is set as the incoming, and for the outgoing all interfaces are selected in pfBlocker, so yes.
Okay, that is a good idea to add the IP range in pfBlocker and put it on top of everything. So I just did that a minute ago: I added the ASN to a custom IP block list and put that on top of the IP lists, and enabled the log function in that list.
“If this is already the case …” Well, the range 126.96.36.199/24 is already in one of the pfBlocker (PRI1) lists, but I put a new custom blocklist above that and all other lists just for this range on its own, blocking both incoming and outgoing, and enabled logging. So I will see what this is going to let me see in the logs.
My domain on the internet is hosted on a DNS server of a DNS provider. My local domain is hosted on my own BIND9 server. My local BIND9 in the DMZ is not reachable from the internet. I have in pfSense Unbound a domain override for my local domain, so Unbound talks to BIND9 in the DMZ when it needs to look up my local domain. My local BIND server does not talk to outside servers, no forwarders, nothing; it is solely the authoritative server for my local domain, nothing else. I am not using it as a caching server to query any internet domain or whatever; all that happens on the pfSense Unbound (DNS resolver).
Even if BIND would want to connect to something on the outside, it could not get out because pfSense is blocking all outgoing traffic on the DMZ interface.
I have monitored every interface of pfSense, and also the DMZ, with Wireshark for any incoming or outgoing connections from or to 188.8.131.52/24, and also monitored the .casa TLD. I suspected rspamd could be the culprit because rspamd hits a lot of domains when it updates its database, but I find nothing when I monitor it with Wireshark for hours while cyber.casa is still doing what it does on the WAN every 20-60 minutes. I don’t see anything on the DMZ interface and nothing on any other interface either, and I monitored every interface for hours to be sure I could not have missed anything.
Besides all this, after all this monitoring I also used Tom’s tip to use pfTop. With pfTop nothing shows up while cyber.casa is doing what it does on the WAN. So a lot of question marks here, as you can imagine.
An encrypted tunnel? I could not think of where and how this would exist on my network, and could hide itself this well, but who knows. Maybe some day I find something, that somebody hacked my network or something, I don’t know; I would be hugely amazed if I would discover that.
I have no ACLs on Unbound.
Yes, I have even thought of it, to create a pfSense system on my Proxmox server, so I did, and I still have it for backup or testing stuff.
After creating this virtual pfSense machine and starting to set everything up, I immediately saw the cyber.casa IPs showing up again. I didn’t use a config backup; I started with a clean, empty pfSense VM and started setting everything up from the ground up. There was no change from the bare-metal pfSense.