@moh10ly the link is no longer available

@johnpoz @johnpoz Below is my configuration for EAP-tls but I am unable to connect to wifi for windows radiusd.conf prefix = /usr/local exec_prefix = ${prefix} sysconfdir = ${prefix}/etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = ${localstatedir}/log raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct name = radiusd confdir = ${raddbdir} modconfdir = ${confdir}/mods-config certdir = ${confdir}/certs cadir = ${confdir}/certs run_dir = ${localstatedir}/run db_dir = ${raddbdir} libdir = /usr/local/lib/freeradius-3.2.3 pidfile = ${run_dir}/${name}.pid max_request_time = 30 cleanup_delay = 5 max_requests = 1024 hostname_lookups = no regular_expressions = yes extended_expressions = yes log { destination = files colourise = yes file = ${logdir}/radius.log syslog_facility = daemon stripped_names = yes auth = yes auth_badpass = yes auth_goodpass = yes msg_goodpass = "" msg_badpass = "" msg_denied = "You are already logged in - access denied" } checkrad = ${sbindir}/checkrad security { allow_core_dumps = no max_attributes = 200 reject_delay = 1 status_server = no # Disable this check since it may not be accurate due to how FreeBSD patches OpenSSL allow_vulnerable_openssl = yes } $INCLUDE clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_queue_size = 65536 max_requests_per_server = 0 auto_limit_acct = no } modules { $INCLUDE ${confdir}/mods-enabled/ } instantiate { exec expr expiration logintime ### Dis-/Enable sql instatiate #sql daily weekly monthly forever } policy { $INCLUDE policy.d/ } $INCLUDE sites-enabled/ EAP EAP eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 DISABLED WEAK EAP TYPES MD5, GTC pwd { group = 19 server_id = theserver@example.com fragment_size = 1020 virtual_server = "inner-tunnel" } tls-config tls-common { # private_key_password = whatever private_key_file = ${certdir}/server_key.pem certificate_file = ${certdir}/server_cert.pem ca_path = ${confdir}/certs ca_file = ${ca_path}/ca_cert.pem # auto_chain = yes # psk_identity = "test" # psk_hexphrase = "036363823" dh_file = ${certdir}/dh random_file = /dev/urandom fragment_size = 1024 include_length = yes check_crl = no ### check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/emailAddress=test@mycomp.com/CN=myca" ### ### check_cert_cn = %{User-Name} ### cipher_list = "DEFAULT" cipher_server_preference = no disable_tlsv1_2 = no ecdh_curve = "prime256v1" tls_min_version = "1.2" cache { enable = no lifetime = 24 max_entries = 255 #name = "EAP module" #persist_dir = "/tlscache" } verify { # skip_if_ocsp_ok = no # tmpdir = /tmp/radiusd # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" } ocsp { enable = no override_cert_url = no url = "http://127.0.0.1/ocsp/" # use_nonce = yes # timeout = 0 # softfail = no } } tls { tls = tls-common # virtual_server = check-eap-tls } ttls { tls = tls-common default_eap_type = md5 copy_request_to_tunnel = no include_length = yes # require_client_cert = yes virtual_server = "inner-tunnel-ttls" #use_tunneled_reply is deprecated, new method happens in virtual-server } ### end ttls peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = no # proxy_tunneled_request_as_eap = yes # require_client_cert = yes MS SoH Server is disabled virtual_server = "inner-tunnel-peap" #use_tunneled_reply is deprecated, new method happens in virtual-server } mschapv2 { send_error = no identity = "FreeRADIUS" } fast { tls = tls-common pac_lifetime = 604800 authority_identity = "1234" pac_opaque_key = "0123456789abcdef0123456789ABCDEF" virtual_server = inner-tunnel } } /usr/local/etc/raddb/clients.conf client "wifi" { ipaddr = 192.168.0.1 proto = udp secret = '123456789' require_message_authenticator = no nas_type = other ### login = !root ### ### password = someadminpass ### limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } default server default { listen { type = auth ipaddr = * port = 1812 } authorize { filter_username filter_password preprocess operator-name cui AUTHORIZE FOR PLAIN MAC-AUTH IS DISABLED auth_log chap mschap digest wimax IPASS suffix ntdomain eap { ok = return updated = return } unix files if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) { ### sql DISABLED ### if (true) { ### ldap ### if (notfound || noop) { reject } } } -daily -weekly -monthly -forever # Formerly checkval if (&request:Calling-Station-Id == &control:Calling-Station-Id) { ok } expiration logintime pap Autz-Type Status-Server { } } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap Auth-Type MOTP { motp } Auth-Type GOOGLEAUTH { googleauth } digest pam unix #Auth-Type LDAP { #ldap #### ldap2 disabled ### #} eap Auth-Type eap { eap { handled = 1 } if (handled && (Response-Packet-Type == Access-Challenge)) { attr_filter.access_challenge.post-auth handled # override the "updated" code from attr_filter } } } preacct { preprocess ACCOUNTING FOR PLAIN MAC-AUTH DISABLED acct_counters64 update request { &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" } acct_unique IPASS suffix ntdomain files } accounting { cui detail ### This makes it possible to run the datacounter_acct module only on accounting-stop and interim-updates if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) { datacounterdaily datacounterweekly datacountermonthly datacounterforever } unix radutmp sradutmp main_pool ### sql DISABLED ### daily weekly monthly forever if (noop) { ok } pgsql-voip exec attr_filter.accounting_response Acct-Type Status-Server { } } session { radutmp radutmp } post-auth { if (!&reply:State) { update reply { State := "0x%{randstr:16h}" } } update { &reply: += &session-state: } main_pool cui reply_log sql DISABLED ldap exec wimax update reply { Reply-Message += "%{TLS-Cert-Serial}" Reply-Message += "%{TLS-Cert-Expiration}" Reply-Message += "%{TLS-Cert-Subject}" Reply-Message += "%{TLS-Cert-Issuer}" Reply-Message += "%{TLS-Cert-Common-Name}" Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}" Reply-Message += "%{TLS-Client-Cert-Serial}" Reply-Message += "%{TLS-Client-Cert-Expiration}" Reply-Message += "%{TLS-Client-Cert-Subject}" Reply-Message += "%{TLS-Client-Cert-Issuer}" Reply-Message += "%{TLS-Client-Cert-Common-Name}" Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}" } insert_acct_class if (&reply:EAP-Session-Id) { update reply { EAP-Key-Name := &reply:EAP-Session-Id } } remove_reply_message_if_eap Post-Auth-Type REJECT { # log failed authentications in SQL, too. # sql attr_filter.access_reject eap remove_reply_message_if_eap } Post-Auth-Type Challenge { } } pre-proxy { operator-name cui files attr_filter.pre-proxy pre_proxy_log } post-proxy { post_proxy_log attr_filter.post-proxy eap Post-Proxy-Type Fail-Accounting { detail } } }

@victorrhoden00 reinstall the package remove that file redownload the black list

@parry said in packages do not work after update from pfsense 2.5.2 to pfsense 2.6.0: Does this mean 2.6 is no longer supported 2.6 is no longer supported https://docs.netgate.com/pfsense/en/latest/releases/versions.html

@johnpoz Ahh.. Thanks. Will look in to those.

@keyser i think i understood this in the first place, the thing is that from all the videos and the guides that i watched and tried i cant semm to understand where to import the pf sense host to send the data.

@keyser thank you that fixed it

This post is old but for anyone interested, I confirm the issue too: with RAM Disk, ntopng configuration is reset when a "normal" reboot of pfSense occurs (even if Periodic RAM Disk Data Backups is set). pfSense v2.7.2-RELEASE package ntopng v0.8.13_10 in pfSense (ntopng-5.6) And contrarily to what I read in other posts questioning usefulness of RAM Disk settings, from my limited understanding, I think it's quite useful on my setup: I have a "low cost" box (Beelink EQ12 with a 512Gb SSD). They don't specify the TBW of the disk but I estimated it quite low from SMART health status. After 3 or 4 months of use, SMART indicates disk reached 15% of its lifetime. With 13.1 TB of Data Units Written (raw value 25,742,265), we can approximate the TBW to around 85 TB, which means the SSD is of a very low quality. This does not bother me because I specifically looked for a low cost, "just enough" box for pfSense. By comparing SMART measures before and after enabling RAM Disk, I found 3.7/sec vs 0.2 / sec for Data Units Written and 46.2 / sec vs 0.9 / sec for Host Write Commands. I concluded RAM Disk makes a huge difference in my setup. Between RAM Disk and nTopNG, there is no doubt I prefer to keep RAM Disk.

I know what your thinking, Big deal, I got logs in pfSense, But here the issue is, most often you will be running your AP in bridge mode and having pfSense hand out the DHCP addresses, and if your in bridge mode not much info on whats connecting to the NAS internally behind the firewall is ever seen on the firewall logs. This gives you a level of visibility not normally seen within pfSense unless it is configured. Again if you can do it with one AP you can do it with an alias for many APs on a bigger network. This gives you more information into possibile mac spoofing and unauthorized access. If you use remote access and Dynamic DNS for your network, you can see the firewall logs and the AP logs as well.

same situation for me

@aes4096 said in Error updating repositories: I solved it using the command certctl rehash thx. this saved me from setting up everything from scratch. Initially I tried to view installable packages and wondered as the list was EMPTY. Then I tried the update process via command line and got multiple errors like: pkg-static update pkg-static: An error occured while fetching package Unable to update repository pfSense pkg-static clean pkg-static: Repository pfSense-core missing. 'pkg update' required The trick then was to use the debug option: pkg-static -d update Here I got an SSL certificate problem: self-signed certificate in certification chain solved it with your hint above! Thx

@kiokoman Thanks for the reply. This is just buggy app design by the NFL for use on the Roku platform. For now, I will just cast from my iPhone when I want to - that app works without fail. Thanks again.

This breaks connectivity from windows terminal openssh which is at OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3 currently in win11. No one-click way to get that updated. Also putty 0.62 didn't work but the latest 0.80 does work fine from windows. Just a heads up. /Lars

[23.05.1-RELEASE][admin@t]/root: pkg-static upgrade -fy pfSense-repoc Updating pfSense-core repository catalogue... pkg-static: An error occured while fetching package pkg-static: An error occured while fetching package repository pfSense-core has no meta file, using default settings pkg-static: An error occured while fetching package pkg-static: An error occured while fetching package Unable to update repository pfSense-core Updating pfSense repository catalogue... pkg-static: An error occured while fetching package pkg-static: An error occured while fetching package repository pfSense has no meta file, using default settings pkg-static: An error occured while fetching package pkg-static: An error occured while fetching package Unable to update repository pfSense Error updating repositories! [23.05.1-RELEASE][admin@nst]/root:

I encountered another problem with the upgrade, the upgrade to 2.7.1 or 2.7.2 not offered. I readed https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html (Repository Metadata Version Errors) I solved it in this way: From Diagnostics > Command run command: env ASSUME_ALWAYS_YES=yes pkg-static bootstrap -f Then Navigate to System > Updates Set the Branch to Latest Development Snapshots Wait for the page to refresh Set the Branch to Latest stable version And done! Now im running on 2.7.2 After upgrade The Avaible Packages are displayed.

@jimp thank you for looking into this ticket. Maybe my certs are to old, we can reproduce this on two different systems.

@mpatzwah said in HAProxy and RDP: I would like to use for example rdp1.mydomain.de connect to 172.30.30.101 rdp2.mydomain.de to 172.30.30.102 rdp3.mydomain.de to 172.30.30.103 I guess, all these host names are mapped to a single public IP. Then how do you think, they could be differed in the RDP protocol? When I switch to Type=tcp rdp works but i can´t use the rule "hosts matches" or "host contains" Yeah. The host... ACLs target to the host header, which is part of HTTP. Hence it is only available in an HTTP frontend, which is capable to read the header information. is there any way to get this working ? You shouldn't do a naked RDP connection over the internet anyway. So consider to set up a VPN server and go over the VPN, so there is no need use a single IP for multiple RDP servers.