So checking those boxes, adds these lines to the generated config

acl aclcrt_https-edge var(txn.txnhost) -m reg -i ^edge\.117pd\.xxx\.us(:([0-9]){1,5})?$ acl aclcrt_https-edge var(txn.txnhost) -m reg -i ^bbc-911\.xxx\.us(:([0-9]){1,5})?$ acl aclcrt_https-edge var(txn.txnhost) -m reg -i ^bbc-revere\.xxx\.us(:([0-9]){1,5})?$ acl aclcrt_https-edge var(txn.txnhost) -m reg -i ^flasktestapp\.xxx\.us(:([0-9]){1,5})?$ http-request set-var(txn.txnhost) hdr(host) use_backend flasktestapp_ipvANY if aclcrt_https-edge

This line

use_backend flasktestapp_ipvANY if aclcrt_https-edge

Is only added if a default backend is selected.

If I have a backend for each of these hostnames, it seems that I still need to create an ACL for each to use for backend selection.

So I guess I still don't see the point of checking those boxes and creating the aclcrt_https-edge acl .

@bmeeks

@bmeeks said in Are there any default packages?:

@TangoOversway said in Are there any default packages?:

I'm trying to eliminate as many variables as I can to narrow things down.

It won't hurt anything to remove those packages if you desire for troubleshooting. If you don't use them, then you won't create any new problem by removing them.

I was just saying that in the normal case (that is, when not trying to eliminate possible problems), leaving them installed should be fine.

Got it. Thank you!

@smokers

Browsing on the pfSense host is not supported by the package. The package is designed for managing mDNS advertisements only.

Configure Avahi like this:

Check the box that says "Enable the Avahi daemon" Select "Allow Interfaces" as the "Interface Action" Select your LAN and IOT networks in "Interfaces" Do not check the box that says "Disable IPv4" Check the box that says "Enable reflection" Do not check the box that says "Enable publishing" Do not put anything in "Advanced settings"

You are done. If you want to know if the service is running, look at Status / Services.

Avahi will allow you to discover mDNS services across the LAN and IOT segments. You will need nDNS publishers and mDNS subscribers in these networks to confirm operation.

If you are a iPhone or Mac user, Discovery.app is a good tool to see what is being advertised. I can't speak to Windows or Android.

@viktor_g said in Suppress arpwatch flip flop emails for Bonjour Sleep Proxy:

Please see https://redmine.pfsense.org/issues/10474

Thank YOU SO MUCH ! ;)

In office we have a lot of appleTV and w/o this suppressing mail/pushover would be filled in a day…

Good luck in coding!

This is in Diagnostics → Crash Reporter:

Crash report begins. Anonymous machine information: arm64 14.0-CURRENT FreeBSD 14.0-CURRENT aarch64 1400094 #1 plus-RELENG_23_09_1-n256200-3de1e293f3a: Wed Dec 6 20:59:18 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_09_1-main/obj/aarch64/8ra4gn87/var/jenkins/workspace/pfSense-Plus-snapshots-23_ Crash report details: PHP Errors: [14-Feb-2024 23:41:45 US/East-Indiana] PHP Fatal error: Uncaught TypeError: array_path_enabled(): Argument #1 ($arr) must be of type array, int given, called in /etc/inc/config.lib.inc on line 1264 and defined in /etc/inc/util.inc:3748 Stack trace: #0 /etc/inc/config.lib.inc(1264): array_path_enabled(-1, 'notifications/s...', 'disable') #1 /etc/inc/notices.inc(379): config_path_enabled('notifications/s...', 'disable') #2 /etc/inc/notices.inc(662): notify_via_smtp('Netgate pfSense...') #3 /etc/inc/notices.inc(151): notify_all_remote('Netgate pfSense...') #4 /etc/inc/config.lib.inc(239): file_notice('config.xml', 'Netgate pfSense...', 'pfSenseConfigur...', '') #5 /etc/inc/config.lib.inc(695): restore_backup('/cf/conf/backup...') #6 /usr/local/www/pkg_edit.php(233): write_config('[notes] Success...') #7 {main} thrown in /etc/inc/util.inc on line 3748 [14-Feb-2024 23:41:45 US/East-Indiana] PHP Fatal error: Uncaught TypeError: array_path_enabled(): Argument #1 ($arr) must be of type array, int given, called in /etc/inc/config.lib.inc on line 1264 and defined in /etc/inc/util.inc:3748 Stack trace: #0 /etc/inc/config.lib.inc(1264): array_path_enabled(-1, 'notifications/s...', 'disable') #1 /etc/inc/notices.inc(379): config_path_enabled('notifications/s...', 'disable') #2 /etc/inc/notices.inc(662): notify_via_smtp('PHP ERROR: Type...') #3 /etc/inc/notices.inc(151): notify_all_remote('PHP ERROR: Type...') #4 /etc/inc/config.lib.inc(1168): file_notice('phperror', 'PHP ERROR: Type...', 'PHP errors') #5 [internal function]: pfSense_clear_globals() #6 {main} thrown in /etc/inc/util.inc on line 3748 [14-Feb-2024 23:42:24 US/East-Indiana] PHP Fatal error: Uncaught TypeError: array_path_enabled(): Argument #1 ($arr) must be of type array, int given, called in /etc/inc/config.lib.inc on line 1264 and defined in /etc/inc/util.inc:3748 Stack trace: #0 /etc/inc/config.lib.inc(1264): array_path_enabled(-1, 'notifications/s...', 'disable') #1 /etc/inc/notices.inc(379): config_path_enabled('notifications/s...', 'disable') #2 /etc/inc/notices.inc(662): notify_via_smtp('Netgate pfSense...') #3 /etc/inc/notices.inc(151): notify_all_remote('Netgate pfSense...') #4 /etc/inc/config.lib.inc(239): file_notice('config.xml', 'Netgate pfSense...', 'pfSenseConfigur...', '') #5 /etc/inc/config.lib.inc(695): restore_backup('/cf/conf/backup...') #6 /usr/local/www/pkg_edit.php(233): write_config('[notes] Success...') #7 {main} thrown in /etc/inc/util.inc on line 3748 [14-Feb-2024 23:42:24 US/East-Indiana] PHP Fatal error: Uncaught TypeError: array_path_enabled(): Argument #1 ($arr) must be of type array, int given, called in /etc/inc/config.lib.inc on line 1264 and defined in /etc/inc/util.inc:3748 Stack trace: #0 /etc/inc/config.lib.inc(1264): array_path_enabled(-1, 'notifications/s...', 'disable') #1 /etc/inc/notices.inc(379): config_path_enabled('notifications/s...', 'disable') #2 /etc/inc/notices.inc(662): notify_via_smtp('PHP ERROR: Type...') #3 /etc/inc/notices.inc(151): notify_all_remote('PHP ERROR: Type...') #4 /etc/inc/config.lib.inc(1168): file_notice('phperror', 'PHP ERROR: Type...', 'PHP errors') #5 [internal function]: pfSense_clear_globals() #6 {main} thrown in /etc/inc/util.inc on line 3748 [14-Feb-2024 23:43:03 US/East-Indiana] PHP Fatal error: Uncaught TypeError: array_path_enabled(): Argument #1 ($arr) must be of type array, int given, called in /etc/inc/config.lib.inc on line 1264 and defined in /etc/inc/util.inc:3748 Stack trace: #0 /etc/inc/config.lib.inc(1264): array_path_enabled(-1, 'notifications/s...', 'disable') #1 /etc/inc/notices.inc(379): config_path_enabled('notifications/s...', 'disable') #2 /etc/inc/notices.inc(662): notify_via_smtp('Netgate pfSense...') #3 /etc/inc/notices.inc(151): notify_all_remote('Netgate pfSense...') #4 /etc/inc/config.lib.inc(239): file_notice('config.xml', 'Netgate pfSense...', 'pfSenseConfigur...', '') #5 /etc/inc/config.lib.inc(695): restore_backup('/cf/conf/backup...') #6 /usr/local/www/pkg_edit.php(233): write_config('[notes] Success...') #7 {main} thrown in /etc/inc/util.inc on line 3748 [14-Feb-2024 23:43:03 US/East-Indiana] PHP Fatal error: Uncaught TypeError: array_path_enabled(): Argument #1 ($arr) must be of type array, int given, called in /etc/inc/config.lib.inc on line 1264 and defined in /etc/inc/util.inc:3748 Stack trace: #0 /etc/inc/config.lib.inc(1264): array_path_enabled(-1, 'notifications/s...', 'disable') #1 /etc/inc/notices.inc(379): config_path_enabled('notifications/s...', 'disable') #2 /etc/inc/notices.inc(662): notify_via_smtp('PHP ERROR: Type...') #3 /etc/inc/notices.inc(151): notify_all_remote('PHP ERROR: Type...') #4 /etc/inc/config.lib.inc(1168): file_notice('phperror', 'PHP ERROR: Type...', 'PHP errors') #5 [internal function]: pfSense_clear_globals() #6 {main} thrown in /etc/inc/util.inc on line 3748 [14-Feb-2024 23:43:59 US/East-Indiana] PHP Fatal error: Uncaught TypeError: array_path_enabled(): Argument #1 ($arr) must be of type array, int given, called in /etc/inc/config.lib.inc on line 1264 and defined in /etc/inc/util.inc:3748 Stack trace: #0 /etc/inc/config.lib.inc(1264): array_path_enabled(-1, 'notifications/s...', 'disable') #1 /etc/inc/notices.inc(379): config_path_enabled('notifications/s...', 'disable') #2 /etc/inc/notices.inc(662): notify_via_smtp('Netgate pfSense...') #3 /etc/inc/notices.inc(151): notify_all_remote('Netgate pfSense...') #4 /etc/inc/config.lib.inc(239): file_notice('config.xml', 'Netgate pfSense...', 'pfSenseConfigur...', '') #5 /etc/inc/config.lib.inc(695): restore_backup('/cf/conf/backup...') #6 /usr/local/www/pkg_edit.php(233): write_config('[notes] Success...') #7 {main} thrown in /etc/inc/util.inc on line 3748 [14-Feb-2024 23:43:59 US/East-Indiana] PHP Fatal error: Uncaught TypeError: array_path_enabled(): Argument #1 ($arr) must be of type array, int given, called in /etc/inc/config.lib.inc on line 1264 and defined in /etc/inc/util.inc:3748 Stack trace: #0 /etc/inc/config.lib.inc(1264): array_path_enabled(-1, 'notifications/s...', 'disable') #1 /etc/inc/notices.inc(379): config_path_enabled('notifications/s...', 'disable') #2 /etc/inc/notices.inc(662): notify_via_smtp('PHP ERROR: Type...') #3 /etc/inc/notices.inc(151): notify_all_remote('PHP ERROR: Type...') #4 /etc/inc/config.lib.inc(1168): file_notice('phperror', 'PHP ERROR: Type...', 'PHP errors') #5 [internal function]: pfSense_clear_globals() #6 {main} thrown in /etc/inc/util.inc on line 3748 [14-Feb-2024 23:52:39 US/East-Indiana] PHP Fatal error: Uncaught TypeError: array_path_enabled(): Argument #1 ($arr) must be of type array, int given, called in /etc/inc/config.lib.inc on line 1264 and defined in /etc/inc/util.inc:3748 Stack trace: #0 /etc/inc/config.lib.inc(1264): array_path_enabled(-1, 'notifications/s...', 'disable') #1 /etc/inc/notices.inc(379): config_path_enabled('notifications/s...', 'disable') #2 /etc/inc/notices.inc(662): notify_via_smtp('Netgate pfSense...') #3 /etc/inc/notices.inc(151): notify_all_remote('Netgate pfSense...') #4 /etc/inc/config.lib.inc(239): file_notice('config.xml', 'Netgate pfSense...', 'pfSenseConfigur...', '') #5 /etc/inc/config.lib.inc(695): restore_backup('/cf/conf/backup...') #6 /usr/local/www/pkg_edit.php(233): write_config('[notes] Success...') #7 {main} thrown in /etc/inc/util.inc on line 3748 [14-Feb-2024 23:52:39 US/East-Indiana] PHP Fatal error: Uncaught TypeError: array_path_enabled(): Argument #1 ($arr) must be of type array, int given, called in /etc/inc/config.lib.inc on line 1264 and defined in /etc/inc/util.inc:3748 Stack trace: #0 /etc/inc/config.lib.inc(1264): array_path_enabled(-1, 'notifications/s...', 'disable') #1 /etc/inc/notices.inc(379): config_path_enabled('notifications/s...', 'disable') #2 /etc/inc/notices.inc(662): notify_via_smtp('PHP ERROR: Type...') #3 /etc/inc/notices.inc(151): notify_all_remote('PHP ERROR: Type...') #4 /etc/inc/config.lib.inc(1168): file_notice('phperror', 'PHP ERROR: Type...', 'PHP errors') #5 [internal function]: pfSense_clear_globals() #6 {main} thrown in /etc/inc/util.inc on line 3748 No FreeBSD crash data found.

@nambi Sure, any DNS filtering option that you are comfortable with, and find easy to use would do.
But you still need to make sure you are doing your best to block “alternative DNS options” for clients which gets somewhat more difficult if you do not use pfBlockerNG.
Don’t let clients use OpenDNS servers directly. Set up DNS Resolver in pfSense and forward it OpenDNS. Then you can still create a NAT destination rule that catches all rogue DNS client requests and forwards it to the built in resolver (using OpenDNS).
Then all you have to do is figure out how to easily block most/wellknown DNS over HTTPS/TLS servers - that will get a little hard without pfBlockerNG (where it’s quite easy)

@CZvacko said in Squidguard + Whitelist + regex:

use regex

since 2.7.2 above regex stopped work, now I use below

(.*office365\.com.*)|(.*office\.com.*)

It can also match a url like below, it doesn't bother me too much, someone can improve my regex...
HACKoffice365.com
office365.comHACK

@christopherbradski

Just following up that I figured this out and that the CLI doesn't behave exactly like the UI when adding packages. Anyways, you can check the results of my effort here: https://github.com/christopherbradski/pfsense-addons

@Gertjan thanks for all the work done above.

You are absolutely right this was an oversight on our side and yes we've decided, as per the same analytical process you went through, to use SQL as a back end instead of files and ditching pfsense altogether.

The appeal of pfsense was that it is almost he only decent GUI to manage freeradius which help with the adoption internally.

Thanks a lot for the reply.

@jecker it’s probably this:
https://docs.netgate.com/pfsense/en/latest/backup/zfsbe/space.html

Just ignore the size shown and delete a few old ones.

same problem here with flip flop notifications for a server that uses a bridge on its interface.

MAC are all lower case here, as reported in the notification.

package version 0.2.1

I switched back to using the ISC DHCP server. Now arpwatch is working properly again. It seems the new DHCP server was the problem.

@izanatos It seems as if
/cf/conf/config.xml
refers to files like:
/usr/local/pkg/freeradiussettings.xml
and
/usr/local/pkg/freeradiusclients.xml

As far as I can tell, those files do not contain configuration and are merely a template for the web GUI. So the question is/remains where can we find the configuration? I've been searching for known values but I could not find any.

I'm sure I still have to learn a lot about how pfSense works and interacts with installed packages. Suggestions are welcome. :-D

@SteveITS said in Package Manager is down on my end, it is the same for others?:

https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html#upgrade-not-offered-library-errors

Thanks again, this fixed it!

There are number instructions posts, but none about how to get rid of the "permission denied" line

Hey, I have a free radius server that support eap tls 1.3.
I send an eap tls authentication using Windows 11 and see by wireshark that packet are really eap tls 1.3.
but then when i do it using MacOS / iphone / android that support eap tls 1.3 by default (as wrote in apple and android forums) i see an Client hello of 1.2 without the extension of support version and the authentication is by eap tls 1.2.
Anyone saw this issue/ know if they are really support authentication of eap tls 1.3 ? I use same certificates for all of the clients and install them.
Thanks, Nir.

@moh10ly the link is no longer available

@johnpoz
@johnpoz

Below is my configuration for EAP-tls but I am unable to connect to wifi for windows
radiusd.conf

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run
db_dir = ${raddbdir}
libdir = /usr/local/lib/freeradius-3.2.3
pidfile = ${run_dir}/${name}.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
hostname_lookups = no
regular_expressions = yes
extended_expressions = yes

log {
destination = files
colourise = yes
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = yes
auth = yes
auth_badpass = yes
auth_goodpass = yes
msg_goodpass = ""
msg_badpass = ""
msg_denied = "You are already logged in - access denied"
}

checkrad = ${sbindir}/checkrad
security {
allow_core_dumps = no
max_attributes = 200
reject_delay = 1
status_server = no
# Disable this check since it may not be accurate due to how FreeBSD patches OpenSSL
allow_vulnerable_openssl = yes
}

$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_queue_size = 65536
max_requests_per_server = 0
auto_limit_acct = no
}

modules {
$INCLUDE ${confdir}/mods-enabled/
}

instantiate {
exec
expr
expiration
logintime
### Dis-/Enable sql instatiate
#sql
daily
weekly
monthly
forever
}
policy {
$INCLUDE policy.d/
}
$INCLUDE sites-enabled/

EAP

EAP

eap {
default_eap_type = tls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096

DISABLED WEAK EAP TYPES MD5, GTC pwd { group = 19 server_id = theserver@example.com fragment_size = 1020 virtual_server = "inner-tunnel" } tls-config tls-common { # private_key_password = whatever private_key_file = ${certdir}/server_key.pem certificate_file = ${certdir}/server_cert.pem ca_path = ${confdir}/certs ca_file = ${ca_path}/ca_cert.pem # auto_chain = yes # psk_identity = "test" # psk_hexphrase = "036363823" dh_file = ${certdir}/dh random_file = /dev/urandom fragment_size = 1024 include_length = yes check_crl = no ### check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/emailAddress=test@mycomp.com/CN=myca" ### ### check_cert_cn = %{User-Name} ### cipher_list = "DEFAULT" cipher_server_preference = no disable_tlsv1_2 = no ecdh_curve = "prime256v1" tls_min_version = "1.2" cache { enable = no lifetime = 24 max_entries = 255 #name = "EAP module" #persist_dir = "/tlscache" } verify { # skip_if_ocsp_ok = no # tmpdir = /tmp/radiusd # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" } ocsp { enable = no override_cert_url = no url = "http://127.0.0.1/ocsp/" # use_nonce = yes # timeout = 0 # softfail = no } } tls { tls = tls-common # virtual_server = check-eap-tls } ttls { tls = tls-common default_eap_type = md5 copy_request_to_tunnel = no include_length = yes # require_client_cert = yes virtual_server = "inner-tunnel-ttls" #use_tunneled_reply is deprecated, new method happens in virtual-server } ### end ttls peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = no # proxy_tunneled_request_as_eap = yes # require_client_cert = yes MS SoH Server is disabled virtual_server = "inner-tunnel-peap" #use_tunneled_reply is deprecated, new method happens in virtual-server } mschapv2 { send_error = no identity = "FreeRADIUS" } fast { tls = tls-common pac_lifetime = 604800 authority_identity = "1234" pac_opaque_key = "0123456789abcdef0123456789ABCDEF" virtual_server = inner-tunnel } }

/usr/local/etc/raddb/clients.conf

client "wifi" {
ipaddr = 192.168.0.1
proto = udp
secret = '123456789'
require_message_authenticator = no
nas_type = other
### login = !root ###
### password = someadminpass ###
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}

default

server default {
listen {
type = auth
ipaddr = *
port = 1812
}

authorize {

filter_username filter_password preprocess operator-name cui AUTHORIZE FOR PLAIN MAC-AUTH IS DISABLED auth_log chap mschap digest wimax IPASS suffix ntdomain eap { ok = return updated = return } unix files if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) { ### sql DISABLED ### if (true) { ### ldap ### if (notfound || noop) { reject } } } -daily -weekly -monthly -forever # Formerly checkval if (&request:Calling-Station-Id == &control:Calling-Station-Id) { ok } expiration logintime pap Autz-Type Status-Server { }

}

authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
Auth-Type MOTP {
motp
}
Auth-Type GOOGLEAUTH {
googleauth
}
digest

pam unix #Auth-Type LDAP { #ldap #### ldap2 disabled ### #} eap Auth-Type eap { eap { handled = 1 } if (handled && (Response-Packet-Type == Access-Challenge)) { attr_filter.access_challenge.post-auth handled # override the "updated" code from attr_filter } }

}

preacct {
preprocess

ACCOUNTING FOR PLAIN MAC-AUTH DISABLED acct_counters64 update request { &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" }

acct_unique

IPASS suffix ntdomain files

}

accounting {

cui detail ### This makes it possible to run the datacounter_acct module only on accounting-stop and interim-updates if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) { datacounterdaily datacounterweekly datacountermonthly datacounterforever } unix radutmp sradutmp main_pool ### sql DISABLED ### daily weekly monthly forever if (noop) { ok } pgsql-voip exec attr_filter.accounting_response Acct-Type Status-Server { }

}

session {

radutmp radutmp

}

post-auth {

if (!&reply:State) { update reply { State := "0x%{randstr:16h}" } } update { &reply: += &session-state: } main_pool cui reply_log sql DISABLED ldap exec wimax update reply { Reply-Message += "%{TLS-Cert-Serial}" Reply-Message += "%{TLS-Cert-Expiration}" Reply-Message += "%{TLS-Cert-Subject}" Reply-Message += "%{TLS-Cert-Issuer}" Reply-Message += "%{TLS-Cert-Common-Name}" Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}" Reply-Message += "%{TLS-Client-Cert-Serial}" Reply-Message += "%{TLS-Client-Cert-Expiration}" Reply-Message += "%{TLS-Client-Cert-Subject}" Reply-Message += "%{TLS-Client-Cert-Issuer}" Reply-Message += "%{TLS-Client-Cert-Common-Name}" Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}" } insert_acct_class if (&reply:EAP-Session-Id) { update reply { EAP-Key-Name := &reply:EAP-Session-Id } } remove_reply_message_if_eap Post-Auth-Type REJECT { # log failed authentications in SQL, too. # sql attr_filter.access_reject eap remove_reply_message_if_eap } Post-Auth-Type Challenge { }

}

pre-proxy {

operator-name cui files attr_filter.pre-proxy pre_proxy_log

}

post-proxy {

post_proxy_log attr_filter.post-proxy eap Post-Proxy-Type Fail-Accounting { detail }

}
}