@paanvaannd said in Unable to modify (i.e., install, remove, or reinstall) packages via Web interface + Snort installed but not showing up in Web GUI:

Thank you for taking the time to help and explain, @bmeeks!

Per your and others' comments in that linked thread, I'm not hopeful that Snort/Suricata would have much hope of working on my SG-3100 even after 2.5.2 rolls around (I'd link directly to your comment but I can't figure out how to copy a permalink on this site...) so I may just upgrade to the SG-6100 since it's Intel-based.

Yes, the SG-3100 is not the best choice right now for the IDS/IPS packages. It is due to the 32-bit ARM processor chip in that box. Because of the 32-bit ARM processor and the lack of Rust support for it, it is not possible to run any version of Suricata on that hardware newer than 4.x. That is two versions behind, and no longer supported by the Suricata team.

I did everything the manual says.

So I did add 127.0.0.1 as a NAS/client.

And I did not add Class := "admins" as a reply-item. I tried now but it does not change the result. Still getting "Authentication error". And radsnitch produces the same (type of) output.

But thank you for the suggestion.

@nogbadthebad /usr/local/etc/raddb/mods-config/files/authorize[19]: Entry does not begin with a user name is the error I get with the " instead of '

"network" MD5-Password := "redacted"

Service-Type = Administrative-User, Cisco-AVPair ="shell:priv-lvl=15" Class := "admins"

Here is my user file for that user

Solved. ended up needing to have a comma at the end of each line other then the last line.

@victorrobellini The mac addresses are there, I've just censored the last three hex pairs for the sake of privacy. Same for the WAN IP. There's nothing wrong with the influx data, and as I mentioned previously, I was able to fix the problem by moving the value mappings under the Field tab to the Overrides tab in order to explicitly apply them to the Status field - which it sounds like you've implemented in the latest update.

@gertjan Yup I am on 2.5.1 - just saying since 2.5 I have not really seen as many package updates as I used to. Seems like the updates are just slow - nothing is broken, thanks for pitching in.

@johnpoz You were right, you need to de-select any interfaces in the tftp proxy so it looks like this, then it works correctly.
10ca2c63-d318-4302-8cab-b45a93d8a166-image.png

You need to be specific on what exactly conf thing you want exposed to be able to edit.. From your post I really have no idea what you set in the conf.

@gertjan Yea, it's one of the first things on my list when I can afford anything.

@lightningbit said in Any mail from the pfsense appliance has "Arpwatch Notification" in the subject line, even when it is from a completely different package:

I assume this is a bug? or is there another way to fix this?

The issue is already known, and a solution is in the pipeline : read https://redmine.pfsense.org/issues/11366

@drumsergio said in Arpwatch - Telegram notifications:

https://redmine.pfsense.org/issues/11972

There should be a new section on the Arpwatch service page to select whether to send notifications via e-mail or Telegram.

The destination of notifications is set up here : System > Advanced > Notifications
Notification can be mailed and/or telegrammed and/or Pushovered (whatever that might be).

Btw : You can 'have it' right now :
Edit :
/usr/local/arpwatch/sendmail_proxy.php

Close to the last line :
Replace :

send_smtp_message($message, "{$config['system']['hostname']}.{$config['system']['domain']} - Arpwatch Notification : {$subject[1]}");

For :

$message = $config['system']['hostname']}.{$config['system']['domain']." - Arpwatch Notification : ".$subject[1]." - "; /* or something else - I didn't test with Telegram */ notify_via_telegram($message) ;

@user172643

Thanks, but to be clear, does VPN provider C really see both my unencrypted traffic and my home IP?

VPN Provider C (last hop, hop3) sees only encrypted traffic from VPN Provider B (hop2) and not your WAN IP.

Internet provider (WAN IP) sees only encrypted traffic from VPN provider A (hop1).

Did I get this wrong, is there a difference between nesting and cascading (i thought these were the same)?

Some VPN providers advertise different technology with multihop. You have to ask the VPN provider how this works.

Nested VPN (tunnel in tunnel) is described here.

You can check the traffic over SSH with these commands:

WAN:

tcpdump -i vtnet0 -vnn port 1149 # change vtnet0 and port 1149

VPN1:

tcpdump -i ovpnc1 -vnn

VPN2:

tcpdump -i ovpnc2 -vnn

VPN3:

tcpdump -i ovpnc3 -vnn

I am not an expert in routing. I'm sure others can contribute as well.

I have edited the first image in post 1. Maybe you understand it more clearly now.

@kom
Thanks for the info. I was not aware of tip or cu. I'll check them out. Thanks for the warning about installing external packages as well!
👍

@stephenw10 Yes, I think 5GB is already enough. I will try your solution, but I created a new machine in VirtualBox and freshly installed Pfsense there, and it works perfectly. All specs are the same, which is weird.

@egeekial said in speedtest CLI dying out:

The new Ookla FreeBSD version works fine.

Hi,
Is this Version also working with the Speedtest Widget?
Thanks
fireodo

I use the pfSense Check with SNMP and CheckMK Client at the moment. But I'm trying to figure out, if theres a better way like checks over SSH.

Very sad, that theres no agent installation over the package manager :(

Just as a followup:

As I've read somewhere in forums that bind 9.16.12 is supposed to have a memory leak (which might have caused my crashes) I've manually updated bind to the current 9.16.15 where this was fixed:

pkg add -f https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/bind916-9.16.15.txz

I've never had issues since this update.

9.16.15 is not available via package manager yet (no idea how long this takes before the package is updated in the pfsense package manager).

What are you trying to accomplish exactly.. Why do you think you should bridge all your networks together?

Why are you trying to use a tap vpn connection? The only point to such a setup would before allowing for L2 discovery.. Ie broadcast and multicast? Why would you want/need that?

Do you want to control traffic between your wireless network and your lan?

@vukuze said in Error node_exporter 0.18.1_1:

I am not some kind of pfSense guru and my advice may be wrong, but here is my solution of the same problem:

mkdir -p /usr/local/etc/rc.conf.d cp /usr/local/etc/rc.d/node_exporter /usr/local/share/pfSense-pkg-node_exporter/node_exporter.sh

My node_exporter 0.18.1_2 on pfsense 2.5.1 gave me the same could not open error. I used these commands verbatim and after reboot the service started up and the metrics were exposed as expected. Thank you

@whitetiger-it said in Some questions about APCUPSD:

I have to display pop-ups, send an email and send a message with Telegram. So I have to use a script, but I can't get it to start when the state changes.

Sorry - I have no Idea ...

@dilan123

Looks like it's all working again today! You might want to see if it's working for you too.

Hello,

this was not the trick!
Removed the Database and reinstalled the Zabbix-Proxy and the Zabbix Client
Nothing changed - the Problem is still there.

@mg85 thanks, i do have Auto Optimize enabled but not the second.

Also i previously had this working under PIMD once the SONOS controller cached the SONOS devices ip addresses so i don't think its firewall rules.

To be honest i have given up on this for now. I believe i did try with my Sonos One wired into one of the switches to try and determine whether unifi was to blame and i don't think it worked. So i feel it may be more than unifi.

I'm also questioning whether IOT stuff and Sonos devices need seperate VLANs anyway. it was a nice little project but i'm not certain its worth the effort given the large number of ports i have seen people posting about need to have open even once multicast is working. Actually on that point, i'd be interested in understanding people's driver for segregating SONOS devices like this.

Hope to give this another try at some point. Ta

@steveits I have been encountering the same issue and finally digested this setting in /usr/local/etc/apcupsd/apcupsd.conf:

# The ONBATTERYDELAY is the time in seconds from when a power failure # is detected until we react to it with an onbattery event. # # This means that, apccontrol will be called with the powerout argument # immediately when a power failure is detected. However, the # onbattery argument is passed to apccontrol only after the # ONBATTERYDELAY time. If you don't want to be annoyed by short # powerfailures, make sure that apccontrol powerout does nothing # i.e. comment out the wall. ONBATTERYDELAY 6

The onbattery condition is immediately logged to the apcupsd event log and syslog, but the email notification is withheld until the ONBATTERYDELAY has transpired to eliminate unnecessary notifications for brief transients. I see that your outages were only on second long, so they would not have satisfied the default 6-second condition.

If you want to be notified of brief outages, you might create a powerout script in /usr/local/etc/apcupsd/ similar to the onbattery script.

Galen

@whitetiger-it
You may want to look at MRTG. I'm sure someone has adapted it for UPSs (either APCUPSD or NUT).
MRTG
I have a FreeBSD NAS (Xigmanas) which has UPS monitoring that looks a lot like MRTG. Maybe you could spin up a minimal VM with it and monitor that way? The NAS uses NUT to monitor pfSense as slave, which in turn uses APCUPSD to monitor the USB-connected APC on the host... Simple! :/
a3a9005e-b53a-4829-aaa5-3e13bbf5de0b-image.png

https://redmine.pfsense.org/issues/11802

@nogbadthebad
Cool, looks interesting. Thank you. I'll try.
Yes, the Google OTP is per user, so it looks like I'll have to create every user twice (not huge effort).

@skogs yes correct. But I am not doing the 2.6 devel release. The other day a new snapshot nuked my 2.6 devel lab install. It is absurd that this is still not fixed. Luckily pfsense is free ad I am glad I don’t have the plus appliances. Then again a similar fix was released within days for pfsense Plus for this same multi wan bug….makes you wonder 💭

My advice stay on 2.4.5 -p1 as long as you can. I am doing the same. I am using pfblockerng there but only ip blocking. I moved to dedicated AdGuard Home server on a raspberry pi for dnsbl blocking.

Really no one had similar issue with this?

@jahonix said in After an Installation Recovery, "Freeradius Package Won't Start":

https://forum.pfsense.org/index.php?topic=129649.0

Go to:

Services->FreeRadius

EAP(Tab)

Scroll down to: Certificates for TLS

SSL CA Certificate-> Select Certificate(If you dont have need to create it System->Cert. Manager)

SSL Revocation List-> Select Certificate

SSL Server Certificate

Start FreeRADIUS service

Has anybody had success running check_mk 2.0 agent on pfSense 21.02?

Do steps look exactly as described here:

https://forum.netgate.com/topic/131967/check_mk-on-pfsense-2-4-w-update-persistence

?

That post is almost 3 years old.