Moved this to packages since the questions you are asking are more relevant to the FreeRADIUS package support for Google Authenticator than OpenVPN.

It can be used multiple times, it's no different than manually entering the OTP configuration in a similar tool such as Authy or Bitwarden manually, but more convenient. No time limit, it's just a QR code version of the user configuration data. No. Nothing in pfSense directly. Other RADIUS servers may have options for things like that. Check around for things like daloradius which may have plugins for what you want. You can then point the auth at that external RADIUS server and let it handle the user auth and OTP.

Any time you rely on the user to "self-register" or similar terms for their own VPN setup, it's weakening security. Yes, managing users and VPN configurations is a chore, but anything that makes it substantially easier almost certainly makes it more open to attack or abuse.

@bingo600 After some additional digging it seems it’s not related to Zabbix but rather unbound resolver in combination with pfblockerNG-devel 3.0.16

I’m investigating further for now, but stopping pfblockerNG (which stops and reconfigures unbound) releases the allocated diskspace which then returns to the 25% it should be.

Maybe it’s something related to the new python integration i pfblockerNG and Unbound.

The Issue must have arisen when I upgraded to 21.05 from 21.02

I’ll close this thread and create a new one under the pfBlockerNG forum.

The question was solved.Thank you all very much!!!

@paanvaannd said in Unable to modify (i.e., install, remove, or reinstall) packages via Web interface + Snort installed but not showing up in Web GUI:

Thank you for taking the time to help and explain, @bmeeks!

Per your and others' comments in that linked thread, I'm not hopeful that Snort/Suricata would have much hope of working on my SG-3100 even after 2.5.2 rolls around (I'd link directly to your comment but I can't figure out how to copy a permalink on this site...) so I may just upgrade to the SG-6100 since it's Intel-based.

Yes, the SG-3100 is not the best choice right now for the IDS/IPS packages. It is due to the 32-bit ARM processor chip in that box. Because of the 32-bit ARM processor and the lack of Rust support for it, it is not possible to run any version of Suricata on that hardware newer than 4.x. That is two versions behind, and no longer supported by the Suricata team.

I did everything the manual says.

So I did add 127.0.0.1 as a NAS/client.

And I did not add Class := "admins" as a reply-item. I tried now but it does not change the result. Still getting "Authentication error". And radsnitch produces the same (type of) output.

But thank you for the suggestion.

@nogbadthebad /usr/local/etc/raddb/mods-config/files/authorize[19]: Entry does not begin with a user name is the error I get with the " instead of '

"network" MD5-Password := "redacted"

Service-Type = Administrative-User, Cisco-AVPair ="shell:priv-lvl=15" Class := "admins"

Here is my user file for that user

Solved. ended up needing to have a comma at the end of each line other then the last line.

@gertjan Yup I am on 2.5.1 - just saying since 2.5 I have not really seen as many package updates as I used to. Seems like the updates are just slow - nothing is broken, thanks for pitching in.

@johnpoz You were right, you need to de-select any interfaces in the tftp proxy so it looks like this, then it works correctly.
10ca2c63-d318-4302-8cab-b45a93d8a166-image.png

You need to be specific on what exactly conf thing you want exposed to be able to edit.. From your post I really have no idea what you set in the conf.

@gertjan Yea, it's one of the first things on my list when I can afford anything.

@lightningbit said in Any mail from the pfsense appliance has "Arpwatch Notification" in the subject line, even when it is from a completely different package:

I assume this is a bug? or is there another way to fix this?

The issue is already known, and a solution is in the pipeline : read https://redmine.pfsense.org/issues/11366

@drumsergio said in Arpwatch - Telegram notifications:

https://redmine.pfsense.org/issues/11972

There should be a new section on the Arpwatch service page to select whether to send notifications via e-mail or Telegram.

The destination of notifications is set up here : System > Advanced > Notifications
Notification can be mailed and/or telegrammed and/or Pushovered (whatever that might be).

Btw : You can 'have it' right now :
Edit :
/usr/local/arpwatch/sendmail_proxy.php

Close to the last line :
Replace :

send_smtp_message($message, "{$config['system']['hostname']}.{$config['system']['domain']} - Arpwatch Notification : {$subject[1]}");

For :

$message = $config['system']['hostname']}.{$config['system']['domain']." - Arpwatch Notification : ".$subject[1]." - "; /* or something else - I didn't test with Telegram */ notify_via_telegram($message) ;

@kom
Thanks for the info. I was not aware of tip or cu. I'll check them out. Thanks for the warning about installing external packages as well!
👍

@stephenw10 Yes, I think 5GB is already enough. I will try your solution, but I created a new machine in VirtualBox and freshly installed Pfsense there, and it works perfectly. All specs are the same, which is weird.

I use the pfSense Check with SNMP and CheckMK Client at the moment. But I'm trying to figure out, if theres a better way like checks over SSH.

Very sad, that theres no agent installation over the package manager :(