Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    N

    Can I use pgblockerng aliases in Haproxy?


    If it was a firewall rule, typing pfb would produce a dropdown to select.

    Here it has to be written, but will it work? Is it supported?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeksB

    I saw where the Netgate kernel developer updated the Suricata package in the pfSense 25.07 development branch to work with the new kernel PPPoE driver. But so far as I know that updated package has not been migrated to 2.8 CE.

    Here is the commit into the DEVEL branch: https://github.com/pfsense/FreeBSD-ports/commit/68a06b3a33c690042b61fb4ccfe96f3138e83b72.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidthd, ntopng, etc.

    571 Topics
    3k Posts
    K

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do a backup, or also with a cron job.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    GertjanG

    @AlexK-0 said in Can't receive GeoIP databases updates anymore, banned:

    Days ago, I received from MaxMind an email notifying me that my country has been banned from receiving GeoLite City database updates.

    You've found a reason to use a VPN.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    99 Topics
    2k Posts
    K

    @elvisimprsntr thanks for your suggestion. I will give it a try.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    EChondoE

    @fxandrei Found this thread via Google. And I figured out what OP did, so here's the explanation:

    In the pfSense webpage do:

    Click on "Services" and select "Acme Certificates".
    Edit any of your certificate entries by clicking on the pencil icon.
    Scroll to the bottom of the certificate edit page and find the "Actions list" section.
    Click on "Add" to add a new action and fill out the information as needed. For HAProxy restarting do:
    Mode: Enabled
    Command: /usr/local/etc/rc.d/haproxy.sh restart
    Method: Shell Command
    And finally "Save" at the bottom of the cert edit page.

    As far as I can tell, the above action seems to propagate to all certificates that I have, not just a single one. I am not sure if this is just a visual bug, but just something to be aware of.

    I haven't been able to confirm if the above works (mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

    Hopefully this helps you and anyone else that finds this thread via searching.
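
    As an added example (not code from the post above, nor from the ACME or HAProxy packages): a wrapper to use as the "Shell Command" action instead of an unconditional restart. It restarts HAProxy only if the PEM bundle it will load is structurally complete: at least one certificate block, exactly one private key block, and every BEGIN marker paired with its END. The bundle path is passed as the argument and is an assumption; the restart command is the one from the post. The checks are shell-only and catch a truncated or half-written bundle, not a wrong key, which only haproxy -c or openssl would.

```sh
#!/bin/sh
# Added example, not from the original post or the ACME package.
# Use as the ACME "Shell Command" action with the HAProxy bundle path as
# argument; it restarts HAProxy only when the bundle looks loadable.

# Print "<opens> <closes>" for PEM blocks whose type matches a grep pattern.
pem_block_counts() {
    file=$1; kind=$2
    opens=$(grep -c -e "-----BEGIN ${kind}-----" "$file" || true)
    closes=$(grep -c -e "-----END ${kind}-----" "$file" || true)
    echo "$opens $closes"
}

# Return 0 if the bundle has >=1 certificate block, exactly 1 private key
# block (PKCS#8 "PRIVATE KEY", "RSA PRIVATE KEY" or "EC PRIVATE KEY"),
# and every BEGIN has its END. Anything else is treated as a bad write.
bundle_is_sane() {
    bundle=$1
    [ -s "$bundle" ] || return 1
    set -- $(pem_block_counts "$bundle" "CERTIFICATE")
    [ "$1" -ge 1 ] && [ "$1" -eq "$2" ] || return 1
    set -- $(pem_block_counts "$bundle" ".*PRIVATE KEY")
    [ "$1" -eq 1 ] && [ "$2" -eq 1 ] || return 1
    return 0
}

# Fail closed: a bad bundle leaves the running HAProxy (still serving the
# previous, still-valid certificate) untouched and logs why.
restart_haproxy_if_sane() {
    bundle=$1
    if bundle_is_sane "$bundle"; then
        /usr/local/etc/rc.d/haproxy.sh restart
    else
        logger -t acme-hook "not restarting HAProxy: bundle $bundle failed sanity check"
        return 1
    fi
}

# Entry point when invoked as the action; with no argument, only define functions.
if [ "$#" -ge 1 ]; then
    restart_haproxy_if_sane "$1"
fi
```

    Point the action at this script with the bundle path as its argument (Method: Shell Command, as in the post). If the check fails, the old certificate keeps serving until the next renewal run, which is preferable to HAProxy refusing to start on a half-written file.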

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    R

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered it automatically. Only restarting FRR (either in GUI or via CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI it seems to solve the problem as well.

  • Discussions about the Tailscale package

    89 Topics
    574 Posts
    A

    Hello,
    I am unable to get the Tailscale package to work. The page at VPN > Tailscale > Authentication is stuck. It displays the error "Tailscale is not online," but also shows a "Logout and Clean" button, with no option to log in.

    This state persists even after performing the following troubleshooting steps:

    Rebooting the pfSense router.

    Completely uninstalling and reinstalling the Tailscale package multiple times.

    Clearing browser cache and using a private browser window.

    Toggling the main "Enable Tailscale" checkbox in the settings.

    Checking the logs, which show the service gets a "terminate" signal and shuts down cleanly; it does not crash.

    Manually trying to delete the state file with rm /var/db/tailscale/tailscaled.state, which failed because the file does not exist.

    It appears that the package's configuration is corrupted in a way that persists even after reinstallation. Can anyone advise on how to perform a complete manual cleanup of all Tailscale files and settings?

  • Discussions about WireGuard

    689 Topics
    4k Posts
    P

    @patient0 Thanks for further suggestions. The tunnel is definitely up and so I don't think this is a CGNAT issue after all. WAN firewall rule is in place for UDP on port 51823 (otherwise the tunnel wouldn't work, right?). I can ping from client 1 -> client 2 and vice versa and also ping all points in between like you suggest. I just can't open an HTTPS connection to pfSenseB from Client 1 using a browser. But I can do this the other way round, i.e. from Client 2 to pfSenseA.

    I will try and do some packet capture to see if that reveals anything.

  • SG-1100 with AVAHI - Issues with SamSung SmartThings?

    4
    0 Votes
    4 Posts
    651 Views
    P

    Well, I realized after typing it was probably a better idea if I had placed the question on the Avahi Forum. @tman222 , thanks for the input. As it turns out just as I was diving in to try to tackle the issue, a day after I posted it, it all started working with no additional changes...

  • Changing FreeRadius Framed-MTU Attribute

    2
    0 Votes
    2 Posts
    1k Views
    T

    Hi all - just thought I would follow up and bump this to the top to see if anyone had any idea where in the FreeRadius package configuration I would need to make an adjustment for the Framed-MTU attribute. Thanks again for your help, I really appreciate it.

  • Beginner SG-1100 - Available packages null or fail to install Avahi

    10
    0 Votes
    10 Posts
    2k Views
    chrismacmahonC

    We were a bit late on twitter, we don't do RSS feeds, nor really have much on our blog for service issues.

    We are hoping the delay on twitter has been corrected.

  • Abandoned packages

    2
    0 Votes
    2 Posts
    675 Views
    GrimsonG

    https://www.netgate.com/docs/pfsense/development/submitting-a-pull-request-via-github.html start from there.

  • Block downloads based on file extension

    4
    0 Votes
    4 Posts
    4k Views
    C

    @cheonne

    not working for me

  • workaround for bug in tinc package

    4
    1 Votes
    4 Posts
    1k Views
    B

    with the result that the OS seemed to totally mess up the interface names.

    $ ifconfig -l
    [...] tnc0
    $ ifconfig tnc0
    ifconfig: interface tnc0 does not exist
    $ ifconfig
    (considered as spam by akismet)

    For some strange reason ifconfig does not show an interface name in front of the colon. It then occurred to me that maybe a bloody carriage return character is involved. And indeed:

    $ ifconfig `printf "tnc0\r" `
    (considered as spam by akismet) [...]

    The reason for the \r was this one...

    $ file /usr/local/etc/tinc/tinc-up
    /usr/local/etc/tinc/tinc-up: ASCII text, with CRLF, LF line terminators

    while the default tinc-up script (when the text field is left empty) is
    /usr/local/etc/tinc/tinc-up: ASCII text

    This is the actual problem that caused all the trouble and that definitely needs to be fixed in the tinc package for pfSense.
    As a workaround I added comment signs # at the end of each line, so the \r character is not appended to the interface name, e.g.

    ifconfig $INTERFACE name tnc0 #

    After a reboot the interface was finally named correctly; however, after adding the "tnc0" interface in the web interface the next boot hung with

    Warning: Configuration references interfaces that do not exist: tnc0

    and the interfaces have to be manually reassigned first.

    I then finally noticed that renaming the interface isn't actually necessary and the problem was that the \r was also appended to the group name, i.e. "pkg_tinc\r".
    My final working tinc-up script thus reads

    ifconfig $INTERFACE 192.168.21.7 netmask 255.255.255.255 #
    ifconfig $INTERFACE group pkg_tinc #
    route add -host 192.168.21.7 -interface $INTERFACE #
    route add -net 192.168.18.0/24 192.168.21.7 #

    (sorry for the partial postings, but as a single post it was considered as spam by stupid "akismet")
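
    As an added example (not from the post above or the tinc package): a check that finds the CRLF problem described there and shows why the shell hands ifconfig "tnc0" with a carriage return attached. Word splitting only strips IFS characters (space, tab, newline), so a CR stays glued to the last word of each line, which is exactly what hit both the interface name and the "pkg_tinc" group name. The tinc-up path is the one from the post; the fix is tr -d '\r', which removes the root cause instead of masking it with a trailing #.

```sh
#!/bin/sh
# Added example, not from the original post or the tinc package: detect CRLF
# line endings in a tinc-up script and rewrite it with LF only.

# Return 0 if the file contains a carriage return anywhere.
has_cr() {
    grep -q "$(printf '\r')" "$1"
}

# Length of the last word on the first line, as the shell would see it.
# CR is not in IFS, so "ifconfig $INTERFACE name tnc0<CR>" yields a last
# word of 5 characters, and ifconfig is asked for an interface named
# "tnc0<CR>" that does not exist.
last_word_len() {
    IFS= read -r line < "$1"
    last=
    for w in $line; do last=$w; done
    printf '%d\n' "${#last}"
}

# Convert the file to LF-only endings in place, keeping a backup.
strip_cr() {
    f=$1
    cp "$f" "$f.crlf.bak"
    tr -d '\r' < "$f.crlf.bak" > "$f"
}

# Run against the real script when executed directly (path from the post).
tinc_up=${1:-/usr/local/etc/tinc/tinc-up}
if [ -f "$tinc_up" ] && has_cr "$tinc_up"; then
    echo "$tinc_up has CRLF line endings; rewriting with LF"
    strip_cr "$tinc_up"
fi
```

    Running it once after pasting a script into the package's text field (or adding it to the tinc-up script itself as a first step) is enough; after the rewrite, file(1) reports plain "ASCII text" as it does for the package default.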

  • stunnel question

    3
    0 Votes
    3 Posts
    754 Views
    D

    Who wrote the stunnel package?

    Why is only ip 127.0.0.1 accepted and not other IPs in "Listen on IP" field?

  • Having difficulties with Squid and SquidGuard

    2
    0 Votes
    2 Posts
    347 Views
    GertjanG

    Hi,

    Just a wild guess: try setting up from LAN (it still has the default rules?).

  • bind 9.12 on pfsense

    10
    0 Votes
    10 Posts
    1k Views
    L

    PS: if I make a query like:
    dig @ns2.bicsa.co.cu -x 200.55.178.24/29.30
    ;;##

    [root@temis ~]# dig @ns2.bicsa.co.cu -x 200.55.178.24/29.30

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> @ns2.bicsa.co.cu -x 200.55.178.24/29.30
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45248
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;30.24/29.178.55.200.in-addr.arpa. IN PTR

    ;; ANSWER SECTION:
    30.24/29.178.55.200.in-addr.arpa. 1200 IN PTR ksmg.bicsa.cu.

    ;; AUTHORITY SECTION:
    24/29.178.55.200.in-addr.arpa. 1200 IN NS ns1.bicsa.co.cu.

    ;; ADDITIONAL SECTION:
    ns1.bicsa.co.cu. 1200 IN A 200.55.178.28

    ;; Query time: 287 msec
    ;; SERVER: 200.55.136.19#53(200.55.136.19)
    ;; WHEN: Fri Jan 18 14:20:58 2019
    ;; MSG SIZE rcvd: 120
    ;;##

    As I said, if I make the query dig @ns2.bicsa.cu -x 200.55.178.30 it is refused.
    So am I missing something? Or is this the correct behaviour, or do I have the zone name wrong, or have I not been making the query correctly... sorry, and thanks in advance.

  • 0 Votes
    3 Posts
    506 Views
    bmeeksB

    @john-the-ripper said in Which rules should be active is there enabling WAN and LAN interfaces on SNORT?:

    I am new to computer networking. I would like to setup SNORT for my small office.

    I was wondering what is the difference between enabling SNORT on WAN and LAN and

    Which rules should be active is there enabling WAN and LAN interfaces on SNORT?

    Thanks for your help in advance.

    Put Snort on the LAN interface only. Putting it on the WAN will just log a bunch of junk the firewall is going to drop anyway. Plus, as @NogBadTheBad said, on the WAN all of your LAN host IP addresses will show in alerts "after NAT", meaning they will have the WAN's public IP. This is not very helpful when you are trying to determine which local host triggered the alert.

    As for which rules, I suggest you do this to use a Snort Team provided IPS policy.

    Get a Snort Subscriber Rules account. There are free and paid versions. You have to register for both. The difference in the two is explained at the link you will find on the GLOBAL SETTINGS tab in Snort. You can also use this link.

    After you get your Snort Oinkcode, enable the Snort Subscriber Rules by clicking the checkbox and paste your Oinkcode into the box provided on the GLOBAL SETTINGS tab.

    Go to the UPDATES tab and click Update to get a fresh copy of the Snort rules. Be sure to wait until the pop-up modal dialog auto-closes before leaving the page. It will take several seconds to a minute or more to download the rules.

    Now click on the INTERFACES tab and add your LAN interface to Snort if you have not done that already. Leave things at their defaults initially. I recommend you do not enable blocking initially to give you some time to see what alerts your network generates. If you turn on blocking right away, expect some false positives and some headaches caused by blocking what are really OK things (those false positives). Save the new interface. You should get returned to the INTERFACES tab.

    Click the edit icon for your LAN and then click on to the CATEGORIES tab. Click the checkbox to "Enable IPS Policy" and then choose the "IPS - Connectivity" policy in the drop-down. Let that be it at first. That is a good starter set of rules put together by the Snort team. Click Save on the page.

    Return to the INTERFACES tab and click the "start" icon to start Snort on the LAN. Hover over the icons to see a pop-up tooltip of what each icon does. Wait for Snort to start. The icon will turn into a green gear when Snort is running.

    You're done for now. Let it run like that for a week or so to give you a chance to see what kinds of alerts you get. Decide if you are getting any false positives (those are very likely with some of the HTTP_INSPECT rules), and suppress or disable the false positive rules. There are numerous threads here about setting up Suppress Lists and which rules to disable in Snort. Search for them to get some Snort tuning advice from other experienced Snort users.

    After you get the rules tuned up, then you can go to the INTERFACE SETTINGS tab again for the LAN and enable blocking. Remember when you make changes on the INTERFACE SETTINGS tab, you need to restart Snort on the interface for the changes to take effect.

  • pfsense / freeRADIUS

    Moved
    2
    0 Votes
    2 Posts
    511 Views
    NogBadTheBadN

    Do a radtest to verify it's working:

    root@unifi:~# radtest -4 andy password 172.16.0.1 1812 ClientSharedSecret
    Sending Access-Request of id 181 to 172.16.0.1 port 1812
    User-Name = "andy"
    User-Password = "password"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 1812
    Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 172.16.0.1 port 1812, id=181, length=34
    Class = 0x61646d696e73
    Service-Type = Administrative-User
    root@unifi:~#

    https://support.microfocus.com/kb/doc.php?id=7014552

    You could also do a radsniff -x on pfSense.

  • BIND DNS Package on pfsense

    1
    0 Votes
    1 Posts
    297 Views
    No one has replied
  • BIND GUI is missing "advanced options"

    7
    0 Votes
    7 Posts
    1k Views
    S

    I reinstalled the package and it's there.


    I don't know why it wasn't in the first place but thanks for the help!

  • Help with bind package and dynamic dns server by my own and ecme package

    2
    0 Votes
    2 Posts
    659 Views
    GertjanG

    @luisenrique said in Help with bind package and dynamic dns server by my own and ecme package:

    https://www.netgate.com/docs/pfsense/dns/rfc2136-dynamic-dns.html

    To get you started: check out the link again. Read everything several times.
    Using a script or program (like nsupdate) locally, or remotely, works great, but every bit counts here: the slightest error and you're KO.

    The big hint is here https://www.netgate.com/docs/pfsense/dns/rfc2136-dynamic-dns.html - the last line :
    And that should be it. Assuming the firewall has connectivity to the name server, and there are no other access policies that would prevent the update, RFC2136 DynDNS service is now working. Should anything not work as expected, check the system log and/or the log on the name server.

    The last six words will give you the solution: check out bind's log files (they have to be set up, of course).
    They tell you how the update went, and what failed.

  • How do I know what's new in a pfSense package update?

    3
    0 Votes
    3 Posts
    474 Views
    M

    @jimp Ok, thank you!

  • 0 Votes
    1 Posts
    399 Views
    No one has replied
  • HAProxy Maint Mode Page

    4
    0 Votes
    4 Posts
    1k Views
    P

    @brailyn
    Well.. ssl/https uses 'mode tcp'. And haproxy will not send the errorfile in that case.
    To make haproxy respond with a http error response, you would need it to 'offload' the ssl traffic with a certificate. Or if you can supply haproxy with the certificate you could still pass the main traffic as-is with the sni frontend and send it to a second 'local frontend' that does the decryption of the https request if a backend is down to serve the error reply.. Together with a nbsrv acl to switch to that second 'error frontend' if the webserver is down.

  • Package database getting deleted

    8
    0 Votes
    8 Posts
    2k Views
    R

    My bad.
    I had a proxy URL configured. Removing it has solved my problem.

    Thanks for you help everyone.

    Ricky

  • BIND forwarding is not working

    28
    0 Votes
    28 Posts
    12k Views
    B

    In case somebody is still having this issue:
    https://forum.netgate.com/topic/139262/query-forwarding-in-bind9-is-not-working

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.