@CZvacko said in Squidguard + Whitelist + regex:

use regex

since 2.7.2 above regex stopped work, now I use below

(.*office365\.com.*)|(.*office\.com.*)

It can also match a url like below, it doesn't bother me too much, someone can improve my regex...
HACKoffice365.com
office365.comHACK

@christopherbradski

Just following up that I figured this out and that the CLI doesn't behave exactly like the UI when adding packages. Anyways, you can check the results of my effort here: https://github.com/christopherbradski/pfsense-addons

@Gertjan thanks for all the work done above.

You are absolutely right this was an oversight on our side and yes we've decided, as per the same analytical process you went through, to use SQL as a back end instead of files and ditching pfsense altogether.

The appeal of pfsense was that it is almost he only decent GUI to manage freeradius which help with the adoption internally.

Thanks a lot for the reply.

@jecker it’s probably this:
https://docs.netgate.com/pfsense/en/latest/backup/zfsbe/space.html

Just ignore the size shown and delete a few old ones.

same problem here with flip flop notifications for a server that uses a bridge on its interface.

MAC are all lower case here, as reported in the notification.

package version 0.2.1

I switched back to using the ISC DHCP server. Now arpwatch is working properly again. It seems the new DHCP server was the problem.

@izanatos It seems as if
/cf/conf/config.xml
refers to files like:
/usr/local/pkg/freeradiussettings.xml
and
/usr/local/pkg/freeradiusclients.xml

As far as I can tell, those files do not contain configuration and are merely a template for the web GUI. So the question is/remains where can we find the configuration? I've been searching for known values but I could not find any.

I'm sure I still have to learn a lot about how pfSense works and interacts with installed packages. Suggestions are welcome. :-D

@SteveITS said in Package Manager is down on my end, it is the same for others?:

https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html#upgrade-not-offered-library-errors

Thanks again, this fixed it!

There are number instructions posts, but none about how to get rid of the "permission denied" line

Hey, I have a free radius server that support eap tls 1.3.
I send an eap tls authentication using Windows 11 and see by wireshark that packet are really eap tls 1.3.
but then when i do it using MacOS / iphone / android that support eap tls 1.3 by default (as wrote in apple and android forums) i see an Client hello of 1.2 without the extension of support version and the authentication is by eap tls 1.2.
Anyone saw this issue/ know if they are really support authentication of eap tls 1.3 ? I use same certificates for all of the clients and install them.
Thanks, Nir.

@moh10ly the link is no longer available

@johnpoz
@johnpoz

Below is my configuration for EAP-tls but I am unable to connect to wifi for windows
radiusd.conf

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run
db_dir = ${raddbdir}
libdir = /usr/local/lib/freeradius-3.2.3
pidfile = ${run_dir}/${name}.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
hostname_lookups = no
regular_expressions = yes
extended_expressions = yes

log {
destination = files
colourise = yes
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = yes
auth = yes
auth_badpass = yes
auth_goodpass = yes
msg_goodpass = ""
msg_badpass = ""
msg_denied = "You are already logged in - access denied"
}

checkrad = ${sbindir}/checkrad
security {
allow_core_dumps = no
max_attributes = 200
reject_delay = 1
status_server = no
# Disable this check since it may not be accurate due to how FreeBSD patches OpenSSL
allow_vulnerable_openssl = yes
}

$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_queue_size = 65536
max_requests_per_server = 0
auto_limit_acct = no
}

modules {
$INCLUDE ${confdir}/mods-enabled/
}

instantiate {
exec
expr
expiration
logintime
### Dis-/Enable sql instatiate
#sql
daily
weekly
monthly
forever
}
policy {
$INCLUDE policy.d/
}
$INCLUDE sites-enabled/

EAP

EAP

eap {
default_eap_type = tls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096

DISABLED WEAK EAP TYPES MD5, GTC pwd { group = 19 server_id = theserver@example.com fragment_size = 1020 virtual_server = "inner-tunnel" } tls-config tls-common { # private_key_password = whatever private_key_file = ${certdir}/server_key.pem certificate_file = ${certdir}/server_cert.pem ca_path = ${confdir}/certs ca_file = ${ca_path}/ca_cert.pem # auto_chain = yes # psk_identity = "test" # psk_hexphrase = "036363823" dh_file = ${certdir}/dh random_file = /dev/urandom fragment_size = 1024 include_length = yes check_crl = no ### check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/emailAddress=test@mycomp.com/CN=myca" ### ### check_cert_cn = %{User-Name} ### cipher_list = "DEFAULT" cipher_server_preference = no disable_tlsv1_2 = no ecdh_curve = "prime256v1" tls_min_version = "1.2" cache { enable = no lifetime = 24 max_entries = 255 #name = "EAP module" #persist_dir = "/tlscache" } verify { # skip_if_ocsp_ok = no # tmpdir = /tmp/radiusd # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" } ocsp { enable = no override_cert_url = no url = "http://127.0.0.1/ocsp/" # use_nonce = yes # timeout = 0 # softfail = no } } tls { tls = tls-common # virtual_server = check-eap-tls } ttls { tls = tls-common default_eap_type = md5 copy_request_to_tunnel = no include_length = yes # require_client_cert = yes virtual_server = "inner-tunnel-ttls" #use_tunneled_reply is deprecated, new method happens in virtual-server } ### end ttls peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = no # proxy_tunneled_request_as_eap = yes # require_client_cert = yes MS SoH Server is disabled virtual_server = "inner-tunnel-peap" #use_tunneled_reply is deprecated, new method happens in virtual-server } mschapv2 { send_error = no identity = "FreeRADIUS" } fast { tls = tls-common pac_lifetime = 604800 authority_identity = "1234" pac_opaque_key = "0123456789abcdef0123456789ABCDEF" virtual_server = inner-tunnel } }

/usr/local/etc/raddb/clients.conf

client "wifi" {
ipaddr = 192.168.0.1
proto = udp
secret = '123456789'
require_message_authenticator = no
nas_type = other
### login = !root ###
### password = someadminpass ###
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}

default

server default {
listen {
type = auth
ipaddr = *
port = 1812
}

authorize {

filter_username filter_password preprocess operator-name cui AUTHORIZE FOR PLAIN MAC-AUTH IS DISABLED auth_log chap mschap digest wimax IPASS suffix ntdomain eap { ok = return updated = return } unix files if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) { ### sql DISABLED ### if (true) { ### ldap ### if (notfound || noop) { reject } } } -daily -weekly -monthly -forever # Formerly checkval if (&request:Calling-Station-Id == &control:Calling-Station-Id) { ok } expiration logintime pap Autz-Type Status-Server { }

}

authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
Auth-Type MOTP {
motp
}
Auth-Type GOOGLEAUTH {
googleauth
}
digest

pam unix #Auth-Type LDAP { #ldap #### ldap2 disabled ### #} eap Auth-Type eap { eap { handled = 1 } if (handled && (Response-Packet-Type == Access-Challenge)) { attr_filter.access_challenge.post-auth handled # override the "updated" code from attr_filter } }

}

preacct {
preprocess

ACCOUNTING FOR PLAIN MAC-AUTH DISABLED acct_counters64 update request { &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" }

acct_unique

IPASS suffix ntdomain files

}

accounting {

cui detail ### This makes it possible to run the datacounter_acct module only on accounting-stop and interim-updates if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) { datacounterdaily datacounterweekly datacountermonthly datacounterforever } unix radutmp sradutmp main_pool ### sql DISABLED ### daily weekly monthly forever if (noop) { ok } pgsql-voip exec attr_filter.accounting_response Acct-Type Status-Server { }

}

session {

radutmp radutmp

}

post-auth {

if (!&reply:State) { update reply { State := "0x%{randstr:16h}" } } update { &reply: += &session-state: } main_pool cui reply_log sql DISABLED ldap exec wimax update reply { Reply-Message += "%{TLS-Cert-Serial}" Reply-Message += "%{TLS-Cert-Expiration}" Reply-Message += "%{TLS-Cert-Subject}" Reply-Message += "%{TLS-Cert-Issuer}" Reply-Message += "%{TLS-Cert-Common-Name}" Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}" Reply-Message += "%{TLS-Client-Cert-Serial}" Reply-Message += "%{TLS-Client-Cert-Expiration}" Reply-Message += "%{TLS-Client-Cert-Subject}" Reply-Message += "%{TLS-Client-Cert-Issuer}" Reply-Message += "%{TLS-Client-Cert-Common-Name}" Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}" } insert_acct_class if (&reply:EAP-Session-Id) { update reply { EAP-Key-Name := &reply:EAP-Session-Id } } remove_reply_message_if_eap Post-Auth-Type REJECT { # log failed authentications in SQL, too. # sql attr_filter.access_reject eap remove_reply_message_if_eap } Post-Auth-Type Challenge { }

}

pre-proxy {

operator-name cui files attr_filter.pre-proxy pre_proxy_log

}

post-proxy {

post_proxy_log attr_filter.post-proxy eap Post-Proxy-Type Fail-Accounting { detail }

}
}

@victorrhoden00 reinstall the package remove that file redownload the black list

@parry said in packages do not work after update from pfsense 2.5.2 to pfsense 2.6.0:

Does this mean 2.6 is no longer supported

2.6 is no longer supported

https://docs.netgate.com/pfsense/en/latest/releases/versions.html

@johnpoz Ahh.. Thanks. Will look in to those.

@keyser i think i understood this in the first place, the thing is that from all the videos and the guides that i watched and tried i cant semm to understand where to import the pf sense host to send the data.

@keyser thank you that fixed it

This post is old but for anyone interested, I confirm the issue too: with RAM Disk, ntopng configuration is reset when a "normal" reboot of pfSense occurs (even if Periodic RAM Disk Data Backups is set).

pfSense v2.7.2-RELEASE package ntopng v0.8.13_10 in pfSense (ntopng-5.6)

And contrarily to what I read in other posts questioning usefulness of RAM Disk settings, from my limited understanding, I think it's quite useful on my setup: I have a "low cost" box (Beelink EQ12 with a 512Gb SSD). They don't specify the TBW of the disk but I estimated it quite low from SMART health status. After 3 or 4 months of use, SMART indicates disk reached 15% of its lifetime. With 13.1 TB of Data Units Written (raw value 25,742,265), we can approximate the TBW to around 85 TB, which means the SSD is of a very low quality. This does not bother me because I specifically looked for a low cost, "just enough" box for pfSense.
By comparing SMART measures before and after enabling RAM Disk, I found 3.7/sec vs 0.2 / sec for Data Units Written and 46.2 / sec vs 0.9 / sec for Host Write Commands. I concluded RAM Disk makes a huge difference in my setup. Between RAM Disk and nTopNG, there is no doubt I prefer to keep RAM Disk.