I am about to give up on the Avahi package.

After uninstalling it and waiting for a day, I reinstalled the package and then my hardwired desktop on subnet A was able to discover and manage/cast to the Chromecast devices on subnet B.  Then a day later, with no changes, the desktop can no longer see the Chromecast devices.

The only thing that would have changed is that unbound was restarted by pfBlockerNG DNSBL over night.

I uninstalled the Avahi package and will try again one more time.

FRR found and fixed the issues last year.  After discussion with our security experts when we ran across these issues we decided to not issue a CVE

@johnpoz:

if your goal is to just strip out netflix AAAA you can do that much easier with a python script you can get running in unbound..

https://forum.pfsense.org/index.php?topic=134352.0
Netflix and HE.net tunnel fixed using Unbound python module

That is… not what I would call "much easier", given how much hand-hacking is required.  The nice feature of the DNS method is that it's all standard packages, entirely controlled via the webconfigurator, using built-in features (Unbound's domain overrides and BIND's AAAA-stripping).  The only tweaking by hand that I've done is to work around what strikes me as a package misconfiguration, in that neither resolver can be told to listen on a different port for remote controls.  The fact that Unbound's configuration includes the defaults at the end rather than the beginning seems to me to be a bug, but I don't want to have that fight.

And in fact, I bet that somebody really good at BIND configs could accomplish the same thing using only named, no script fiddling needed, and turning off Unbound entirely.  (I am not that person.  I've spent too much of my life being pissed off at BIND.)

But it's good that there are multiple ways to solve Netflix and other organizations' stupidity!  The people who love getting their hands into scripts will prefer the method you linked.  I was that person when I was younger, but I don't want that kind of thing on my homelab anymore.  :-)  I do like that Unbound can use python that way now.

@Napsterbater:

Unrelated, safe to ignore. pfSense/kernel does not currently support TCP Fast Open, which is all that warning is telling you.

Yeah, I just this morning found a discussion on a mailing list describing how ISC's configuration on this feature is really, really braindead.  It's apparently turned on/off by what the kernel on the build machine can do, and there's no way to control it other than editing the generated header file, e.g., post-config sed script.  Anything at runtime not matching what the build machine used ends up reported as "unexpected error".

Come to think of it, stuff like this is why I stopped using BIND…  auuugh I drank heavily to purge the memories of those years now it's all coming back noooo

@slkamath:

I tried running the below command, after that package manager is not showing.
echo 'dnsthingy:{url: "https://storage.googleapis.com/downloads.dnsthingy.com/pfsense/pkg/'uname -m'",enabled: yes}' > /usr/local/etc/pkg/repos/dnsthingy.conf
I tried this before upgrade and tried after upgrade to 2.4.2-RELEASE-p1. No luck. SO i think problem with the command.

You are poking files into /usr/local/etc/pkg/repos …
Something coming from "googleapis.com" ....
"dnsthingy"  :o
At least I'm sure now something isn't working well.

@        IN NS  10.15.1.1.
@        IN A  10.15.1.1

Sorry but pointing NS to IP address not valid… Nor is that a valid SOA..

Both of which would be a FQDN and then sure an A record for that name pointing to the IP..

Install 2.4.2_1 and restore your configuration.

Contact the support team at https://customercare.netgate.com and someone can help you track that down.

Unfortunately that one is a bit generic so it's hard to say. It looks like some kind of connectivity or DNS issue from the firewall itself. Though if you can install the package it should have good working connectivity to all of the pfSense servers.

First, make sure that you can check for updates and that pfSense is fully up-to-date as well.

Also try NOT attaching the system log.
I have had problems with the system log containing stuff the parser does not like and the script fails.

–
Genghes

This has been fixed now. I was finally able to reproduce the original issue.

I'd also like to know how to configure this on an amd64 setup.

Is it a simple matter of copying over the relevant .ko files into /boot/kernel and configuring loader.conf?

I don't need 'much' in the way of video features, just blank the screen after a timeout, and wake it when there's local keyboard activity.  Don't need resolution control, hardware acceleration or any of that.

thanks -flo- it worked.  :)

Well there you go then.. He has everything he needs to run guest wifi and vlans..

Hi,

What about upgrading your pfSense first ?

@MichaelB:

Upgraded to the latest Snort version.

Now it seems like the full_syslog_full is working, but ONLY if you send it to a remote syslog server. So you can't send full events to a local syslog. I just modified my grok rules to be able to catch syslog events forwarded from the local system to a remote syslog (via status => system logs), but that format is different when you send them directly from snort to a remote syslog.

I think it should work, I'll modify the grok rules later today. However, to improve consistency with other logs forwarded via the system, perhaps it is a good idea to also allow "local full syslog complete" .

In other words, now I have:

output log_syslog_full: sensor_name snort.WAN, server 192.168.2.2, protocol udp, port 514, operation_mode complete, payload_encoding hex, log_facility LOG_USER, log_priority LOG_INFO

Which gives a different format on my remote syslog server then when using the following in combination with remote logging via the status => system logs setting:

output log_syslog_full: sensor_name snort.WAN, operation_mode complete, payload_encoding hex, log_facility LOG_USER, log_priority LOG_INFO

Kr,
Michael

I did in fact code it so that full packet capture only works to a remote syslog server.  It is not a good idea to fill up your local firewall system log with full packet captures, so I elected to not make that available.

Bill

Hi bmeeks

I have checked my settings and I do not have the RamDisk setting on. As I am new to pfSense can you list the steps to check? So far I have uninstalled Snort and them installed again keeping my original settings.

There may be something that I have checked that is interfering with the download. Not sure what it is through.

Using NUT on pfSense you have a couple of options:

Directly monitor the UPS via SNMP

The NUT client can talk to a remove apcupsd server.

Given a choice, I would choose option 1 as this works regardless of whether the Windows system is functioning or not.

I can't speak to apcupsd on pfSense.

" a field for HTTP options to be injected into the header. "

No as it states its where you put in options to passthru to the frontend.. This common theme on all packages and or services in pfsense.  There are gui settings for the obvious stuff… but more advanced features can be put into a custom box that are added to the conf file, etc.

Look fired up a frontend - put your option in the box, check out the cfg file..  See attached pic

you can also put that option in global or default section, etc.

frontendoptions.png
frontendoptions.png_thumb