Subcategories

  • Discussions and feedback related to this forum

    605 Topics
    3k Posts

    @stephenw10 One thing I have noticed on iOS Safari and just put together…if I reply to a message it looks fine. When I tap into the text field to type it zooms in enough to hide the > icon. Let’s see if this makes it:


    …so I have to zoom out or scroll right to submit.

  • Community Hiring and For Hire postings related to jobs that require pfSense software skills

    27 Topics
    114 Posts
    w0w

    @sef1414
    Name it "run.sh", copy it to pf and chmod it according to the documentation:
    https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html#shell-script-option
    You will see messages in the system log like those quoted in the script after the logger command.

  • OS installation

    0 Votes
    6 Posts
    615 Views
    stephenw10

    Flattened Device Tree. It's a file that describes the hardware devices and locations that an OS uses.

  • WPA2-Enterprise (EAP-TLS) User Authentication finally works on Windows 10 - how to use Computer Authentication and strip out "host/" in username?

    0 Votes
    12 Posts
    2k Views

    @jamesg246 said in WPA2-Enterprise (EAP-TLS) User Authentication finally works on Windows 10 - how to use Computer Authentication and strip out "host/" in username?:

    @Finger79 I have this working with Computer authentication, but only with the Check Client Certificate CN option disabled in EAP settings. If I enable this, it stops working.

    That's interesting. The "Check Client Certificate CN" option in EAP settings doesn't seem to do anything for me. Thread here with the Redmine bug report linked: Longstanding FreeRADIUS EAP-TLS security bug on validating client certificate common name

    In other words, even with "Check Client CN" enabled, I can completely delete the FreeRADIUS Users table and clients can still connect. Strange behavior.

  • Hardware antivirus

    0 Votes
    5 Posts
    488 Views
    bmeeks

    The only way to peer into encrypted traffic (which is darn near 100% of web and email traffic these days) is to use a MITM (man-in-the-middle) proxy certificate system. That means installing trusted certificates for your proxy on all clients (PCs, laptops, and phones) that you wish to monitor. The MITM intercepts and terminates a client's outbound connection to some website, decrypts the traffic, then the proxy establishes its own connection on behalf of that client to the original website. Traffic returned is re-encrypted using the proxy's certificate and sent back to the original client. For this to work without browsers throwing security errors, the proxy's certificate presented to the clients must be trusted and verifiable by the clients. And the clients must be configured to send all outbound requests to the proxy.

    Doing this on a home system is very difficult and basically not really worth the effort to implement and maintain. There are "for sale" commercial systems that are cloud-based and handle the MITM interception for you. But again, this requires a customized configuration on each client. It's not something that just happens by magic by purchasing some service.

    And attempting to virus scan encrypted traffic is a complete waste of effort. How would you scan encrypted traffic for a virus? After all, the data bits are scrambled up to appear as random data specifically so that nobody other than the final receiving client who has the decryption key can unscramble and read them. So, say you put a hardware virus scanner on your WAN, how is it going to make sense of encrypted traffic? That's why antivirus solutions work best at the traffic endpoints. Only there can they see unencrypted traffic by hooking into the client OS at a point after where the browser or other application has already decrypted the traffic and it is again cleartext.

  • pfSense with OpenWRT Guest logon with VLAN

    0 Votes
    84 Posts
    20k Views

    @stephenw10 said in pfSense with OpenWRT Guest logon with VLAN:

    Yes, wireless clients will be isolated from each other if that is set on the access point. They would not be isolated from wired devices on the VLAN that AP is bridged to.

    What exactly are you wanting to isolate?

    I was just finally responding to Nikos... but I do Client Isolation on my WAP clients on my IOT VLAN... and all my wired IP Cameras are on that VLAN as well. I just have rules to isolate the wired stuff in pfSense itself.

    Linksys e8450 looks like nice device. 😃

    Yeah, I got some back channel info that one of the OpenWRT Devs is now coding for MediaTek and that some of the Linksys/Belkin stuff was going to get "extra" attention. They do seem to have potential but there is a UBI memory hack from DangoWRT that works... but is suddenly causing devices to die.... almost like they've had a Covid shot too many.😉

    Anyway... long story short, I'm having an issue getting the DSA build you and I worked on configured under Openwrt 23.05.3. Either I forgot the process, or it isn't going to work... I've even tried editing in the info in the tar backup Network file. I'll figure it out or I'll send you an e8450/rt3200 🙂

    JP... yes, I'm hearing you in my head... unify, unify, unify. But I really need 4 ethernet ports on two of my remote WAPs with backhaul.

  • Why your firewall will kill you

    0 Votes
    7 Posts
    747 Views
    ingridguerci94

    UAC was supposed to protect against that. But people kept complaining about annoying prompts, so Windows made the default security level for newer OSes "medium", which doesn't ask about built-in programs running with Admin privileges.

    Instead they now use safe screen stuff that looks up a program trying to run on the internet to determine if it should display an additional prompt.

    Basically just turn UAC to high first thing on a new PC and never have an issue like the one displayed.

  • Any Home Assistant Users? TTS with SSL question

    0 Votes
    1 Posts
    121 Views
    No one has replied
  • Any tips, what can to do with a second router( OpenWRT )

    Moved
    0 Votes
    5 Posts
    349 Views

    @elvisimprsntr Not for me)) But anyway, thank you for the tip

  • My French Brothers, Is This Fake?

    0 Votes
    4 Posts
    350 Views
    Gertjan

    @NollipfSense said in My French Brothers, Is This Fake?:

    Is it real? @Gertjan

    I'm not sure at all.
    I'm 700 km away from Paris, and when I approach Paris it's always at FLT 30.

    From what I know, the guy isn't that popular in France.

    I've looked around (the net) a bit, and could only find references on a site called "tiktok".

    edit: closing the wheel with some kind of sheet will make it sensitive to the slightest bit of wind. Apply some basic physics rules and you'll know it's fake.

  • Do you use dhcp reservations?

    1 Votes
    62 Posts
    14k Views
    Sergei_Shablovsky

    @johnpoz said in Do you use dhcp reservations?:

    @JonathanLee said in Do you use dhcp reservations?:

    I do not want any mac address cloning going on.

    Who is going to clone your macs?

    Hackers. Black hackers.
    Or cyber warriors from China, Iran, russia. (They are in 120-180ms distance from Your data ;)

    And for what purpose?

    1. Steal money. Or steal some info about Your clients to steal MUCH MORE money from them.
    2. Make damage for Your country.

    Mac cloning is only a thing if they are already on your network..

    Because around 80% of devices at home, work and office are connected by WiFi, airsnort and a fake DHCP server for MITM work well.

    I would love to hear your theory how anyone could use that to do anything? That doesn't already have full access to my network anyway..

    Hm. Are You serious? I do not believe that You say that…

    BTW, I prefer using the “IP reservation” feature ONLY as some sort of helpful feature in administration and for pf rules work.
    And THIS IS NOT A SECURITY BARRIER in any way!

    When planning infrastructure each one needs to keep in mind that MAC/IP DOES NOT MAKE A DEVICE TRUSTED, this is just an ID.
    And like Your passport w/o photo or biometric chip, it may be stolen by someone.

    One of the basic rules nowadays must be: EACH DEVICE MUST HAVE ITS OWN CERTS. NO CERTS, NO RIGHTS, NO ACCESS ANYWHERE!

    Am I wrong?

  • CRT fun

    0 Votes
    6 Posts
    548 Views
    JonathanLee

    Done.
    YEAH!!! my color CRT is back yeah!!! I loved this thing as a kid.


  • Chuggington

    Moved
    0 Votes
    1 Posts
    157 Views
    No one has replied
  • pfsense CE device to Netgate 8200

    0 Votes
    5 Posts
    344 Views

    @stephenw10

    Noted on this, will do.

    Thank you!

  • Reverting from 23.5 to 2.7.2 breaks when using my RealTek 2.5GB NICs

    0 Votes
    8 Posts
    625 Views
    stephenw10

    There is a chat facility that serves that function. It's generally better to keep things public though so others can benefit or contribute.

  • Building a package of my own

    0 Votes
    4 Posts
    546 Views
    bmeeks

    There is a long thread discussing third-party package building here: https://forum.netgate.com/topic/169749/pfsense-compile-requirements-for-3rd-party-software. There are other similar threads in that Development sub-forum.

    Like @Gertjan stated, the best way to start is by analyzing an existing package that is similar in form and function to the one you wish to create. Packages on pfSense are either GUI-only, or they may have both a GUI part and then an underlying binary component that typically runs as a service (or background daemon). In that latter case, the GUI portion of the package is used to create the necessary configuration files and environment for the binary piece and then launches the binary piece as appropriate.

    GUI packages are stored in the FreeBSD-ports repo of pfSense and will have pkg-pfSense- as their name prefix. The package will be stored in the appropriate subfolder of the ports tree (sysutils, security, network, etc.). The base URL for the pfSense FreeBSD-ports repo is on GitHub here: https://github.com/pfsense/FreeBSD-ports.

    GUI portions of packages are typically written in PHP with a sprinkling of JavaScript if needed. There is an old XML framework for creating package GUI templates, but it is used less and less these days. Here is a link to the official package development docs that describe the XML template format: https://docs.netgate.com/pfsense/en/latest/development/develop-packages.html.

  • pfSense Netdata - Verified and Working Elegantly !

    4 Votes
    14 Posts
    6k Views

    @ionoci said in pfSense Netdata - Verified and Working Elegantly !:

    @KrPacMan I got it working on 2.7.2
    In /usr/local/etc/pkg/repos/pfSense.conf + /usr/local/etc/pkg/repos/FreeBSD.conf

    FreeBSD: { enabled: yes }

    after that installed packages:

    pkg install pkgconf bash e2fsprogs-libuuid libuv nano
    pkg install json-c py39-certifi py39-asn1crypto py39-pycparser py39-cffi py39-six py39-cryptography py39-idna py39-openssl py39-pysocks py39-urllib3 py39-yaml
    pkg install netdata

    BIG thank you! I got some version mismatch during the installation but it worked anyways! I'm so very happy to get it working.

  • Restart PPPoE manually?

    0 Votes
    8 Posts
    4k Views
    Gertjan

    @murdof

    Probably because you're looking at forum messages that are 8 years old, from 2016. pfSense 2.2.6 is very ancient now.

  • ATT Fiber aggressive dhcp

    0 Votes
    10 Posts
    3k Views
    johnpoz

    @stephenw10 yeah it can work - but for one it would be flooding his syslog server, and 2nd for what valid reason would you want such a short lease..

    lets do the math, every 5 minutes log to syslog.. Or every 12 hours..

    so in 24 hours we would have 2, vs 288 ;), 1 week we have 14 vs 2016.. 2k junk entries in my syslog = why?

    Why would the ISP want their clients renewing dhcp every 5 minutes... That just seems insane.. Let's say I have 100k users.. That is a lot of renewals for zero point.. Unless they overbooked, and not all their users can be on at the same time?? Because they don't have enough IPs to hand out?

  • Control D: ctrld

    0 Votes
    4 Posts
    1k Views

    @ericafterdark I'm actually one of the authors of ctrld. If you're into fancy DNS routing, you may dig this article on how to use ctrld with pfSense, and what you can accomplish with it, especially if you use Control D as an upstream. https://github.com/Control-D-Inc/ctrld/wiki/pfSense-and-OPNsense-Operations-Guide

  • who will offer free bgp transit and peering to me?

    0 Votes
    3 Posts
    451 Views
    yon 0

    @michmoor said in who will offer free bgp transit and peering to me?:

    @yon-0
    You mean IPsec with BGP?
    And you policy route over the vpn tunnel to me and I route you out my internet?

    Use GRE, SIT, WireGuard, OpenVPN, all is OK. Peering or transit. Where is your network point?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.