@MeisterBlocker said in Cert Manager Layout:

I already asked this question last year in the german forum and had not received an answer yet.

Because there was/is none. But after having dozens of pages of posts, you could've asked again after some time - no problem with that. ;)

As for huge deployments with high 3 digit or 4 digit numbers of certificates, I'd definitly go another route as to manage it on pfSense. After all, you only need the CA and a server cert to run the server part. You can/could deploy/script yourself another way to create/generate your config files (e.g. a generic config with links to generic named files that can be bundled with the certs). I'd assume with that high count of VPN connections, you don't manage the users on pfSense either but use some other auth like Radius or LDAP

@lytledd said in Web Interface login issue:

Is there a remote system that pfSense tries to access

Yes ...
(all depends if it tries to refresh the version info - packages updates - the copy right notice at the bottom of the is often refreshed)

@lytledd said in Web Interface login issue:

and is down

As seen a couple of weeks ago : this actually happened.

@lytledd said in Web Interface login issue:

Running under ESXI

I'm using pfSense on dedicated hardware for a decade or so. Experimenting with it running under Hyper-V @home since a couple of month and I can confirm : this opens up another boat load of possible issues.
When you use an 'external' syslogger (another VM instance for example) you can see all the http GUI requests coming in. You'll be knowing that the GUI works, but that PHP is busy 'doing something' == probably waiting to time out "something".

@Gertjan Yeah we will have one from now 😄

Thanks for your help ;)

you can do a simple scp command to backup the full xml somewhere - so that is very simple to script.. But just pulling out the aliases and then the hard part would be the partial scripted restore.. Of just that section..

Its been discussed in the past, have never seen anyone do it. And its not built in sort of feature.

How many changes to aliases do you make? That this is something you would want to script?

You do understand you can point alias to some other location, and just use a common location you update right... The url table function, and have it update every so many X days

urltable.png

@xoomdust said in 1x1 Pixel on login:

That's probably what it is. I'm guessing SSH is not enabled by default? I can't SSH in.

Nope. You need console access then.

Ouch, could not find anything with the search function and overlooked this thread you linked.
Thanks for clearing it up.

-Rico

@forbidden_magic said in Web GUI Issue (pfSense_2.4.4-p2):

but it tells me that the address is already in use and fails to bind.

By who / what process ?

edit : enter console mode, option 8 and run this command :

ps ax | grep 'nginx'

kill any nginx 'master' process.
Using the kill command followed by the process ID.

Use also

sockstat -4l | grep ':80'

to see which process is bound to the port 80.

Kill them all - and retry option 11.

Your WAN is RFC1918? You need to uncheck Block private networks and loopback addresses then.

-Rico

@JeGr Sorry for taking so long to reply.

Broken link came from navigating to the "Status" --> "Monitoring" page in my pfSense router, then clicking on the "?" icon in the top right of the page. That links to "https://192.168.1.1/help.php?page=status_monitoring.php", which seems to redirect to "http://docs.pfsense.org/index.php/No_Help_Found", which then redirects to "https://docs.netgate.com/pfsense/en/latest/index.html". I was expecting documentation about the "Monitoring" page. I guess I'm still just a n00b but I was expecting the redirect to something that actually pertained to the page I was looking at.

I don't know how the "documentation" and the "book" differ in the origin of their content. I erroneously thought they originated from the same place because their visual layout was / is nearly identical. I had to compare the URLs side-by-side to realize I was looking at a different body of documentation. We can consider this issue resolved.

@kom Hi
Yeah, it's a little weird, I'll look for a phone with a newer version of android and do the test. Thanks.

forget my question.
I should read the whole doc before asking...

https://docs.netgate.com/pfsense/en/latest/usermanager/locked-out-of-the-webgui.html#ldap-authentication-problems

@gertjan thanks! I've checked that post but it seems in that case he's waiting quite a few of seconds. I'm waiting here like a 2 seconds or so to load the main web page, while the others are loading almost instantly.

In any case I've tried removing the DNS (I had 1.1.1.1 and 8.8.8.8 on General setup) and disabled automatic updates checker. Still same problem. I'm guess this is just normal 🤔

1st & 3rd fields are my email address, so From: and Notification:

@dam034 said in Bind webGUI only to certain interfaces:

The pfsense machine WAN IP is private, and I'm now trying from another pc in the same LAN as pfsense's WAN interface.
Is there any mistake?

No mistake at all.
Look at your firewall rules.
The first rule is put in place 'automatically' when you check this option on the WAN interface.
Here it is :
0_1551249981391_1d0b3dca-7a30-4529-a723-1c0b7dbcce20-image.png
So, when this box is checked - yours is checked - local IP's like (192.168./16 10/8 etc) are blocked.
The counter in front of your first rule indicates it is blocking "something".
These must be your attempts to use your phone to connect to the GUI.

When you use your phone, you use some real WAN IP (an address IPv4 that is addressable on the Internet).
The connection comes in on your first router, probably the one your ISP gave to you, or some other upstream device.
This device NAT's to the pfSense WAN IP - and this IP is a "RFC 1918" class IP.
pfSense, according to your instructions, blocks these IP's.

Btw : before you ask : the second rule will not bother you, although it's a nice exercise to know who's triggering that rule ^^

I'd be tempted to create student001 to student100.

You may be able to get clever and create student001 via the GUI, do a backup and take a text editor to the XML file to create the other 99 accounts.

<config> <sortable></sortable> <varusersusername>student1</varusersusername> <varuserspassword>student1</varuserspassword> <varuserspasswordencryption>Cleartext-Password</varuserspasswordencryption> <varusersmotpenable></varusersmotpenable> <varusersauthmethod>motp</varusersauthmethod> <varusersmotpinitsecret></varusersmotpinitsecret> <varusersmotppin></varusersmotppin> <varusersmotpoffset></varusersmotpoffset> <qrcodetext></qrcodetext> <varuserswisprredirectionurl></varuserswisprredirectionurl> <varuserssimultaneousconnect></varuserssimultaneousconnect> <description></description> <varusersframedipaddress></varusersframedipaddress> <varusersframedipnetmask></varusersframedipnetmask> <varusersframedroute></varusersframedroute> <varusersvlanid></varusersvlanid> <varusersexpiration></varusersexpiration> <varuserssessiontimeout></varuserssessiontimeout> <varuserslogintime></varuserslogintime> <varusersamountoftime></varusersamountoftime> <varuserspointoftime>Daily</varuserspointoftime> <varusersmaxtotaloctets></varusersmaxtotaloctets> <varusersmaxtotaloctetstimerange>daily</varusersmaxtotaloctetstimerange> <varusersmaxbandwidthdown></varusersmaxbandwidthdown> <varusersmaxbandwidthup></varusersmaxbandwidthup> <varusersacctinteriminterval></varusersacctinteriminterval> <varuserstopadditionaloptions></varuserstopadditionaloptions> <varuserscheckitemsadditionaloptions></varuserscheckitemsadditionaloptions> <varusersreplyitemsadditionaloptions>Class := &quot;admins&quot;</varusersreplyitemsadditionaloptions> </config>```