Hello Guys, I did had the same problem before, notice the pfsense was routing the tracfic to the wrong gateway check your configurations under System-->Routing make sure the pfsense is pointing to the correct gateway let me know if that help Thanks.

@aramp1 Good work! Bravo

@crbon said in SSL_ERROR_NO_CYPHER_OVERLAP when trying to connect to webgui: When the access the same IP 192.168.1.1 from my PC (running Bitdefender AV) I get the SSL_ERROR_NO_CYPHER_OVERLAP error message instead, and there is no way to bypass it. So that means the AV (Bitdefender in this case) is messing with the connection/certificate as a defense mechanism? (I have ntopng installed as per @jgravert 's reference to the other thread) Defiantly Bitdefender Scan SSL (Encrypted web scan) is active. You may need to flushdns, cache, then restart your browser after turning off Scan SSL in Bitdefender. I had to in order to get mine working again. Alternatively if you get new CA and Certificates then install them on your PC it shouldn't matter if Scan SSL is active. If that doesn't work you may need to completely remove Bitdefender from the PC then reinstall it.

I restored a backup and then was careful to not enable DNS Forwarder while DNS Resolver was already enabled.

Ah, I've changed that over thanks, and yeah ill suggest to the customer to use openVPN, then we dont need the other IP for his server.

@nelsonjhone thank you for trying to help me. I found out what was going on. I figured out that this may be caused by wrong time on my server. For a few versions of PFsense it was showing wrong time. It was always one hour behind, although a correct timezone was selected. I checked BIOS time, I replaced the CMOS battery... I started digging on the Internet and found a guy with similar problem. His solution was setting services -> NTP to both interfaces LAN and WAN. This finally fixed my time and.... traffic graphs. THNX for helping

Humm. Was about to edit my post but @johnpoz was to fast. Again, I took a user "001", etc etc see my image above. So, I checked the manual (/usr/local/www/systemuser_manager.php and /etc/inc/auth.inc where the function local_user_set() lives) and put this function in debug mode (adding $debug=1; at the start of the function). Logging should became more verbose. Then, I did the thing one shouldn't do, I edited (deleted the line) the user "001001:*:2057:65534:002:/home/001:/sbin/nologin in /etc/passwd. (and removed /home/001001/ also). From there on : I had more vebose logs ***, no more problems. I could edit - and edit again - re-edit, delete, create, edit. I removed the debug line. Still, all ok, the error vanished. [image: 1542381913338-3e69659d-5bb7-45aa-b2ee-2256c5fe2ba6-image-resized.png] Curious. I have this feeling that I touched the /etc/passwd file (system == FreeBSD maintained) and after that all was ok again. I can't explain .... ** more verbose logs in the ....... captive portal log - not the system log ... edit : I rebooted. Could edit a user just fine. Strange - but solved

Has anyone tried to reproduce the bug?

hi; ok i had to do this for https filtering in pfsense i generated the key in pfsense and downloaded it then sudo to ca certs folder made new folder renamed key to .crt file and a etc /cert area then did sudo update-ca-certificates (ubuntu 18.04 based distro) to import and it worked with the message no perm key found or the like, because before doing this you can go nowhere in the net with out that key /crt in or the perm . so I killed https filter and went back to stock squid but still maybe having av scanner issue on fresh install pf 2.4.4 . A lot has changes for me with squid and the setup so still getting pass the new stuff. swore I read https filtering has to be on now as fixed clamav scanning issue I may be wrong but it is a good thing

~ Solved yesterday. Due to tiredness some FW and NAT Rules were not configured correct.

thanks to you. i'm reasonably proficient with BSD, but pfsense definitely saves some time even with such glitches. thumbs up for the nice work.

Then you'll probably have to reinstall. You might have added a space in there incorrectly and wiped out the entire drive. You might connect with ssh or scp and see if /conf/config.xml is still there. If so, grab a copy, or at least try https://www.netgate.com/docs/pfsense/backup/automatically-restore-during-install.html#recover-config-xml

Thank you for the info. I just applied the patches using the System Patches package and the configurator seems to work fine.

So It's now all working after a reboot. I don't know exactly what change made the difference. What I did was disconnect the downstream router, reset factory defaults, set up the interfaces using autodetect, and then configured the interfaces through WebGUI. After configuring the interfaces, I copied the two default rules from LAN to OPT1. I made an error first then corrected it. At this point LAN worked fine but I had no internet on OPT1. Just so the family would have internet, I reconnected the downstream router since I ran out of time to work on it. When I came back to it later, I rebooted pfsense and everything now works. I thought I had tried that the night before, but I may not have after correcting errors in the copied firewall rules from LAN. (When I copied the rules I changed the interface from LAN to OPT1, but I forgot to also change the destination from LANnet to OPT1net.) Thanks so much for all your help! Here are the settings in case it helps someone else: (Anything related to IPv6 or DHCPv6 is likely irrelevant for me as I don't think my connection supports it) Interfaces/WAN: IPv4 - DHCP IPv6 - DHCP6 Interfaces/LAN: General Configuration: IPv4 Type - Static IPv4 IPv6 Type - Track Interface Static IPv4 Configuration: IPv4 Address - 192.168.1.1/24 IPv4 Upstream Gateway - None IPv6 Configuration: IPv6 Interface - WAN IPv6 Prefix - 0 Interfaces/OPT1 General Configuration: IPv4 Type - Static IPv4 IPv6 Type - None Static IPv4 Configuration: IPv4 Address - 192.168.3.1/24 IPv4 Upstream Gateway - None Services/DHCP Server/LAN: Enable - checked Range - 192.168.1.100 to 192.168.1.199 Services/DHCP Server/OPT1: Enable - checked Range - 192.168.3.100 to 192.168.3.199 Services/DHCPv6 Server&RA/LAN/DHCPv6 Server Enable - checked Range - ::1000 to ::2000 Prefix Delegation Size - 48 Firewall/Rules/OPT1: Edit Firewall Rule: (for first rule) Action - Pass Interface - OPT1 Address Family - IPv6 Protocol - Any Source - OPT1net Destination - any Edit Firewall Rule: (for second rule) Action - Pass Interface - OPT1 Address Family - IPv4 Protocol - Any Source - OPT1net Destination - any Settings for Verizon G1100 router: My Network/Network Connections/Broadband Connection/Settings Internet Protocol - Use the Following IP Address IP Address - 192.168.1.200 Subnet Mask - 255.255.255.0 Default Gateway - 192.168.1.1 My Network/Network Connections/Network/Settings Internet Protocol - Use the Following IP Address IP Address - 192.168.2.1 Subnet Mask - 255.255.255.0 IP Address Distribution - DHCP Server Start IP Address - 192.168.2.2 End IP Address - 192.168.2.199

Hi, Please ignore this post. it seems 3rd time lucky on installing this. Unfortunately nothing intelligent to say on how this was resolved. i must have either made a mistake in one of the setting during the first 2 installs in Virtual Box (cant imagine what though). or something is messed up on my system or installation off VirtualBox but its resolved. apologies to anyone having spend time reading :-)

@grimson said in Overly long string in System Information tab: @occamsrazor said in Overly long string in System Information tab: You can disable the Version information completely in the widget settings, or disable only the update check in the update settings. Some RTFM is in order here. Thanks, am aware you can disable the version information pane entirely, and also the update check. I don't think I or the OP want to lose that functionality. We are just talking about the length of the "Version information updated......" string. My comment "Or I'd personally be happy to have the option not to show that info at all" referred only to that string itself - not the pane as a whole or the update check functionality.

Thanks, I do have a backup from right before the attempted update. Was just curious if there was some way to do it via SSH as well.

I think there’s an option in the advanced settings regarding an HTTPS feature called HSTS (HTTP Strict Transport Security) that will tell the browser to always use HTTPS when going to that host. I believe HSTS is enabled by default when HTTPS is enabled. You may need to find where in your browser you can go to clear the HSTS setting for your pfSense hostname and/or IP address in order to access it without HTTPS. Or as suggested, you can always use a different browser.

FreeRADIUS should be passing Class as a string by default unless the OS you installed it on does something it shouldn't in its distribution. FreeRADIUS on pfSense returns Class as a string and we do not alter any of the dictionaries or config to force it to be that way. Fix your FreeRADIUS instance and it will work fine.