I haven't used the link since the test.
I found my client VPN did not allow access to the the network devices GUIs.
If I have the VPN OFF, I can access all network devices from the clients.

- ISP router - 2.5GB LAN | 2.5GB WAN - pfsense - 2.5GB LAN - 192.168.2.2 | 2.5GB WAN - 192.168.2.4 - OpenWRT - 2.5GB LAN1 - 192.168.4.1 | - 2.5GB switch - | - 2.5GB clients -

@lcs said in Rule tab size:

Usually this happens when I type some long name in any of the fields, but that's not usually the case.

Actually that's always the case. There's a length limit and when all combined fields exceed that limit it wraps.
Look at your images, the single lines have asterisks so that would not exceed the limit.
Drives me crazy too.

What's wrong with the standard photos?? They work great !! You can add anything you dream of

Screenshot 2024-02-18 at 21.32.49.jpg

@wamo PowerD only manages power at the mainboard and downstream component level, not what's upstream. A power supply will always take a certain amount of watts for itself even disconnected from the board. I would run PowerD at 'Adaptive' if I were you. It both upscales and downscales very quickly. 'Minimum' will lock it at the lowest CPU frequency, regardless of load, hurting performance. 7W is nothing, that's a single old-style Christmas tree bulb.

@DeLiver I'll test again, so far it hasn't done it for me on the NTP status page though, which is only 3 entries long for me.

@johnpoz I'll describe in another post how I setup the ACME thing; works just fine on one machine, by the way. Used a non-privileged user with sftp into a chrooted enviroment. So unless chroot and/or scponly are broken, this should be rather safe an approach, at least safe enough for a machine which needs its admin interface open to the internet anyway, because it's on a colocation site far away from where I'd have physical access. (The machines mostly act as VPN-based routers, FW is just an added bonus)

So DNS is way too complicated, until it's migrated, as it's still self-hosted on an old computer, and the various automated DNS interactions aren't an option there...

While this might be possible it would only be viable for hardware sold by Netgate directly, so it would end up most likely being a plus-only feature.

We aren't going to take on the massive amount of tech debt involved in detecting non-Netgate/competitor hardware and maintaining an image database and so on.

We already have images of our own hardware, though, and the detection is already in place.

When you have HA and XMLRPC config sync setup the certificates from the primary overwrite the secondary -- that is normal/expected, and not a bug.

What you do in this case is add all certificates on the primary node, allow them to sync, and then choose the appropriate certificate on the secondary node after that sync finishes.

This typically means using the same cert on both nodes and having its properties allow both hostnames/addresses to work, but you can use separate certs as well so long as the certificates are managed on the primary only.

@aiignorance

We have been using Pfsense platform for eight yers now and the more Certificates per User we have the more slowly Widgets are working - this is the problem.

Now we have 1200 certificates for users in Pfsense :)

PHP does not use threading and runs on a single core, so maybe performance of PHP is over for the process.

Thank you. I was able to confirm it was a false positive.

Compliance isn't an issue here.

For it to be a problem it has to be proven to actually be a problem, which hasn't happened.

Whatever scan is flagging it is giving bogus results, it's a false positive.

If you want to alter the source to shut the scanner up, that's up to you.

Side note extra learning

“Edit In Place

Editing the configuration in-place is also possible in a variety of ways. The general procedure is:

Edit /conf/config.xml
Run rm /tmp/config.cache to clear the configuration cache
Reboot, or use the GUI to save/reload whichever part of the firewall utilizes the edited settings”

Ref:
https://docs.netgate.com/pfsense/en/latest/config/xml-configuration-file.html

While the proposed solutions here involve directly editing the /conf/config.xml file with scripts, it is important to note that modifying the /conf/config.xml file directly is a delicate operation and should be approached with caution.
If you choose to install such scripts, be sure to create a backup of the /conf/config.xml file before making any changes.

I had a similar task to install tailscale certificates on the pfSense firewall and created some scripts to import that certificates on pfSense, using acme-command.sh of the acme package.

Github Repository

I might extend that repository with the great ideas and examples of that thread on demand.

@rickandaj Now is something for a feature request?? Maybe yeah wan/lan are special.. But others called just optX where you can change the name on them, etc. but they are always still referenced as optX

Fixed it. It was my PC that needed reboot. All is fine again.

@jimp

Hummm.
"vin" is wine here (French).
Corrected the post .... thanks.