It was immediately after the eclipse did its thing.

@Derelict:

You might consider a different authentication source instead of the firewall local users.

Users probably shouldn't be enabled to make changes to a firewall's configuration.

It sounds like you have much greater design problems than admin being called admin.

?

They can only change their user accounts password, wouldn't really call that changes to a firewall.

Especially seeing how that is what Jimp, is highly recommending be done lol. In not only my other thread with similar questions, but a ton other on the forums.

A different Auth source is all fine and good, except now that is more hardware, to do something I can already do with the Local. Sure if I had 1000s of usernames needed, I would do that, for the 35 rooms, not even close to worth it lol. So what other options is there? To run the different auth server on the same box? Well now I have to Visualize the PFsense and Auth server, which is even more of a security issue.

Even then, adding a MYSQL server and using Radius, just adds more security vulnerabilities, More OSes means more issues.

I have concerns about them accessing the GUI as well, that was brought up in the other thread. Jimp is assuring me, its fine, no matter where I go with what there is going to be an issue, its just deciding on the lesser of the evils.

Thanks. The crap color was driving me crazy.

I have an N3150 with 1.6GHz speed, but a boost speed of 2.08GHz.  Does pfSense ever make use of the 2.08GHz speed?  I cannot tell from the dashboard, as the clock speed goes away above 1.44GHz or so.

Also, it would be nice if the speed was just always displayed, instead of the page jumping up and down as the speed display comes and goes.

@jimp:

@spiorf:

because if I can get a certificate for "pfsense.lan", anybody can, and so there is no point  in verifying certificates or using https at all.

Which is not true for the reasons I stated. Nobody else can get a certificate for my firewall hostnames, because they could not pass the required validation.

And LE may be complex at first, but it almost forces you to setup automation. Changing keys every 3 months is more secure and is already done by sites covering ~30% of TLS transactions.

You are right. Sorry, english is not my native language.  What i really meant was " if i COULD get…". I know you can't.

As i already said, I know how complex LE is, and i already use it from the beginning, setting up the required automation. And i love it!

But you know what certificate transparency logs are, do you? Because I want to keep my internal hostnames private. Even more in a company.

This is a good and private security model. And can secure also IP addresses. While LE cant.

Everyone can do it the way he wants, but right now, you can do it your way from the GUI, while I can't (without an ugly hack).

@albgen:

Checking the gui of nginx you will find that is NOT compressed. I dont know where did you see this but the standard is compressing only css (period).

I was comparing this part of the nginx setup with your finding :

...                 gzip on;                 gzip_types text/plain text/css text/javascript application/x-javascript text/xml application/xml application/xml+rss application/json; ....

Then I found https://stackoverflow.com/questions/23939722/nginx-gzip-not-compressing-javascript-files : this explains what you are seeing - and what needs to be done  ?

Hello,
reistalled pfBlockerNG and I'm having issues with aggregate process, it just sucks one core al 100% for MANY minutes (I killed it after 7:54 at 100%) with just ONE blocklist.
I tried downloading it in P2P format and CIDR format, no change: agregate process seemes totally stuck.
List is I-Blocklist level1.
I know it's big, but in CIDR format it's just 4.2 MB and pfBlockerNG should be able to handle it.
Any help?
Thanks

Alberto Tarantino

It means you did a search (ctrl-F) in your browser and it is highlighting the results. You must have searched for 192.168.40

Still work in progress.

As I am a little bit OCD there are a few continuity issues with the current dark theme that need a little tweaking so thanks to your help (InQuize) I have now been able it scratch that itch!

What I needed to do was convert the colours I wanted to decimal from hex and then substitute them in the already formatted colour scale in the file d3.min.js,

so,
Al=[2062260,16744206,2924588,14034728,9725885,9197131,14907330,8355711,12369186,1556175].map(xn),

became,
Al=[38536,16777215,2924588,14034728,9725885,9197131,14907330,8355711,12369186,1556175].map(xn),

ChEeSy

i noticed if i change the global.inc file update the name it will update the login text too but still the same issue with open vpn so i will see what i can find in that package

The dynamic view is completely generated by javascript so it doesn't have access to all of the same information.

It may be possible to bring it into parity with the main system log, but it's not currently an open feature request that I'm aware of. You can make a feature request ticket (target=Future) at https://redmine.pfsense.org/

Yes, so long as you disable the GUI redirect that occupies port 80 by default: System > Advanced, check "Disable webConfigurator redirect rule" and save

And remember that running OpenVPN on TCP can be problematic and slower than UDP, any loss outside the tunnel is compounded by the inner and outer TCP connections attempting to resend, etc, etc.

In some cases it's necessary though, to get around restrictions in other remote networks.

You might still run into some issues if anyone remotely does protocol enforcement. With non-HTTP traffic on port 80, it might be dropped by a filter or proxy in between the client and your firewall.

root and admin cannot be separated, it's the same account but with two different names.

Like johnpoz said, if you want someone to use a different GUI password, then create them a different user with their own username, and don't use 'admin'.

as a workaround to this, less than ideal but works :)

i want to have HAproxy listen on port 80 and 443 which is why this request came about so i disabled https for the webgui and set the http port to a random port

i then used HAproxy to terminate the SSL for the firewall admin interface and then pass back to the admin interface port for the firewall hostname

now i can also add other listeners to create an SSL terminating reverse proxy gateway to internal resources as i wanted to do in the first place.

not keen on the webgui either being HTTP only or requiring HAproxy to be working to access but its not a huge trainsmash for me in either case

It turns out the problem was you MUST authenticate to do an extended search.  There is no indication of denied access as anonymous user in a normal 389DS setup.  So, of course I assumed the search was permitted.  :-[

I posted revised instructions in the documentation sub-forum.

Same here, all ipv6 shown as remote.

I updated to Sierra 10.12.6 & Safari 10.1.2 today and gave 2.3.4-RELEASE-p1 (i386) another test.  Sure enough the graph rendering problem went away.  Thanks for the tip NogBadTheBad.

here you find a german blog entry. maybe the screenshots do help somebody else.

https://www.hagen-bauer.de/2017/07/pfsense-radius.html

And sure you can open from lan you wan IP and the gui, unless you create rules to prevent that.. As stated already post up your lan rules.