@zippydan I don’t think you understand how Radius works. The exchange with radius is done between the “authenticator” and the Radius server. The Authenticator in your setup is OpenVPN. Pfsense’ Radius setup knows nothing about how/what data is passed between Radius and OpeVPN - Nor does it know anything about what encryption it might have.
So what you are asking would require pfSense’s “test authentication” module to have a full authenticator featureset. Not a simple task, and certainly a lot of code for no real benefit. But it would be nice if it at least had a PAP/Chap/Chapv2 selectorbox for the test as the last two are standard hashmodules where all the code is readily available and would be easy to implement.

@swinster ah!!!! there you go - that is why not return of the handshake - but syn,ack... Odd that is was nice enough to send a fin ;)

@viragomann said in Access to GUI - VPN:

@MrGamecase
Of course. All access should use the CARP VIP. Likewise all internal devices have to use the respective CARP as default gateway to go to the internet or other network segments.

I got ya, Slowly understanding CARP😁

Thankyou for your help this evenig VERY much apreciated

thank you so much

So, the GUI is listening on :

10013a38-08ea-42c3-abcd-3f3938bdbeb1-image.png

@shadragon said in Update from 2.7.0 to 2.7.2 - No WebGui:

The fw is set to only accept LAN connections from one ip so even http would work for me at this point

Easy to put a pass rule on LAN for testing ...

Just to be sure : get another browser ...

Btw : self signed cert : How to ignore invalid and self signed ssl connection errors with curl

I haven't used the link since the test.
I found my client VPN did not allow access to the the network devices GUIs.
If I have the VPN OFF, I can access all network devices from the clients.

- ISP router - 2.5GB LAN | 2.5GB WAN - pfsense - 2.5GB LAN - 192.168.2.2 | 2.5GB WAN - 192.168.2.4 - OpenWRT - 2.5GB LAN1 - 192.168.4.1 | - 2.5GB switch - | - 2.5GB clients -

@lcs said in Rule tab size:

Usually this happens when I type some long name in any of the fields, but that's not usually the case.

Actually that's always the case. There's a length limit and when all combined fields exceed that limit it wraps.
Look at your images, the single lines have asterisks so that would not exceed the limit.
Drives me crazy too.

What's wrong with the standard photos?? They work great !! You can add anything you dream of

Screenshot 2024-02-18 at 21.32.49.jpg

@wamo PowerD only manages power at the mainboard and downstream component level, not what's upstream. A power supply will always take a certain amount of watts for itself even disconnected from the board. I would run PowerD at 'Adaptive' if I were you. It both upscales and downscales very quickly. 'Minimum' will lock it at the lowest CPU frequency, regardless of load, hurting performance. 7W is nothing, that's a single old-style Christmas tree bulb.

@DeLiver I'll test again, so far it hasn't done it for me on the NTP status page though, which is only 3 entries long for me.

@johnpoz I'll describe in another post how I setup the ACME thing; works just fine on one machine, by the way. Used a non-privileged user with sftp into a chrooted enviroment. So unless chroot and/or scponly are broken, this should be rather safe an approach, at least safe enough for a machine which needs its admin interface open to the internet anyway, because it's on a colocation site far away from where I'd have physical access. (The machines mostly act as VPN-based routers, FW is just an added bonus)

So DNS is way too complicated, until it's migrated, as it's still self-hosted on an old computer, and the various automated DNS interactions aren't an option there...

While this might be possible it would only be viable for hardware sold by Netgate directly, so it would end up most likely being a plus-only feature.

We aren't going to take on the massive amount of tech debt involved in detecting non-Netgate/competitor hardware and maintaining an image database and so on.

We already have images of our own hardware, though, and the detection is already in place.

When you have HA and XMLRPC config sync setup the certificates from the primary overwrite the secondary -- that is normal/expected, and not a bug.

What you do in this case is add all certificates on the primary node, allow them to sync, and then choose the appropriate certificate on the secondary node after that sync finishes.

This typically means using the same cert on both nodes and having its properties allow both hostnames/addresses to work, but you can use separate certs as well so long as the certificates are managed on the primary only.

@aiignorance

We have been using Pfsense platform for eight yers now and the more Certificates per User we have the more slowly Widgets are working - this is the problem.

Now we have 1200 certificates for users in Pfsense :)

PHP does not use threading and runs on a single core, so maybe performance of PHP is over for the process.

Thank you. I was able to confirm it was a false positive.

Compliance isn't an issue here.

For it to be a problem it has to be proven to actually be a problem, which hasn't happened.

Whatever scan is flagging it is giving bogus results, it's a false positive.

If you want to alter the source to shut the scanner up, that's up to you.