• HTTP_REFERER Error when logging in over VPN

    4
    0 Votes
    4 Posts
    3k Views

    What is that 192.168.1.1 IP? Your LAN IP, or?

  • Themes.. The Wall

    1
    0 Votes
    1 Posts
    937 Views
    No one has replied
  • Themes

    7
    0 Votes
    7 Posts
    3k Views

    The squidGuard -> Log -> Filter Log page.  The table is black writing on a dark grey background.

    That's .table .table {

    On the Firewall -> Rules pages, if I hover over the links (like the entries in the States table) again it is black writing on a slightly less dark grey background.

    Popovers.  Those are popovers.

  • User lost admin rights (even with WebCfg-All pages given)

    5
    0 Votes
    5 Posts
    1k Views

    This is so odd.

    I am not sure if the GUI was updated yesterday, and I didn't check our group privileges before, so I'm not sure if Config: Deny Config Write was present there before. Anyway, it's working now! Thanks a lot for the time. :D

  • Packet Capture Suggestion

    9
    0 Votes
    9 Posts
    2k Views
    NogBadTheBad

    @jimp:

    @johnpoz:

    As to putting wifi and lan same layer 2 - lets agree to disagree here.. They really should not be on the same network - for what reason should they be? So your guests and your devices that use wifi all same network. IoT as well?

    It's terribly convenient in many cases. It makes things like chromecast, printing, and other AV/file sharing much simpler. Sure, most of that can be isolated and done in a separate subnet, but there is a good case for bridging wireless in some cases. Particularly in homes. In businesses, not so much.

    I'm spoiled having a UAP at home, I have an SSID in my LAN, and a couple other isolated SSIDs for testing and guests that land in other VLANs.

    Yup, the problem I had when I put the WiFi on its own subnet was that I broke UPnP/DLNA for the WiFi devices.

    Managed to remove the bridge by moving some of the other devices to other rooms and connected the LAN port to a LAN port on the Timecapsule.

  • Troubles with config backups in 2.3.1

    6
    0 Votes
    6 Posts
    2k Views

    Thanks azekiel, your script has solved my problem.

  • Web GUI stops responding 2.3.1

    5
    0 Votes
    5 Posts
    2k Views

    HA in uncheck mode all the time.

  • 2.3.1 Update 5 no webGUI

    5
    0 Votes
    5 Posts
    1k Views

    Update: after obtaining a mini USB console cable I did some digging around, and during the boot process some folders were failing to be symbolically linked. Also noticed some other weird commands failing, such as a reboot, so I'm thinking there might be some gremlins from the 2.2 to 2.3 upgrade from a while back. I ended up just grabbing the config, reloading and restoring. I have not yet gone back to update 5 but all seems to be working well now.

    Also thanks to Gertjan for the suggestions. Would have been nice to stick to troubleshooting this issue but discovered the openvpn service wasn't running as well.

  • 0 Votes
    2 Posts
    1k Views
    Gertjan

    Hi,

    You are aware that
    https://192.168.0.1:443
    is a dirty.
    https implies (if that is enforced now) that you should use the domain name (that points to the IP 192.168.0.1) and this domain name should be declared in the certificate that the GUI uses …
    Using an IP for https is ... well ... not good to start with.

    Example: my local domain is called "brit-hotel-fumel.net".
    My pfsense host name is called "pfsense".
    I combined the two to pfsense.brit-hotel-fumel.net (and yes, I bought the domain name brit-hotel-fumel.net on the Internet) so (example) startssl.com gave a valid, signed and trusted certificate.
    I installed the certificate on my pfsense and all is well.

    You can also use 'self made' certificates, you'll be seeing the message "can't trust that one" ones.
    Of course, using a certificate that dates from 2006 will never work. Instruct pfSense to make a new one.

  • CARP password confirmation

    2
    0 Votes
    2 Posts
    950 Views

    @dotdash:

    This complicates my SOP of typing random garbage.

    You and me both. I looked at changing it briefly, but that's not all that straightforward with the way password fields are handled.

    It probably ought to just generate something random on the back end, it was originally done that way so you could have a primary or secondary that was running on a stock BSD and switch CARP between them. But I don't think there is anyone who actually does that.

  • Ntp rrd neg values on graph?

    8
    0 Votes
    8 Posts
    3k Views

    Simply take the patch mentioned in the redmine bug 4423 for offset, and apply the same idea to frequency:

    --- rrd.inc.old 2016-07-01 16:29:15.917333000 -0400 +++ rrd.inc    2016-07-01 16:23:52.048739000 -0400 @@ -912,7 +912,7 @@                                 $rrdcreate .= "DS:sjit:GAUGE:$ntpdvalid:0:1000 ";                                 $rrdcreate .= "DS:cjit:GAUGE:$ntpdvalid:0:1000 ";                                 $rrdcreate .= "DS:wander:GAUGE:$ntpdvalid:0:1000 "; -                              $rrdcreate .= "DS:freq:GAUGE:$ntpdvalid:0:1000 "; +                              $rrdcreate .= "DS:freq:GAUGE:$ntpdvalid:-1000:1000 ";                                 $rrdcreate .= "DS:disp:GAUGE:$ntpdvalid:0:1000 ";                                 $rrdcreate .= "RRA:MIN:0.5:1:1200 ";                                 $rrdcreate .= "RRA:MIN:0.5:5:720 ";
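
    Review bot: the new lower bound on the "freq" data source sits in the $rrdcreate string, so it only applies when the RRD file is first created; an already existing ntpd.rrd keeps the old 0 minimum. Either add a step that updates or recreates the existing file on upgrade, or state in the change description that the file has to be recreated. The neighbouring sjit, cjit, wander and disp sources stay at 0:1000, so a one-line comment above the changed line saying why freq alone is allowed to go negative would help the next reader.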

    Works for me; but as before you have to rm /var/db/rrd/ntpd.rrd and then recreate it (In services/ntp/settings, uncheck rrd logging, save, then check rrd logging, save).

    But, with typical negative frequency values, this will screw up the graph scaling terribly, so this is probably not the best solution with the current graphing back-end.

  • Cannot edit or add Port Forward rules in 2.3.1-p5, WebGUI crashes

    3
    0 Votes
    3 Posts
    1k Views

    @cmb:

    Weird. Something's making it exhaust PHP's memory limit, which I've never heard of on that page. What does your existing port forward config look like? What's the system's config like in general? How many interfaces, Virtual IPs, etc.

    16 Port Forwards total with two physical WAN links. Our main WAN has IPs 50.xx.xx.145-150 forwarded to specific machines inside our network running specific services accessible to the outside world. The secondary WAN is only using a single IP and has a total of 4 forwards to 3 different machines. Virtual IPs: we have those same 50 addresses set up listed above plus one extra. Hardware specs are in the other post above. 50 or so OpenVPN connections and 3 IPSEC connections as well. Nothing too overly crazy and the hardware is overkill for what we're doing as of now. We never really have more than one person using the WebUI at a time and we're not using captive portal or really much else service-wise on PfSense either. Basically just a router and VPN server/endpoint.

  • 2.3.1p5 Feedback - gateway monitoring causing high CPU.

    4
    0 Votes
    4 Posts
    992 Views

    What's in the DHCP log? That indeed is very busy dhcpd for a small network, more CPU usage than is typical on networks with thousands of devices with CPUs not much faster than what you have there.

  • Can no longer access web GUI

    6
    0 Votes
    6 Posts
    1k Views
    jahonix

    @divsys:

    Or just a keyboard and monitor
    Oh, ehmm, right. Haven't used a physical keyboard/monitor on a pfSense for years, so  8)  old man and me…

  • 2.3 feedback

    1
    0 Votes
    1 Posts
    787 Views
    No one has replied
  • Best way to deny access to webgui after some failed logins

    2
    0 Votes
    2 Posts
    646 Views

    That's done by default after 15 failed login attempts. That's not configurable.

    Still, you shouldn't leave the GUI (or any management interface of any sort on any device) open WAN-side, that's asking for trouble.

  • Web UI can not start correctly on a clone pfsense-2.3 VM

    3
    0 Votes
    3 Posts
    1k Views

    Are both proxmox servers on same cluster?

    If so, check that you are not using the same vmbr and the same IPs for the fw's interfaces.

  • Monitor total data

    2
    0 Votes
    2 Posts
    716 Views
    jdillard

    Traffic Totals are coming back soon as a separate package. If you want more details as to why, you can search or go through my post history.

  • New DNS Resolver Overrides Page

    5
    0 Votes
    5 Posts
    1k Views

    Right.  Thanks.

    Maybe something like this would work:

    Keep that page and make it a link in the DNS Resolver page menu, like the access lists is (do the same for DNS Forwarder), and remove the overrides section at bottom of the pages.  Then the few who need access to the overrides without also having access to the main DNS Forwarder/Resolver page can use a shortcut in their favorites or on desktop, etc.

    This would provide the desired access control, retain consistency between resolver and forwarder,  without cluttering the main menu.

  • Own logo

    11
    0 Votes
    11 Posts
    4k Views

    @johnpoz:

    "to identify which firewall I am working on."

    So you don't know what firewall is what based upon name, fqdn, IP?

    Couldn't you just use names like pf-sitename.domain.tld or pfsense.sitename.domain.tld, pfsense.sitedomain.tld, pfsense.othersitedomain.tld, etc.. or if just using IP would they be different IP?

    I like to apply different themes to the 3 pfsense boxes that I administer. Have you ever tried to compare 3 sets of ipsec settings across 3 different firewalls? It can get very confusing, and having a strong visual reference helps keep my head on straight.

    Sure, the address in the URL bar is a logical equivalent, but a different theme and image is more reliable when dealing with humans.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.