@wamo PowerD only manages power at the mainboard and downstream component level, not what's upstream. A power supply will always take a certain amount of watts for itself even disconnected from the board. I would run PowerD at 'Adaptive' if I were you. It both upscales and downscales very quickly. 'Minimum' will lock it at the lowest CPU frequency, regardless of load, hurting performance. 7W is nothing, that's a single old-style Christmas tree bulb.

@DeLiver I'll test again, so far it hasn't done it for me on the NTP status page though, which is only 3 entries long for me.

@johnpoz I'll describe in another post how I setup the ACME thing; works just fine on one machine, by the way. Used a non-privileged user with sftp into a chrooted enviroment. So unless chroot and/or scponly are broken, this should be rather safe an approach, at least safe enough for a machine which needs its admin interface open to the internet anyway, because it's on a colocation site far away from where I'd have physical access. (The machines mostly act as VPN-based routers, FW is just an added bonus)

So DNS is way too complicated, until it's migrated, as it's still self-hosted on an old computer, and the various automated DNS interactions aren't an option there...

While this might be possible it would only be viable for hardware sold by Netgate directly, so it would end up most likely being a plus-only feature.

We aren't going to take on the massive amount of tech debt involved in detecting non-Netgate/competitor hardware and maintaining an image database and so on.

We already have images of our own hardware, though, and the detection is already in place.

When you have HA and XMLRPC config sync setup the certificates from the primary overwrite the secondary -- that is normal/expected, and not a bug.

What you do in this case is add all certificates on the primary node, allow them to sync, and then choose the appropriate certificate on the secondary node after that sync finishes.

This typically means using the same cert on both nodes and having its properties allow both hostnames/addresses to work, but you can use separate certs as well so long as the certificates are managed on the primary only.

@aiignorance

We have been using Pfsense platform for eight yers now and the more Certificates per User we have the more slowly Widgets are working - this is the problem.

Now we have 1200 certificates for users in Pfsense :)

PHP does not use threading and runs on a single core, so maybe performance of PHP is over for the process.

Thank you. I was able to confirm it was a false positive.

Compliance isn't an issue here.

For it to be a problem it has to be proven to actually be a problem, which hasn't happened.

Whatever scan is flagging it is giving bogus results, it's a false positive.

If you want to alter the source to shut the scanner up, that's up to you.

Side note extra learning

“Edit In Place

Editing the configuration in-place is also possible in a variety of ways. The general procedure is:

Edit /conf/config.xml
Run rm /tmp/config.cache to clear the configuration cache
Reboot, or use the GUI to save/reload whichever part of the firewall utilizes the edited settings”

Ref:
https://docs.netgate.com/pfsense/en/latest/config/xml-configuration-file.html

While the proposed solutions here involve directly editing the /conf/config.xml file with scripts, it is important to note that modifying the /conf/config.xml file directly is a delicate operation and should be approached with caution.
If you choose to install such scripts, be sure to create a backup of the /conf/config.xml file before making any changes.

I had a similar task to install tailscale certificates on the pfSense firewall and created some scripts to import that certificates on pfSense, using acme-command.sh of the acme package.

Github Repository

I might extend that repository with the great ideas and examples of that thread on demand.

@rickandaj Now is something for a feature request?? Maybe yeah wan/lan are special.. But others called just optX where you can change the name on them, etc. but they are always still referenced as optX

Fixed it. It was my PC that needed reboot. All is fine again.

@jimp

Hummm.
"vin" is wine here (French).
Corrected the post .... thanks.

Hi,

The update did not solve the problem. I still got a crash report today.

PHP Errors:
[27-Dec-2023 14:42:09 Europe/Amsterdam] PHP Fatal error: Uncaught TypeError: pfSense_interface_rename(): Argument #1 ($ifname) must be of type string, array given in /etc/inc/interfaces.inc:4593
Stack trace:
#0 /etc/inc/interfaces.inc(4593): pfSense_interface_rename(Array, 'wan_stf')
#1 /etc/rc.newwanip(154): interface_6rd_configure('wan', Array)
#2 {main}
thrown in /etc/inc/interfaces.inc on line 4593
[27-Dec-2023 14:42:28 Europe/Amsterdam] PHP Fatal error: Uncaught TypeError: pfSense_interface_rename(): Argument #1 ($ifname) must be of type string, array given in /etc/inc/interfaces.inc:4593
Stack trace:
#0 /etc/inc/interfaces.inc(4593): pfSense_interface_rename(Array, 'wan_stf')
#1 /etc/rc.newwanip(154): interface_6rd_configure('wan', Array)
#2 {main}
thrown in /etc/inc/interfaces.inc on line 4593

The code I have at this line is:
c8a70086-46d8-4b83-9eae-c5e98fcdce7d-image.png

Please suggest me how I can possibly resolve this issue.

@makaone20 said in Can not access webui from local LAN:

is this a setting in pfsense?

Not unless you created one - or using something like IPS or pfblocker and are blocking it. Out of the box pfsense blocks nothing outbound, and blocks all things unsolicited inbound into your wan.

@johnpoz

Thank you, I blocked popups in my browser.

Problem solved.

Old thread, but should this be helpful I encountered this issue as well and resolved it by updating the router's DNS servers (i.e. to 8.8.8.8)