Should be marked as solved.

@viragomann

@viragomann said in Inconsistency in gateway selection:

Yes, traffic on the same L2 will not pass the router, but any other traffic which goes to it would be forced to the gateway. These could be other subnets or even packets destined to pfSense itself.

ok, yes. That is my intent. Thanks. :)

I found the issue. It's the Configuration Synchronization (XMLRPC Sync). This pfsense receives some configuration sync from another pfsense (CA, certificates, Authentication Servers) and that leads to high CPU usage every one minute.
But it's pretty weird because such configuration has been working for at least 10 years.

Any ideas what could be the reason?

@michmoor said in Disable weak SSL Cipher:

John shows that those weak ciphers aren’t present on the latest OS

No they are.. I just didn't notice them as being cbc until I set my tool to report in iana names. But to be honest its really a minor concern if one at all. The only devices that should ever talk to the web gui are admin devices in the first place. Proper security would allow only an admin network or admin IP to talk to the gui..

I would never even think to expose my web gui to the public internet in the first place.. So scanning from an external tool like ssl labs should never even be viable to do.

Which is why I scanned using a local tool to report what ciphers are being offered. While I agree there is little point in even offering old ciphers.. I have now set mine to only use tls 1.3 currently. I would never need or want to access from my admin machine with old tls 1.2 etc.. But to be honest its pretty pointless, other than just good practice.

If you were setup securely - accessing the gui via just http shouldn't be a problem..

Once you exposed the gui to public or some other hostile local network - the use of some old cipher via old tls 1.2 should be the least of your concerns.

All that being said, I do agree that it would be a good feature add to allow for tweaking and setting what you want to offer specifically be it via the normal web gui, or some captive portal your running on pfsense. Normal users would prob never have need to adjust, but it would be nice feature.. Maybe let the user select modern ciphers, more compatible ciphers for older browsers, etc. Or full custom settings where user could pick exactly which ciphers are offered.

This sort of granular control should also be available for ssh as well. When I looked earlier redmine was down, when it comes back I might look to see if these features have been requested already, if not maybe I will put them in. Of very low priority request - but it would be nice to have.

Did you ever figure out what was goin on here? I just had the same error this morning when trying to login to the GUI. I'm on 23.05.1

The default syslog format doesn't sort well when sorted as a string like that.

If you change your syslog format to RFC 5424 then it should sort better. That setting is under Status > System Logs on the Settings tab. It's the first option there, Log Message Format.

Can be closed.
ntopng is sending the messages.
It was not working with 2.6 and after the upgrade it started to work.

Sorry!

@Gertjan

That is a trivial amount of logging and has no meaningful impact on the system at all.

Whilst I do retain a single Windows 10 server it is off over 99% of the time. Otherwise I just don't do Windows OS, only the 'nix family (macOS, Linux & BSD).

☕️

@johnpoz

Thanks again. Just after I read your reply I realised I had killed the internet when little one said she couldn't stream anything on the ROKU.

I've now added rules for allowing DNS and NTP and also ping.

Thank you for taking the time to explain, its a steep learning curve. I've gone from using an ISP issue router to this in a week and learning fast how to secure my network.

Cheers
Jungle

@NogBadTheBad

Yeah ….
Was about to post @me-too
As I was also selecting “auto select interface”, as I consider this a “don’t care” choice, and was a bit surprised that my selected “IPv4” gets overridden as pfSense prefers IPV6 part of my WAN (?)

@jimp Thanks for your reply.

I did search for 'traffic' in both of them and this is the group privileges menu actually. I have reinstalled the package and rebooted after that didn't work.

I have just reinstalled again, just to make sure. But that also didn't work.

The traffic graph privilege is already assigned to this group, so that's probably why it doesn't show up. There's no privileges on the account not inherited from said group.

See here an example of one of the individual accounts under this group.
5c606339-1d6b-45f2-9c36-167c8c7200bb-image.png

@JonathanLee @jimp thx for your inputs, it was indeed the same trackerid on all the rules. i just copied and paste it on itself and deleted the old ones, now its working as expected.

thx you guys

The problem is actually a bit worse than initially reported.
The problem does not only happen after edit/save, but also after restarting the service.

Steps to reproduce configure correctly (manually add newlines) Save

Now the openvpn server runs correctly, with the extra-certs option

Go to openvpn status page (/status_openvpn.php#) Click "restart" on the openvpn service Result

The service does not restart, openvpn.log shows

Aug 23 17:11:05 fw openvpn[84943]: SIGTERM[hard,] received, process exiting Aug 23 17:11:06 fw openvpn[1001]: ERROR: Endtag </extra-certs> missing Aug 23 17:11:06 fw openvpn[1001]: Exiting due to fatal error

To fix again, go the the openvpn config page, manually add the newlines (2x), save -> service runs.

This has been fixed in commit 9270d777907048d2bfc31f4e57a01e915ff71a88