@jcpolo: Is there such a feature as to monitor services on pfsense? That way if a service died it would fire off a notification? That is different than this original topic. The Service Watchdog package can monitor services and restart them if they are down/crash, and it can send a notification if that happens.

The lack of redirection is a security measure. If you must keep a browser open like that, either increase the session timeout (System > User Manager, Settings tab) or configure your browser (or an add-on) to refresh the page periodically to keep the session active. But those also lessen security, of course.

@spillemw: My pfSense file system is read-only.  When I ssh to the machine and select shell, I am in the root directory, but obviously not a root user.  Note that I bought a Stonegate firewall with pfSense 2.1.5 pre-installed. I am new to pfSense but not new to ubuntu. Any suggestion? –------------------------- Update that may help other people : the file system was read-only so I had to remount it in the shell with rw enabled.  Then I could get the new them and apply it. Do not forget to reboot the machine afterwards so that the ro is in place again for added security. I have no idea what your post has to do with widescreen patch. But: pfSense is built on top of FreeBSD (not Ubuntu) It is all configured from the webGUI - so do not use the shell to change anything unless you know what and why you are changing it. "disk" can be switched between ro and rw and back with: /etc/rc.conf_mount_rw /etc/rc.conf_mount_ro No need to find the right mount commands yourself, no need to reboot to put it back. Diagnostics->nanoBSD also has a button to switch to RW then switch back to RO.

Just found this thread. Sorry for the double post!

Ok, I'm sorry about this stupid question. I find  the line in : /etc/inc/system.inc: $lighty_config I have a better result now : Supported Server Cipher(s):     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA     Accepted  TLSv1  256 bits  AES256-SHA     Accepted  TLSv1  256 bits  CAMELLIA256-SHA     Accepted  TLSv1  168 bits  ECDHE-RSA-DES-CBC3-SHA     Accepted  TLSv1  168 bits  DES-CBC3-SHA     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA     Accepted  TLSv1  128 bits  AES128-SHA     Accepted  TLSv1  128 bits  CAMELLIA128-SHA Prefered Server Cipher(s):     TLSv1  256 bits  ECDHE-RSA-AES256-SHA Thanks to reader ! Best regards.

I'm always thrilled to see quick turnarounds on bugs  ;D Thanks, will test it soon(ish), as work permits.

Hi Do you mind posting the working around you found? Thanks.

Factory default will give you WAN and LAN. Then login to web interface 192.168.1.1 from LAN, Interfaces->Assign, make OPT1, OPT2 on the required hardware ports. Enable them in Interfaces->OPT1, OPT2 and give them IP addresses in other subnets. Then you have to add firewall rules to each interface to allow whatever traffic you wish to come in from those interfaces. Not sure what you mean/require when you say "ideally i'd like to have the OPT ports as backup" - they will have different subnets to LAN.

I use startssl for my pfSense certs.  The root is trusted by all major browsers.  I import the Class 1 intermediate cert into CAs and the issued certificate in Certificates then tell webConfigurator to use the issued cert.  It all just works. I would delete what you have done then reinstall the end certificate pasting in JUST the issued cert, no CAs. pfSense should automatically see that it was issued by the intermediate and see that the intermediate was issued by the root. You should also be able to safely delete the root cert from pfSense.  If that is trusted by the end browser it's already and there's no reason to have it on pfSense.

Suricata should not be the cause of the error.  The file with the foreach() error is not a Suricata file.  It is a pfSense system file.  The error is happening in the section of code where the firewall is attempting to iterate over the configured firewall interfaces. Have you made any other changes to the firewalls or to the host you are connecting from? Bill

LDAP only supports password authentication. Here's one two-factor solution that does: https://www.duosecurity.com/docs/ldap I've been using a free account to add two-factor to pfSense OpenVPN using RADIUS for a while now.  Works great.  Can't imagine LDAP would be any different.

doing a search, I saw another instance where 3 didn't work and they speculated it had reached some max and converted to read only…. IDK

I'm aware of why not to do it. I'm asking if it's intentional that it shows up in one view but not the other, when for the sake of those specific machines, those views are the same.  (The difference being showing inactive leases)

The code for all that is just PHP. It is all in GitHub at https://github.com/pfsense/pfsense and in your pfSense box (Diagnostics->Edit File). Copy the relevant files, edit them, save them on a system you can play with, get it working… /usr/local/www/interfaces.php - has some stuff for entering directly PPTP/L2TP username password... /usr/local/www/interfaces_ppps_edit.php - entering username password... for L2TP on PPP (I think that is what you want) It sounds like you understand what is needed, so have a look at that code and you can add an extra field for the shared secret. Then look in /etc/inc/interfaces.inc function interface_ppps_configure($interface) That writes the config file/s for that stuff. Lines like: set auth authname "{$ppp['username']}" Put the parameters in the config file. Add your new parameter there somewhere. When it is working, make a pull request online in GitHub (just make the few edits in the GitHub webGUI is easy). Then everyone in South Africa and elsewhere gets the benefit.

yes you will

many thanks for repling, I'll take a look. Ideally I would like read only access, apart from allowing changes to one firewall host alliases, to add in people who need the penalty box - I guess this level of lock down isn't available yet ?

Is there anything that needs to be done? Sorry, no idea.  I was just sharing my experience with what happened to me.