I will answer it myself - as long as the interfaces are attached to something....a switch , etc...it doe not time out. Thanks Netgate....maybe you guys will fix that in new versions? Paul

@johnpoz said in webConfigurator: Using my own CA is not working...: I would think so but you can always restart from the console menu, option 11 I forgot about that...., thanks for your help!....

@viragomann Hey thanks for the comment. You are right, if I use the VPN interface IP I can connect! I did not understand this correctly in your second post. That solves my problem

@Ramosel said in Package updates not showing until I ran Package Manager: Patch Manager System Patches? That was released this morning. https://forum.netgate.com/topic/184175/system-patches-package-version-2-2-8 dunno about others :)

Should be marked as solved.

@viragomann @viragomann said in Inconsistency in gateway selection: Yes, traffic on the same L2 will not pass the router, but any other traffic which goes to it would be forced to the gateway. These could be other subnets or even packets destined to pfSense itself. ok, yes. That is my intent. Thanks. :)

I found the issue. It's the Configuration Synchronization (XMLRPC Sync). This pfsense receives some configuration sync from another pfsense (CA, certificates, Authentication Servers) and that leads to high CPU usage every one minute. But it's pretty weird because such configuration has been working for at least 10 years. Any ideas what could be the reason?

@michmoor said in Disable weak SSL Cipher: John shows that those weak ciphers aren’t present on the latest OS No they are.. I just didn't notice them as being cbc until I set my tool to report in iana names. But to be honest its really a minor concern if one at all. The only devices that should ever talk to the web gui are admin devices in the first place. Proper security would allow only an admin network or admin IP to talk to the gui.. I would never even think to expose my web gui to the public internet in the first place.. So scanning from an external tool like ssl labs should never even be viable to do. Which is why I scanned using a local tool to report what ciphers are being offered. While I agree there is little point in even offering old ciphers.. I have now set mine to only use tls 1.3 currently. I would never need or want to access from my admin machine with old tls 1.2 etc.. But to be honest its pretty pointless, other than just good practice. If you were setup securely - accessing the gui via just http shouldn't be a problem.. Once you exposed the gui to public or some other hostile local network - the use of some old cipher via old tls 1.2 should be the least of your concerns. All that being said, I do agree that it would be a good feature add to allow for tweaking and setting what you want to offer specifically be it via the normal web gui, or some captive portal your running on pfsense. Normal users would prob never have need to adjust, but it would be nice feature.. Maybe let the user select modern ciphers, more compatible ciphers for older browsers, etc. Or full custom settings where user could pick exactly which ciphers are offered. This sort of granular control should also be available for ssh as well. When I looked earlier redmine was down, when it comes back I might look to see if these features have been requested already, if not maybe I will put them in. Of very low priority request - but it would be nice to have.

Did you ever figure out what was goin on here? I just had the same error this morning when trying to login to the GUI. I'm on 23.05.1

The default syslog format doesn't sort well when sorted as a string like that. If you change your syslog format to RFC 5424 then it should sort better. That setting is under Status > System Logs on the Settings tab. It's the first option there, Log Message Format.

Can be closed. ntopng is sending the messages. It was not working with 2.6 and after the upgrade it started to work. Sorry!

@Gertjan That is a trivial amount of logging and has no meaningful impact on the system at all. Whilst I do retain a single Windows 10 server it is off over 99% of the time. Otherwise I just don't do Windows OS, only the 'nix family (macOS, Linux & BSD). ️

@johnpoz Thanks again. Just after I read your reply I realised I had killed the internet when little one said she couldn't stream anything on the ROKU. I've now added rules for allowing DNS and NTP and also ping. Thank you for taking the time to explain, its a steep learning curve. I've gone from using an ISP issue router to this in a week and learning fast how to secure my network. Cheers Jungle

@NogBadTheBad Yeah …. Was about to post @me-too As I was also selecting “auto select interface”, as I consider this a “don’t care” choice, and was a bit surprised that my selected “IPv4” gets overridden as pfSense prefers IPV6 part of my WAN (?)