@sergei_shablovsky So whats the problem with the horizontal menu exactly? Many things use it. And yes it's got a bit crowded over the time.

I'd appreciate a bit of redesign or submenu'ism myself, as we run a prod setup with VERY large amounts of VLANs and the interface menu is longer then my monitor height - you have to scroll. That's not nice, yes. But besides that working better in a more left-side-style menu, where's the problem?

And why NAT are in Firewall, but Routing not in Firewall but in System? Because of coder logic on entry stage of creating product? ;)

Simply: logic! Alias, NAT, Rules and Schedules ALL relate to underlying paket filter "pf" and manipulate its ruleset. So it makes absolute sense, that everything firewall/filter related is in there. That's why pfBlockerNG is there after being installed, too, as it fetches IP lists and creates aliases. OK one might argue it also does DNS blocklists and that is more unbound related but hell - can't put it in both menus trees.

@sergei_shablovsky said in Grouping Items in menu vs A-Z list:

I know that You have a lot of docs made 10+ years ago, but is this really reason to make so khm... bad designed menu that **break all possible rules of creating visual interfaces?”.

nothing "bad menu design" about that IMHO.

@sergei_shablovsky said in Grouping Items in menu vs A-Z list:

Bu really so outdated, like web from early '80, or just after usenet/FIDO

Sure about that? The UI uses bootstrap - I've seen lots and lots of UIs/UXs that utilize bootstrap and use a horizontal layout. Nothing "old" about that if you can use it easily.

Why States and States Summary, NDP, ARP, SOCKETS and other are not in Status (that mean current state of Firewall) and sit in Diagnostics?

Because that are things you don't normally check all the time. States? State tables? ARP? You check that as a "status" all the time? I'm working with a multitude of customers and from my perspective the only time we have to take a look at state details, ARP or NDPs is - exactly - if we're doing debugging with the client to find out why something is not right or working as intended. So I'd say from our perspective those entries are exactly where I'd put them. Normal customer often has no clue what states really are and what they are needed for so to find that in "Status" they'd be more irritated then helped.

@sergei_shablovsky said in Grouping Items in menu vs A-Z list:

What is difference and why is Routes both in System and Diagnostics ? Is this different functionality ?

Of course - they are even called differently. So the argument is a bit void ;)
System/Routing(!) is about Gateways, GW Groups and manually adding static routes to those gateways. Diagnostics/Routes(!) is the system routing table. Nothing crazy about it.

@sergei_shablovsky said in Grouping Items in menu vs A-Z list:

And Logout just between the much used Package Manager and High Avail. Sync ? Really ?

THAT I agree on. As the function is already available via the icon in the upper right, I'd perhaps make it optionally show a text beside it (so people can see it easier) and remove the logout from the system menu.

Backup in Diagnostics are for diagnosing purpose or really working?

I agree, that would perhaps be better suited in "System" rather then Diagnostics and should perhaps read "Backup & Audit" as many forget, that there's a additional tab in Backup&Restore with the config audit and the ability to rollback configuration (although that would perhaps be better suited in Diagnostics as it's more of a tool you'd use in debugging sessions).

@sergei_shablovsky said in Grouping Items in menu vs A-Z list:

The groups in 2-nd level menu need to be visually divided:

I'm there on that one. I'd like to see the menus a bit cleaned up or divided into submenus - or even better the ability to switch to a left-hand/right-hand side menu. But the broad categorization is fine with our day to day usage or support tasks with debugging users.

As the comparison with OPNsense often pops up: The left-hand menu there is nice for things like huge VLAN deployments etc. as theres no endless top-to-bottom menu that way but them re-ordering every single freakin' item from Diagnostics to the "best matching" service or system function is incredibly tedious! Every time I'm out to debug one of those systems I'm forced to open up dozens of tabs as the navigation between the various diagnostic or logging menu items is simply nervewrecking. Switching from System General to Firewall logs to OpenVPN logs as you try to track down a connection problem? 3 clicks in the System/System Logs view. With their UI you're constantly navigating to 3-4 levels of submenus that aren't visible, but you have to click to open up. It's insane.

So compared to that pfSense is far more "debuggung-friendly" as all things you're looking for are in one place and not tossed around in various locations all hidden behind clicks and more clicks of submenus. And yeah, sure you can say "just do it via console then" but we are talking UI/UX only here :)

@sergei_shablovsky said in Grouping Items in menu vs A-Z list:

Apple Human Interface Guidelines

But seriously I've never seen webdevs or WebUX people being hold to desktop application standards. IMHO that comparison is a bit far fetched?
Not everything needs to be designed like an Apple or Desktop App, but I agree, a few points could profit from a bit of sorting and regrouping. And an option to switch to a side-style menu for those with loooooong list of Interfaces or installed services would surely agree that's more comfortable to navigate.

Cheers :)
\jens

If it compiles against the same version of PHP it should be OK. At the time it was removed it was broken and I'm not sure if anyone fixed it, but give it a shot. Maybe upstream did something different in the meantime it has been a few years.

You're not the first to ask. 😉

https://redmine.pfsense.org/issues/12832

Add comments there if you like. More feedback always better.

Steve

@jimp Hi again I tried the Filezilla method but couldn't connect to it. I took the following steps to make the ssh connection (not in particular order): Gave admin user the Authorized SSH Key of my PC, enabled secure shell with public key only, through WAN rules added a pass action with "any" as a source and from pfsense's terminal enabled secure shell. Still when I put my credentials and IP correct, prints the following:
(IP of pfsense VM: 192.168.1.1 and Port: 5555)

Status: Connecting to 192.168.1.1:5555...
Status: Connection established, waiting for welcome message...
Error: Connection timed out after 20 seconds of inactivity
Error: Could not connect to server

Is anything I've done wrong?

@encrypt1d

This is very handy to have, thank you very much!

@networknotwork

This one : /conf/config.xml

@mako
pfSense (Firewall won't do it)
But maybe a Proxy like squid would - (I think squid is installable on pfSense)

/Bingo

@alroute said in 3rd Party Hardware Request:

I'm guessing Netgate doesn't want to price the 2100 down at home user prices because it might lose small business revenue and the same for access points which I'm guessing are universal to all.

Perhaps you can't simply make it any cheaper without loosing money? Because all electronics prices have gone through the roof and nothing got cheaper at all? There's a reason why consumer/SOHO electronics is cheap, while more flexible hardware and software is not. That's not something to do with "they don't want to make it cheaper" or "they don't like their software running on toasters". It's just that no one wants to pay for that. You can't just throw the software on cheap SOHO hardware and hope it will work just because "it's also an ARM SOC/CPU". There are vastly different ARM SOCs and they have licenses etc. for accessing their tools and drivers etc. Why is Netgate running espressobin-like hardware on those SG1100-3100? Because it's mostly the same SOC and was (guessing) relatively easy to adapt FreeBSDs ARM branch on it.
We can see how "identical normal x86/64 hardware" runs every day. They aren't the same just because they may have the same NIC and CPU in it. Developing on different hardware is far more complex than "just throw it on and have a look at it". Otherwise one could simple extract the installer from e.g. a SG1100 and throw it on a Raspi4 (won't work - different ARM SOC) or on a smartphone perhaps? Those are ARM, too? Nope. Not that easy. And the menhours that go into such things as developing and testing on new hardware is what makes things time consuming and expensive to ensure the stuff is actually running quite nicely when you try to install/update it. Add to that, that many hardware vendors for WiFi, SOCs (Quallcom for ARM etc.) like to have "binary blobs" in their drivers that may only work on Linux or have problems to get them to run on FreeBSD - or even incompatible licenses to BSD/Apache Licenses? Those are just the problems on top of it.

Have you seen 08/15 SOHO hardware with more then 1-2y firmware support? I found them very rare. Mostly the have have a few updates and are then abandoned for the next bigger better version. Also because of ever evolving HW standards of WiFi and such, most SOHO routers tend to get switched out around 2ys. Firewall hardware normally lasts way longer than that in my experience in our company (not Netgate BTW).

@alroute said in 3rd Party Hardware Request:

I noted from the Netgate Website that youa re intending to provide support for Pfsense to be used on 3rd party routers.

Actually don't know where you found that. I only know of "supporting 3rd party hardware" and with that they are only talking about compatible (x64 Intel/amd) 3rd party hardware router boxes or barebones that you can buy/build yourself. I found nowhere they state, that they plan to run on 3rd party routers as an alternative firmware like OpenWRT or DD-WRT or Tomato. That's - AFAIK - far outside the project scope.

Cheers
\jens

looks good thanks.

@viktor_g

After several attempts, it worked...very strange. I had to uninstall and reinstall, and then voila, it worked.

Nice!
I think the biggest issue I had (once I had it compiled) was that the ifconfig parts required to actually use any of the .ac parts are not present so there's no way to test it.

Steve

There is no way to downgrade in-place. You would have to reinstall the older version and restore a configuration made on the previous release as well.

Recently has a time to read more about BBR implementation progress. Very impressive. Just take a look on graphics “quick vs bbr”

@luckman212
Thanks,
I fixed the issue with what @stephenw10 posted

@jegr Never used the backup or filer packages although I've always been vaguely aware of them. Somehow I thought they were unmaintained for years and broken on recent versions of pfSense but I guess that's wrong. I'll check it out (as soon as pkg is fixed 😳 )

@luckman212 Ah we had something similar with a SG-5100 that also utilized the eMMC and had it as primary boot. Every time our coworker installed the new image, it still booted the old one until he finally realized he was booting the eMMC every time but installing on the SSD 😁

But good point about the nuking of the mmcsd0 partition. Will bookmark that to remember it when dealing with such a case again. Thanks 😄

Huh, now that someone mentions it... YES. That would definetly save some time with setting up a restore or similar box without having to edit the complete config.xml to do a full restore. Great idea!

I made a simple script to check if patches are applicable from the console. It's completely non-destructive (checks only).

GitHub gist: ptest.sh

Get

Run

./ptest.sh [-r] <commit-hash>

Sample output

Steve,
Thanks for the advice. Patch seems to work, pcscd is no longer running.

It's not that significant a concern, so nobody has taken the time to clean them all up. They should probably be removed for consistency, but it's not a priority.

If anyone wants to test the package, you can try this script below.
Place it in /usr/local/etc/rc.d, change mode to 0755, disable PowerD in the System / Advanced / Miscellaneous
reboot the system and wait for 5 min, check dashboard for current CPU frequency and temperature.

Packages on pfSense generally offer a GUI component for managing their configuration. Usually the GUI configuration piece is accessed via a menu entry under SERVICES put there by the package when it is installed from the pfSense packages repo (available under SYSTEM > PACKAGE MANGER.

If you mean you installed a package directly from the CLI from a package repo that is not part of the official pfSense distro, then you can be on your own. In that case, the package is unlikely to be manageable from pfSense itself. You would need to resort to manually editing any config files the package might have installed in /usr/local/etc (or more rarely, in /etc).

@pandafy said in Stray commented line in pfsense/src/etc/inc/openvpn.inc:

From looking at the commit which made this change, this seems like it was commented out purposefully back then. Should I open a PR to remove those lines?

That would be fine, I'd say being commented out for over 11 years means we really don't need to keep them hanging around.

Hello @gertjan!

Thank you very much for clearing out my doubts.
This was troubling me for quite a while that why there's a restriction in changing management interface.

Even after adding management 127.0.0.1 7505 directive using Custom Options, the OpenVPN instance on pfSense always used a UNIX socket. (It opens a UNIX socket with IP address as name)

Because ..... that is the way how the Dashboard Server VPN widget 'scans' the OpenVPN server so it can update the dashboard info about a current connections.

This is the crucial information I was missing. I will check the documentation again to confirm if it is already mentioned there. If not, I will open an issue/pull request to add this.

But now, I want to take a dive into the implementation of the "scan client" feature and would like to investigate why usage of TCP ports has been ruled out completely.

It will be really helpful if you can provide links to related code or documentation which can give me a starting point.

Again, thanks a lot. :)

@jimp Thank you, new thread is here

It does appear to be a similar case to exit notify for point-to-point modes.

In "sever" mode (SSL/TLS with a tunnel network larger than /30) it considers Inactive to only apply to client sessions and not the server itself.

In point-to-point mode (client or server are ambiguous to OpenVPN) it terminates the process on inactivity.

https://redmine.pfsense.org/issues/12219

@jimp said in 2.5.2-release still has OpenVPN Site2Site Bug with explicit-exit-notify:

In the meantime, you can always use the Service Watchdog package to restart the service when it has stopped.

Ah didn't think of that. Normally I'm more "solve the problem, don't restart" type of engineer but you're right, if the other side is "wrongdoing" and there's nothing we can do - so be it :/

@jimp thanks jim

Normally you would not edit files in that way on the firewall directly.

Many of us work in one of the following ways:

Thanks for the hint!