Hello,

I think I have solved all issues. The version I will upload in a moment to the bug-tracker-side does have the same functionality as the original NetGate version.

However, on my system and setup, it is nearly 20-times faster and does process a maximum of 250 lines from the firewall log in opposite to only 50 in the original version (which is relevant if you e.g. would like to select alarms from one specific interface).

I also shorted the timestamps printout, since I did not like it and assume nearly any one is interested to see the micro seconds.

If you want to use or test it, you can download it from
https://redmine.pfsense.org/issues/12673

@jimp said in Questions about DHCPd: new service on the agenda? DHCP pool restrictions?:

Yes, it's EOL. We'll be working on moving to Kea but not for this release. We've been using Kea with much success on TNSR, so we are hopeful that is the best path forward. That said, we still need to look into how it does things like failover pools.

Oh really exciting to read. I almost assumed it's a OpenBSD like situation that FreeBSD runs its own fork and will do so further down the road but I see that I now have to read on and check out Kea myself :)

@jimp said in Questions about DHCPd: new service on the agenda? DHCP pool restrictions?:

I'm not sure how Kea handles that second part but if they are actually reservations there then we can obviously lift that restriction after moving to Kea.

Oh then I'm sorry and "my bad" for assuming they actually were reservations. I just followed a similar discussion where ISC-dhcpd was concerned and either there was some misconception or they weren't aware, that preferences weren't really reservations.

But thanks for the update that gives additional input if that question pops up in the future again. Have to read Kea docs, if that is actually supported there (just for informational purpose).

Thanks again,
Jens

@jimp

One other reaction to add. I do not know which security measures / precautions Netgate makes with packages, e.g. with which authorization level they are running, however adding whatever 'external' code to your system is always a risk and surely if the involved system is a firewall.

So, but if you allow that whatever package to be installed, than you trust that package and an installed package does IMHO technically have the capability to do all kind of unwanted things with your platform.

If one of those more or less trusted packages generates fixed html code, it sounds strange to me to see that html code from one of your own packages as ^dangerous^ where the fact that the package is installed is again in my feeling is far more dangerous.

So, I do not need the htmlspecialchars() protection replacement for this case, but I do scratch my head why it is dangerous 😥

This long thread from earlier this year should help kickstart your effort: https://forum.netgate.com/topic/169749/pfsense-compile-requirements-for-3rd-party-software. This thread was about a different binary package, but the information is directly applicable to your iperf3 work.

You will first need to create a FreeBSD package builder environment based on the pfSense version you are targeting. Today that is FreeBSD 12.3-STABLE for pfSense CE and pfSense Plus RELEASE, and FreeBSD-14.0-CURRENT for the DEVEL snapshot branches.

You will find the binary pieces of iperf3 here: https://github.com/pfsense/FreeBSD-ports/tree/devel/benchmarks/iperf3.

The PHP GUI component of the package is here: https://github.com/pfsense/FreeBSD-ports/tree/devel/benchmarks/pfSense-pkg-iperf.

There is very little documentation of the process. Be prepared to draw upon your experience (or else you will have to spend a good deal of time on Google searching for clues and tips).

We're already looking into that. We were aware about it before it went in, it's something we've been keeping a close eye on.

@watermirror said in how to start?:

[00:00:46] [01] [00:00:11] Finished devel/libffi | libffi-3.3_1: Failed: fetch

This is the only error that matters. The others that followed it are just a symptom as they have libffi listed as a dependency, so when that port fails to build the others with a dependency on it will also fail to build.

To see why libffi is failing, you will need to examine its Makefile and perhaps the Poudriere build log for that package. The error says it failed to fetch the source code. That could be because the repo referenced in the Makefile is offline, or it might be that the source file location has been customized to some place not publicly accessible (like a private GitHub, for instance).

And lastly, I will say that trying to build a custom pfSense image is not for the faint of heart. It requires quite a bit of patience to track down and correct some weird errors, and it also demands a lot of experience with using and maintaining FreeBSD build environments.

@stephenw10 said in FreeBSD 13:

Yup, so does main/14. 😉

This does sound as a very very interesting deveolpment for pfSense. However, I’m not a FreeBSD user/follower apart from on my SG-xxxx boxes, so a few questions arise:

1: How big is the difference between 12/Stable and 14/Main in the bits pfSense use/exploit? IE: What will be the most noticable news for pfSense users?

2: Is it a huge leap in additional drivers availability and supported hardware? I’m thinking mainly NICs and especially 4G/5G dongles/hardware support.

3: Is 22.11/2.7’s only focus to change FreeBSD base and PHP build, or will there be other new features/requests included?

Leaving this here in case it's useful to anyone...

github.com/luckman212/pfsense-temp-alert

@cool_corona said in IMHO actual pfSense GUI is slow ..:

@louis2 Its in development and therefore is bet/rc.

I find the GUI quite responsive actually.

It’s all about the widgets you have applied to the dashbord. Remove the bad offenders, and the GUI/login will be much quicker.

Probably possible to backport it but that's very unlikely to happen at this point. It would remove development resources from the work to rebase which is currently underway.
Watch this space. 😉

Ah, OK. Then I'd create it as a feature request in Redmine.

And what about not filling in this field by default, only making it mandatory if the user filled in the IP address?

Unless you type in an IP address that page still behaves as it did before and if the the user types in an IP address the user is forced to provide the subnet mask...

This way it will never warn about the subnet mask unless there is a reason to do so (ie it is missing...). Doesn't this make way more sense than what I suggested earlier, to warn when it is a /32, not knowing whether it is good or not? If the user has to actually fill it and it still manage to still fill in the wrong information then (s)he is a lost cause... 😉

Thank you and have a nice day!

Nick

Can we assume you tried the suggested --clean-builder and it made no difference?

What do the logs show?

Steve

Ok, if nobody else wants to do it I'm happy to rip through them and get them all consistent.

@sergei_shablovsky So whats the problem with the horizontal menu exactly? Many things use it. And yes it's got a bit crowded over the time.

I'd appreciate a bit of redesign or submenu'ism myself, as we run a prod setup with VERY large amounts of VLANs and the interface menu is longer then my monitor height - you have to scroll. That's not nice, yes. But besides that working better in a more left-side-style menu, where's the problem?

And why NAT are in Firewall, but Routing not in Firewall but in System? Because of coder logic on entry stage of creating product? ;)

Simply: logic! Alias, NAT, Rules and Schedules ALL relate to underlying paket filter "pf" and manipulate its ruleset. So it makes absolute sense, that everything firewall/filter related is in there. That's why pfBlockerNG is there after being installed, too, as it fetches IP lists and creates aliases. OK one might argue it also does DNS blocklists and that is more unbound related but hell - can't put it in both menus trees.

@sergei_shablovsky said in Grouping Items in menu vs A-Z list:

I know that You have a lot of docs made 10+ years ago, but is this really reason to make so khm... bad designed menu that **break all possible rules of creating visual interfaces?”.

nothing "bad menu design" about that IMHO.

@sergei_shablovsky said in Grouping Items in menu vs A-Z list:

Bu really so outdated, like web from early '80, or just after usenet/FIDO

Sure about that? The UI uses bootstrap - I've seen lots and lots of UIs/UXs that utilize bootstrap and use a horizontal layout. Nothing "old" about that if you can use it easily.

Why States and States Summary, NDP, ARP, SOCKETS and other are not in Status (that mean current state of Firewall) and sit in Diagnostics?

Because that are things you don't normally check all the time. States? State tables? ARP? You check that as a "status" all the time? I'm working with a multitude of customers and from my perspective the only time we have to take a look at state details, ARP or NDPs is - exactly - if we're doing debugging with the client to find out why something is not right or working as intended. So I'd say from our perspective those entries are exactly where I'd put them. Normal customer often has no clue what states really are and what they are needed for so to find that in "Status" they'd be more irritated then helped.

@sergei_shablovsky said in Grouping Items in menu vs A-Z list:

What is difference and why is Routes both in System and Diagnostics ? Is this different functionality ?

Of course - they are even called differently. So the argument is a bit void ;)
System/Routing(!) is about Gateways, GW Groups and manually adding static routes to those gateways. Diagnostics/Routes(!) is the system routing table. Nothing crazy about it.

@sergei_shablovsky said in Grouping Items in menu vs A-Z list:

And Logout just between the much used Package Manager and High Avail. Sync ? Really ?

THAT I agree on. As the function is already available via the icon in the upper right, I'd perhaps make it optionally show a text beside it (so people can see it easier) and remove the logout from the system menu.

Backup in Diagnostics are for diagnosing purpose or really working?

I agree, that would perhaps be better suited in "System" rather then Diagnostics and should perhaps read "Backup & Audit" as many forget, that there's a additional tab in Backup&Restore with the config audit and the ability to rollback configuration (although that would perhaps be better suited in Diagnostics as it's more of a tool you'd use in debugging sessions).

@sergei_shablovsky said in Grouping Items in menu vs A-Z list:

The groups in 2-nd level menu need to be visually divided:

I'm there on that one. I'd like to see the menus a bit cleaned up or divided into submenus - or even better the ability to switch to a left-hand/right-hand side menu. But the broad categorization is fine with our day to day usage or support tasks with debugging users.

As the comparison with OPNsense often pops up: The left-hand menu there is nice for things like huge VLAN deployments etc. as theres no endless top-to-bottom menu that way but them re-ordering every single freakin' item from Diagnostics to the "best matching" service or system function is incredibly tedious! Every time I'm out to debug one of those systems I'm forced to open up dozens of tabs as the navigation between the various diagnostic or logging menu items is simply nervewrecking. Switching from System General to Firewall logs to OpenVPN logs as you try to track down a connection problem? 3 clicks in the System/System Logs view. With their UI you're constantly navigating to 3-4 levels of submenus that aren't visible, but you have to click to open up. It's insane.

So compared to that pfSense is far more "debuggung-friendly" as all things you're looking for are in one place and not tossed around in various locations all hidden behind clicks and more clicks of submenus. And yeah, sure you can say "just do it via console then" but we are talking UI/UX only here :)

@sergei_shablovsky said in Grouping Items in menu vs A-Z list:

Apple Human Interface Guidelines

But seriously I've never seen webdevs or WebUX people being hold to desktop application standards. IMHO that comparison is a bit far fetched?
Not everything needs to be designed like an Apple or Desktop App, but I agree, a few points could profit from a bit of sorting and regrouping. And an option to switch to a side-style menu for those with loooooong list of Interfaces or installed services would surely agree that's more comfortable to navigate.

Cheers :)
\jens

If it compiles against the same version of PHP it should be OK. At the time it was removed it was broken and I'm not sure if anyone fixed it, but give it a shot. Maybe upstream did something different in the meantime it has been a few years.