Subcategories

  • Discussions about development snapshots for pfSense Plus 25.07

    68 Topics
    957 Posts
    @stephenw10 This is just another example of what I tried to explain in https://redmine.pfsense.org/issues/16128 Passing passwords as command line arguments is always going to result in failures like this. It needs to be addressed as a security issue. I've not tried it but I bet a password with ;rm -rf /; in it would be pretty destructive.
  • 0 Votes
    4 Posts
    821 Views
    Bump, issue persists. This seems to disrupt ipv6 connectivity on prefix rotation by upstream entirely. The new prefix does not propagate further than a new slaac address on the wan interface itself. All tracked interfaces don't update, ra keeps announcing deprecated prefixes, "LAN" loses internet connectivity. Issue opened https://redmine.pfsense.org/issues/15625
  • 0 Votes
    3 Posts
    484 Views
    A final harrumph from an old-time C programmer on UNIX systems... I quote from "Advanced UNIX Programming" by Marc J. Rochkind, first edition 1985, page 112: "The cost of a fork [system call in C] is enormous". I suppose this book dates me, but it was a classic in its day. Modern PHP code is doing the C sequence of fork/exec/wait for the UNIX command under the covers (maybe with the modern advantages of COW memory management), so an "exec" in PHP is a really expensive operation. So minimize exec calls, especially in loops. If you can get the same data by accessing memory or reading a file someplace, then do it.
  • This topic is deleted!

    Jul 16, 2024, 8:59 AM
    0 Votes
    1 Posts
    10 Views
    No one has replied
  • 0 Votes
    2 Posts
    488 Views
    I found something on MACsec https://www.synopsys.com/blogs/chip-design/what-is-macsec-protocol.html And ECMA-393 ProxZzzy on some intel cards https://ecma-international.org/publications-and-standards/standards/ecma-393/ There are also intel vpro features on NICs and RYZEN DASH remote access control features on ECC capable ryzen pro cpus. I am sure a combination of the default deny rule and L2 rules protect these features, but I'd also like to secure them all with snort/suricata and use them accordingly without investing into even more proprietary tech. Is there a streamlined way of identifying all of these features with opensolaris or with nmap or ptrace/dtrace? Their corresponding kernel module necessities etc?
  • 0 Votes
    1 Posts
    355 Views
    No one has replied
  • 0 Votes
    1 Posts
    324 Views
    No one has replied
  • pfSense on iPhone

    Jun 17, 2024, 9:11 PM
    0 Votes
    3 Posts
    771 Views
    @HLPPC said in pfSense on iPhone: There are probably easier ways to go about implementing a firewall Umm, yes. Just about any other way! That doesn't look like a full VM host. I've no idea how you might go about booting FreeBSD there. At a guess I'd say that's impossible. At the very least I would start with OpenWRT. But that too looks like it wouldn't work in what appears to be a terminal emulator. Unless I'm misreading it horribly. Steve
  • How to get Feedback on PRs

    Jun 15, 2024, 2:35 AM
    1 Votes
    11 Posts
    1k Views
    @michmoor you know big tech says, They say : "Squid is dangerous ..." You want to maintain it with me? We just need to fix the gui is all
  • 1 Votes
    1 Posts
    456 Views
    No one has replied
  • 1 Votes
    4 Posts
    680 Views
    Yeah, and they spent a lot of time fixing and putting in features in this release. I don't blame them for taking some time off before they jump into another release. They have been releasing patches for 24.03 for specific bugs that are problematic though, so they're not just sitting idle.
  • 0 Votes
    11 Posts
    2k Views
    It's working now with the Plus 24.02 beta installer. Only caveat: u need to run the installer, note the NDI, contact TAC support to pre activate that NDI (because new Hardware). After that Installer will run and detect activated NDI so u can install.
  • 24.03 System Logs Formatting

    Apr 29, 2024, 2:32 AM
    0 Votes
    2 Posts
    479 Views
    https://redmine.pfsense.org/issues/15411
  • Recurring Crash 2.7.0

    Apr 11, 2024, 4:44 PM
    0 Votes
    2 Posts
    418 Views
    Backtrace:
    db:0:kdb.enter.default> bt
    Tracing pid 11 tid 100007 td 0xfffffe0003fd6720
    kdb_enter() at kdb_enter+0x32/frame 0xfffffe000379d9c0
    vpanic() at vpanic+0x183/frame 0xfffffe000379da10
    panic() at panic+0x43/frame 0xfffffe000379da70
    trap_fatal() at trap_fatal+0x409/frame 0xfffffe000379dad0
    trap_pfault() at trap_pfault+0x4f/frame 0xfffffe000379db30
    calltrap() at calltrap+0x8/frame 0xfffffe000379db30
    --- trap 0xc, rip = 0xffffffff80b05c80, rsp = 0xfffffe000379dc00, rbp = 0xfffffe000379dc00 ---
    vmxnet3_isc_txd_credits_update() at vmxnet3_isc_txd_credits_update+0x20/frame 0xfffffe000379dc00
    iflib_fast_intr_rxtx() at iflib_fast_intr_rxtx+0xf7/frame 0xfffffe000379dc60
    intr_event_handle() at intr_event_handle+0x123/frame 0xfffffe000379dcd0
    intr_execute_handlers() at intr_execute_handlers+0x4a/frame 0xfffffe000379dd00
    Xapic_isr1() at Xapic_isr1+0xdc/frame 0xfffffe000379dd00
    --- interrupt, rip = 0xffffffff8125b026, rsp = 0xfffffe000379ddd0, rbp = 0xfffffe000379ddd0 ---
    acpi_cpu_c1() at acpi_cpu_c1+0x6/frame 0xfffffe000379ddd0
    acpi_cpu_idle() at acpi_cpu_idle+0x2fe/frame 0xfffffe000379de10
    cpu_idle_acpi() at cpu_idle_acpi+0x48/frame 0xfffffe000379de30
    cpu_idle() at cpu_idle+0x9e/frame 0xfffffe000379de50
    sched_idletd() at sched_idletd+0x4d1/frame 0xfffffe000379def0
    fork_exit() at fork_exit+0x7d/frame 0xfffffe000379df30
    fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe000379df30
    --- trap 0, rip = 0, rsp = 0, rbp = 0 ---
    We've seen that a few times and looked into it. We submitted a bug fix for it upstream: https://reviews.freebsd.org/D43712 Disabling multi-queue support prevents it if you're hitting it repeatedly. Increasing the descriptor counts in the tunables will make it happen less frequently. But will still eventually hit it. Steve
  • Azure Wizard

    Apr 10, 2024, 5:51 PM
    0 Votes
    3 Posts
    415 Views
    Or in: https://redmine.pfsense.org/projects/pfsense-plus
  • Python and pfSense

    Mar 12, 2024, 10:14 PM
    0 Votes
    2 Posts
    821 Views
    @John-Willard pfSense has python. Open up a command line: console, or SSH into pfSense, and fire it up:
    [23.09.1-RELEASE][root@pfSense.bhf/tld]/root: python3.11 -h
    usage: python3.11 [option] ... [-c cmd | -m mod | file | -] [arg] ...
    Options (and corresponding environment variables):
    -b : issue warnings about str(bytes_instance), str(bytearray_instance) and comparing bytes/bytearray with str. (-bb: issue errors)
    -B : don't write .pyc files on import; also PYTHONDONTWRITEBYTECODE=x
    -c cmd : program passed in as string (terminates option list)
    -d : turn on parser debugging output (for experts only, only works on debug builds); also PYTHONDEBUG=x
    ........
    Be aware: pfSense is a firewall, not a dev system. You'll have a hard time pulling in more packages and other tools that may not be present in the base system. @John-Willard said in Python and pfSense: Does pfSense have an API pfSense is built upon the FreeBSD kernel, and that one is 100 % open source. But again: it's probably not on pfSense that you develop anything, it's not the correct environment. Btw: Snort, Suricata, Wireshark etc are all binaries, certainly not "interpreted scripts" ;)
  • 0 Votes
    5 Posts
    644 Views
    @Ellis-Michael-Lieberman said in A questions about certs from a small-shop / home user (Maybe wrong category?): Do I understand that you want me to list "pfsense.netwrightt.net" in my public record? If you want Letsencrypt to sign you a certificate that contains "pfsense.netwrightt.net" you must prove to Letsencrypt that you are "pfsense.netwrightt.net" == that you handle (admin, own, etc) that domain name. There are multiple ways to do this, hence the big list here: https://github.com/acmesh-official/acme.sh/wiki/dnsapi Example: there is a domain name server that handles "netwrightt.net". With an acme.sh script, and access credentials your registrar gave you, acme.sh accesses your registrar's domain server, and places in the sub domain /.well-known/ a text (TXT) file. The filename and content of the file name are given to acme.sh by Letsencrypt. When done, Letsencrypt tests the existence of that file name, and the content, so it knows that you 'admin' that domain name. This method is called "rfc2136". Since then, registrars have created their own methods and that's why the dnsapi list is so big.
  • Installer public beta

    installer Mar 4, 2024, 1:29 PM
    1 Votes
    4 Posts
    889 Views
    @stephenw10 That would be greatly appreciated! Thanks!
  • 0 Votes
    28 Posts
    4k Views
  • 0 Votes
    4 Posts
    483 Views
    New build is good.
  • 0 Votes
    4 Posts
    669 Views
    @jrey said in Need Help...Want to build custom pFSense build...: @dapperamer786 said in Need Help...Want to build custom pFSense build...: with my required changes in the GUI What? the GUI is web based. There are even some completely different dashboards floating around. what is it are you trying to do? I think what he is trying to do is install pfSense with his backup config? Rather than install a clean install then go through the process of uploading the config.xml in backup/restore.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.