• Terrapin SSH Attack
    Pinned · 16 Votes · 33 Posts · 31k Views · last post by STLJonny:
    @willowen100 It basically forces your ssh (on the Windows side) to utilize that encryption algorithm. You'll need to do that on any machine you ssh from. I'd rather have found a more elegant workaround (preferably on the pfSense side, so the mod only has to be done in one location), but this works in a pinch.
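The post above describes pinning a cipher on every SSH client as a workaround for the Terrapin attack (CVE-2023-48795). As an added example, not code from the thread, from pfSense or from OpenSSH, the Python below shows what that pin actually changes: it parses two SSH_MSG_KEXINIT payloads in the RFC 4253 section 7.1 layout, negotiates cipher and MAC per direction by the RFC rule (first client preference the server also offers), and reports whether the result is within Terrapin's reach (chacha20-poly1305@openssh.com, or any CBC cipher paired with an -etm@openssh.com MAC) and whether both peers advertise the strict-kex countermeasure (the kex-strict-c-v00@openssh.com / kex-strict-s-v00@openssh.com pseudo-algorithms introduced in OpenSSH 9.6). The algorithm lists in demo() are constructed sample data, and the choice of aes256-gcm@openssh.com as the pinned cipher is my assumption, since the post does not name its algorithm.

```python
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_C = "kex-strict-c-v00@openssh.com"   # client-side strict kex flag
STRICT_KEX_S = "kex-strict-s-v00@openssh.com"   # server-side strict kex flag
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def name_list(names):
    """Encode an SSH name-list: uint32 length, then comma-separated ASCII."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Serialise a KEXINIT payload from a dict of algorithm lists."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in FIELDS:
        payload += name_list(lists.get(field, []))
    # trailing fields: first_kex_packet_follows (FALSE) and reserved uint32
    return payload + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Parse a KEXINIT payload; reject a wrong type or truncated name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 1 + 16, {}                 # skip message type and cookie
    for field in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated KEXINIT before %s" % field)
        (n,) = struct.unpack(">I", payload[off:off + 4])
        raw = payload[off + 4:off + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list for %s" % field)
        off += 4 + n
        out[field] = [x for x in raw.decode("ascii").split(",") if x]
    return out


def negotiate(client_prefs, server_prefs):
    """RFC 4253 rule: the first client-preferred name the server also lists."""
    for name in client_prefs:
        if name in server_prefs:
            return name
    return None


def terrapin_affected(cipher, mac):
    """True for the cipher/MAC modes Terrapin can exploit."""
    if cipher == "chacha20-poly1305@openssh.com":
        return True
    return bool(cipher and cipher.endswith("-cbc")
                and mac and mac.endswith("-etm@openssh.com"))


def assess(client_kexinit, server_kexinit):
    """Negotiate both directions and report Terrapin exposure."""
    c, s = parse_kexinit(client_kexinit), parse_kexinit(server_kexinit)
    result = {}
    for d in ("c2s", "s2c"):
        cipher = negotiate(c["enc_" + d], s["enc_" + d])
        mac = negotiate(c["mac_" + d], s["mac_" + d])
        result[d] = {"cipher": cipher, "mac": mac,
                     "affected": terrapin_affected(cipher, mac)}
    # Strict kex only protects the session when both peers advertise it.
    result["strict_kex"] = STRICT_KEX_C in c["kex"] and STRICT_KEX_S in s["kex"]
    result["vulnerable"] = (not result["strict_kex"] and
                            (result["c2s"]["affected"] or result["s2c"]["affected"]))
    return result


def mk(kex, enc, mac):
    """Build a KEXINIT that offers the same enc/MAC lists in both directions."""
    return build_kexinit({"kex": kex, "hostkey": ["ssh-ed25519"],
                          "enc_c2s": enc, "enc_s2c": enc, "mac_c2s": mac,
                          "mac_s2c": mac, "comp_c2s": ["none"], "comp_s2c": ["none"]})


def demo():
    """Constructed sample negotiations (not captured traffic)."""
    kex = ["curve25519-sha256", "ecdh-sha2-nistp256"]
    etm = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]
    chacha, gcm, cbc = "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-cbc"
    server = mk(kex, [chacha, gcm, cbc], etm)           # older server, no strict kex
    return {
        # default-style client: ChaCha20-Poly1305 wins and nothing mitigates it
        "weak": assess(mk(kex, [chacha, gcm], etm), server),
        # a CBC cipher with an encrypt-then-MAC MAC is the other affected mode
        "cbc_etm": assess(mk(kex, [cbc], etm), server),
        # the thread's workaround: the client pins a cipher outside Terrapin's reach
        "pinned": assess(mk(kex, [gcm], etm), server),
        # the proper fix: both sides advertise strict kex, so ChaCha20 is then safe
        "strict": assess(mk(kex + [STRICT_KEX_C], [chacha], etm),
                         mk(kex + [STRICT_KEX_S], [chacha, gcm], etm)),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print("%-8s %-30s vulnerable=%s" % (name, r["c2s"]["cipher"], r["vulnerable"]))
```

The "pinned" case is why the workaround has to be repeated on every client: the cipher offer lives in the client's KEXINIT, so an unpinned client talking to the same server is back to the "weak" case. The "strict" case is the fix that only needs both ends upgraded once; to check a real session, feed assess() the two KEXINIT payloads from a capture with the binary-packet framing (length, padding length, padding) removed.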
  • pfSense Hangouts are available on YouTube!
    Pinned, Locked · 5 Votes · 1 Post · 11k Views · no one has replied
  • Share your pfSense stories!
    Pinned, Moved · 0 Votes · 76 Posts · 65k Views · last post by V:
    Mine may be typical, maybe not..... Took over a large senior living facility with a pretty robust IT infrastructure spread between 4 IT rooms, 23 access points, 12-14 switches, and 200 internal devices and 200 guest/resident devices, all being run by a SonicWall TZ350. I had been wanting to realign everything network-wise for some time, but the TZ had 2 ports that were failing. I had worked with ClearOS from back in the ClarkConnect days and started searching for something similar. I found pfSense and it just fit what I wanted to do. I tested it a bit on an old Athlon 64 X2 rig for proof of concept and had planned on installing on a mini PC or something, but I wanted 6 NICs. Standing in my main IT room I looked down, and in the bottom of the rack were 4 HP DL380s, 2 of which were decommissioned 2 years ago. It's such huge overkill for hardware that it's hard to explain, but who wouldn't want redundant power supplies, RAID 60 with 25 drives and remote system monitoring through iLO? lol I spun one up, loaded pfSense and started tweaking. 2 weeks ago I switched over and have been working out gremlins since. Overall it's gone well, just one snag that a couple of members here have been very kind in helping me work out. Thank you to this page for all the help. [image: 1697753147328-pfsense1.png]
  • Restore pfS config.xml to new h/w
    0 Votes · 6 Posts · 34 Views · last post by T:
    You do not need to edit the XML. During the import the system/GUI will ask what you want to map to, and it will prompt you with the adapters it can see.
  • Switched to AT&T fiber, IPv6 tunnel broken
    0 Votes · 6 Posts · 27 Views · last post by Bob.Dig:
    @BiloxiGeek And it has to be ping-able.
  • Transfer license
    0 Votes · 4 Posts · 576 Views · last post by R:
    @akhuyna It's like I already said that. :)
  • Port Forwarding stopped working after upgrading to 2.8.0
    0 Votes · 110 Posts · 5k Views · last post by C:
    @stephenw10 Are the lists the items under Feeds, where there is a white section and some gray and green highlighted areas? If so, I'm going to try to see if I can disable them.
  • Ecobee thermostat can’t connect to servers
    0 Votes · 28 Posts · 2k Views · last post by GPz1100:
    Under steady-state conditions I show the ecobee premium connecting to a single IP [image: 1756308824639-67a13b98-e9e5-4a80-baa2-1464cd5fa15d-image.png] and periodic connections to the DNS server (x.y.100.2). Using any packages that may be doing traffic inspection?
  • 25.07.1: aspx login page no longer loads, did in 24.11
    1 Vote · 16 Posts · 323 Views · last post by beerguzzle:
    @SteveITS Since the Netgate 2100 is at the Methodist local church and I support the firewall, this was a real user issue. They access the site monthly to do retirement account contributions for the church employees. Fortunately the login mechanism (once you can see it) requires two-factor authentication. Glad for that.
  • Strange Memory
    0 Votes · 8 Posts · 758 Views · last post by J:
    @stephenw10 I'll hold off on any changes to ZFS for now. I think the timing and data are pointing more to this observation being an "artifact" that is actually caused by the syslogd issue. From looking at the change I highlighted in the syslogd thread, I think that when the remote goes down, and perhaps only if there are two destinations, the syslog code does in fact fail on the reconnect attempt, but in the meantime it continues to try to spew output to a destination (1 of 2) that is not available. Those messages are still going somewhere (we know they still go to the other syslog receiver and the local files, as they should), but I think they are also getting "lost in space". I think it is most likely the flood of "sendto: Host is down" messages that I don't see in the logs during the event (they actually don't show on either destination or in the local files, but other messages do). On the production server those messages are presumably going somewhere, and if the remote is down long enough, and depending on available memory, this is when the memory shift happens.

    Left unchecked long enough, syslog eventually crashes (likely runs out of memory), and even restarting syslogd does not recover this memory shift. In the graphs, the difference between the large shift and the smaller shift is an indication of how long the remote was down and syslog was subsequently restarted. That also explains why the shift takes time to go from high to low. The sad part is that restarting syslog does not seem to reclaim that shifted memory; rebooting does. (Unless the shift back would take a really long time, I think that "memory" allocation is "lost in space". The longest the system ran in the shifted mode before I restarted it was a little over a day.)

    Monday morning was the latest observation. I restarted the system and memory has been at "24.11 normal" levels since. I also noted then that I moved the next scheduled planned outage of the syslog receiver server from Thursday to Friday, the theory being that if it doesn't shift until then (that would be a different day/timing), then syslog has been the cause of this memory observation all along. https://forum.netgate.com/topic/198418/25.07-unbound-pfblocker-python-syslog?_=1756291874803
  • 25.07 unbound - pfblocker - python - syslog
    0 Votes · 44 Posts · 2k Views · last post by stephenw10:
    I'm away at the moment and can't check directly. However I don't believe it includes that. 2.8.1 is intended to be as close to 25.07.1 as possible so that testing/bugs apply similarly to both. It looks like it was the source address binding that was fixed there. I'll be back on this next week.
  • To do 25.07 or not?! That is the question!
    0 Votes · 34 Posts · 2k Views · last post by stephenw10:
    Like BIOS settings? Not really. It could be an ACPI bug that's exposed by the larger kernel in 25.07 taking up more space. But I'd expect a panic if that was the case.
  • Cannot access some legit 443 on 25.07.1
    0 Votes · 4 Posts · 340 Views · last post by johnpoz:
    @wzkds If the client doesn't have an IP on the network attached to pfSense, it would never send traffic to pfSense. You could see some broadcast traffic being blocked. Are they clients on a VLAN? But yeah, I would sniff on pfSense, have the client ask for an IP from DHCP; if you're not seeing the discover at all, then yeah, nothing is ever going to work.
  • Logging my daily changing WAN-address
    0 Votes · 49 Posts · 6k Views · last post by J:
    @Bob.Dig No worries.
  • Update from 24.11 to 25.07 failed and possible corrupt system
    0 Votes · 24 Posts · 2k Views · last post by M:
    Thanks. I had the same issue; it kept failing boot verification with 43000 files in the config backup directory. After getting rid of those, it upgraded faster than I have ever encountered in the past. I had gotten used to upgrades taking 10+ minutes.
  • pfsense 2.7.0 installed as vm on xenserver now routing issue
    0 Votes · 5 Posts · 609 Views · last post by stephenw10:
    @Abdul-Qadir said in pfsense 2.7.0 installed as vm on xenserver now routing issue: "the CCTV nvr is somewhere else location connected to switch and i have connected that switch to our office network LAN switch." So how are you separating the two subnets? You are using VLANs on the switches? It sounds like you have a layer 2 issue there. It could be a loop perhaps?
  • pfSense Sanity Check!
    0 Votes · 6 Posts · 543 Views · last post by stephenw10:
    It should still have a default route of course.
  • 0 Votes · 9 Posts · 118 Views · last post by stephenw10:
    2.8.1 beta is available as an upgrade or available to install directly from the Net Installer. https://docs.netgate.com/pfsense/en/latest/install/netinstaller.html
  • if_pppoe: Is PPPoE MRU/MTU auto-negotiation not supported?
    0 Votes · 7 Posts · 227 Views · last post by stephenw10:
    Yup more and better logging is coming. However it also looks like there is an issue with the negotiated MRU/MTU value so a fix for that is in the works.
  • Goodbye pfSense
    Locked · 0 Votes · 16 Posts · 1k Views · last post by J:
    I think it's time one of the MODS lock this thread.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.