• Terrapin SSH Attack

    Pinned
    16 Votes
    33 Posts
    29k Views
    STLJonny
    @willowen100 It basically forces your ssh (on the Windows side) to utilize that encryption algorithm. You'll need to do that on any machine you ssh from. I'd have rather found a more elegant workaround (preferably on the pfSense side, so the mod only has to be done in one location), but this works in a pinch.
  • pfSense Hangouts are available on YouTube!

    Pinned Locked
    5 Votes
    1 Posts
    11k Views
    No one has replied
  • Share your pfSense stories!

    Pinned Moved
    0 Votes
    76 Posts
    63k Views
    V
    Mine may be typical, maybe not. Took over a large senior living facility with a pretty robust IT infrastructure spread between 4 IT rooms, 23 access points, 12-14 switches, and 200 internal devices and 200 guest/resident devices, all being run by a Sonicwall TZ350. I had been wanting to realign everything network-wise for some time, but the TZ had 2 ports that were failing. I had worked with ClearOS from back in the ClarkConnect days and started searching for something similar. I found pfSense and it just fit what I wanted to do. I tested it a bit on an old Athlon 64 X2 rig for proof of concept and had planned on installing on a mini PC or something, but I wanted 6 NICs. Standing in my main IT room I looked down, and in the bottom of the rack were 4 HP DL380s, 2 of which were decommissioned 2 years ago. It's such huge overkill for hardware that it's hard to explain, but who wouldn't want redundant power supplies, RAID 60 with 25 drives and remote system monitoring through iLO? lol I spun one up, loaded pfSense and started tweaking. 2 weeks ago I switched over and have been working out gremlins since. Overall it's gone well, just one snag that a couple of members here have been very kind in helping me work out. Thank you to this page for all the help. [image: 1697753147328-pfsense1.png]
  • Changing My Netgate Contact Information

    0 Votes
    5 Posts
    117 Views
    K
    @stephenw10 said in Changing My Netgate Contact Information (/post/1222396): Where are you trying to make that change? Thank you
  • SSH with public key and new macbook pro

    0 Votes
    10 Posts
    79 Views
    patient0
    @ahole4sure said in SSH with public key and new macbook pro: could you possibly send a screenshot of what all is in your config file? :) ... no, I can't do that. It is full of information not to be shown in public. But I can paste an example and you'll find a lot on the internet.

        Include ~/.orbstack/ssh/config

        # my firewall, e.g. pfSense, non-standard port
        # and specify which ssh private key to use
        Host firewall-at-home 192.168.1.1
            User root
            Port 20022
            IdentityFile ~/.ssh/id_rsa
            HostName 192.168.1.1

        # my Synology DS920+
        Host ds920plus
            User admin

        # default settings for hosts not matched
        # in above rules
        Host *
            User jane
  • Torrents Resulting in WAN Packet Loss

    0 Votes
    4 Posts
    50 Views
    planedrop
    @stephenw10 I'll do some checking on this, though I somewhat doubt that is the issue considering how little traffic I was actually seeing. As for the packet loss, not just gateway monitoring, but also traffic dropping when trying to load websites and pings from clients being dropped entirely as well. Pings to external services, to be clear. Also becomes really obvious with things like voice chat services: lots of disconnects/cutouts/roboting. I'm heavily leaning towards it being the ISP, but it's odd that they aren't just throttling and instead I'm just seeing overall packet loss. I can run a speed test during it and still get pretty good bandwidth.
  • upgrading to 25.07, if_pppoe and new bug or what?

    0 Votes
    12 Posts
    134 Views
    C
    @stephenw10 I've been watching for two days; nothing has changed, still a lot of spam in system.log: "pppoe: alien host unique tag, no session found". Disabled "Use if_pppoe kernel module for PPPoE client" and rebooted; now the log is clean.
  • XMLRPC Error after Upgrading to 25.07

    0 Votes
    3 Posts
    49 Views
    stephenw10
    Do you see blocked traffic on secondary? It sure looks like it's failing to authenticate there. Are you using a complex password? Are you using the admin user for the xml sync?
  • New PPPoE Driver in 25.07

    0 Votes
    5 Posts
    96 Views
    stephenw10
    Yeah, it will only show reduced usage when the pppoe link is loaded. On a CPU that has good single-thread performance it will be less apparent. The single-threaded mpd5/netgraph driver is restricted by that. It's still worth using though.
  • Error "loading the rules" after reboot

    0 Votes
    2 Posts
    29 Views
    stephenw10
    It's almost certainly because at the first boot it had not yet installed the Tailscale package when it first loaded the ruleset. If that error doesn't reappear after clearing it and the Tailscale package is now installed, then it's nothing to worry about.
  • 0 Votes
    3 Posts
    53 Views
    C
    @stephenw10 Thanks. I monitored the WireGuard traffic on the underlying interface at the same time and sure enough every 15 seconds the remote peer sends a 32-byte UDP packet. This ties up with the client's setting 'PersistentKeepalive = 15', so it is just the keepalive traffic. Mystery solved.
  • Questions about log messages

    0 Votes
    46 Posts
    5k Views
    stephenw10
    They are still coming into the WAN just without the :5 octet?
  • Update from 24.11 to 25.07 failed and possible corrupt system

    0 Votes
    20 Posts
    414 Views
    S
    Just wanted to update everyone. My issue also ended up being the backup config files. Once I deleted the ones older than 7 days, the update went through perfectly.
  • 24.11 -> 25.07

    1 Vote
    19 Posts
    273 Views
    Z
    @stephenw10 No, it doesn't install a 3rd party repo. However... it could possibly mess with shared libraries (libmd.so, libssl.so, etc.) getting replaced or misaligned; create conflicts in /etc/rc.conf, init scripts, or pkg metadata; or break OS version expectations (pkg or pfSense-upgrade behaving strangely).
  • Port Forwarding stopped working after upgrading to 2.8.0

    0 Votes
    92 Posts
    3k Views
    stephenw10
    You can't DNS Lookup 1.1.1.1, it's not an FQDN. When you have the outgoing interfaces in Unbound set to only the VPNs then it will fail to resolve anything if the VPNs go down. If pfSense itself is also set to use only the VPN DNS servers it won't be able to resolve the VPN servers to connect to them. pfSense itself must have access to some other DNS server, or the VPN servers must be entered as IP addresses directly. I would revert to a much simpler, more default config and make sure that works first.
  • 25.07 ran for 24 hours and then ????

    0 Votes
    4 Posts
    97 Views
    stephenw10
    Hmm, well, hard to be sure. I'd guess that Unbound was restarted when pfBlocker updated and then failed to restart for some reason. However, that wouldn't prevent pinging 8.8.8.8. So another possibility is that one of the pfBlocker feeds had some rogue entry blocking far too much when it updated.
  • To do 25.07 or not?! That is the question!

    0 Votes
    11 Posts
    421 Views
    Z
    FWIW doing a "pfSense-upgrade -d" from CLI fixes this for me and does the upgrade properly. Not sure why that works and the GUI fails lol. I did have to rebuild my base packages. Here is what ChatGPT had to say about it. I had the same problem, two different locations, network providers, etc. One is in a datacenter with multiple network redundancies so I doubt it was a network issue.
    Root cause: The core problem was due to an incomplete or partially failed upgrade from pfSense 24.11 to 25.07. The missing critical libraries (libmd.so.7), corrupted package repositories, and broken package signatures indicate that some part of the upgrade script was interrupted, incomplete, or encountered dependency conflicts.
    Specific indicators of broken upgrade:
    Missing libraries (libmd.so.7) causing package operations to fail.
    Missing critical files (/usr/local/sbin/read_global_var, /usr/local/libexec/pfSense-upgrade, and /etc/version) indicate that pfSense-base or core packages were only partially upgraded.
    Invalid or broken repository signatures (pkg-static: Error loading trusted certificates) point to repository configuration or trust issues post-upgrade.
    Dependency conflicts (IGNORE_OSVERSION prompts) clearly indicated version mismatches due to packages from different pfSense/FreeBSD versions.
  • OpenVPN bad encapsulated packet length question

    0 Votes
    32 Posts
    447 Views
    A
    @stephenw10 Thank you. I will do some research on this option.
  • 0 Votes
    2 Posts
    25 Views
    stephenw10
    Skipping the untrusted certs there is expected in any install. CE is not supported in Azure.
  • pfSense 2.8 CE Azure

    0 Votes
    5 Posts
    185 Views
    stephenw10
    Yes, upgrading CE in Azure is not supported, and that includes to Plus. The only supported deployment in Azure is from the tested Netgate image.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.