@mjsengineer Confirmed - unchecking"LDAP Server uses RFC 2307 style group membership" fixes things for me too. Authentication test under diagnostics works and OpenVPN authentication too.

So is this a bug in pfSense? Our LDAP server is 389-DS - if I read the posts correctly, the same problem appeared with other LDAP servers so I tend to believe things should be fixed on pfSense side.
For those not liking the term 'bug' I'm also ok with a non-compliance ;-)

It's unusual because it's not intended for that role (yet, at least) -- adding functions which are useful outside of the firewall is out of scope, even if the cert manager is convenient to use.

@bossaops Its a Fiber ONT from jio. I am from India. btw Thanks for replying.

@viktor_g just that same old error I always get:

4 11:23:19 office-gateway php-fpm[35209]: /diag_authentication.php: ERROR! Could not bind to LDAP server Gsuite. Please check the bind credentials.

Same thing more or less in auth.log

Feb 24 17:12:58 office-gateway openvpn[345]: /openvpn.auth-user.php: ERROR! Could not bind to LDAP server Gsuite. Please check the bind credentials. Mar 2 11:02:41 office-gateway php-fpm[96371]: /diag_authentication.php: ERROR! Could not bind to LDAP server Gsuite. Please check the bind credentials.

Is there any way to get a more complete error from that code? I had to add --ZZ to ldapsearch to get it to state what the error was, it would be nice to understand which of the many reasons the connection fails. As an aside, Cloud Identity LDAP does not actually use the bind credentials (you can connect without them). They will use them if the client insists on sending them.

Why do I need both a certificate and access credentials to authenticate LDAP clients? Only the certificate authenticates the LDAP client. The access credentials only exist if the client insists upon also sending a username and password. On their own, the access credentials don’t confer any access to the LDAP server or user data, but they should be kept secret to prevent them from being used to log in to certain LDAP clients. In the case where an LDAP client requires access credentials, we authenticate LDAP clients with both certificates and access credentials.

@gwaitsi said in Bug: ramdisk Filesystem loaded "[" invalid character:

@jimp Issue #11617 created.

p.s. i am also getting 'can't find /etc/hostid' directly after
/boot/kernel/opensolaris.ko

is this something to be concerned about, or is it non-netgate h/w related?

I'm not sure what that one might be from, but if it's that early in the boot process it's likely from a kernel module that is being loaded (from loader.conf or loader.conf.local).

I don't think we setup a hostid file and I'm not aware of anything we have that requires it to be present.

If you renew the CA but all the details stay the same it should continue to work, but in some cases you may have to copy the new CA to clients. Certificates will still see they are signed by the CA even after renewal since it's just renewed, not a different CA.

Server certificates (GUI, OpenVPN, mobile IPsec, etc) can be renewed at any time, those aren't copied to clients.

If you renew a user certificate you will have to copy the renewed certificate to the client, you can't avoid that.

There isn't a way to do batch operations like mass renew in the GUI or shell currently.

@nerlins said in Another subnet sanity check.:

What IP address do I set for Pfsense itself

It will need an IP on each subnet if the subnet is to communicate with/through the pfSense. (the printer's gateway is the pfSense IP in that subnet)

@summer said in SG-3100 notification after update 21.02:

edits something like "compilation"

It's PHP.
It's an interpreted language. Not compiled.
It's the "Basic" of the last decade.

It looks easy, because it is.

@jimp
Thank you, all good now. Solved.

Bump as I'm also seeing this. Had it in 2.4, still happening in 2.5.
Wan is PPPoE. Outbound WAN traffic appears double in the traffic graph and in the value of ifOutOctets by SNMP. (Both compared to the interface on pfSense that the traffic is flowing to, and the traffic graphs generated by my ISP.) Inbound WAN traffic and all the other interfaces are unaffected.

(I've been working around this in a script that collects SNMP data by dividing the value by two.)

Ruling out snapshots.

/: zfs list -t snapshot zroot/ROOT/default cannot open 'zroot/ROOT/default': missing '@' delimiter in snapshot name

and

zfs list -t snapshot no datasets available

@viktor_g Thanks for your help.

Update: I noticed that many of the logs were not updating and there were 8 zombie processes shortly after a fresh reboot.

Decided to nuke the logs and reboot:
find /var/log -type f -exec rm -f {} ; && reboot

Gateways came back up after the reboot, then went back down.
WTH?

Also still a very odd lag on UI when saving changes.

@jknott said in Root SSH login?:

In the Linux world, root ssh login is generally not allowed

and

@jknott said in Root SSH login?:

The point is you don't allow root login.

Several years ago, 'root' what the user the hosting company gave you, and a password.
We were advised to change that root password asap with the password command after a first login.
These days, a new 'Debain' system (that's the OS I know), you get an 'debian' user account, and a password.
'root' can't login over SSH by default. You have to

su -

So far, all ok. Time learns us to do the same differently.

But there is an extra step that should be done and very few do it :
Shut down password logins altogether over SSH/SFTP.

A ssh-rsa 'thing' should be created with our favorite Putty ssh-gen program.
Two files are created.
The public one ( ?) has to be inserted into the admin account :

d46b7422-60ff-4922-b5a1-e8ebaa3f879f-image.png

The private one should stay on your PC, or better, USB key. Or learn it out of your head. This cert can also be generated with a password - called a pass phrase.

dac8c0b4-f52b-4437-967e-5b2a259d420a-image.png

Now, password login is done.
You need the key file (the private thing).
Putty will throw out the login user 'root' for you - set it up to do so.
It won't ask for keyboard alike passwords anymore.

It will ask the pass hrase of the cert :

11a79cd2-fc00-436e-a9a6-9c05f3f2c2d9-image.png

Enter the phrase and then your are logged in.

Now, all this doesn't change anything for the GUI login.

The good new is that pfSense isn't just some obscure device, it's your firewall and we, as admins, control and secure the firewall. Right ?!! That's why we use pfSense in the first place.

Real nerds do it like this :
The pfSense 'box' is locked up.
The LAN interface - as the console interface, are NOT connected.
All the other interfaces are used for hostile WAN and LAN clients. And now the fun part : all these clients can not use ports 80 and 443 and 22 of our firewall pfSense. You just have to create a block rule that does this. Easy !
Problem solved. No more 'root' issue.

Variant : on your LAN, only accepts traffic to port 22 - 80 - 443 TCP from your IPv4 and or IPv6 (the device you use to admin pfSense).

Or, another variant : use VPN also from LAN to login.

Or : shut down SSH access (not my advise - SSH is gold, as it also gives you SFTP which enables the real power. Still protected by a cert).

IMHO : Just to say : all this 'su' or 'sudo' is discussion is not really needed in this case.
The major week point is the GUI now - hide it as explained above.
And direct hardware (console port) access or screw driver access.

@trickyt I think the issue is the console mode requirement. I did not want it since I use a USB keyboard and the HDMI output and do not have the means for an old-fashioned serial interface. When I realized the box was doing bad things with the console I looked for a regular memstick image which defaults to using the USB keyboard and HDMI display - what worked for me was the regular memstick image.

@stephenw10 Thank you. It was hardware. Replaced SSD resolved it.

@lecygne After all these years pfsense developers are still not convinced that "taking master role too early" is an issue in some cases!

@bingo600 said in Firewall logs - showing other:

Re ISP - The Gateway monitor is prob pinging the isp def-gw.

how can I confirm this ? please note I am still learning and my knowledge is very limited at the moment

https://forum.netgate.com/topic/137938/shaw-300-issue-with-arris-xb6-modem-severe-intermittent-wan-slowdowns/9?_=1614764271055

Sounds similar to issue I had couple years ago with Shaw cable.
Not sure if it was modem or moca filter that resolved as both were done at same time.

@viktor_g A completely clean install on version 2.5.0-RELEASE

@zacaustin

I have a Sony Bravia and a sg3100, it’s on my guest vlan
It works perfectly hardwired.. I have a Ubnt nano mounted directly above it which also works fine..

It works on just the out of box dns resolver for me and also by setting it up with next dns google blocking... where it’s pushed dns servers by pfsense and it blocks google services

@gertjan I mis-typed. I running 2.5.0 on top of freebsd 12.2.

https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.html

@lucsuryo Could you create a bugreport https://docs.netgate.com/pfsense/en/latest/development/bug-reports.html

@jknott
I already migrated the "source" machine to v2.5.0 and found a cert corruption issue + dns issue.

I had to redo the whole config on the new machine. However, it offered me the opportunity to "clean up" the whole config ;-)

I want to keep the old machine as a spare one eventually (even if not kept up to date) , so I'm looking for a 2.5.0 -> 2.5.0 transfer procedure.

Update...

I upgraded pfSense and Suricata to:
pfSense 2.5.0-RELEASE (amd64)
FreeBSD 12.2-STABLE
Suricata 6.0.0_9

Interestingly, I'm still receiving the entries in the system logs as my initial post, however, not to the degree that I was receiving them when I first posted the issue.

I find that this is only occurring on my wireless LAN segment where a lot of streaming is occurring; Hulu, YouTube, etc.

I had hoped that the pfSense and Suricata updates would have resolved the issue. Hmmm.