• Terrapin SSH Attack

    Pinned
    16 Votes
    33 Posts
    29k Views
    STLJonny

    @willowen100 It basically forces your ssh (on the Windows side) to utilize that encryption algorithm. You'll need to do that on any machine you ssh from.

    I'd have rather found a more elegant workaround (preferably on the pfSense side, so the mod only has to be done in one location), but this works in a pinch.

  • pfSense Hangouts are available on YouTube!

    Pinned Locked
    5 Votes
    1 Post
    11k Views
    No one has replied
  • Share your pfSense stories!

    Pinned Moved
    0 Votes
    76 Posts
    63k Views

    Mine may be typical, maybe not...
    Took over a large senior living facility with a pretty robust IT infrastructure spread between 4 IT rooms, 23 access points, 12-14 switches, and 200 internal devices and 200 guest/resident devices, all being run by a SonicWall TZ350. I had been wanting to realign everything network-wise for some time, but the TZ had 2 ports that were failing. I had worked with ClearOS from back in the ClarkConnect days and started searching for something similar. I found pfSense and it just fit what I wanted to do.
    I tested it a bit on an old Athlon64x2 rig for proof of concept and had planned on installing on a mini PC or something, but I wanted 6 NICs. Standing in my main IT room I looked down, and in the bottom of the rack were 4 HP DL380s, 2 of which were decommissioned 2 years ago. It's such huge overkill for hardware that it's hard to explain, but who wouldn't want redundant power supplies, RAID 60 with 25 drives and remote system monitoring through iLO? lol

    I spun one up and loaded pfSense and started tweaking. 2 weeks ago I switched over and have been working out gremlins since. Overall it's gone well, just one snag that a couple of members here have been very kind in helping me work out. Thank you to this page for all the help.


  • Frequent Crashing (Page Fault) After Upgrade to 2.8.0 From Latest 2.7

    0 Votes
    33 Posts
    261 Views

    @stephenw10 Yes, I think this is exactly what happened here. After my last post I realized that the gateway I currently use to get to the Internet was not configured. I have a third link I use to get off net in my test environment. This config is for our data center environment and has IP addresses that do not exist here. So, I created a third DHCP interface to tie this into the actual LAN the boxes are currently on. I switch to using this interface as the gateway when I need them to be able to download pfBlockerNG updates, access Netgate servers, etc. For some reason, in the config I imported the GW was set to the normal GW, which will work in my DC setup. It just doesn't work here. So, I had to manually switch to using the secondary gateway to download and install the missing packages.

    I got impatient and went ahead and reinstalled the primary with 2.8.0 and restored the config there. This time I saw a message on first login that said it was reinstalling the packages in the background. I switched to the opt1 interface gateway and all the packages were installed perfectly. Not sure why I had so much trouble with previous backup/restores, but this works slick today.

    So now I am running the HA pair both on fresh installs of 2.8.0 (not upgraded from 2.7.0). Will let this bake for today and see what we get. Will post any additional dumps I get here.

    Thanks all for the help.

  • Access to new interface

    0 Votes
    2 Posts
    32 Views
    stephenw10

    You have set up the new interface as an internal interface so there is no outbound NAT on it. The 5G router cannot reply to requests from the 192.168.8.X subnet because it has no route to it.

    You need to set up that interface as a WAN by adding 192.168.1.2 as a gateway on the interface config.

    That will then add automatic outbound NAT rules for traffic from the LAN subnet to 192.168.1.X.

  • PHP Fatal error after adding port forward

    0 Votes
    4 Posts
    72 Views

    Ok, thanks for the suggestions. It's a Netgate 3100 and running in production. I will try to update this weekend. (The old firewall rules do appear to be in operation - whew!)

  • if_pppoe problems with php-fpm causing loops. (resolved)

    0 Votes
    65 Posts
    2k Views

    @stephenw10 My connection dropped tonight. ISP logged it as a "Planned PPP restart". I uploaded a log to the link here. Maybe it's helpful?

    It was only my CityFibre connection which did not reconnect. FTTC reconnected OK. Both use PPPoE and both are with A&A.

    Rebooting the appliance brought it back up.

  • Port Forwarding stopped working after upgrading to 2.8.0

    0 Votes
    67 Posts
    2k Views
    stephenw10

    I would try disabling DNSSEC. When running in forwarding mode that can cause problems if one of the servers you're forwarding to doesn't correctly support it.

  • Not receiving down emails multi-wan in failover config in 24.03 SG1100

    0 Votes
    19 Posts
    656 Views
    stephenw10

    Hmm, you should be able to check that. When you add a server there it should be added to /etc/resolv.conf.

    If it has a gateway set for it you should see a static route added for the server IP via that gateway in the routing table (Diag > Routes).

  • Will changing boot drive revert me back to CE from Plus

    0 Votes
    2 Posts
    30 Views
    stephenw10

    No. Changing the drive will not change the NDI so when you reinstall you should be offered Plus if it's currently eligible.

  • VPN Wireguard over HA

    0 Votes
    4 Posts
    68 Views
    stephenw10

    Yes both nodes would have to have the same WG config.

  • Capture data sent to external address

    0 Votes
    3 Posts
    47 Views
    dennypage

    @ebcdic What software/hardware are you using to publish? If you haven't looked at WeeWX, you might give it a try as it would certainly address the issue. Just a thought.

  • pimd

    0 Votes
    7 Posts
    265 Views

    @dennypage @maximushugus

    Note that I have posted a compiled version of PIMD in a separate thread a week ago (folder development).

  • 2x pfsense 24.11 hard crashes in under a week - Netgate 1537

    0 Votes
    11 Posts
    193 Views

    @stephenw10 This was definitely not a button push on ours either. Both units are in locked cabinets in a colo. Any access to the facility is logged.

    @SteveITS As for it going to standby or hibernating, the person who went on site said the LEDs were normal. Nothing indicating a state change or issue.

  • pfSense Plus 25.03 release question

    1 Vote
    25 Posts
    2k Views
    stephenw10

    It will be removed at some point. There is no hard date set at this point.

    I expect it to remain until it either fails to build or is replaced.

  • Cockpit is not reachable via HAProxy

    0 Votes
    3 Posts
    353 Views

    @sigulete You solved my problem, thank you!

  • pfSense and Squid going forward?

    0 Votes
    11 Posts
    461 Views

    @JonathanLee Would be nice if Squid 7 came to pfSense. If Squid is discontinued from pfSense, then I guess a Docker container running Squid could be an option.

  • Simple local Config Backup?

    0 Votes
    2 Posts
    89 Views
  • PHP Fatal error: Allowed memory size of 536870912 bytes exhausted

    0 Votes
    8 Posts
    163 Views
    Gertjan

    @NetRunner8050 said in PHP Fatal error: Allowed memory size of 536870912 bytes exhausted:

    my reputation isn’t high enough yet

    Solved that.

  • Any advice on upgrading hardware of deployed router

    0 Votes
    3 Posts
    68 Views

    @SteveITS Thanks, as I think you clarified a simple mistake I made.

    After you said "add/configure" the interfaces, I realized I had miscalculated how simple it is to refresh these. The NAT/FW/DHCP tables only utilize WAN and LAN assignments, and those assignments are programmed to the physical hardware. WAN, currently re0, would become igb0, and LAN would go from re1 to igb1. So this would only take about 5 minutes. Silly of me.

    Thank you sir, the obvious eluded me.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.