@cool_corona Thanks for information. I'll do it.

well i given up so much a headache.
i learned about conf/config. on usb it install config
so i did that internet partially works.. some websites work most dont.. webpages work on firefox but not Edge

Packages will not install at all.. if i manaully install it from the config file it just hang and sits there that its being initialized.. how long does it take 30 min being initialized is long enough "Please wait while the update system initializes"
..
Nord VPN is down
but Site to Site Open VPN is connected but. and there is a BUT
only the other pfsense box. nothong on the network is accessable i locked out..
on 2.5.1
i going crazy i fed up and i got a migrain 4 days and i cant get this to work and the only reponse is its not a bug and what not from the comment above.. i not crazy.. how can it worked for 2.4.5 but soon i upgrade to 2.5.1 its totally broken and its not a bug? ugh

for now i give up so fed up and dont know how to get it.. ill just wait till a real stable version out there..

sorry venting too much i just cant figure this out deleted this and that changed WAN interfance to DHCP that i got it to dhcp ... you think it would work .no still broken..

so ill just wait and use 2.4.5 as long as it works till bugs are fixed

i appreciate the help and input so far.. i give up for now as no one else really put in input how do i fix this and i searched forum and couldnt find similiar issues
i do a usb of 2.4.5 and config file and installs everything ok.. i sitll have some websites not working but i back up and working though

ill just wait

@timcin said in pfSense HAproxy and Let's Encrypt:

What am I missing?

No idea because you haven't actually posted what you have done.

That depends a lot, you can play with kali linux attacking from inside..

You could attack the dhcp server, like a dhcp starvation attack..
In case you have Cisco, you could attack the CDP..
You could attack the wifi network, especially those using WEP..
These are just some examples of attacks in case you are already inside the network..
ARP poisining and etc.. Rogue DHCP server, the list goes on...

In case you are from outside the network, there is a block all rule in WAN.
This block rule means that the firewall won't be accepting anything from outside.
In the other hand, you may have a port forward in which your server could be vulnerable, and not pfsense.

Also, as pfsense is a stateful firewall, it will allow the clients to go to the internet, and allow the packets to return automatically.
Based on that there is a possibility that you have a host that has a malware, botnet, or this host has a CPU vulnerability (MDS, TAA, Spectre/Meltdown) and thus is vulnerable to code execution, which, according to Arch linux security wiki, this host could be remotely exploited just by accessing a website running JAVA..

@coder said in Lets Encrypt certificate files in /conf/acme - What is what here?:

But it doesn't work

Install Google.

Type nginx fullchain and Enter.

Use any of the 984255865 supplied links to guide you.
Example, the official one is here.

The "ssl_certificate" settings needs the fullchain.pem ( V2_my-pfsense.fullchain ) file.
The "ssl_certificate_key" setting needs the privkey.pem;(my V2_my-pfsense.net.key) file.

You could also have a look at this file :
/var/etc/nginx-webConfigurator.conf
It's the web configuartion file of pfSense.
Guess what : pfSnse uses nginx.

... ssl_certificate /var/etc/cert.crt; ssl_certificate_key /var/etc/cert.key; ...

and compare these two file with what you found in /cf/conf/acme/ (that is, if you obtain your certs using the pfSense acme package).

@alanesi
multi WAN setup?

https://redmine.pfsense.org/issues/11805

@westlos said in PFSense and Mac Addresses.:

What about using apps like Facebook

Why would you care if they are? If your that worried, if a real os and not some tablet or phone.. You could change your mac address.. Maybe whatever OS your running on your phone or tablet allows you do it as well?

In windows its as simple as this. You can view your mac in windows with ipconfig /all

mac.png

Pretty much any OS, and nic driver should allow you to do this. Be careful with what you set it to.. It needs to be valid, and not a multicast mac, etc.

But again - why would you care if some app can see your mac address?

Again as mentioned this mac is used on the local L2 only, it not use with traffic to the internet for example, only for your PC to talk to devices on your network, ie your router lan side interface, etc.

Its a non identifying number, the 1st show you the maker of the device. 00133B for example is

https://www.macvendorlookup.com/
lookup.png

The last 3 numbers would be just the numbers they put on the specific device when they manufactured it.. There is no way to track that to you.. Other than if got with the maker, and said who did you sell this too, hey store who bought this item with serial# (that is if the store actually tracked purchases based on serial# of some nic sold).. Oh F they paid cash - lets go to the camera's, oh there he is buying it with that hoodie.. ENHANCE VIDEO.. Oh its Bob! ;)

Or if that nic was sold to say DELL, then have to get with DELL - hey where did this computer go that you put nic with mac abc in?

I think maybe you been watching too many h@ck3r movies ;)

Hi,

I have some news. After replacing the Intel 10GBE network card with an Intel X722-DA2 (ixL Interface), my performance problems are gone. But there is a new problem. When testing the 10GB performance I only get a speed of 2.7Gigabit. Here is an excerpt from iPerf3:

[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 276 MBytes 2.31 Gbits/sec 0 687 KBytes
[ 5] 1.00-2.00 sec 273 MBytes 2.29 Gbits/sec 0 687 KBytes
[ 5] 2.00-3.00 sec 276 MBytes 2.32 Gbits/sec 0 687 KBytes
[ 5] 3.00-4.00 sec 281 MBytes 2.35 Gbits/sec 0 687 KBytes
[ 5] 4.00-5.00 sec 279 MBytes 2.34 Gbits/sec 0 687 KBytes
5] 5.00-6.00 sec 280 MBytes 2.35 Gbits/sec 0 689 KBytes
[ 5] 6.00-7.00 sec 276 MBytes 2.32 Gbits/sec 0 689 KBytes
5] 7.00-8.00 sec 276 MBytes 2.32 Gbits/sec 0 689 KBytes
5] 8.00-9.00 sec 275 MBytes 2.30 Gbits/sec 0 689 KBytes
[ 5] 9.00-10.00 sec 277 MBytes 2.32 Gbits/sec 0 689 KBytes

[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 2.70 GBytes 2.32 Gbits/sec 0 sender
[ 5] 0.00-10.00 sec 2.70 GBytes 2.32 Gbits/sec receiver

With the command "top -p CC" I see that the test uses only one CPU Core to 100%. However, this only happens when testing the 10GB connection. 1GB tests are distributed over all cores. As it should be. Is there a command or a way to set the pfSense to multicore for 10GBE connections?

Thanks in advance.

Kind regards,
Kotty

@kiokoman said in Send log to syslog server RFC5424:

there is some problem with 2.5.1 with nat tho

Running 2.5.1 CE here, and it's just fine.
I've just one WAN ..... some NAT rules and all is well.
But a working Client OpenVPN - does that count as a second WAN ?
Also a second WAN created to 'host' a tunnel to ipv6.he.net for my IPv6 access.

edit :

I'm logging to a LAN based syslogger since day one, somewhere in 2005 :
b2199d95-dac0-4785-a503-d7755c9ecac7-image.png

thanks a lot @noplan

@biggsy

My Qotom computer has the Ethernet ports built into the mom board, so no chance of a fake card.

@vwgti Looks as if this is a problem with PPPOe per here also: https://forum.netgate.com/topic/163074/2-5-1-upgrade-have-no-internet-now-yet-reports-i-do/16

@stephenw10 Here's an example, this guy is located in Florida, he was never able to do more than a 10Mbit stream on me (Pfsense, reno or cubic, linux anything reno or cubic), with BBR, he's been doing these streams, starts as he says "instantly", never buffers and never pauses, totally not doable otherwise. He's also doing it over a wireless ISP and his apple tv is wireless....so its impressive.

example.jpg

@jgq85 said in "Add Tag" button missing on Interfaces > Switches > VLANs?:

It was configured that way before it was shipped by a provider.

No freaking clue why anyone would set it up like that ;)

@jdarmstrong

It's a syslog Priority value (facility+severity). See RFC 5424.

@johnpoz said in L3 Switch and pfSense design advise:

What is the point of them - what do you think creating them does?

I have no clue what your trying to do.. Makes ZERO sense..

That was sick on my side, yes. There is no point to creating a Gateway pointing to the same subnet in this case. Better I go to sleep... a bit late on my side I guess

I understood the best practice you suggested. It is ok and thank you for that. I know I have to find the resources to run my DHCP server as I really hate the Cisco DHCP server in the switch.

I am just trying to understand what kind of TCP traffic in my case would cause asymmetrical routing issues when pfsense has track of each interface directly attached in it.

Here are two scenarios for asymmetric routing, credits to https://skminhaj.wordpress.com/2016/02/15/the-concept-of-asymmetric-routing/

f8236-asymetric-2.png

And between User PC and www cloud server:
a0169-routing-1.jpg

With my two switches and setup, return traffic would never pass from one location to another using a different route. Or am I missing such a case ?

So, if I take care at that aspect, can I run DHCP on pfSense without asymmetric routing until I can afford a dedicated DHCP server and remove any future potential asymmetric issues by using a transit route like you suggested ? Simply, am I missing some asymmetric scenario in my layout ?

Sorry again for insisting.

@leoescarpellin

Stop thinking of IPSec vs OpenVPN. Both are just methods to provide an IP connection between 2 points. As such, when the VPNs are up, it's just a matter of routing and rules as to whether traffic can pass between them, just like any other IP connection. Of course, you'll have to ensure network addresses don't collide (the NAT curse strikes again).

@newberger It could be corrupted partition or boot method error. Just fresh install pfsense. A lot user upgraded to 2.5.1 pfsense without rebooting the device first.

BEFORE
Id Refs Address Size Name
1 18 0xffffffff80200000 3aea720 kernel
2 1 0xffffffff83cec000 3bb7f0 zfs.ko
3 2 0xffffffff840a8000 a448 opensolaris.ko
4 1 0xffffffff84311000 1000 cpuctl.ko
5 1 0xffffffff84312000 37f8 cryptodev.ko
6 1 0xffffffff84316000 b7330 if_re.ko

AFTER
Id Refs Address Size Name
1 18 0xffffffff80200000 3aea720 kernel
2 1 0xffffffff83ceb000 d0b38 if_re.ko
3 1 0xffffffff83dbc000 3bb7f0 zfs.ko
4 2 0xffffffff84178000 a448 opensolaris.ko
5 1 0xffffffff84311000 1000 cpuctl.ko
6 1 0xffffffff84312000 37f8 cryptodev.ko

Confirming the same results on 21.05. Would be great to have full implementation of QAT via OpenSSL so more crypto tasks could be offloaded (SSH, HAProxy, OpenVPN, etc...). Even Wireguard eventually as chachapoly is currently being integrated into dpdk for QAT offload.

[21.05-DEVELOPMENT][root@gw01]/: kldstat Id Refs Address Size Name 1 25 0xffffffff80200000 3aebf68 kernel 2 1 0xffffffff83cec000 3bbb70 zfs.ko 3 2 0xffffffff840a8000 a448 opensolaris.ko 4 1 0xffffffff844e6000 1000 cpuctl.ko 5 1 0xffffffff844e7000 146e0 qat.ko 6 1 0xffffffff844fc000 9f521 qat_c3xxxfw.ko 7 1 0xffffffff8459c000 b28 coretemp.ko 8 1 0xffffffff8459d000 37f8 cryptodev.ko [21.05-DEVELOPMENT][root@gw01]/: openssl engine (devcrypto) /dev/crypto engine (rdrand) Intel RDRAND engine (dynamic) Dynamic engine loading support [21.05-DEVELOPMENT][root@gw01]/: openssl speed rsa2048 Doing 2048 bits private rsa's for 10s: 3651 2048 bits private RSA's in 9.84s Doing 2048 bits public rsa's for 10s: 125823 2048 bits public RSA's in 9.84s OpenSSL 1.1.1k-freebsd 25 Mar 2021 built on: reproducible build, date unspecified options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) compiler: clang sign verify sign/s verify/s rsa 2048 bits 0.002694s 0.000078s 371.2 12792.2 [21.05-DEVELOPMENT][root@gw01]/: openssl speed ecdhx25519 Doing 253 bits ecdh's for 10s: 77026 253-bits ECDH ops in 9.85s OpenSSL 1.1.1k-freebsd 25 Mar 2021 built on: reproducible build, date unspecified options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) compiler: clang op op/s 253 bits ecdh (X25519) 0.0001s 7818.7 [21.05-DEVELOPMENT][root@gw01]/: openssl speed -evp aes-128-gcm Doing aes-128-gcm for 3s on 16 size blocks: 32281714 aes-128-gcm's in 3.00s Doing aes-128-gcm for 3s on 64 size blocks: 18676449 aes-128-gcm's in 2.70s Doing aes-128-gcm for 3s on 256 size blocks: 8272172 aes-128-gcm's in 2.90s Doing aes-128-gcm for 3s on 1024 size blocks: 2564473 aes-128-gcm's in 2.98s Doing aes-128-gcm for 3s on 8192 size blocks: 336340 aes-128-gcm's in 2.99s Doing aes-128-gcm for 3s on 16384 size blocks: 160840 aes-128-gcm's in 2.84s OpenSSL 1.1.1k-freebsd 25 Mar 2021 built on: reproducible build, date unspecified options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) compiler: clang The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes aes-128-gcm 172169.14k 443470.93k 730626.77k 879923.05k 920830.42k 926664.64k [21.05-DEVELOPMENT][root@gw01]/: openssl speed -evp aes-128-gcm Doing aes-128-gcm for 3s on 16 size blocks: 32255868 aes-128-gcm's in 2.99s Doing aes-128-gcm for 3s on 64 size blocks: 20729035 aes-128-gcm's in 3.00s Doing aes-128-gcm for 3s on 256 size blocks: 8243093 aes-128-gcm's in 2.88s Doing aes-128-gcm for 3s on 1024 size blocks: 2532296 aes-128-gcm's in 2.95s Doing aes-128-gcm for 3s on 8192 size blocks: 336769 aes-128-gcm's in 2.99s Doing aes-128-gcm for 3s on 16384 size blocks: 168888 aes-128-gcm's in 2.98s OpenSSL 1.1.1k-freebsd 25 Mar 2021 built on: reproducible build, date unspecified options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) compiler: clang The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes aes-128-gcm 172480.46k 442219.41k 732004.53k 878076.99k 922004.94k 927182.74k [21.05-DEVELOPMENT][root@gw01]/: clear [21.05-DEVELOPMENT][root@gw01]/: openssl engine (devcrypto) /dev/crypto engine (rdrand) Intel RDRAND engine (dynamic) Dynamic engine loading support [21.05-DEVELOPMENT][root@gw01]/: openssl speed -engine rdrand rsa2048 engine "rdrand" set. Doing 2048 bits private rsa's for 10s: 3630 2048 bits private RSA's in 9.79s Doing 2048 bits public rsa's for 10s: 125602 2048 bits public RSA's in 9.83s OpenSSL 1.1.1k-freebsd 25 Mar 2021 built on: reproducible build, date unspecified options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) compiler: clang sign verify sign/s verify/s rsa 2048 bits 0.002697s 0.000078s 370.8 12779.9 [21.05-DEVELOPMENT][root@gw01]/: openssl speed -engine devcrypto rsa2048 engine "devcrypto" set. Doing 2048 bits private rsa's for 10s: 3638 2048 bits private RSA's in 9.80s Doing 2048 bits public rsa's for 10s: 125636 2048 bits public RSA's in 9.84s OpenSSL 1.1.1k-freebsd 25 Mar 2021 built on: reproducible build, date unspecified options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) compiler: clang sign verify sign/s verify/s rsa 2048 bits 0.002695s 0.000078s 371.0 12773.2 [21.05-DEVELOPMENT][root@gw01]/: openssl speed -engine rdrand -async_jobs 8 rsa2048 engine "rdrand" set. Doing 2048 bits private rsa's for 10s: 3543 2048 bits private RSA's in 9.56s Doing 2048 bits public rsa's for 10s: 124895 2048 bits public RSA's in 9.80s OpenSSL 1.1.1k-freebsd 25 Mar 2021 built on: reproducible build, date unspecified options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) compiler: clang sign verify sign/s verify/s rsa 2048 bits 0.002699s 0.000079s 370.5 12738.3 [21.05-DEVELOPMENT][root@gw01]/: openssl speed -engine devcrypto -async_jobs 8 rsa2048 engine "devcrypto" set. Doing 2048 bits private rsa's for 10s: 3648 2048 bits private RSA's in 9.84s Doing 2048 bits public rsa's for 10s: 125619 2048 bits public RSA's in 9.83s OpenSSL 1.1.1k-freebsd 25 Mar 2021 built on: reproducible build, date unspecified options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) compiler: clang sign verify sign/s verify/s rsa 2048 bits 0.002696s 0.000078s 370.9 12781.6 [21.05-DEVELOPMENT][root@gw01]/: openssl speed -engine rdrand ecdhx25519 engine "rdrand" set. Doing 253 bits ecdh's for 10s: 74337 253-bits ECDH ops in 9.52s OpenSSL 1.1.1k-freebsd 25 Mar 2021 built on: reproducible build, date unspecified options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) compiler: clang op op/s 253 bits ecdh (X25519) 0.0001s 7805.7 [21.05-DEVELOPMENT][root@gw01]/: openssl speed -engine devcrypto ecdhx25519 engine "devcrypto" set. Doing 253 bits ecdh's for 10s: 75745 253-bits ECDH ops in 9.69s OpenSSL 1.1.1k-freebsd 25 Mar 2021 built on: reproducible build, date unspecified options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) compiler: clang op op/s 253 bits ecdh (X25519) 0.0001s 7818.8 [21.05-DEVELOPMENT][root@gw01]/: openssl speed -engine rdrand -evp aes-128-gcm engine "rdrand" set. Doing aes-128-gcm for 3s on 16 size blocks: 30782618 aes-128-gcm's in 2.86s Doing aes-128-gcm for 3s on 64 size blocks: 20747977 aes-128-gcm's in 2.99s Doing aes-128-gcm for 3s on 256 size blocks: 8580626 aes-128-gcm's in 3.00s Doing aes-128-gcm for 3s on 1024 size blocks: 2572191 aes-128-gcm's in 2.99s Doing aes-128-gcm for 3s on 8192 size blocks: 320648 aes-128-gcm's in 2.85s Doing aes-128-gcm for 3s on 16384 size blocks: 169422 aes-128-gcm's in 2.98s OpenSSL 1.1.1k-freebsd 25 Mar 2021 built on: reproducible build, date unspecified options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) compiler: clang The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes aes-128-gcm 172248.09k 443779.18k 732213.42k 880266.89k 921161.09k 930114.36k [21.05-DEVELOPMENT][root@gw01]/: openssl speed -engine devcrypto -evp aes-128-gcm engine "devcrypto" set. Doing aes-128-gcm for 3s on 16 size blocks: 32215536 aes-128-gcm's in 2.99s Doing aes-128-gcm for 3s on 64 size blocks: 19703584 aes-128-gcm's in 2.85s Doing aes-128-gcm for 3s on 256 size blocks: 8581766 aes-128-gcm's in 2.99s Doing aes-128-gcm for 3s on 1024 size blocks: 2575100 aes-128-gcm's in 3.00s Doing aes-128-gcm for 3s on 8192 size blocks: 320421 aes-128-gcm's in 2.84s Doing aes-128-gcm for 3s on 16384 size blocks: 169559 aes-128-gcm's in 3.00s OpenSSL 1.1.1k-freebsd 25 Mar 2021 built on: reproducible build, date unspecified options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr) compiler: clang The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes aes-128-gcm 172264.80k 442224.00k 734222.74k 878967.47k 923037.83k 926018.22k [21.05-DEVELOPMENT][root@gw01]/:

@JKnott Sorry pfsense is on the same LAN. I built the whole lab on google cloud to test pfsense api.

@gertjan
it says
Filesystems are clean, continuing...
i have used zfs, so i dont know if still applies?
thanks
p.s. this is unrelated to the first crashes, those were related to the igb driver i think they are resolved now, i just used the same thread

By selecting the check-box in front of the rule, and click dragging. As usual.

Just tested it : works :

64f71557-a257-4efd-a563-08ec4509848b-image.png

Don't know if it was "2.5.0" as it is old by now, but I guess : you would have seen others mentioning your question.

The usual solutions will help your :
a) Use another browser.
b) Hit Ctrl-F5.
as this kind of functionality is being handled by your browser.

Open the web dev windows of your browser and check if it hasn't troubles loading any javascript - or other files.

I'm running the latest - not 2.5.0 :

534166b0-1464-42a0-a261-5ac75f2c229e-image.png

@joshhboss

Most of these questions can be checked, just look at the system in place right now ;)
As networks like "10k" don't fall out of the sky, are not created from scratch today.
Or are you really implementing a "hotspot Wifi network" on a "new aero port" or very big school or company, with nothing in place at the moment ?

You probably want to double the system to make a HA set-up,and both really to be identical from a hardware perspective. Use you current system as a test-bed for updates and spare.

The system you propose shouldn't be the first bottleneck you'll find ;)

@stephenw10 I will try it if it happens again. Last night I found that when I upgraded firmware on the 5548p switch the LAG which connects it to my 2428 switch was no longer a LAG. I redesignated those ports and reloaded the router.

Maybe there was a network loop? I will know more of it happens again as I won't need the internet back up immediately and can investigate more.

pfSense also can't check for updates for system or packages. Internet still functions.

@jknott said in Pfsense with rj45 to USB:

@nollipfsense said in Pfsense with rj45 to USB:

If I were you, I would get a managed switch to use VLAN with that tiny one Ethernet port.

The problem with that is it effectively limits him to 500 Mb and he's got a 900 Mb connection. When you use a VLAN over a single port, a packet has to pass through the same port twice, so a Gb port effectively becomes 500 Mb.

I see ... good to know. Seems that OP might need to get the Lenovo SFF.

@belvac Just a suggestion, some of my clients use Nordvpn with pfsense to bypass region restrictions. As you know Cyberghost bought by Israeli agency. Also Cyberghost fee is almost the same as Nordvpn (3 year plan for $3).

Anyway please take a look at this guide first:
https://support.nordvpn.com/Connectivity/Router/1626958942/pfSense-2-5-Setup-with-NordVPN.htm

Second could you download Cyberghost configuration file, I prefer TCP Switzerland and copy paste here the whole text content of Cyberghost configuration file.
I don't promise anything but I'll try to help you.

Yeah just delete all those hybrids you have.. No idea why any guide would say you need those.. Especially those with specific ports 1024:65k

What guide did you follow?

Also the other thing pretty much every vpn service guide I have looked at wants you to route everything through them.. When most likely you don't want that.. Don't pull routes in your client config, and then just policy route what "you" want to send down the vpn. Which could be all if you want, but ntp down a vpn is going to be a horrible setup.

@akegec Since memory size was reduced pfsense was restarted multiple times and the server was powered off, the glitch still exists even after update from 2.5 to 2.5.1.

Encrypted Configuration files
The GUI can automatically determine the correct decryption method when restoring an encrypted configuration backup file, whether it’s from a current version or an older version. When restoring an encrypted configuration file, check Configuration file is encrypted then enter the password in the Password field, and restore as usual from there.

Encrypted configuration files can be manually decrypted using the correct password for offline inspection.

The method used to encrypt configuration files changed in version 2.5.0, so use the method appropriate for the version which generated the encrypted configuration file. In either case, replace <PASSWORD> with the appropriate password string, and change the filenames as needed.

2.5.0 and later:

grep -v "config.xml" config-encrypted.xml | base64 -d | \ openssl enc -d -aes-256-cbc -out dencryptedfile.xml \ -pass pass:<PASSWORD> -salt -md sha256 -pbkdf2

Older versions:

grep -v "config.xml" config-encrypted.xml | base64 -d | \ openssl enc -d -aes-256-cbc -out dencryptedfile.xml \ -pass pass:<PASSWORD> -salt -md md5

In my case, I changed pass pass:<PASSWORD> to pass file:<PASSFILE>.

Thanks very much ! Based on the thread, my upgrade went perfectly. I'm up and running with no downtime at all.

Keith

Six year old post but your research saved me tons of time. I've been scratching my head for days, contacting both Netgate and several syslog server software vendors to see why their viewer won't show messages actually showing up in Wireshark just fine. I got nothing until I found a simple workaround, just changing the listening port of the syslog server and making the device send to that port instead.

@thewismit
could this be it?
https://forum.netgate.com/topic/144636/sg-1100-intermittent-reboots