Both boxes also have these weird log messages every second. This happened right after enabling WireGuard....

Feb 25 09:46:37 kernel matchaddr failed
Feb 25 09:46:36 kernel matchaddr failed
Feb 25 09:46:36 kernel matchaddr failed
Feb 25 09:46:35 kernel matchaddr failed
Feb 25 09:46:35 kernel matchaddr failed
Feb 25 09:46:34 kernel matchaddr failed
Feb 25 09:46:34 kernel matchaddr failed

@jknott
I need to explain here, actually XG-7100 1U works as a firewall only with a global IP address on my network, and the webserver is with local IP, e.g., 192.168.1.10. on another machine. Pfsense forward all required ports to webserver 192.168.1.10.

To secure XG-7100, I need to install some packages such as snort, squid proxy server, pfblockerNG, etc. Any recommendation for any extra package to secure the webserver?

@johnpoz OK thank you very much 👍 😊

@chpalmer Escalating with Spectrum gives me "Call us again on this and we'll bill you for coming out." I've had multiple techs go out to both sites. The techs that go on site say they put the modem in their "SCOPE" system which puts them in Device Watch. That allows the techs to go back and look at history for the unit. BUT, when you call in and talk to a CSR every one of them says that they no longer use that system. Only the techs onsite can setup or see into the SCOPE system now but you can't get a tech onsite without the possibility of them billing for every visit. Even then they just troubleshoot the moment and don't even refer to it unless you make it a point to make them. It's crazy. But still better than every DSL provider and AT&T U-Verse in this area. You pick your poison.

@bcruze Haven't restarted. What do the openvpn logs say?

@layerthree said in PFsense 2.5 RC OpenVPN/ExpressVPN problem:

So the "Don't pull routes" solved the whole problem.

Follow the guide, except this step and then restart ur machine. After this everything works.

Thank you for ur help!

I posted in the other thread. I just reset up my provider that wasn't working

it connected. but if I restart the tunnel. traffic stop passing again

you?

@thiago-0

There are some issues with OpenVPN on the new version. Check the OpenVPN forum.

@xplozia said in Pfsense FW behind to Mikrotik WiFi router:

What I have to do in Mikrotik in order to redirect all traffic to the Pfsense?

Hi,

This seems more like a MikroTik forum issue. 😉

Proposal:
Why not the pfSense is your main router + firewall

There is a potential for some things to be different, and moreso as time goes on, but for the time being most of the PHP code is the same on both.

It's worth trying, and if there is a need for a patch specific to Plus 21.02 we can generate one of those as well.

That's what I thought, so I checked the Status->DHCP Leases immediately after printing and it was still "offline". Oddly enough, my Epson R3000 which I haven't printed from in over a day is showing as "online", but the WP-4530 is "offline".

@lecygne Any replies?

I found today that PHP is already with the correct time, even before we update to PFSense 2.5. With that, the conclusion I had is that certain packages of the FreeBSD system receive updates before the PFSense system itself, even because if I did not do this I would not receive updates from the repository to notify that there is a new update from it.

Problem solved. FreeBSD version 11.3-Stable.

@jknott hello How are You Can you Able to help with this issue pls asa and pfsence in same vlan and i have to do sla

@alanesi

You never know what happens on Pfsense ... Would be interesting what the cause of the fatal error was. The upgrade of unbound is very unlikely to cause such problem.

@serbus thanks G I remembered right !

🙃

I second this request. If anything, the pfSense developers should be aware of this issue that has been uncovered. It seems there is not much more that can be done on the Xen / XCP-ng side as the issue lies more with FreeBSD / pfSense.

(as an example), here is one post from the XCP-ng team:

@stormi (XCP-ng Team)
What the last tests reveal is that pfSense sends A LOT of spurious events, so no wonder it gets throttled to protect the kernel against event flood. Anyone knows a good FreeBSD kernel developer?

What exactly are you trying to accomplish? Nat reflection no matter what mode your trying to do should really be a last choice option working through some messed up application that has your public IP hard coded, or uses external dns that you can not change.

The better solution is not to reflect at all, and just resolve the fqdn to your local IP.

But did you enable the automatic outbound nat for reflection?

natreflection.png

If you ask me any sort of nat reflection is just an abomination to all networking in general.. I would only use it if there was no other way.. Like some borked software that had an IP hard coded and no way to fix.. Like the creator of said software has died before you could publicly flog him for his sins..

Is it only myself who is seeing slowness getting into the webconfig?

@viktor_g said in "pcscd PC/SC Smart Card Daemon" ?:

support for PKCS#11 authentication (e.g. hardware tokens such as Yubikey) for IPsec: https://redmine.pfsense.org/issues/9878

Ok makes sense, thx !

Is there a reason to keep it on and what the best way to disable it ?

I created a bug report for the case mentioned above when renewing in the GUI: https://redmine.pfsense.org/issues/11514

@stephenw10 said in LACP LAGG in Silicom NICs:

Completely different NIC type though.

Yep, I think I'll wait a bit and test again under 2.5.(?)
although, if I read it correctly (somewhere), only "ixl" got a brand new driver under FB12

@cool_corona
Just pay it forward.

I tried about every combination of options in the GUI and it always errored out. I expect that's because I've updated/restored so many times. The cert probably dated back to 2.0 if not 1.2.3

This turned out to be hardware issue. Had to replace the SSD card.

I worked with the freebsd forum.

https://forums.freebsd.org/threads/cannot-boot-via-ssd-gptboot-no-boot-loader-on-0-ad-0p2.78994/

I don't recall exactly when, I thought it was in 2.4.x, but we disabled X11 forwarding in the SSH daemon on the firewall for security reasons.

The error is harmless though, you can ignore it, or like you've done, disable it on the client side.

To ensure you have all of the current known and fixed IPsec issues corrected, You can install the System Patches package and then create entries for the following commit IDs to apply the fixes:

ead6515637a34ce6e170e2d2b0802e4fa1e63a00 #11435 57beb9ad8ca11703778fc483c7cba0f6770657ac #11435 10eb04259fd139c62e08df8de877b71fdd0eedc8 #11442 ded7970ba57a99767e08243103e55d8a58edfc35 #11486 afffe759c4fd19fe6b8311196f4b6d5e288ea4fb #11487 2fe5cc52bd881ed26723a81e0eed848fd505fba6 #11488

On 2.5.0 you can renew CA and certificate entries in-place. You will need to give new copies of the entries to the clients who need them, though, since the certs will be different, even if their content is the same (except the dates)

As a suggestion, I imagine it would it be possible for pfsense to check the installed system version against the selected update branch (just like it does on the dashboard) and print an indication of this situation (new stable version, so you can't click to update packages right now) either on the 'Installed Packages' list, or on 'Package Installer' tab once an update button has been pressed. Maybe even disable the 'update' links?

ok. I have a 1GB WAN from Comcast. it runs at about 750MB, its never a Gig. anyway, I am in the process of aggregating 2 nic's into my switch from my docs 3.1 modem and 2 WAN ports into pfsense (if thats possible), and added a 2nd virtual and physical nic to the storj node. Now I'm trying to do some traffic shaping to prioritize traffic from the node in both the switch, esxi and pfsense. This is new to me as i said so its going to take me a minute to figure out how to do it. Also, it seems the storj node is working much better already and the satellite online % has increased significantly overnight.

I am having loss and lag on the WAN port still between 8% and 22% I have an appointment scheduled for a tech to come out but of course they will say. "everything looks fine..." because unfortunately Comcast field techs get paid poorly and thus are minimally knowledgeable which is a corporate decision and is a bad one to say the least, for both the field techs and the customer but good for the share holders and board members. Right? Anyway, thank you to everyone for the help identifying my issues. So far pfsense and the community has been great!

EDIT: I just wanted to say, that so far everything open source and Linux related is just awesome. I have been on several forums, this one is the latest and its just great how everyone helps out and i dunno. its just a great way to do things... Thanks everyone.

@deleted Can you please describe what exactly you have done?

After read another topic, I notice that this was the result of pfsense repos changed to the latest branch, 21.02.x (at System/Update/Update Settings). After changing to previous 2.4.5, it happear again.

@stephenw10 They are in tunnel mode. I have not seen then going down before the crash, but will look into it in more detail if this happens again.
Thanks