• Authenticating Users with Google Cloud Identity

    103
    0 Votes
    103 Posts
    16k Views
    GertjanG
    @leonida368 said in Authenticating Users with Google Cloud Identity: thank you for the idea, but thinking that a teacher can connect to Pfs go to Status / Captive Portal and carry out operations is truly as unfeasible as possible.

    Can't trust teachers? Woow. There are some strange places these days. But I wasn't saying you had to give the teacher the admin account. It's very possible to create another pfSense user and give this 'teacher' user only limited access, like the captive portal status page, where he can log them all out, or just some.

    @leonida368 said in Authenticating Users with Google Cloud Identity: Since we have now enabled popups on the customer's devices, couldn't we try to make the logout popup work?

    Work or not, most handheld devices (phones etc.) don't use the default browser as the browser to log in to a captive portal. For example, the browser the iPhones use is a subnet browser of Safari, not the system user default browser, so no cookies, no session keeping. And this browser doesn't allow popups. Other devices, like ordinary Windows-based PCs and laptops, behave fine. And even if the popup was dismissed (closed), visiting the portal login URL again: https://portal.your-domaine.tld:8003/index.php?zone=CPZONE will not show the login page, as the user is already logged in, but the logout page, with a logout button.

    @leonida368 said in Authenticating Users with Google Cloud Identity: couldn't we try to make the logout popup work?

    It isn't broken. The fact that your idle timeout isn't working 'very well' is already strange. It's a core pf functionality, and isn't pfSense, but actually built into the FreeBSD kernel. As soon as you know what's wrong, you've solved your issue.

    @leonida368 said in Authenticating Users with Google Cloud Identity: Or find another way for the user to log out?

    All possible ways are already mentioned. I haven't found any other ways in the manual (the source code). Recently, a new method was created.

    Look on the forum (captive portal) for the "DHCP 114" method. It's an upcoming RFC draft. Apple (and Microsoft and the original Samsung OS phones - clone OSes: not yet). I have now, under the SSID properties, a link to a portal "Status page". The URL I gave the status page is the logout URL. So no need to type the URL mentioned above. To use this "DHCP 114" method, no need to edit any pfSense file. There is just one PHP file to upload. You have to use ISC DHCP, not KEA, as you have to add a DHCP option. Number 114. The value of the option, type is String, must be: "https://portal.your-domaine.tld:8003/rfc8910.php?zone=cpzone1"

    Where 'portal.your-domaine.tld' is the HTTPS server name of the portal. 8003 is the TLS port used. 'rfc8910.php' is the name of the file you've uploaded. 'cpzone1' is the name of the SSID zone.
  • SG-1100 Firmware Failure

    4
    0 Votes
    4 Posts
    312 Views
    stephenw10S
    Open a TAC ticket if you have not already: https://www.netgate.com/tac-support-request Do you know what versions it was upgrading between? It sounds like it's stopping at the bootloader prompt though, which implies it cannot see anything to boot from. We'd have to see the output before that to know exactly what errors are preventing it. A clean install of 24.03 is going to be the fastest way back, especially because there is no config on it yet.
  • dpinger question (new behavior in 24.03-RELEASE?)

    5
    0 Votes
    5 Posts
    459 Views
    stephenw10S
    Yes that does seem like the monitor target was simply not prioritising pings and dropping them under load.
  • Configure HAProxy for PC folder access

    17
    0 Votes
    17 Posts
    2k Views
    V
    @WhiteTiger-IT Generally you can comply with the official HAProxy documentation. You just need to translate it to the setting possibilities, which you can find in the pfSense web GUI.
  • Pfsense VPN Timeout - Unable to stop Timeout

    5
    0 Votes
    5 Posts
    405 Views
    J
    @stephenw10 TIME!!!!!!! Leave this with me :)
  • LAN issues... external ip not accessible internally

    4
    0 Votes
    4 Posts
    291 Views
    P
    @stephenw10 @viragomann Thanks.. yes, it was NAT Reflection, thank you very much. All good now.
  • Inter-Device Connectivity Issues on pfSense

    15
    0 Votes
    15 Posts
    743 Views
    HLPPCH
    @AG23 https://archive.nbaset.ethernetalliance.org/wp-content/uploads/2017/05/NBASET-Downshift-WP-1217.pdf
  • Interfaces out of order and ports named incorrectly

    5
    0 Votes
    5 Posts
    205 Views
    stephenw10S
    They are presented in the order they are parsed in the config. If it really bothers you, you can just manually reorder them in the config file. There is risk to doing that, obviously. Steve
  • Is netgate involved in getting these emails?

    2
    0 Votes
    2 Posts
    354 Views
    stephenw10S
    They are surveying our customers on our behalf, yes.
  • Boot freezes at EFI Framebuffer Information

    5
    0 Votes
    5 Posts
    935 Views
    stephenw10S
    It should work fine in legacy mode. It makes no significant difference to pfSense. Yes, it would have to be a com port the OS can see such that it uses dual console at boot.
  • Logs

    7
    0 Votes
    7 Posts
    487 Views
    stephenw10S
    Maybe unable to pull repo data for some other reason then. Does pfSense-repoc -N return without error?
  • Please check crash report for Limiters

    14
    0 Votes
    14 Posts
    598 Views
    stephenw10S
    Ok, let me see if I can replicate that.
  • pfsense 2.7.2-RELEASE (amd64 VM) crashes once in a while

    9
    0 Votes
    9 Posts
    746 Views
    D
    @bmeeks Blocked hosts set to clear in 1 day, Snort blocking kill states is ON. Will keep monitoring for more crashes.
  • New log message

    8
    0 Votes
    8 Posts
    802 Views
    stephenw10S
    Yes. When gateway comes back up static routes using it are reapplied.
  • pfsense 2.7.2 and Freebsd 14.0 Cannot load aquantia aqn-107 drivers

    20
    0 Votes
    20 Posts
    2k Views
    stephenw10S
    Yeah that module is not compiled against the pfSense 2.7.2 kernel. The instructions for doing so are in that linked thread. Hopefully that other user may be able to re-upload their compiled module.
  • Sudden Syslog Messages (IGMP) & Q re zones

    4
    0 Votes
    4 Posts
    260 Views
    stephenw10S
    Something on a client sees the gateway reboot and tries to reconnect maybe? Something had previously passed that traffic and the state still existed until reboot?
  • Management of 180 site pfSense+ deployment

    4
    0 Votes
    4 Posts
    319 Views
    stephenw10S
    Hmm, what limit are you hitting?
  • PfDash central management

    4
    0 Votes
    4 Posts
    7k Views
    W
    @marcvb So it's been 7 years, are you still using pfSense and if so how are you managing them?
  • Advanced Settings on DNS

    2
    0 Votes
    2 Posts
    162 Views
    stephenw10S
    Use the default values unless you have a good reason not to.
  • DNS Resolver

    2
    0 Votes
    2 Posts
    171 Views
    stephenw10S
    If you have internal clients that try to use DoT by default it may help to enable that. Almost everything will just fall back to unencrypted DNS. If you have clients that _only_ use DoT you need to enable that. Generally that traffic is all internal only so there is little reason to encrypt it.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.