• Noticing traffic spikes on VLANs with no clients?

    0 Votes
    11 Posts
    516 Views
    @johnpoz Thank you so much! This helped me to understand and pinpoint the actual configuration responsible for the ARP scan.
  • IGMP strangeness

    0 Votes
    18 Posts
    2k Views
    dennypage
    @dennypage said in IGMP strangeness: @stephenw10 said in IGMP strangeness: As long as the ruleset is reloaded after enabling it that should work fine. Nothing there should require a reboot. Agreed. Only thing I could think of is that something prevented the reload from completing… @stephenw10, In the other recent thread, the user indicated that after defining the rule, they needed to perform a state reset before the rule worked. Worth noting. This would also explain the situation with the user who asserted that they had to reboot.
  • 24.03 FRR has flapping BGP neighbors

    0 Votes
    20 Posts
    2k Views
    @michmoor hi mich, can you give more detail on what rules you created to allow bgp across the interfaces? thanks jim
  • ld-elf.so.1: Shared object "libssl.so.30" not found, required by "pkg"

    1 Vote
    4 Posts
    2k Views
    @bthoven It worked for me. Using 'certctl rehash' then 'pkg-static -d update'. Thanks
  • DNS for multiple VLANS

    0 Votes
    8 Posts
    463 Views
    @johnpoz, hmm, that's what I thought. I will follow the other thread and see where I end up. I appreciate all the guidance and advice that you have provided. I have a good base to start from now.
  • PHP Fatal error ... status_interfaces.php:137

    0 Votes
    6 Posts
    253 Views
    stephenw10
    Yes that is the best way. For a small edit like this you could likely just edit the config file in place and then reboot.
  • After suricata deinstallation have a low speed

    0 Votes
    4 Posts
    166 Views
    stephenw10
    It's possible if the uninstall didn't complete. Check Diag > System Activity or the output of ps -auxwwd.
  • 23.09.1 update failed. Now it won't restart. What now?

    0 Votes
    12 Posts
    542 Views
    stephenw10
    The spare 1100 will need a WAN IP that is in your current LAN subnet. I would just use the default for that which sets the WAN as DHCP. It will pull a lease from your existing dhcp server and should be able to connect out.
  • pfSense hacking

    0 Votes
    12 Posts
    2k Views
    Gertjan
    @Antibiotic said in pfSense hacking: Is it default deny? A firewall is what it says: hard to pass through. At least, that was the word they came up with in the middle of the last century. These days, I tend to think my pfSense has a black hole in front of my WAN, 'visible' from the outside. With this perspective in mind, why would you block a black hole with 'stop' rules in front of it? Stop signs that say: [first stop rule] no RFC1918 here. And [second rule] unknown flying sorcerers neither. Just let them have it. As it should be obvious that anything imaginable (by humans) will get into the black hole, and from there it's not our problem anymore. Block rules do use CPU cycles .... why waste cycles on stuff that's going to be annihilated? So: no need to block access to the black hole. It's a bit 'useless'. The perfect WAN firewall list is ... an empty list. There always will be some #d#ts that try to poke in a black hole to see if they can manage to do something with it. They are just proving that physical laws exist, but they just didn't get that yet. Using a firewall is actually a responsible social thing to do: it keeps #d#ts busy and off the street, as they might be doing other things out there ^^ edit: wait: your stop rules can have a useful function! This: [image] is useful so you can see if there are actually #d#ts out there that send you packets that match, thus hit, the rule. Your 'Not assigned by IANA' actually has a double score counter: these packets shouldn't even be routed to you by your ISP, so they could never reach you, as "non assigned networks" can't be used / routed on the Internet. So maybe you're on to something: your ISP is also a #d#t
  • 0 Votes
    2 Posts
    126 Views
    stephenw10
    It's a compiled patch so it cannot be applied via the patches package. It will be in 24.07. If we have to produce a point release for 24.03 we could probably pull that in but it's unlikely that by itself would warrant it. Steve
  • SG-1100 upgrade 23.01-Release to 23.05.1 - which one?

    0 Votes
    6 Posts
    251 Views
    @stephenw10 30% of 3.7GB. I started another thread since things have gone downhill a bit.
  • acb.netgate.com ERROR

    0 Votes
    7 Posts
    360 Views
    @stephenw10 Could be, anyway this error does not appear anymore.
  • swap not listed? [solved]

    solved
    1 Vote
    41 Posts
    9k Views
    stephenw10
    It's common to have the SWAP as double the RAM size. That way you can dump the full ram to it if required. pfSense doesn't do that though.
  • Still no 2FA?

    0 Votes
    5 Posts
    274 Views
    johnpoz
    @deanfourie said in Still no 2FA?: I'm just surprised this is not built in. So freerad is click to add to pfsense, how is it not built in? You looking for a click and dropdown menu to setup 2fa? I think there is a lack of understanding of what constitutes mfa to be honest.. So any sane setup of a device like a firewall should be limited to what network/devices can access it in the first place. So location of auth is a factor. Now maybe this is just your lan.. But what it should be is a secured network that only admins can be on. So that is 1 factor.. Now they need username+password = 2fa by the very definition of what 2fa is.. Do you allow access to the firewall via the public internet?

    So mfa auth can be made up of multiple(s) of these attributes:
    A knowledge factor is something the user knows, such as a password, a PIN etc..
    A possession/have factor is something the user has, such as an ID card, a laptop, security token, cellphone, etc.
    A biometric or something-you-are factor, ie something inherent in the user's physical self.
    A location factor is usually denoted by the location from which an authentication attempt is being made.
    A time factor restricts user authentication to a specific time window in which logging on is permitted and restricts access to the system outside of that window.

    Maybe missing something but let's take these 5.. And walk through some scenarios/setups. So to auth to pfsense: Username and password = 1 factor. Have to be on the secured "admin" network or IP = another factor.. So unless you allow login to your firewall from the public internet? There is 2fa auth right there if you ask me.

    Other factors that should/would be involved in access to this firewall. Could be another something you have, for example your ID to even get in the building to be able to get on the network/room that can even access the firewall. Or maybe even biometric, fingerprint to access the building or IT dept. Or server room or etc..

    Other factors to be considered: to get on this "admin" network it's possible you have to do some sort of 802.1x auth to connect this device, not just walk in off the street and plug into some port or connect to some open wifi network. So this could be something you have - work laptop that is pre setup to get on this admin network, also something you know, the username+password to even login to the laptop you have.

    So if we walk through a typical possible process of accessing the firewall gui: ID to get into the building, laptop that is company laptop and allowed to access the network. Username and password to login to this laptop. Username and password to access pfsense gui. So I count 2 things you have (id and work laptop) and 2 things you know. Login to this laptop and login to pfsense = 4fa. So unless this pfsense is say just sitting in the open or in an unlocked closet in a public building that requires no form of auth to enter, you're satisfying mfa.. Some token or sms sent to a different device is just one of the ways to control access. But it is not the get all end all to having 2fa..

    edit: So past company I worked at.. These are factors you would have to do to get access to any sort of firewall/router/switch on the network. You had to thumbprint to get into the office.. To get into the server room or network closets you needed a badge to scan at the door. So even if you were going to console in, ie physical access, you had to have 2 factors. Your thumbprint and badge. But typically thumb to get in. Work laptop to access the network, because 802.1x was enabled - you couldn't just plug any laptop into any network port on some cube. Also even if you passed 802.1x in some cube, ie a company laptop.. To access the admin network you had to use specific cubes' ports, and your laptop had to be specifically set up to access this network. Now I needed to auth to my laptop.. Which required a tiks card, not just username+password; if you just found my laptop on the street it wouldn't do you any good. Now to access the devices from this "admin" network you also needed to auth to the admin network - not just be plugged into the network that can auth. So this required a different username and password. Now once I was on this network, you could access network devices. And then you needed username and password to auth to this device. So how many factors is that? Well over 2, that is for sure ;)
  • SG-3100 upgrade to 24.03 seems to have broken UPnP

    Moved
    0 Votes
    17 Posts
    832 Views
    stephenw10
    https://redmine.pfsense.org/issues/15470
  • Change the CN (common name) of a user certificate?

    0 Votes
    3 Posts
    525 Views
    stephenw10
    Indeed you have to create a new certificate with the CA. You can't edit a cert, that would break the chain of trust.
  • ZFS POOL UPGRADE?

    0 Votes
    6 Posts
    623 Views
    provels
    @stephenw10 said in ZFS POOL UPGRADE?: No I would not upgrade the ZFS pool. Good advice. I tried it a while back and system became unbootable.
  • GRE Tunnel using Proxy ARP

    0 Votes
    14 Posts
    2k Views
    stephenw10
    Sorry, missed the replies here. It looks like you're using the webgui cert as the server cert? It has to be a cert created against the server CA. It also looks like the TLS key is different. Both ends must have the same TLS key. You also still have a bunch of routed tunnel settings like pushing routes and adding gateways. But I'd fix up the cert/key first before looking at that. Steve
  • Resolved: Upnp not successful nat moderate

    xbox upnp nat tplinkap
    0 Votes
    4 Posts
    562 Views
    JonathanLee
    I found the issue: I changed the OPT1 name and it would not change in the config.xml, so it does not bind to the new name. I set it back to OPT1 after seeing that the config.xml did not recognize this as selected for the upnp section of the code, and it worked. It is like the name change messed up somehow.
  • BGP - unrecognized capability code: 128

    Moved
    0 Votes
    6 Posts
    980 Views
    Restarting only OSPFD produced nothing, but restarting the pfSense 2.7.2 box output this on pfSense+ 24.03:
    2024-05-06 10:56:04.896 [WARN] ospfd: [MS0DP-CEKYV][EC 134217751] Point-to-Point link on interface ipsec2 has more than 1 neighbor.
    2024-05-06 10:56:09.660 [WARN] ospfd: [MS0DP-CEKYV][EC 134217751] Point-to-Point link on interface ipsec2 has more than 1 neighbor.
    2024-05-06 10:56:11.667 [WARN] ospfd: [MS0DP-CEKYV][EC 134217751] Point-to-Point link on interface ipsec2 has more than 1 neighbor.
    2024-05-06 10:56:22.682 [WARN] bgpd: [JG0WZ-7X009][EC 33554504] 10.255.255.254 unrecognized capability code: 128 - ignored
    2024-05-06 10:56:24.339 [INFO] bgpd: [M59KS-A3ZXZ] bgp_update_receive: rcvd End-of-RIB for IPv4 Unicast from 10.255.255.254 in vrf default
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.