• NIC speed change depending on ISP

    2
    0 Votes
    2 Posts
    324 Views
    V
    @ppal Try another network cable.
  • VERY slow System Update

    46
    0 Votes
    46 Posts
    6k Views
    GertjanG
    @sergei_shablovsky The answer is : no. My iPhone also decides to update itself to 15.1 (2 GB download) and the rest of the company's network was also active. I also use an IPv6 connection, that tunnels IPv4 packets out over the WAN with IPv6 traffic in it. So my IPv6 goes over the IPv4 WAN (technically, I have a double WAN setup). I've shut down our main switch, so I was using the only PC on the network : Test again :

        [2.5.2-RELEASE][admin@pfsense.my-local-network.net]/root: fetch -v -o /dev/null https://snapshots.netgate.com/amd64/pfSense_master/installer/pfSense-CE-memstick-2.6.0-DEVELOPMENT-amd64-latest.img.gz
        resolving server address: snapshots.netgate.com:443
        SSL options: 82004854
        Peer verification enabled
        Using CA cert file: /usr/local/etc/ssl/cert.pem
        Verify hostname
        TLSv1.2 connection established using ECDHE-RSA-AES256-GCM-SHA384
        Certificate subject: /CN=*.netgate.com
        Certificate issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
        requesting https://snapshots.netgate.com/amd64/pfSense_master/installer/pfSense-CE-memstick-2.6.0-DEVELOPMENT-amd64-latest.img.gz
        remote size / mtime: 439979895 / 1636700812
        /dev/null                                       419 MB 1868 kBps 03m50s

    That is close to 19 Mbits / sec, my ADSL down bandwidth. It was using IPv4 - as IPv6 (ipv6.he.net) would be slower for me.
  • Moving from house to apartment with Google Fiber: pfSense?

    5
    0 Votes
    5 Posts
    1k Views
    G
    @newberger glad to hear it. Even before it was officially supported you just had to create a VLAN 2 with a QOS of 3 on your WAN port and you were set. I was so happy to get rid of their network box. Hope you enjoy the service and your pfsense experience.
  • PFsense Squid Proxy issue to communicate cloud based software

    2
    0 Votes
    2 Posts
    328 Views
    D
    Hi Guys, This issue has been resolved. There is nothing wrong within the proxy and I figured out reinstalling the software agent. Thanks
  • Alias URL error

    3
    0 Votes
    3 Posts
    714 Views
    M
    @viragomann Was intuitive to put URLs in Firewall/Aliases/URL simply by the name. Didn't think to look at Firewall/Aliases/IP to find the ability to enter hostnames rather than only IPs. I should have looked beyond the intuitive, thanks.
  • Is anyone using pfSense as a Certificate Authority for their Own Network?

    9
    0 Votes
    9 Posts
    4k Views
    G
    Thank you @johnpoz for taking the time to write such a detailed reply. Do you know if pfSense can create a certificate that is signed by an Intermediate CA that is trusted due to chain of trust to a Root CA? I have managed to get FF to work by importing the intermediate cert into firefox, but if I just import the root CA it doesn't work. I just went back to revisit this and it looks like I didn't create my certificate correctly because when I execute openssl s_client -connect against my TrueNAS server with a server key created by pfSense, I only have the Intermediate CA in the certificate chain.

    @johnpoz said in Is anyone using pfSense as a Certificate Authority for their Own Network?:
    @guardian I have been doing this for years and years.. While I don't see the need of intermediate CA setup.. This is only certs for my stuff, and it's all on my secure/trusted home network anyway..

    @redsector73 said in Is anyone using pfSense as a Certificate Authority for their Own Network?:
    @johnpoz Any chance you can link the posts or a guide, this is something I need to do, inclusive of plex / printers etc but haven't got around to yet. Sorry OP not trying to hijack your thread, just interested.

    @redsector73 So sweat - maybe I can help: If you are on firefox:

        Settings > Privacy & Security > Scroll down to Certificates
        Click "View Certificates"
        Scroll to the bottom and click import
        Navigate to your CA Certificate (.crt file you have exported from pfSense)
        Click Open

    Any certs you sign with that CA will be trusted by the browser (as long as you have created the certificate correctly). On chromium there is a "Manage Certificates" under the Advanced Section of "Privacy and Security". I suspect that Google Chrome is very similar. Hope this helps.

    [I should have refreshed before sending this... I wrote this yesterday, but forgot to post - @johnpoz has a really great writeup in the link he just added to his previous post.]
  • dnssec and DoT incompatibility question

    6
    0 Votes
    6 Posts
    929 Views
    johnpozJ
    @jc1976 said in dnssec and DoT incompatibility question:
    Why is there a compatibility issue between DoT and dnssec?

    There ISN'T as I just went over!! If you're going to forward, be it you're doing normal udp 53 or dot.. Uncheck to use dnssec - because it doesn't matter.. Where you forward to is either doing dnssec or they are not.. You checking that box isn't going to do anything but cause extra dns queries..
  • Strange Wireguard (possibly) issue

    1
    0 Votes
    1 Posts
    320 Views
    No one has replied
  • Can't access PPPOE/ADSL modem from pfSense

    14
    0 Votes
    14 Posts
    1k Views
    stephenw10S
    Hmm, weird! Well if it fails again check the states that are open from the internal client IP. You should see the pass state open on LAN and the NAT'd state on MODEMACCESS. You could check that while it is working so you know what it should look like. Steve
  • WAN IP gateway is not my public IP

    9
    0 Votes
    9 Posts
    1k Views
    johnpozJ
    @cabledude said in WAN IP gateway is not my public IP: was merely curious really Yeah I have one of those nagging curiosity kats that is always meowing at me as well ;) hehe
  • Grep for Email Reports

    7
    0 Votes
    7 Posts
    867 Views
    H
    Of course! For the first portion of the report [commands], I have Traffic Totals installed, so I use:

        /usr/local/bin/vnstat -I igb0

    I then list uptime:

        uptime

    then today's successful logins:

        grep -i "/index.php: Successful login for user " /var/log/system.log | grep -e "^`date +'%b %e'`"

    note the space after user

    Then down in Included Logs, I search for "authentication error" and "Authentication error" in the Authentication (General) entries. These just accumulate until the logs roll.
  • Nested aliases of Host(s) and Network(s) types. Is it correct?

    4
    0 Votes
    4 Posts
    469 Views
    D
    @stephenw10 Understood. Yes, it seems like it was populated wrong. I'll check if the trick with /32 as @bingo600 mentioned will work. Thank you for your replies.
  • Why can't I resolve hostnames for devices on different VLANs?

    19
    0 Votes
    19 Posts
    3k Views
    I
    @stephenw10 Great. Thank you!
  • Turntable

    tuning
    5
    0 Votes
    5 Posts
    1k Views
    M
    @viragomann Awesome!
  • 1 Votes
    4 Posts
    821 Views
    jimpJ
    Set the GUI to authenticate against a RADIUS server, setup MFA on the RADIUS server. You can even do this with the FreeRADIUS package and OTP/Google Authenticator, but it's better when done on a dedicated RADIUS server.
  • Missing files after update to 2.5.2

    Moved
    4
    0 Votes
    4 Posts
    817 Views
    jimpJ
    discs.inc is a new file on 21.02 and 2.6.0 snapshots, it is not on 2.5.2. Sounds to me like your system pulled in some parts of snapshots, likely from selecting the snapshot update branch and then making a change to packages without upgrading the firmware first. There isn't likely a bug here, but something broken locally on your system.
  • how to enable TLS 1.2 & 1.3 in netgate 1100

    Moved
    2
    0 Votes
    2 Posts
    438 Views
    jimpJ
    The GUI uses 1.2 and 1.3 by default on the current version. Why is it you need to change or restrict this? There are no user options for it.

        /var/etc/nginx-webConfigurator.conf: ssl_protocols TLSv1.2 TLSv1.3;

    The captive portal web server config also allows 1.1 because it needs to accept connections from a wider range of clients, such as older clients. If you are using something like haproxy it has its own mechanisms for changing or limiting TLS versions.
  • PFSENSE AS ROUTER

    8
    0 Votes
    8 Posts
    914 Views
    stephenw10S
    Well, it will work. Try it and see. What hardware? What bandwidth? Steve
  • Notify me if pingtime high

    3
    0 Votes
    3 Posts
    461 Views
    stephenw10S
    You can get alerts for gateway events so you only need tune your gateway monitoring to trigger at those levels. I would also set it to monitor something external, like 1.1.1.1. Yes, the usual solution here would be to apply a Limiter to all traffic from a guest subnet so they cannot saturate your WAN upload. Steve
  • Notification when outgoing rate exceeds limit for time specified

    5
    0 Votes
    5 Posts
    558 Views
    GertjanG
    @johnstonf See also here. @johnstonf said in Notification when outgoing rate exceeds limit for time specified: I'm finding that my upload is being loaded, and then slows my whole internet. Then stop doing so !! ;) Btw : You should know this effect exists.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.