  • PHP Warning: Failed loading Zend extension 'sourceguardian.so'

    2
    0 Votes
    2 Posts
    221 Views
    stephenw10S
    Are you running the 3rd party e2guardian package? Did you upgrade from 2.6? I've never tested that package because it's unsupported but I don't think it will run in the current pfSense version. Steve
  • Windows Server 2022 + VM pfSense + OpenVPN

    2
    0 Votes
    2 Posts
    293 Views
    stephenw10S
    Yes it's possible. It's quite a complex setup. It can be difficult to set up a virtualised firewall like that and have everything boot correctly in the event of a power outage, for example. Steve
  • Using LetsEncrypt Certificate for Web Configurator Authentication

    6
    0 Votes
    6 Posts
    1k Views
    GertjanG
    @viragomann said in Using LetsEncrypt Certificate for Web Configurator Authentication: I don't believe, that Lets Encrypt has signed a certificate for 192.168.1.1. They expressly state in their User manual that they only use domain names, and NOT IP addresses.

    @pslinn said in Using LetsEncrypt Certificate for Web Configurator Authentication: Once changes are saved I log out of the pfsense system and type in the url: https://192.168.1.1:443 You all work, and you missed the most important reason why you were asking for a certificate: so you don't have to use http://192.168.1.1 anymore, but now you can use: https://pfSense.some-domain-name-that-you-rent.tld and yes, "some-domain-name-that-you-rent.tld" is a domain name that you have to rent. Letsencrypt does just one thing: they will test that you 'own' (= control) that domain name.

    @pslinn said in Using LetsEncrypt Certificate for Web Configurator Authentication: went to dns resolver under General Settings went to Host Overrides selected Add and typed in the requested contents including alias'. You don't have to do this. If you asked letsencrypt to create this cert for you: pfSense.some-domain-name-that-you-rent.tld and because pfSense already has "pfSense.some-domain-name-that-you-rent.tld" loaded into the DNS (point to 192.168.1.1) ... edit: do not believe me !! Go check yourself, using your equipment: nslookup pfSense.some-domain-name-that-you-rent.tld the answer will be: 192.168.1.1 ....

    So your browser (PC) can resolve "pfSense.some-domain-name-that-you-rent.tld" as pfSense has the answer (and yes, 8.8.8.8 has not !! (of course)). So the browser can now connect to the resolved domain name = "192.168.1.1". So the pfSense GUI, connected over https (using port 443), will hand over a certificate to the browser stating that this certificate belongs to "pfSense.some-domain-name-that-you-rent.tld". And that is just great: the browser was initially using "pfSense.some-domain-name-that-you-rent.tld", got 192.168.1.1 as the address where the server can be found, got a cert back from this web server that it is "pfSense.some-domain-name-that-you-rent.tld" => this is what https is all about. Nothing more, nothing less. Oh, yes, now everybody knows who is who, some random numbers can be exchanged securely so the entire traffic can also be encrypted and decrypted on both sides, so the traffic passes over the 'possible hostile' network in a secured way, and can not be altered while going over the wire.

    Btw: if you ask for a wildcard certificate like "some-domain-name-that-you-rent.tld" "*.some-domain-name-that-you-rent.tld" (this means: the top level domain name "some-domain-name-that-you-rent.tld" and all the sub domains "*.some-domain-name-that-you-rent.tld") you can now use your certificate for pfsense.some-domain-name-that-you-rent.tld, printer.some-domain-name-that-you-rent.tld, nas.some-domain-name-that-you-rent.tld when you've installed the certificate on your printer, nas etc. Now you can use "https" to access all these devices (if they support it).
  • TCP Fast Open (TFO) Support

    6
    0 Votes
    6 Posts
    879 Views
    M
    @marnog HAProxy supports FastOpen but not sure if this fits into your design. Up to you.
  • Comcast Static IP /30 Setup Help needed

    6
    0 Votes
    6 Posts
    638 Views
    S
    @edgewater Ugh, that sounds like the tech made more than one mistake. ;) Had one once replace a modem, leave, then we find out only one IP out of 5 is working. And, AND, the model of modem that actually supports multiple static IPs was no longer available. The new one "has problems with that." After a couple days they tracked down one more old model in a truck, and installed that.
  • Change Authentication Server from CLI

    5
    0 Votes
    5 Posts
    433 Views
    O
    @stephenw10 said in Change Authentication Server from CLI: authmode I mean authentication to WUI.. Perfect, I was exactly looking for that... Thank you!
  • KEA DHCP in 23.09.1 needs some attention

    10
    0 Votes
    10 Posts
    1k Views
    stephenw10S
    Yes, and I assume that is the case here. But in addition there were values for client identifier that tripped up Kea that ISC just allowed.
  • tcp/ip ports grouped by service

    3
    0 Votes
    3 Posts
    152 Views
    D
    There is /etc/services (on FreeBSD and most Linux) where port/protocol are mapped to service names.
  • Building a backup pfSense router

    5
    0 Votes
    5 Posts
    350 Views
    B
    Wow!! Thank you guys! That answers my questions... have Windows installed on the backup computer and will install the new 4 port network card as soon as it arrives and document MAC addresses etc... Thanks again! bookie56
  • 0 Votes
    4 Posts
    488 Views
    stephenw10S
    Ah great. Yes it was exiting out of the entire upgrade process on any error at that point before. It doesn't actually need to create a new UEFI boot entry there so should be fine. Interesting that Coreboot doesn't play nice with efibootmgr though.
  • pfSense Plus 23.09.1 Package Manager/Available Packages is empty

    9
    0 Votes
    9 Posts
    544 Views
    stephenw10S
    Send me your NDI in chat and I'll check it. Steve
  • Netgate 5100 disk utilization at 81%

    15
    0 Votes
    15 Posts
    590 Views
    M
    @stephenw10 I ordered one yesterday. Should be in tomorrow. Looks like a weekend project for me. Thanks again.
  • HyperV passing wireless adapter for WiFi WAN

    5
    0 Votes
    5 Posts
    220 Views
    provelsP
    @cheapie408 said in HyperV passing wireless adapter for WiFi WAN: @NollipfSense I actually have one sitting here but the reception is horrible, perhaps I need to get me a better one. That might be easiest. Maybe keep an eye out for a throwaway satellite dish on trash day.
  • ISC DHCP End of life

    7
    0 Votes
    7 Posts
    414 Views
    B
    @stephenw10 Thank you bookie56
  • Is pfSense Plus Beta 24.03 still on version 24.03.b.20240322.1708?

    8
    0 Votes
    8 Posts
    559 Views
    Dobby_D
    RC 24.03.r.20240416.0005 Here too, on x86_64 rig
  • Need help with purchasing decision

    5
    0 Votes
    5 Posts
    239 Views
    L
    @stephenw10 Thanks Stephen. The eeros are hard wired and so we should be ok.
  • New Unifi modem and no internet on LAN

    16
    0 Votes
    16 Posts
    1k Views
    chpalmerC
    @yaegermeister163 said in New Unifi modem and no internet on LAN: I confirmed with the ISP that it does not lock the modem to a specific MAC address for the router. Yes but the modem will limit the number of MACs it will communicate with per power cycle based on the config file that the ISP sends to it. Most residential accounts limit to only one... Some commercial accounts will allow from 2 to 5 from my experience. You can try cloning the MAC of a device that worked on your pfSense WAN page or simply reboot the modem every time you try a new interface.
  • Gateway monitoring Error 64 fixed by reboot—what’s the cause?

    6
    0 Votes
    6 Posts
    761 Views
    stephenw10S
    Re-linking the WAN triggers a bunch of scripts. Among others it would restart the DHCP client and will start by sending a broadcast to any server, not just that gateway. I would start by running the pcap without any filter on WAN. If you see anything coming back in at all that gives us a clue.
  • april fools or not?

    8
    0 Votes
    8 Posts
    799 Views
    planedropP
    Looks like VPP might happen on FreeBSD though, which is really interesting: https://ipng.ch/s/articles/2024/02/10/vpp-freebsd-1.html
  • 0 Votes
    28 Posts
    2k Views
    stephenw10S
    OK so you're using Unbound in forwarding mode so it will use the configured DNS servers there. However you have 'DNS server override' set so anything sent by your ISP may be used. Try testing a host in Diag > DNS Lookup. That will show you all the DNS servers configured on the system and if they're responding.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.