• Multiple static IP on different gateway

    29
    0 Votes
    29 Posts
    3k Views
    Derelict
    @firewalled_lotusdew It might be trivial now. Try it.
  • Odd log message

    6
    0 Votes
    6 Posts
    884 Views
    johnpoz
    @stephenw10 yup use that, if it's not openvpn it sends it to the port that haproxy is listening on. port-share 127.0.0.1 9443
  • Repetitive lines in /boot/loader.conf

    4
    0 Votes
    4 Posts
    616 Views
    gniting
    @stephenw10 said in Repetitive lines in /boot/loader.conf: I'm seeing that in 23.01 dev snaps. What version are you testing? It's ugly but harmless. There is a bug open for it: https://redmine.pfsense.org/issues/13280 Steve I am on the following version: 22.05-RELEASE (amd64) built on Wed Jun 22 18:56:13 UTC 2022 FreeBSD 12.3-STABLE Agree, it is indeed ugly. Thanks for the link to the bug report.
  • pfSense 2.6.0 to Netgate hardware

    Moved
    6
    0 Votes
    6 Posts
    793 Views
    stephenw10
    Hmm, yeah that should definitely work. You were restoring a 2.6 config into 22.05? Steve
  • Threat prevention and high speed Broadband

    17
    0 Votes
    17 Posts
    1k Views
    stephenw10
    That should work fine.
  • errors in logs

    5
    0 Votes
    5 Posts
    560 Views
    T
    Not sure how that got unblocked. Thanks. I re-blocked it.
  • starlink no ethernet

    2
    0 Votes
    2 Posts
    510 Views
    stephenw10
    It is possible to use a wifi adapter as a WAN directly in pfSense but the support for hardware is very limited. It would be better to use an external wifi/ethernet adapter if you can. Steve
  • Latest Radius server on Synology NAS no longer working with PFSense

    10
    0 Votes
    10 Posts
    2k Views
    stephenw10
    Ooof! Nice catch.
  • Time date in logs not correct.

    16
    0 Votes
    16 Posts
    2k Views
    S
    @understudy The BIOS being off by exactly a multiple of an hour is frustrating to figure out. Much more obvious if it is 27 minutes. :) re: some services using other times, I actually posted a log of that in a completely unrelated redmine, https://redmine.pfsense.org/issues/13593. That log entry was: system log (14:07 is UTC, 9:07 is US CDT): Oct 25 14:07:44 check_reload_status 353 Syncing firewall Oct 25 14:07:44 php-fpm 69691 /pkg_mgr_install.php: Configuration Change: admin@ip (Local Database): Saved firmware branch setting. Oct 25 09:07:13 pkg-static 50845 pfSense-repo upgraded: 2.6.0_8 -> 2.7.0.a.20221025.0600 Oct 25 09:07:11 pkg-static 47503 pkg upgraded: 1.17.5_2 -> 1.18.4_1 Oct 25 14:07:02 check_reload_status 353 Syncing firewall Oct 25 14:07:01 php-fpm 69213 /pkg_mgr_install.php: Configuration Change: admin@ip (Local Database): Saved firmware branch setting. In that case it was the 5 hour time zone. Not on pfSense, AFAIK, but I have set up Linux servers where if you change time zones some services don't pick it up until they restart.
  • pps reporting issue

    3
    0 Votes
    3 Posts
    469 Views
    J
    Hi Steve Thanks again for responding. I'll check the counts tomorrow when I see the peak and correlate it with what I see in PRTG and come back. In terms of the number of CARPs I totally agree and I wouldn't set it up like this. The second set of firewalls (HA2) has just the WAN interface CARP VIP and then I use other VIPs and route subnets to the CARP VIP as I find this by far the most flexible in terms of what I can do with subnet allocations. Thanks again.
  • Running Suricata causes swap_pager_getswapspace failed

    4
    0 Votes
    4 Posts
    553 Views
    bmeeks
    Agree with what others have already posted: you need to either significantly trim the rules you have enabled in Suricata or else bump up the RAM in the machine to at least 4 GB - and 8 GB is even better. But even with 4 GB of RAM, you will still want to carefully select the Suricata rules you enable. And as mentioned, once your box starts using swap space, performance goes quickly into the toilet.
  • How to restore PFsense config if it fails?

    7
    0 Votes
    7 Posts
    809 Views
    stephenw10
    In most configs you can simply reassign them in the gui and away you go. But you can imagine how that might not be so easy if you have, say, a lagg pair of NICs with VLANs on that and a PPPoE WAN on one of those. Editing the config directly can be easier in that situation. Though it also opens the possibility of user error. Steve
  • Build second firewall months after first to setup HA/CARP

    4
    0 Votes
    4 Posts
    528 Views
    J
    Thanks @viragomann and @Derelict, really appreciate the input. I'll go with the new build as a HA pair (although addresses currently in use would allow for HA to be slotted in without hassle), to make it as clean as possible. I will do a restore to a new VM in a dev environment though and see how nicely that works to know if it's a get out of jail card for future for a quick HA conversion. Thanks
  • netgate sg1100 not booting after power outage

    7
    0 Votes
    7 Posts
    959 Views
    stephenw10
    What you're seeing there is the output from the SoC bootloader ROM when it has nothing to load into memory at boot. That means, for whatever reason, it cannot load uboot from the SPI chip. It's possible to attempt to recover from that by uploading a special uboot image over the serial console. It's not a straightforward procedure! If the SPI is damaged somehow it would help. It's extremely unusual to see the SPI contents corrupted during normal running because nothing ever writes to it. Only during a firmware upgrade and even then only if it then includes a uboot update. I think this would be the first time we've seen it in the field. To give you an idea of what's involved the procedure for the standard Espressobin is shown here: http://wiki.espressobin.net/tiki-index.php?page=Bootloader+recovery+via+UART Steve
  • Setup without WAN?

    4
    0 Votes
    4 Posts
    1k Views
    stephenw10
    Yes, you can do that. You will find there are some additional delays at boot and on some pages in the web interface when there is no valid WAN. Especially if the WAN is set to DHCP and has to timeout pulling a lease. Steve
  • Pfsense found docker process

    27
    0 Votes
    27 Posts
    2k Views
    johnpoz
    @stephenw10 Yeah I bet ;) Other than curiosity on what it is, and how it got there being the biggest question. I would wipe this box for sure.. This is clearly not something you set up. And everything points to nefarious use.. The IPs are hosted vps, and you got some weird ass PTR setting nasa.gov - yeah ok ;) And the one IP is a tor exit node..
  • What gets stored on /cf/conf/acb?

    3
    0 Votes
    3 Posts
    490 Views
    senseivita
    @rcoleman-netgate Thanks! Now that you mention it I do remember seeing the long strings there. And I'm just realizing those are numbers, not hashes. It "only" took me about 3-4 years. :) Thanks again!
  • Does pfSense use openssl 3.x at all?

    8
    0 Votes
    8 Posts
    2k Views
    bingo600
    From https://thehackernews.com/2022/11/just-in-openssl-releases-patch-for-2.html Combined with what @jimp said above: pfSense is not vulnerable at all /Bingo
  • Snort auto-starting?

    2
    0 Votes
    2 Posts
    520 Views
    bmeeks
    Anything that causes the pfSense built-in script "restart all packages" to execute would automatically restart Snort (since it is an installed package). The "restart all packages" script can be triggered by several events within pfSense (for instance, your WAN IP cycling to a new value or the link going down and then back up). If you truly do not want Snort to ever start on an interface, go to the INTERFACE SETTINGS tab for that instance and uncheck the Enable checkbox. That will disable Snort on that interface.
  • Half Gbit PPPoE on VLAN201 new user setup quandary

    4
    0 Votes
    4 Posts
    717 Views
    stephenw10
    As long as you don't assign any IPs on it you should never see any traffic there directly. Though as I say it's common to see that assigned with an IP in the modem's subnet in order to access it. I use that. Just make sure the default gateway is set to the PPPoE WAN if you add another gateway. Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.