• Network upgrade 1Gbps pfsense question ?

    12
    0 Votes
    12 Posts
    1k Views
    B

    @stephenw10 @AndyRH use Intel 82574L 1Gbps NIC x2. The network is normal, have 1G/600M. Thank you.

  • 2.6.0 update to plus

    5
    0 Votes
    5 Posts
    592 Views
    E

    Thank you.

  • PFSENSE WIFI CALLING

    46
    0 Votes
    46 Posts
    10k Views
    Gertjan

    @michmoor said in PFSENSE WIFI CALLING:

    lots of CP changes in the new releases i see

    You mean 22.05 as you talk about a 6100 ?

    22.05 doesn't use the good old second firewall 'ipfw', as 2.6.0, but uses a new, modified 'pf' so it can also handle MAC ( ! ). It was Netgate that changed 'pf' upstream for the entire FreeBSD community 👍
    22.05 native has issues : the "one queue for all connected users" is one of them. There is a patch.
    Look quickly over the last 10, 20 (skip the please help posts) captive portal forum posts, you find them all.

    If you are a heavy (hundreds of connected users) portal consumer, then watch your memory as there is a small memory leak in the new pf code. This can't be patched, as it needs binary changes, and the upcoming 23.0x will solve that.

  • Check disk space before saving config?

    2
    0 Votes
    2 Posts
    326 Views
    stephenw10

    There's nothing built for doing that but I agree (and I'm sure many of the devs do also) the handling in that case could be far better.
    If you enable ACB it should still be able to write out changes there. I've tested that though.

    Steve

  • upgrade 2.5.2 to 2.6.0 via clean install. config compatible?

    Moved
    2
    0 Votes
    2 Posts
    405 Views
    stephenw10

    You can restore a 2.5.2 config into 2.6.

    The link CRL bug (https://redmine.pfsense.org/issues/13424) is fixed in 2.7 but the patch is part of the System Patches recommended list in 2.6. So if you're hitting that you can simply click to apply it.

    Steve

  • 0 Votes
    3 Posts
    582 Views
    B

    @stephenw10 Hi. Thanks for the reply. Yes, I confirm, I upgraded to 22.01 and then to 22.05 and yes, I modified "pfsense-utils" to set these custom values. I'm sorry, I did not notice whether the bug was present on 22.01. Thanks anyway for the good news that this bug seems to be solved in the next release.

  • No WAN access from inside LANs...

    48
    0 Votes
    48 Posts
    8k Views
    N

    @njaimo ...I get it I misunderstood the "score" bit, it is not login attempts... :)
    Cheers

  • notifications via SMTP - every 10 seconds

    3
    0 Votes
    3 Posts
    465 Views
    Gertjan

    @osalj said in notifications via SMTP - every 10 seconds:

    What can I do to stop Pfsense from sending emails at all or not to send me an email about DDNS every 10 seconds?

    When a message is sent, it's placed in a file, the message queue, and a "smtp mail send" process is created that reads the file, sends the message, and passes on to the next one if there are still messages to send. If none, the queue is deleted, the process stops.
    I guess this is your issue: the message file (on disk) isn't emptied, the "smtp mail send" keeps on sending the message.

    [22.05-RELEASE][admin@pfSense.local.net]/var/db: ls -al noti*.*
    -rw-r--r-- 1 root wheel 131 Jan 7 01:01 notices_lastmsg.txt
    -rw-r--r-- 1 root wheel 41 Jan 7 01:02 notifyqueue.messages

    Do you have these two files ?
    What is their date time stamp ?
    Content ?

    An empty queue file (notifyqueue.messages) should contain:

    a:1:{s:5:"mails";a:1:{s:4:"item";a:0:{}}}

  • RADIUS authentication fails with ERROR: No NT-Password

    16
    0 Votes
    16 Posts
    6k Views
    stephenw10

    Not something I've ever looked into but if Windows is choosing to use that I'm not sure what you can do. Maybe radius can indicate why it fails prompting Windows to re-try or send a list of accepted ciphers. Also not something I've had to try.

  • how to forward new entries from a specific log to a remote syslog server

    9
    0 Votes
    9 Posts
    1k Views
    bmeeks

    @jpgpi250 said in how to forward new entries from a specific log to a remote syslog server:

    @keyser @bmeeks

    I finally got it working, see my comments here

    thanks for your time and effort.

    Both methods will work in the Suricata package: (1) plain syslog output to the local system log by checking the option on the INTERFACE SETTINGS tab and then restarting Suricata; or (2) configuring the EVE logging subsystem to write to syslog instead of a physical file.

    EVE is the direction the upstream Suricata team is encouraging for logging. You can enable the logging of more information via the options in EVE as compared to the older vanilla syslog output feature.

    Again, restarting Suricata on the interface after any changes to its core configuration is required for the change to become effective.

  • CloudFlare WARP and WireGuard

    2
    0 Votes
    2 Posts
    983 Views
    stephenw10

    It's showing it's never completed a handshake so that is not up correctly. You must have a mismatch there somewhere.
    I suspect your ping test was not actually using the WG tunnel.

    Steve

  • 0 Votes
    30 Posts
    4k Views
    stephenw10

    Potentially an incorrectly wired cable? If the wires from two pairs were swapped at both ends it could appear correct but use pairs that are not physically in a twisted pair. In that situation the common mode rejection is dramatically reduced and hence is far more susceptible to interference.

    Steve

  • Sorry I tried

    6
    0 Votes
    6 Posts
    748 Views
    johnpoz

    @michmoor yeah not sure who this is meant to trigger? I don't get it - oh some rando on the internet doesn't like xyz - who cares?

    Next stop MS forums to let them know Libre Office is better ;) Then off to hulu to let them know sling is better ;)

  • Mail Notification via internal mail server not working

    6
    0 Votes
    6 Posts
    720 Views
    B

    @viragomann
    Ok, that makes sense. For testing I tried the following:

    pfSense SMTP Port: 25
    pfSense Enable SMTP over SSL/TLS: off
    Postfix on mail server: smtpd_tls_security_level=encrypt (my understanding: this forces the use of STARTTLS)

    Error message from pfSense:

    Could not send the message to chris@mail.ws3 -- Error: Failed to set sender: root@pfsense.ws3 [SMTP: Invalid response code received from server (code: 530, response: 5.7.0 Must issue a STARTTLS command first)]

    --> my conclusion: pfSense does not use STARTTLS

    Changing the Postfix setting to smtpd_tls_security_level=may solves the issue but leads to an unsecured connection (not a real problem in my environment, but it would be interesting to understand the circumstances)

  • pfsense haproxy LAN side issues

    2
    0 Votes
    2 Posts
    672 Views
    V

    @caymann said in pfsense haproxy LAN side issues:

    Host Overrides:
    I cannot use host overrides as i have multiple docker containers on the same host.

    HAproxy is your frontend server. So point the host overrides to the LAN IP of pfSense, not to the backend.

  • Different Interfaces/Gateways Using Same IP Address

    31
    0 Votes
    31 Posts
    6k Views
    D

    @bob-dig said in Different Interfaces/Gateways Using Same IP Address:

    And there are other providers like Mullvad, where every tunnel gets a different IP.

    IVPN is like that as well. I've used them for years. It's been pretty much rock solid, set it and forget it. Good speeds, and I've found their tech support to be very good. I really have no reason to move away from them other than my Proton email account includes 10 VPN connections. So possibly saving $100/yr.

  • Netgate Device ID retrieval

    8
    0 Votes
    8 Posts
    1k Views
    stephenw10

    If you set a hint we can search for that.

    The ACB key is based on SSH, not the NDI. Since 2.6/22.01 SSH keys are backed up in the config, so if you restore a backup taken since then it should also restore access to ACB for that system.

    Steve

  • [SOLVED] Routing a bridged LAN connection.

    15
    0 Votes
    15 Posts
    3k Views
    stephenw10

    Persistence FTW! 👍

  • Duplicate tracking ID

    9
    0 Votes
    9 Posts
    1k Views
    stephenw10

    @michmoor said in Duplicate tracking ID:

    Help me understand why igc0 or igc1 comes up in the logs but its called 'LAN' in the or IOT in the config. Why is it using the physical name of the interface instead of the description?

    Maybe because you don't have igc1 assigned as an interface directly? Only VLANs on it?
    Because the rule is for 'not igc0' that includes all interfaces that pf can see including untagged on igc1. The switch is leaking it there.

    I still would not expect the same rules ID there though.

  • Processor interrupt in pfsense

    10
    0 Votes
    10 Posts
    2k Views
    stephenw10

    Ok, 550 x 2Mbps pipes is greater than the total available bandwidth. So it's possible you're simply seeing an upstream limitation dropping packets at which point pfSense has no control over it.
    You might be better off setting a bandwidth sharing dynamic Limiter on the interface rather than a hard 2Mb limit per user.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.