Yes, I use this if I need to decrypt it, as the file is base64 encoded also.
You will need to extract that and then decrypt it. That can be done from a Linux box using the following command:
cat /tmp/config-enc.xml | sed -e '1d' -e '$d' | base64 -d | openssl enc -d -aes-256-cbc -out /tmp/config-dec.xml -k '12345'
Or it can be done on the firewall itself, if a Linux box is not available, using the following command:
cat /tmp/config-enc.xml | sed -e '1d' -e '$d' | b64decode -r | openssl enc -d -aes-256-cbc -out /tmp/config-dec.xml -k '12345'
Where 12345 is the password.
You would expect code in HEAD to be in the next release. That page was last updated in August though.
FreeBSD 11.2 that pfSense 2.4.4 is built on includes those patches:
My setup is (I tried with traditional separate switch groups first - same result):
Basically a Distributed Switch over the two hosts with 2 port groups,
one Trunk VLAN (all) and one VLAN tagged with 100.
pfSense is connected to the Trunk VLAN, and I created a VLAN inside pfSense with tag 100;
then the VM uses the VLAN port group (that is tagged to 100).
Works like a charm, DHCP, internet etc. - when I am on the same host.
But when the VM is on the other host, nothing works: no DHCP, and even if I set a static IP to what I have selected, I cannot even ping the gateway.
I have moved both pfsense and VM's back and forth to exclude there is a specific issue with one of the hosts.
I guess there is something in the underlying network that is the problem. According to the vendor (I am colocated) this network (that my distributed switch is using for uplinks through one card per host) is a PRIVATE VLAN allowing 0-4095, so I assumed it would work... this is really out of my competence zone :)
However, I don't see how this can happen within the DSwitch in ESXi (that should be distributed over the hosts).
@landman16 said in Issue with a block of 16 IPv4 addresses:
ISP is asking if this is the upstream gateway of Zen or some IP within my public subnet.
Sounds like your ISP needs some tech support that's not clueless. When configuring a router, it's the ISP's gateway. With computers, it's your own, in this case pfSense.
On the General Settings tab of the ACME package, check the Write Certificates box, which drops the cert files in /conf/acme/ and from there you can have scripts pick them up and deliver them where you want.
No real way to do this at the firewall usefully I would say.
Might try just allowing only MACs you've added. Or maybe 802.1x at your access points.
Maybe if you have signatures and those phones in question are calling home you can detect and block them in Snort.
@maximusatov said in Has ufs_dirbad Boot Loop Been Fixed?:
Guys, please don't suggest UPS or other means to stabilize power. Let's assume by default that the power is unstable.
A UPS is the answer. Full stop. If you have unstable power, use a UPS. You can get dirt cheap UPS units that would cover a firewall for a significant amount of time. Coupled with a package like apcupsd or nut that can trigger a clean shutdown, it's a perfect solution.
Moving the goalposts isn't going to get you a better solution here.
ZFS helps, since it's a bit more resilient, but even that isn't perfect. RAM disks do help but again, not perfect. NanoBSD is no different than using RAM disks. It had not been set read-only in years.
Locking this since it's just going in circles.
@bryan-paradis This is funny and I know this is an old topic, but some time ago I added a 5th NIC to my pfSense; it never worked. Added VMX, that did not work either. Today I tried again multiple times to no avail and started over like 3 times. Then I decided to enable Track Interface and I got IPv6 and it worked. I could ping and tracert everything; for the first time my 5th network card was operational, just not on IPv4. I am trying to set up a VLAN for WiFi in another location in the building. Well, I followed your suggestion above even though the path was a little wrong, but I fixed the rule that was not auto created for some reason. Now I have the extra VLAN and the 5th network card working in a virtualized pfSense.
Happened to me again just now. Of course, I had flattened my PC and not yet installed Fiddler. :-) I unplugged my cable modem, then plugged it back in to get all lights correct/connected. Then I had to shut down the pfSense device, wait a tick, and power it back on. That was MUCH faster than trying to go to https://<pfSense device IP>/status_interfaces.php and renew there because of the super slowness (in FF and Chrome).
Waiting for next Spectrum outage now (or may pull WAN cable once my bandwidth-gobbling kids hit the sack tonight <g>).
@stephenw10 said in pfSense stops responding after login on Netgate MBT-2220:
How are you logging in that seems to trigger this? At the webgui?
Can you log in via SSH or use the physical console? If you have a physical console connected when this happens it may show what is happening, or at least allow you to investigate or reboot cleanly. Or if it stops responding there, it's also an indication.
Thanks for replying, Steve. The problems occur when I log in through the web GUI. When I've tried to log in using SSH or the console after a GUI login and the system has stopped responding, those attempts failed. No login prompt appeared. pfSense had simply stopped responding.
To be honest, I haven't tried to log in using SSH or a physical console prior to logging in through the web GUI. But I'll give it a try this weekend and report back.
Mmm, probably going to need a script to do it. You might be able to define a custom Snort rule to detect that, which would be nice. But it will only throw an alert when it sees it. No way I'm aware of to send a notification based on that alert. Maybe if you were exporting the Snort logs you could have something else set up to parse them and do that.
Neither of those things are anything I've ever tried.
@stephenw10 I was fully stopped, not a timing issue. I figured it out much later because the usage of haproxy/squid is optional. I do not use clamav or other filters, the proxy being 100% for caching.
Unrelated to the original question: one hour ago I found an issue specific to squid: it breaks use of wss:// (web sockets) and so far I was not able to find info about how to avoid it (if it is even possible). Clearly this has nothing to do with pfSense.
You might be able to do that via Captive Portal. You have a combination of stuff there that I've not tried: time limit, MAC auth and presumably auto refreshing each day. But it might be possible.
You can just filter the logs by IP change and you will see changes listed for the time covered by the logs:
That does show all 'WAN' type connections, so an OpenVPN client connection also, in my case, there.
The only thing you have mentioned there that I wouldn't do is antivirus on the firewall. It is only available as clamav via the Squid package, but it can only scan whatever Squid sees, so to be of any use at all Squid has to proxy SSL traffic, and that introduces a whole new level of complexity. You do get some level of protection from malware in general using Suricata/Snort as an alternative.
You can add the VoIP router as an additional gateway and configure it as failover from WAN if required.
Windows subnets usually work better when the DC is doing DHCP/DNS for clients on them so I would do that if possible.
I also experienced an issue with my Amazon Echo not being able to connect to the WiFi network. It had worked okay for many months. But after a power outage, I was not able to reconnect it. I use an Asus AC68U in AP mode as the access point. I was able to see the MAC address of the Amazon Echo on the access point. On pfSense itself, I could see the Amazon Echo was assigned the static IP I had assigned it. But it could never finish connecting to the WiFi network, and this resulted in an error message about a failure to register the device. I was able to connect it to my backup Asus AC88U router with no issue.
I have one WAN interface and three OpenVPN interfaces and selectively route devices and traffic through each tunnel. I checked all of the log files. No domains were being blocked per the pfBlockerNG reports, and the firewall logs showed no blocks either.
The solution was to remove the Amazon Echo from the TorGuard OpenVPN client interface and assign it to the WAN interface. Doing this step allowed the Amazon Echo to connect to the WiFi network. After completing the connection, I reassigned the Amazon Echo to the TorGuard OpenVPN Client Interface.
Hope this helps others who may have a similar issue. I spent many hours on the problem.