The 7100 also has on-board eMMC, it may not have shipped with an m.2 SATA drive.
But if the eMMC has failed you can always fit an SSD and boot from that.

Steve

https://redmine.pfsense.org/issues/14174

@josephchrzempiec

View status without having to login?

I'm not telling you you should, but I can show you what I have : this.
This permits me to see some basic pfSense parameters with the 'tap of a finger' wherever I am on the planet.
It's not a click here, click there solution, as it implies that you temporarily ( ! ) activate FreeBSD package source to install a FreeBSD package called Munin (it will pull in a boatload of dependencies - this was fine, but can be 'dangerous'), and then you have to set it up (some script coding is needed).
Munin isn't the most beautiful grapher out there, it's the one I use for .... many years.

@josephchrzempiec said in View status without having to login?:

Is it possible to run python on pfsense?

I guess it's there in the basic install. I'm not sure.
But install pfBlockerNG-devel or pfBlockerNG :

fa349811-b3d2-4c71-8c66-64bbee3c48af-image.png

and that will pull in Python for sure.

@gertjan

pfBlockerNG, by default, right after installing, does contain an 'example' DNSBL feed

DNSBL isn’t enabled by default. There are plenty of DNSBL feeds that appear on the Feeds tab, but none of those are enabled either.

Hello all, Thank you for replying back to my post. I'm only trying having one server connected to my pfsense router that is all. I was looking for the minimum requirements to run a pfsense router. I have found a few. Sense I only have one server and no need of more I have a small computer with 2gb of memory and 32gb of hard drive on a computer I have should be perfect for it.

Joseph

@jknott

@jknott said in Problem with updating packages over ipv6?:

@aholmes5

Does your WAN interface have an IPv6 address?

Yes it gets a 2001:506:* address. LAN gets 2600:1700:* address.

@steveits Thanks a lot!! it worked!! I wish i could buy you a cup of coffee.

@deanfourie Normally MITM is achieved by installing a CA cert on each device and then creating "certificates" on the fly. Can be done on a PC but you can't really install your cert on an IoT device.

Easier to just block DoH per the above and then if you need to, allow a device to use it.

@patryan I like the simple ones!

Ted Quade

@pf-sense-help here is a quick walk thru I did years ago, that still valid

https://forum.netgate.com/post/831783

This is how you would create a CA, sign a cert and have your browser trust it. You can use whatever sections of it you need if parts have already been accomplished.

@rcoleman-netgate
Am I correct that the i915 kmod video driver would not help with this as it not loaded at the time boot menu shows?

Btw I tested booting 2.7CE (feb 15th build) from usb-drive and it had the visually correct boot menu.
For proper testing, I would need to swap in another ssd and make a test install with 2.7CE, but I don't think I'll waste time at that...

@johnpoz Thanks! That worked just fine. I am not knowledgable about certificates and was nervous about changing anything that might break web access.

@stephenw10 Yeah, it's recurring, still nothing in a Zpool scrub.

@stephenw10

LOL me 2
ill have to reload the old settings on the old hardware and load the patches 1 by 1 and see what fixed it i guess.

pfSense itself must already have a static IP address on that interface. The DHCP server would not be able to run there if it didn't.

The 'Copy my MAC' function there is the MAC for client you're accessing the gui from, not the pfSense MAC.

Steve

Hi there

I am trying to get this working, without luck so far. I have set the firewall rules like described and also the pimd setup.
7cd4d017-d15a-4d57-913e-8983c3304253-image.png
f481ca80-f71f-4af1-89ab-ccdb8f4aa98d-image.png
1b58df44-0145-4899-bc24-7495b37decfc-image.png
56f54691-56f4-4bf9-bec5-26f5e862d65e-image.png
f4f0226c-a5a1-40ef-b5ee-c0c9eb91785a-image.png

As soon as I enable pimd, my devices drop from the wifi.

Any ideas?

I work for IPinfo. If we are not providing accurate IP geolocation data for you, consider submitting an IP correction request: https://ipinfo.io/corrections

The request goes through the verification process. If the correction is verified within 24-48 hours the geolocation data gets updated.

@johnpoz @dobby_ Thank you I will explore

@rcoleman-netgate Sorry, can not reproduce now this error to make screenshots. Did fresh reinstall of Windows 11 and for this moment no any warnings. That was standard error warning "your connection is not secure and site can steeling your sensitive data."))) Took a look on certificate of this site and was intercept with additional certificate from my ISP! No any idea , how it possible during using of VPN. My laptop was connected with VPN client (ExpressVPN) throw home router ((Router not from ISP and firmware is OpenWRT ) to pfSense box (pfSense plus 23.01 is installed on old laptop). But this warning start coming not immediately on fresh copy of Windows but a few days later. Now after reinstalling will watching out this situation again(((

@ffuentes said in Logs Settings and OpenVPN:

After upgrading from the latest 22 branch to 23.01 I lost my logs settings page
Also OpenVPN no longer wants to start for nether client or server.

I fixed the OpenVPN issue with the patch: https://redmine.pfsense.org/issues/13963

@Stugots open a ticket at https://go.netgate.com and include your current Netgate ID and the order number from your original CE->Plus upgrade token.

I also had occasional dns failures when using quad9 dns. I simply turned off forwarding mode and have had no issues with root servers doing the work.
I find this to be non-ideal, but at least functional.

I agree, it should almost always be bridged if you're running VBox in any sort of permanent way.

400Mbps between VMs is pretty slow though. That seems like it must be a problem in the VBox config somehow. Though it's been many years since I ran in Windows.

Ok. I can see it now. Thanks for your help.

@viragomann
Yeah I did before you replied and that's actually what told me how it works haha. I thought "it can't be that".

@efriseer
Wake on LAN packets are broadcasted by default. So the packets do not pass a router at all.

If the bot belongs to the server anyhow you can possibly put it behind pfSense as well.
Or send the WoL packet from any other host which resides within the servers L2, maybe from pfSense itself.

@billy_c

Thanks for the additional information Billy! It's all helpful.

@richardsago instead of or in addition to limiters traffic shaping could be used as well for instance to prioritize UDP from the video class.

Residential has some minor drawbacks such as outgoing port 25 is often blocked and/or the IP on the Spamhaus policy block list. Plus it normally is a DHCP IP.

@johnpoz said in PfSense pretty slow GUI opening FW rule:

@operations said in PfSense pretty slow GUI opening FW rule:

I don't even use PfBlocker

So you don't have any large aliases setup like with all of the internet IP ranges in them?

Nope, couple of aliasses with one to max 6 or 7 IP's.

Other options here might be simpler but Home Assistant cloud is pretty cheap and since there is an pfsense integration that makes all the stats accessible from anywhere without “exposing” direct access to pfsense to the internet. There are other security risks involved with this approach. Just wanted to throw in some other options.

@operations said in Fine tuning PfSense for network with AD:

@stephenw10 yes i have my AD DNS as a forwarder pointed at PfSense atm. Just wanted to check this part.

Then setting the override will allow pfSense to resolve names in AD DNS (e.g. local SMTP).

Private is not necessary.

You can also override the reverse DNS if you have AD DNS set to use/hold the reverse zone. Then it can look up LAN IPs.

If you have the ability, use Telegraf to output stats to an InfluxDB database then use Grafana to visualize the data.

@vuiora said in Set up GRE tunnel. Sendto error:5:

Sendto error:5

It's an Input/Ouput error: https://man.freebsd.org/cgi/man.cgi?query=errno#RETURN_VALUES

So maybe there's no link on the NIC it's trying to use?

More info needed.

Steve

@stephenw10 Solved by set in firewall rule( Lan traffic to ExpressVpn) default gateway to ExpressVpn. Thank you for your assistance. Have a good weekend!
Screenshot 2023-03-25 022907.png

Are you trying to connect to the IP address(es) directly? Or using fqdns, which would go via Cloudflare?

Do you see the connections coming in if you run a packet capture or check the state table?

Steve

It's probably possible. You'd need to arrange VLANs shared between the physical and virtual pfSense instances such that all interfaces share a layer 2 connection with each other.

Steve

@simois no problem - its was a very valid and good question to be honest.

Hmm, the last thing shown there is a zfs command. If it was unable to write to the drive whatever is accepting connections there could also be unable and eventually fill the buffers causing that queue overflow.
However usually that would also prevent writing the crash report.

Are you able to reproduce this?

Steve