• Multiple PfSense accessing one Freeradius server

    0 Votes
    5 Posts
    301 Views
    NogBadTheBad

    Did you try running radsniff -x on the cli of your freeradius box?

  • pfSense can ping ISP gateway but not connect to internet

    0 Votes
    16 Posts
    3k Views

    @DominikHoffmann Thank you!

  • Help me with a simple pfSense config

    0 Votes
    19 Posts
    1k Views
    johnpoz

    @eagle61 I think it's strange no matter who you are or what region of the world you're in ;)

    There is no possible way those can not be changed.. If they don't know how to do it, or have no access to the router - I would check if the username/password is just default for the make and model for sure.

    Then call the isp for help, those are clearly not default.. So even if the isp set them up initially, not like they can not change them.. It's not like they said ok we can set this IP exactly once.. Once you set it you're locked to that IP forever! ;)

    But no there is going to be no way you can just slide pfsense into your original setup without some down time.. And you sure are not going to be able to route with the same networks on 2 legs of a router..

    Let's say you could route even.. If some client on your 192.168.10 network wants to talk to 192.168.10.1 as its gateway.. How would that work.. He says oh need to send this to my gateway 192.168.10.1 - let me arp for that.. ooops no answer, = no access to anything off my network.

    So you would have to change the gateway on the client to point to pfsense 192.168.10.x address on the lan side.. So you would have to touch every device on your 10 anyway.. And then still policy route if you wanted specific devices to use a specific gateway.. But you can not do that anyway..

    So bite the bullet, schedule some down time with the business and set this up correctly.

  • [SOLVED] DNS issue with mullvad wireguard clients.

    0 Votes
    7 Posts
    1k Views

    @Bob-Dig said in [SOLVED] DNS issue with mullvad wireguard clients.:

    @nimrod said in [SOLVED] DNS issue with mullvad wireguard clients.:

    I'll mark this as resolved.

    Great, although that was more luck than anything else. 😉

    Well, it worked. And it never came to my mind yesterday. I wasted hours on this with no acceptable solution.

    If you still have problems, maybe switching the DNS to WAN instead of the VPN will solve it.

    Switching to WAN produces DNS leak with my old settings.

    With DoT it is still encrypted and you have to trust mullvad in any case.

    I don't have a problem with that. That's how it was when I was using openvpn. But openvpn didn't have issues with DNS once I reboot.

  • Netgate 2100 LAN Ports

    0 Votes
    9 Posts
    529 Views
    stephenw10

    So you're connecting some servers on OPT2 and want to put HAProxy in front of them?

    First get the port, VLAN and switch configured in the same way you did for OPT1. Connect the server(s) and make sure they are in the correct subnet and are reachable.

    Then add HAProxy.

  • Strange issue with 10.0.0.0/24 ip for subnets for LAN.

    0 Votes
    2 Posts
    248 Views
    stephenw10

    Hmm, but it is somehow routing traffic on every interface?

    Can you ping out from the console to anything?

  • Log rotation options grayed out

    0 Votes
    2 Posts
    119 Views

    Please disregard. The field looks grayed out but it turns out you can actually change the values. Sorry!

    (Side note - BIND stopped writing to resolver.log after I changed the setting but I was able to fix this by restarting the named service on Status > Services)

  • Beta Broken Update module? 24.11-RC

    0 Votes
    2 Posts
    181 Views
    stephenw10

    It probably is fixable. You might be seeing that error temporarily anyway.

    But try running at the CLI:

    pfSense-repoc -N

    pkg-static -d update

    What error(s) are shown?

    Steve

  • 23.09 Unbound killed failing to reclaim memory

    0 Votes
    34 Posts
    7k Views

    @jimp The Unbound crash happened again today. The Unbound crash has not happened in months, particularly since reducing memory size parameters. It's been so long, in fact, that I removed service watchdog a week or two ago, thinking the issue was resolved. So much for that.

    Here's various symptoms:

    The only relevant error message I found in the System>General log is: Nov 24 10:57:21 kernel pid 54097 (unbound), jid 0, uid 59, was killed: a thread waited too long to allocate a page

    Note this error is different than those in the past where Unbound was killed failing to reclaim memory. End result is the same: dead Unbound and dead production on my network (without service_watchdog, which I have now restored to service).

    I haven't found any relevant messages in the Unbound logs.

    The Status>Monitoring>System>Memory shows a puzzling zeroing of all parameters at about the same time as the Unbound crash:

    So, while I've been admonished in this forum to not use service_watchdog, I can't maintain production uptime without it while these Unbound discrepancies live on.

    If there's something more I can do to assist Netgate in figuring this out, please let me know. I'll be happy to do whatever I'm able.

    Thanks!

  • 2.7.0 / wiped after reboot

    0 Votes
    10 Posts
    548 Views

    After fixing the backup node, I encounter the exact same issue on the master node...
    Snapshot before reboot to be able to recover the config file!

  • pfSense WAN interface wont get IP address

    Moved
    0 Votes
    18 Posts
    35k Views

    Using Spectrum as ISP and was pulling my hair out on why the Netgate sg-2100 wasn't getting a WAN ip address. After unplugging the modem and the Netgate for a few minutes, then plugging in the cable modem then the Netgate did it get a WAN IP address on the device, thanks!

  • Start service sslh at boottime

    0 Votes
    3 Posts
    211 Views

    @stephenw10 Thx! It works :-)

  • Cloudflare tunnels with Docker connector security

    0 Votes
    11 Posts
    735 Views

    Thanks again for your replies.

    I enjoy playing around with all this networking and security stuff.

    Very exciting.

    And pfsense is the best!

    And a great support community - thank-you.

  • 0 Votes
    5 Posts
    379 Views
    stephenw10

    But like home, pro, server etc?

  • Bluetooth and pfsense running in a PC

    0 Votes
    3 Posts
    169 Views
    stephenw10

    No that's not possible. And you really don't want to have that sort of service on a firewall anyway.

  • Convert pfsense ova file to qcow2 fails with either virt-v2v or qemu-img

    0 Votes
    4 Posts
    442 Views
    stephenw10

    @dutsnekcirf said in Convert pfsense ova file to qcow2 fails with either virt-v2v or qemu-img:

    I'm wondering how well this works.

    Very well. All the config is in that file. It should restore and be identical. The only issue you will have are the interface names will probably be different (vmx vs vtnet) so they will need to be re-assigned when you import it.

    Steve

  • Is it hacking?

    0 Votes
    12 Posts
    796 Views
    JonathanLee

    @Antibiotic get rid of that torrent client eventually it’s gonna break stuff if you keep using it. Trust me. Stop using it, think about how many ports you need open. It just takes one bad download

  • Arpwatch Notification recipient ignored

    0 Votes
    3 Posts
    214 Views

    @stephenw10 I'm also noticing this behavior. I'm on pfSense version 24.03-RELEASE.

  • Slow WAN Good LAN

    0 Votes
    9 Posts
    388 Views

    @stephenw10

    Both really.

    My infrastructure segment is inaccessible unless you can either get on that vlan through a physical port on the switch, or via a VPN that the FW originates as the server to get on an administrative network.

    There are also client mode VPN connections to a commercial provider.

    Regardless of if the traffic is coming in via the admin VPN and then out WAN, or on the local segment and then routed over the client VPN out to the web it takes a big hit to throughput. It would be difficult to pin down if it affects traffic both ways given the huge imbalance in the down/up speeds.

    It does seem to be limited to traffic routed externally that has the issue though. Running a speed test from the admin net to a local server works as expected despite going through a vpn tunnel to get to that network. But anything either from the admin vpn or going over the external commercial vpn to an external site is heavily limited.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.