• Pfsense box stopped working

    2
    0 Votes
    2 Posts
    196 Views
    stephenw10

    What does line 21 in /tmp/debug actually look like?

    That's not the more common memory error if you have the max table size set too low. That looks like a syntax error somehow.

    Steve

  • Static IP over PPPoe questions

    4
    0 Votes
    4 Posts
    1k Views
    stephenw10

    Nice! Thanks for documenting that. I'm sure it will help someone else at some point. ☺

    Steve

  • Setup Openvpn on vps

    4
    0 Votes
    4 Posts
    504 Views
    stephenw10

    Ok, so that should be no problem. Set up the OpenVPN server in the VPS, route your traffic to it, add a firewall rule to allow that traffic. All the other default settings should work there. What are you seeing not work?

    Steve

  • Forward Proxy question

    2
    0 Votes
    2 Posts
    154 Views
    stephenw10

    A proxy for what?

    You can use the Squid http/s proxy package. That can authenticate against LDAP or Radius.

    Steve

  • 0 Votes
    26 Posts
    7k Views
    D

    After playing around for a little while I made an interesting discovery that I have not been able to find an explanation for...

    FreeRadius EAP Settings has a check box "Check Client Certificate CN" ("When enabled, the Common Name of the client certificate must match the username set in 'FreeRADIUS > Users'").

    When using a certificate to authenticate, it seems to me that the certificate CN would NOT be checked against the Users database. Regardless of the users I have added, I always get error messages like below when I have that check box checked:

    Nov 30 17:33:15 radiusd 1388 tls: Certificate CN (K14) does not match specified value (host/K14)!
    Nov 30 17:33:15 radiusd 1388 tls: TLS_accept: Error in error
    Nov 30 17:33:15 radiusd 1388 (4) Login incorrect (Failed retrieving values required to evaluate condition): [host/K14/<via Auth-Type = eap>] (from client SW21 port 2 cli xx-xx-xx-xx-xx-xx) host/K14 -

    So far I have not been able to figure out how to effectively enable the client cert CN check.

    I wonder if this is also some stupid beginner's mistake, or is this something else?

    And where does this "host/" prefix come from? At least it seems to be independent of the 802.1X authentication mode in the client (User vs. computer authentication)...

    When the check box is not checked, authentication with the certificate succeeds without any problems.

    FWIW, Radius debug log reveals:

    (2) files: users: Matched entry host/K14 at line 2
    (2) [files] = ok

    ...so it seems that it indeed performs the check against user database where I have an entry "host/K14".

  • 0 Votes
    8 Posts
    2k Views
    jimp

    On 2.4.4-p3 you can apply 71185882dc168e49347f0924f33a207aaf6e2db0 with the system patches package and then run pfSsh.php playback generateguicert and it will make you a new GUI cert with the new 825-day default.

  • Network Stability Issues

    8
    0 Votes
    8 Posts
    926 Views
    M

    I will say that since 2009 when I was first introduced to PFsense, the few issues I've had have all been due to failing hardware... either a bad NIC or a failing MB in a PC. This may or may not be your case, but just sharing what I've experienced.

    A factory reset obviously worked for you in this case, however, you're also running discontinued nettop/desktop hardware. You may want to consider moving to new hardware going forward.

  • RTO Ouf of no where

    Moved
    13
    0 Votes
    13 Posts
    1k Views
    JKnott

    @xodiacx said in RTO Ouf of no where:

    what if we have multiple gateways?

    You can only have one default gateway, though you can have other routes out, but they have to be specified.

  • Painfully slow centurylink gigabit

    2
    0 Votes
    2 Posts
    365 Views
    stephenw10

    Connect a client directly to the upstream device and test that.

    The SG-3100 should pass close to Gigabit line speed, though, so those speeds look far lower than expected.

    Steve

  • Blocking everything except...

    9
    0 Votes
    9 Posts
    1k Views
    Oceanwatcher

    @stephenw10 said in Blocking everything except...:

    It might not be...

    That is correct 😉

  • pfSense throughput testing details with iPerf 3

    1
    0 Votes
    1 Posts
    194 Views
    No one has replied
  • Download Speeds are very poor but upload is fine.

    10
    0 Votes
    10 Posts
    565 Views
    awebster

    @tbattista Always power-cycle the modem, then connect the device you are testing with when doing these sorts of tests to flush anything the modem may have learned.
    @stephenw10 having a managed switch that can mirror the traffic might be a great way to analyse where the problem is stemming from, although there would be some challenges as speeds approach 1Gbps, but given the low speeds reported, it should be sufficient to see what's really going on.

  • Print out pfSense config?

    2
    0 Votes
    2 Posts
    947 Views
    stephenw10

    The entire running config can be backed up from Diag > Backup/Restore.

    The file is /conf/config.xml if you're digging through the filesystem directly.

    https://docs.netgate.com/pfsense/en/latest/backup/index.html

    Steve

  • reading openvpn server socket with zabbix user

    5
    0 Votes
    5 Posts
    918 Views
    M

    Hi Stephen. Thanks for your reply and interest.

    How can I give the zabbix user rights to run nc? Anyway, it looks like it already has permissions for that, as I am able to get the nc help screen from the zabbix server. What I am not able to do is read the openvpn server socket. It also has permission to echo data, as I am able to get the echo output from there too.

    Is there any way to give the zabbix user limited permissions to the openvpn server socket? Making zabbix root-equivalent is not a good idea for a firewall, so we should avoid this approach.

  • Need to upgrade cable modem and avoid Puma 6 problems

    11
    0 Votes
    11 Posts
    3k Views
    chpalmer

    I had a Linksys CM3024 which became the star of a YouTube video where we torched it. Way too flammable, but I digress... That was my first experience with the problems with the Puma6. I blamed the ISP for all our VOIP problems.

    The original problem with traffic flow exhibited itself with UDP traffic. DNS suffered greatly. VOIP traffic also suffered, as well as VPN connections over UDP. Many ISPs have pushed out updated firmware which has fixed those issues. But the other security issues still exist.

    "It is an unpatched 0-day exploit that has no current mitigation, with published code anyone can download and target other users."

    "In addition to the DoS mentioned above, there's also a memory corruption DoS which causes a full modem reboot. The details of this attack have not yet been published while a patch is being worked on."

    Yep. YMMV. :)

  • Detect missing IP address

    6
    0 Votes
    6 Posts
    721 Views
    stephenw10

    @netpok said in Detect missing IP address:

    over 9000

    😁

  • No temperature info

    4
    0 Votes
    4 Posts
    541 Views
    O

    @stephenw10 Thanks, I found it under Misc.

  • User Admin Question

    3
    0 Votes
    3 Posts
    391 Views
    T

    Resolved. Thank you!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.