What does line 21 in /tmp/debug actually look like?

That's not the more common memory error if you have the max table size set too low. That looks like a syntax error somehow.

Steve

Nice! Thanks for documenting that. I'm sure it will help someone else at some point. ☺

Steve

Ok so that should be no problem. Setup the OpenVPN server in the VPS, route your traffic to it, add a firewall rule to allow that traffic. All the other default settings should work there. What are you seeing not work?

Steve

A proxy for what?

You can use the Squid http/s proxy package. That can authenticate against LDAP or Radius.

Steve

After playing around for a little while I made an interesting discovery that I have not been able to find an explanation to...

FreeRadius EAP Settings has a check box "Check Client Certificate CN" ("When enabled, the Common Name of the client certificate must match the username set in 'FreeRADIUS > Users'").

When using a certificate to authenticate, it seems to me that the certificate CN would NOT be checked against the Users database. Regardless of the users I have added, I always get error messages like below when I have that check box checked:

Nov 30 17:33:15 radiusd 1388 tls: Certificate CN (K14) does not match specified value (host/K14)! Nov 30 17:33:15 radiusd 1388 tls: TLS_accept: Error in error Nov 30 17:33:15 radiusd 1388 (4) Login incorrect (Failed retrieving values required to evaluate condition): [host/K14/<via Auth-Type = eap>] (from client SW21 port 2 cli xx-xx-xx-xx-xx-xx) host/K14 -

So far I have not been able to figure how to effectively enable the client cert. CN check.

I wonder if this is also some stupid beginner's mistake, or is this something else?

And where does this "host/" prefix come from? At least it seems to be independent of the 802.1X authentication mode in the client (User vs. computer authentication)...

When the check box is not checked, authentication with the certificate succeeds without any problems.

FWIW, Radius debug log reveals:

(2) files: users: Matched entry host/K14 at line 2 (2) [files] = ok

...so it seems that it indeed performs the check against user database where I have an entry "host/K14".

On 2.4.4-p3 you can apply 71185882dc168e49347f0924f33a207aaf6e2db0 with the system patches package and then run pfSsh.php playback generateguicert and it will make you a new GUI cert with the new 825-day default.

I will say that since 2009 when I was first introduced to PFsense, the few issues I've had have all been due to failing hardware... either a bad NIC or a failing MB in a PC. This may or may not be your case, but just sharing what I've experienced.

A factory reset obviously worked for you in this case, however, you're also running discontinued nettop/desktop hardware. You may want to consider moving to new hardware going forward.

@xodiacx said in RTO Ouf of no where:

what if we have multiple gateways?

You can only have one default gateway, though you can have other routes out, but they have to be specified.

Connect a client directly to the upstream device and test that.

The SG-3100 should pass close to Gigabit line speed though so those speeds look far lower than expected.

Steve

@stephenw10 said in Blocking everything except...:

It might not be...

That is correct 😉

@tbattista Always power-cycle the modem, then connect the device you are testing with when doing these sorts of tests to flush anything the modem may have learned.
@stephenw10 having a managed switch that can mirror the traffic might be a great way to analyse where the problem is stemming from, although there would be some challenges as speeds approach 1Gbps, but given the low speeds reported, it should be sufficient to see what's really going on.

The entire running config can be backed up from Diag > Backup/Restore.

The file is /conf/config.xml if you're digging through the filesystem directly.

https://docs.netgate.com/pfsense/en/latest/backup/index.html

Steve

Hi Stephen. Thanks for your reply and interest.

How can I give the zabbix user rights to run nc? Anyway it looks like it already has permissions for that as I am able to get the nc help screen from the zabbix server. What I am not able to is to read the openvpn server socket. It also has permission to echo data as I am able to get the echo output from there too.

Is there any way to give the zabbix user limited permissions to the openvpn server socket? making zabbix root equivalent is not a good idea for a firewall so we should avoid this approach.

I had a Linksys CM3024 which became the star of a youtube video where we torched it. Way to flammable but I digress.. That was my first experience with the problems with the Puma6. I blamed the ISP for all our VOIP problems.

The original problem with traffic flow exhibited itself with UDP traffic. DNS suffered greatly. VOIP traffic also suffered as well as VPN connections over UDP. Many ISP's have pushed out updated firmware which has fixed those issues. But the other security issues still exist.

"It is a unpatched 0-day exploit that has no current mitigation with published code anyone can download and target other users."

"In addition to the DoS mentioned above, there's also a memory corruption DoS which causes a full modem reboot. The details of this attack have not yet been published while a patch is being worked on."

Yep. YMMV. :)

@netpok said in Detect missing IP address:

over 9000

😁

@stephenw10 Thanks, i found it under misc

Resolved. Thank you!