  • Terrapin SSH Attack

    STLJonny

    @willowen100 It basically forces your ssh (on the Windows side) to utilize that encryption algorithm. You'll need to do that on any machine you ssh from.

    I'd have rather found a more elegant workaround (preferably on the pfSense side, so the mod only has to be done in one location), but this works in a pinch.

  • pfSense Hangouts are available on YouTube!

  • Share your pfSense stories!

    Mine may be typical, maybe not.....
    Took over a large senior living facility with a pretty robust IT infrastructure spread between 4 IT rooms, 23 access points, 12-14 switches, and 200 internal devices and 200 guest/resident devices, all being run by a SonicWall TZ350. I had been wanting to realign everything network-wise for some time, but the TZ had 2 ports that were failing. I had worked with ClearOS from back in the ClarkConnect days and started searching for something similar. I found pfSense and it just fit what I wanted to do.
    I tested it a bit on an old Athlon64x2 rig for proof of concept and had planned on installing on a mini PC or something, but I wanted 6 NICs. Standing in my main IT room I looked down, and in the bottom of the rack were 4 HP DL380s, 2 of which were decommissioned 2 years ago. It's such huge overkill for hardware that it's hard to explain, but who wouldn't want redundant power supplies, RAID 60 with 25 drives and remote system monitoring through iLO? lol

    I spun one up, loaded pfSense and started tweaking. 2 weeks ago I switched over and have been working out gremlins since. Overall it's gone well, just one snag that a couple of members here have been very kind in helping me work out. Thank you to this page for all the help.

  • Unknown DHCP ping

    Everything that can be off is off.

    Something doesn't fit. When I have the solution, I'll let you know.

  • getting frustrated I can't Post my Question Akismet

    stephenw10

    Yes, unfortunately the tsunami of spam that happens if we disable that filter makes the forum basically unusable. 😞

  • Netgate 6100 using 2.5Gbe port for WAN?

  • How to handle Telnet access to industrial control appliance

    johnpoz

    @NGUSER6947 No, creating a VPN does not force traffic through it. So you are remote to this pfSense, right? Just VPN into pfSense, and then telnet to what you want to telnet to.

    You can set up your VPN to be as restrictive or open as you want. You could allow access to anything, or you could limit it to only this telnet device's IP on the telnet port.

    Another way, with less config needed, would be to port forward to this telnet IP on the pfSense WAN, but only allow your specific source IP, if you know the IP where you will be coming from. This would be secure, but not as elegant of a solution. And the traffic over the internet would not be encrypted inside a VPN tunnel.

    Another way to skin the cat would be to SSH to the pfSense WAN, then telnet from pfSense to the telnet box. This would be encrypted over the internet. And if you only allow public key auth to SSH on pfSense, this would be pretty secure. Still not as good as a VPN setup; you could limit it to your source IP as well, etc. To prevent spam noise of boxes hitting SSH, changing the port would cut down on log spam as well.

    But the best solution is to set up a VPN to pfSense.

  • Possibility of capturing ssl-keys using tcpdump in the pfsense shell

    johnpoz

    @b3rt See my edit of the above post; there are some tools you could try ;) But once you had hacked the IoT OS to trust your cert, you wouldn't have to do that in real time or anything. You would then really own all its encrypted comms, until its firmware was updated, etc.

  • LAN with external addresses not working

    @johnpoz I think that has everything I need. Thanks! I need to get more familiar with the documentation.

  • PFSense hangs up while booting

    If you're running pfSense as a VM on Proxmox (like I am), you'll likely go through multiple reboots with no problems... then one day it will just happen. Not sure exactly the cause... I assume something more than dumb luck triggered it to happen... 🤷 Either way, the fix was simple enough in my case.

    1. Power off then on (or "reset") the VM while viewing the console via the Proxmox UI.
    2. When you see the initial Proxmox BIOS boot/splash screen, press F2 to enter it.
    3. Go to "Device Manager" >> "OVMF Platform Configuration".
    4. Update the "Change Preferred" value to a more common (if there is such a thing) resolution value, e.g. 1024x768. In my case the original value was 1280x800.
    5. Select "Commit Changes and Exit", then back out to the main BIOS screen.

    NOTE: Make sure you "Reset" when exiting the BIOS... not "Continue". This forces the new configuration to be applied and will be seen by pfSense.

    That should do the trick.

  • Update problems

    @chpalmer thanks, 05/17/2025 this helped me!

  • Attack option with a USB stick

    Hi everyone,

    I'm glad that a few thoughts have come together after all.

    Sure, if I have access, then it's over. But that's also the point, so that you can make entries.

    I actually imagined it to be like "Hollywood".
    Or rather scenarios along the lines of Stuxnet.

    What is possible if you have the option of connecting a stick briefly?

    However, if in any case, even if you extend the scenario and you still have a keyboard with you and the menu in your head always needs a restart, this is conspicuous at the latest.

    Thank you and I am now quite relaxed.

  •

    @stephenw10 I understand the conflict.

    If Netgate contributes to the open-source project, maybe this is an effort where it can contribute, namely, end-user-comprehensible error messages.

    If that's "too hard", then solve it with documentation: initiate an error messages and codes section of the user manual which lists the error messages, then what they mean and directions to take for recovery.

    As it is, customers are left thrashing around with support, or this forum, often at Netgate's direct or indirect, uncompensated, expense.

    For instance, DEC had the OpenVMS error messages and codes manual, which was helpful to the customers.

    It seems to me we've regressed since then where error messages appear to have been made up on the spot by the developers and are substantially meaningful on their face mostly to developers.

    Customers support the business. Making their life harder makes the business' life harder. Is that what business leadership wants?

    Example:
    https://www.digiater.nl/openvms/doc/alpha-v8.3/ovms_archived/OVMS_MSG_REF_AL.PDF

  •

    stephenw10

    So do you see the DoT states on Comcast only?

    Are you sure this is actually a DNS problem?

    Is the client actually using pfSense for DNS? It could be using DoH directly, for example.

  •

    stephenw10

    Ah, OK.

    So if you have enabled "Enable NAT Reflection for 1:1 NAT" and "Enable automatic outbound NAT for Reflection", it should work.

    Try to open something that should be forwarded then check the states. You should see the NAT states on both interfaces applied to make the reflection work.

  • pfSense Error: NGINX syslog logging failed — Connection reset by peer

    stephenw10

    Then I wouldn't worry about it.

  • eMMC appears to have failed after only 5-6 months of use.

    patient0

    @dutsnekcirf said in "eMMC appears to have failed after only 5-6 months of use.":

    "I've suggested that she purchase an 1100 series router as a replacement"

    The 1100 also has eMMC memory, and therefore the same issue can occur.

    Install the SATA SSD only after you check with Netgate support if you still have warranty.

    Mentioned in the Netgate doc "Optional M.2 SATA Installation":

    "The 42mm standoff cannot be moved without disconnecting the thermal paste between the processor and the heat sink. This is not supported and may void the warranty."

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.