• How to handle Telnet access to industrial control appliance

    8
    0 Votes
    8 Posts
    376 Views
    N

    @stephenw10 Excellent thank you.

  • using pfSsh.php to set user authorized_keys

    4
    0 Votes
    4 Posts
    422 Views
    T

    24.11 changed something. New code:

    $username = 'foobar';
    $user_item_config = getUserEntry($username);
    $usernum = $user_item_config['idx'];
    $user = &$user_item_config['item'];
    $user['authorizedkeys'] = "base-64-encoded-string-here";
    config_set_path('system/user/' . $usernum . '/authorizedkeys', "base-64-encoded-string-here");
    write_config('edited SSH public key for user foobar via pfSsh.php');
    local_user_set($user);

  • pfSense updates & Package Manager not working correctly

    Moved
    12
    0 Votes
    12 Posts
    493 Views
    stephenw10S

    Usual suspects are some browser plugin blocking a script or similar. Though I've never seen that particular behaviour before.

  • Why IPv6 DNS server on dashboard, when no IPv6 used?

    10
    0 Votes
    10 Posts
    390 Views
    M

    @johnpoz Ok, thank you. So to avoid any possible side effects by doing some exotic settings mentioned in your post, I decided to follow the "ocd monkey gone with simple click" suggestion.

    Thank you all.

  • Can the "Auto Configuration Backup" Device Key be recovered from the CLI?

    5
    0 Votes
    5 Posts
    365 Views
    GertjanG

    @dutsnekcirf said in Can the "Auto Configuration Backup" Device Key be recovered from the CLI?:

    how should I copy that directory back onto the box from my usb drive?

    Install pfSense using the installer.
    Accept all values 'by default', so you can go as fast as possible.
    As soon as the GUI becomes alive, login, and import the latest backed up config.
    Have it reboot - and during reboot it will set up your LAN 'as before' and your WAN 'as before' - and all interfaces if you had any.
    Because WAN is now fully operational and you had probably some packages installed, it will fetch them, and set them up. This can take a minute or two.
    When that's done, for good manner, from the GUI, do a full reboot again.

    If you really want to, you can now insert the USB drive with all the files you have kept on it, mount the USB drive, and copy (/cf/conf/backup - see below) them in place.
    Just keep in mind : check what happens afterwards. Normally, the files located in /cf/conf/backup/ are maintained by pfSense. Dunno what happens when you copy files in there.
    The content of /cf/conf/ : don't touch / add / remove anything from that place, let pfSense handle it.
    Or create a new folder below the /root/ folder, and put them there.

    Or don't copy anything, keep the saved files on another place, like the USB drive, as that will be the best place : not on pfSense itself, but another device.

  • 0 Votes
    3 Posts
    144 Views
    jimpJ

    The only way to do that securely is multiple servers, one per "group" based on what they should be able to access. Ideally each with a separate CA and unique TLS key.

    Static addresses can work but you also can't necessarily guarantee OpenVPN wouldn't assign an IP address to a client randomly that you have set static -- it doesn't do reservations like that.

    Per-user rules from RADIUS could work but it's a lot more complicated to setup and maintain, and harder to troubleshoot.

  • 0 Votes
    2 Posts
    143 Views
    stephenw10S

    @briddle said in Older devices have MUCH slower download than before upgrading pfSense device and child switch:

    is now seeing only 95 Mb/s down

    That says there is very likely something in the route linked at 100M. Some switch port, maybe a bad cable etc. Maybe the client devices directly.

    But that number is too close to 100M to rule out. Check all the links between the 6100 and client.

  • getting frustrated I cant Post my Question Akismet

    13
    3 Votes
    13 Posts
    692 Views
    GertjanG

    @Patch said in getting frustrated I cant Post my Question Akismet:

    but from a forum reader perspective that would be a disaster.

    Don't forget the forum owner ^^
    Do you really want them to hire xx extra people just to dig through the daily list of forum posts ?

    @comet424 said in getting frustrated I cant Post my Question Akismet:

    cuz that akismet you cant read up

    And that's actually not a bad thing.
    If I could see how "it's done", then someone else can do that also.
    5 minutes later this forum, and many others becomes a porn depot.
    1 day later Netgate will have to stop hosting a public freely accessible forum.
    Not only Netgate btw, but actually every big forum out there.

    @comet424 said in getting frustrated I cant Post my Question Akismet:

    .... like the government

    Akismet isn't a free service.
    If forum owners use it, pay for it, and start to lose legit forum users, then they will adapt their usage profile, and even stop using it if there are too many false positives.

    Imho : check your own 'profile' : from where are you posting ? What ISP ? What IP ? etc. As they are not all treated (listed) equal.
    Be aware that using a VPN is great .... but these are used, by definition, by other clients that have something to hide. That simple fact can be used against you.
    A VPN that will just work for you is : the one you create yourself on your own server. Maybe not a server hosted in the amazon cloud. The server IP, with some luck, isn't tainted (known to be used for scam stuff in the past) so you're good : it's only you using this IP so nothing can happen, it won't get flagged / listed.

  • Unknown DHCP ping

    36
    0 Votes
    36 Posts
    2k Views
    johnpozJ

    @deleted the manual I found had a disable option - not sure if for same version of ipmi you are running.. But with that setting of dhcpv6 - I would expect it to yeah send out dhcpv6. It's like yours is missing the disabled option

  • LAN with external addresses not working

    3
    0 Votes
    3 Posts
    188 Views
    D

    @johnpoz I think that has everything I need. Thanks! I need to get more familiar with the documentation.

  • PFSense hangs up while booting

    8
    0 Votes
    8 Posts
    2k Views
    D

    If you're running pfSense as a VM on Proxmox (like I am), you'll likely go through multiple reboots with no problems... then one day it will just happen. Not sure exactly the cause... I assume something more than dumb luck triggered it to happen... 🤷 Either way the fix was simple enough in my case.

    Power off then on (or "reset") the VM while viewing the console via Proxmox UI
    When you see the initial Proxmox BIOS boot/splash screen, press F2 to enter it
    Go to "Device Manager" >> "OVMF Platform Configuration"
    Update the "Change Preferred" value to a more common (if there is such a thing) resolution value E.G. 1024x768
    In my case the original value was 1280x800
    Select "Commit Changes and Exit", then back out to the main BIOS screen.
    NOTE: Make sure you "Reset" when exiting the BIOS... not "Continue". This forces the new configuration to be applied and will be seen by pfSense

    That should do the trick.

  • Update problems

    11
    2 Votes
    11 Posts
    9k Views
    F

    @chpalmer thanks, 05/17/2025 this helped me!

  • Attack option with a USB stick

    8
    0 Votes
    8 Posts
    385 Views
    D

    Hi everyone,

    I'm glad that a few thoughts have come together after all.

    Sure, if I have access, then it's over. But that's also the point, so that you can make entries.

    I actually imagined it to be like “Hollywood”.
    Or rather scenarios along the lines of Stuxnet.

    What is possible if you have the option of connecting a stick briefly.

    However, if in any case, even if you extend the scenario and you still have a keyboard with you and the menu in your head always needs a restart, this is conspicuous at the latest.

    Thank you and I am now quite relaxed.

  • 0 Votes
    6 Posts
    244 Views
    M

    @stephenw10 I understand the conflict.

    If Netgate contributes to the open-source project, maybe this is an effort where it can contribute, namely, end-user comprehensible error messages.

    If that's "too hard" then solve it with documentation: initiate an error messages and codes section of the user manual which lists the error messages, then what it means and directions to take for recovery.

    As it is, customers are left thrashing around with support, or this forum, often at Netgate's direct or indirect, uncompensated, expense.

    For instance, DEC had the OpenVMS error messages and codes manual, which was helpful to the customers.

    It seems to me we've regressed since then where error messages appear to have been made up on the spot by the developers and are substantially meaningful on their face mostly to developers.

    Customers support the business. Making their life harder makes the business' life harder. Is that what business leadership wants?

    Example:
    https://www.digiater.nl/openvms/doc/alpha-v8.3/ovms_archived/OVMS_MSG_REF_AL.PDF

  • 0 Votes
    29 Posts
    2k Views
    stephenw10S

    Ah, OK.

    So if you have enabled: Enable NAT Reflection for 1:1 NAT and Enable automatic outbound NAT for Reflection it should work.

    Try to open something that should be forwarded then check the states. You should see the NAT states on both interfaces applied to make the reflection work.

  • pfSense Error: NGINX syslog logging failed — Connection reset by peer

    5
    0 Votes
    5 Posts
    303 Views
    stephenw10S

    Then I wouldn't worry about it.

  • eMMC appears to have failed after only 5-6 months of use.

    7
    1 Votes
    7 Posts
    556 Views
    patient0P

    @dutsnekcirf said in eMMC appears to have failed after only 5-6 months of use.:

    I've suggested that she purchase an 1100 series router as a replacement

    The 1100 also has eMMC memory and therefore the same issue can occur.

    Install the SATA SSD only after you check with Netgate support if you still got warranty.

    Mentioned in the Netgate doc: Optional M.2 SATA Installation:

    "The 42mm standoff cannot be moved without disconnecting the thermal paste between the processor and the heat sink. This is not supported and may void the warranty."

  • Remote syslog severity filtering

    6
    0 Votes
    6 Posts
    934 Views
    S

    @stephenw10
    Interesting indeed:
    pfSense can notify us: of expiring Certs, and after a reboot, but apparently not much more.
    Packages like arpwatch, nut, add notifications for ARP changes and UPS status.
    I just had a system with a failing disk send me an email about the reboot we performed, all the while it was logging fatal disk errors.
    Not only should pfSense be aware of syslog severity, we should be able to get notifications for crit, alert, emerg level entries so long as notification is still functioning.
    In response to above incident, I've been researching options:

    remote syslog: every entry cleartext to an Internet host: nope
    smartd: so close: smartmontools already installed, but cannot run the smartd daemon. (only covers disk errors)
    zabbix-agent: package is not current. Zabbix svr on Internet: nope.

    Could probably accept the risk of cleartext remote syslog, if we could also filter Remote Syslog Contents by severity, in which case virtually nothing would be sent until there is a serious problem.

    May 2 14:40:07 kernel (ada0:ahcich1:0:0:0): RES: 71 04 00 00 00 40 00 00 00 00 00
    May 2 14:40:07 kernel (ada0:ahcich1:0:0:0): ATA status: 71 (DRDY DF SERV ERR), error: 04 (ABRT )
    May 2 14:40:07 kernel (ada0:ahcich1:0:0:0): CAM status: ATA Status Error
    May 2 14:40:07 kernel (ada0:ahcich1:0:0:0): FLUSHCACHE48. ACB: ea 00 00 00 00 40 00 00 00 00 00 00
    May 2 14:40:07 kernel (ada0:ahcich1:0:0:0): Retrying command, 0 more tries remain
    May 2 14:40:07 kernel (ada0:ahcich1:0:0:0): RES: 71 04 00 00 00 40 00 00 00 00 00
    May 2 14:40:07 kernel (ada0:ahcich1:0:0:0): ATA status: 71 (DRDY DF SERV ERR), error: 04 (ABRT )
    May 2 14:40:07 kernel (ada0:ahcich1:0:0:0): CAM status: ATA Status Error
    May 2 14:40:07 kernel (ada0:ahcich1:0:0:0): FLUSHCACHE48. ACB: ea 00 00 00 00 40 00 00 00 00 00 00
    May 2 14:40:07 kernel (ada0:ahcich1:0:0:0): Error 5, Retries exhausted

  • Pfsense Plus NIC Drivers Query

    2
    0 Votes
    2 Posts
    178 Views
    stephenw10S

    24.11 does compared with 2.7.2. But 2.8-beta is built on the same base as 25.03-beta.

    https://docs.netgate.com/pfsense/en/latest/releases/versions.html

    However I'd expect an X550 NIC to work fine in any of those.

  • This topic is deleted!

    1
    0 Votes
    1 Posts
    7 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.