So far, so good! No crashes after about 10 days since updating the BIOS/microcode. Let's hope it stays that way!

@johnpoz Yes, as above "I can ping all the IP addresses returned by the pools." and as is the nature of the pools, you likely get different responses which each subsequent uncached DNS query.
However those IP addresses can be pinged as well..

Nothing has really changed in my configuration and clearly it has stopped around the time I applied the last system update.
But not a DNS issue for sure.

No FW rules have even been changed since it worked last. The log file I originally attached in the first message has IP address, all check.

4.png

I setup a packet trace to check for 123 outbound on the Wan. I don't have an old log file, but I'm pretty sure it use to log the finding and changing of the active.
Meanwhile
The packet trace lead to a WTH moment.
The requests are coming from an IP that I don't use in my network. (10.10.
ifconfig, it is bound to localhost.
Wait localhost, why that? (I don't even listen on localhost.)

5.png

But what I did, was select (WAN, LAN, localhost) on the above screen, then clear WAN, localhost) and NTP almost immediately started working again.
Not sure why, but I pulled an old config and localhost has never been selected.
Seems something in the update made the system think it was, and the system was listening to itself, even though I couldn't see this in the dialog as only LAN appeared selected.

6.png

The behaviour has been patched in 2.7.0, details here, the details indicate it should be less aggressive now, so will run without my patch for a while on 2.7.0, and if the old behaviour comes back will submit my patch, I didnt submit before as been on 2.6.0 code would have been too far away from dev code, was planning to update to dev branch and then 2.7.0 got released. :)

https://redmine.pfsense.org/issues/12619

@matthewgcampbell Good, glad it's working! Yeah most likely the repeat pings were being blocked for some reason and then pfSense presumes the gateway is down. I personally almost always disable the gateway monitoring action if I only have a single WAN (since there is no need for failover) just in case some issue arises causing pf to think it's down.

@michelbinkhorst

The patches proposed above are valid for 2.7.0.
"2.7.0" is like "2.6.0", with hundreds of issues less.

So....finally figured out I had the incorrect credentials when I couldn't get it to log in using the No-IP software. Using a group, the login field is format groupname:account-username not groupname:dyndns-first-part-of-hostname. 🤕 However, I am left wondering why it "succeeded" so often using pfSense, in that I only got the "mysterious" credential error sometimes.

@1s440 - I have not uninstalled then installed packages again. Maybe doing so you have a corrupted package (or packages) in your config that is causing issues. It might be that your only recourse is to install 2.7 from scratch ☹

@robato You may want to change the IP used for the monitoring the gateway as well. This way when your internet connection goes down, but not he ISP router, it will reflect the correct status. You could use google or cloud flares DNS servers (1.1.1.1 or 8.8.8.8).

@r0utevv3

A VLAN is a means of separating logical networks over a physical network. As I mentioned, I have a guest WiFi, which is allowed to only access the Internet. The way I did this was to configure a 2nd SSID on my access point, which connects to the VLAN. My main SSID connects to the native LAN. This means both the main and guest WiFi travel over the same cable, but are logically separate. I do not separate my main WiFi from my main LAN. Both wired and wireless devices are on the same subnet.

According to my test,

unset($config['interfaces']['opt1']['enable']); interface_reconfigure('opt1'); write_config('enable/disable opt1 interface'); exec exit

Real-time enable/disable interface

The device key is derived from the SSH keys and those are only backed up in manual backups from Diagnostics > Backup & Restore, and even then only when the option is set to do so (which is on by default).

The extra backup options such as SSH keys, DHCP leases, Captive Portal databases, and RRD files, are not supported in AutoConfigBackup as they can significantly increase the size of the backup data.

@VioletDragon , to my knowledge (experience) license is per device, but that needs to be answered by a Netgate rep. or someone with much more knowledge on their licensing, once you register a device, the next time you install PfSsense+ on that same hardware it will show "Your device does not require registration, we recognize it already. You may have already registered, or it may be a pre-registered Netgate appliance." on the registration page, so I had to acquire another Plus (+) License for a second box. between Community Edition and plus, in my case, moving from the CE (FreeBSD 12) to Plus 23.05.1-RELEASE (amd64) (FreeBSD 14.0-CURRENT), it killed all my 2.5GB NICs (RTL 8125) and the 10GbE/40Gb_IBoIP (Mellanox CX-3) because of none hardware support in that later release, so if you planning on going to do that, make sure your hardware is covered/supported for the v14....

@templateunheard What does "repeater mode" mean? The 1100 is a router not a wireless access point.

Is the pfSense WAN the same 192.168.1.1/24 subnet as LAN? In that case, one needs to change. You can unplug WAN to configure that via LAN (may be slow as it tries to connect out to the disconnected WAN for updates and whatnot), or connect to the console.

https://docs.netgate.com/pfsense/en/latest/install/install-pfsense.html#pfsense-software-default-configuration

I ended up purchasing the TP-Link EAP650, I will see if it works out, this next weekend!

@AndyRH said in If a skilled hacker breaks into the network within PFSense:

are mostly legitimate and there is not good way to tell if they are being misused.

And how would pfsense even see them, since they would almost for sure be inside the https connection.. Without breaking end to end encryption and doing a mitm there would be no way for pfsense to even see cookies being used between the server and the client.

Hi

I have been traveling so I have not been able to respond.

I have made some changes and to my Pfsense which has fix many issues. Yes this is a simple setup with a single NIC computer running Pfsense.
Yes, It is a router on stick which I find is good for a small home office. You need to trust VLAN technology to be able to use router on stick designs.
I trust vlans and vlans is very practical in many ways. I will later on change from VL1 to something else as it is not recommended for security reasons
to use VL1. Pfsense, Netgear and Cisco talk vlan via Dot1q protocol, Cisco used to also do vlans via their proprietary protocol ISL but they have skipped that one
many years ago.

I have been using my own DNS for many years because of security and the low latency in DNS resolution. I like to keep my data in my log own files
rather having them at Google Datacenters :)

So I was running version 2.6 when I had "my" issues. I noticed in systems log that when I was loading the NIC with "more" traffic, NIC often
"decided" to restart which of course caused issues. I use a builtin Realtek Gigabit card in my Pfsense server and have found out that more people
than I have had issues with Realtek.

I have now upgraded the Pfsense to version 2.7, I have not started services like Snort, DNSBL for now.
I only run Ntopng 5.7.2 and the setup seem to work much better with my HW compared to when I was using 2.6 version of Pfsense.
No more odd NIC restarts when I load traffic on the network,

I am really happy right now and I love Pfsense. :)

Are you certain that the MB8600 actually supports LACP (as opposed to static LAG) in the first place? LACP doesn’t really provide any benefits if the devices are connected directly (i.e., no. media converters or such in between); why are you looking to enable it?

Also, regardless of LACP, unless your speed test uses multiple TCP connections, link aggregation will not give you better bandwidth — an individual stream will always be routed over exactly one link in the aggregation group.

@tcsac thank you for the instructions, this worked great and now I can cast YouTube from my mobile to my TV. However, the screen mirroring on my iPhone is still not displaying the TV which I have assigned a static IP. Any idea on how to fix that? TIA.

@Gertjan said in Telegram notification setup:

// edit start
notify_all_remote(sprintf(gettext("Successful login for user '%1$s' from: %2$s"), $_POST['usernamefld'], get_user_remote_address() . get_user_remote_authsource()));
// edit end

Genius! 😃