  • Listen queue overflow: 193 already in queue awaiting acceptance

    9
    0 Votes
    9 Posts
    1k Views
    mtarbox

    @stephenw10 Hmmm, I will have to wait until it does it again.
    Thank you for taking the time, and I will report back the next time it does it.

  • 0 Votes
    6 Posts
    629 Views
    stephenw10

    Can we assume you don't have a note of the ACB key then?

  • SSHGUARD logging attempts even though 22 is blocked?

    10
    0 Votes
    10 Posts
    727 Views

    @stephenw10

    Ugh... missed an interface on the DMZ. It's a /27 routed through the WAN. There was a virtual IP assigned which was acting as a gateway for the network behind it. I failed to manually block the admin ports.

    Thanks for helping me with my troubleshooting gymnastics!
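The miss described in this thread, a virtual IP acting as a gateway on a routed DMZ with no block for the admin ports on it, is easy to reproduce with a small policy model. The following is an added example, not code from the thread or from pfSense: it models pfSense-style per-interface rules (first match wins, default deny) and checks every address the firewall owns on each non-management interface, VIPs included, for reachable admin ports. The interface names, addresses and rules are constructed; the modeled meaning of the "<IF> address" and "This Firewall" macros (the former covers only the interface's primary address, the latter every local address including VIPs) is an assumption stated in the code.

```python
import copy
import ipaddress

ADMIN_PORTS = (22, 443)

# Constructed sample, not the poster's real config: a LAN plus a routed /27 DMZ whose
# next hop for the hosts behind it is a virtual IP (VIP) on the DMZ interface.
FIREWALL = {
    "interfaces": {
        "LAN": {"net": "192.168.1.0/24", "addrs": ["192.168.1.1"], "vips": []},
        "DMZ": {"net": "203.0.113.32/27", "addrs": ["203.0.113.33"], "vips": ["203.0.113.62"]},
    },
    # Per-interface rules in pfSense evaluation order: first match wins, default deny.
    "rules": {
        "LAN": [{"action": "pass", "src": "LAN net", "dst": "any", "dports": "any"}],
        "DMZ": [
            # The mistake from the thread: the block only covers the interface's own
            # address, so the VIP acting as a gateway is left open.
            {"action": "block", "src": "any", "dst": "DMZ address", "dports": ADMIN_PORTS},
            {"action": "pass", "src": "DMZ net", "dst": "any", "dports": "any"},
        ],
    },
}


def local_addrs(fw, iface):
    """Every address the firewall answers on for this interface, VIPs included."""
    i = fw["interfaces"][iface]
    return list(i["addrs"]) + list(i["vips"])


def match_addr(spec, addr, fw):
    """Resolve an address macro. Modeled assumption: '<IF> address' is the primary
    address only; 'This Firewall' is every local address including VIPs."""
    if spec == "any":
        return True
    if spec == "This Firewall":
        return any(addr in local_addrs(fw, n) for n in fw["interfaces"])
    if spec.endswith(" address"):
        return addr in fw["interfaces"][spec[: -len(" address")]]["addrs"]
    if spec.endswith(" net"):
        net = ipaddress.ip_network(fw["interfaces"][spec[: -len(" net")]]["net"])
        return ipaddress.ip_address(addr) in net
    return addr == spec


def verdict(fw, iface, src, dst, port):
    """Action of the first matching rule on the inbound interface; default deny."""
    for r in fw["rules"][iface]:
        if (match_addr(r["src"], src, fw) and match_addr(r["dst"], dst, fw)
                and (r["dports"] == "any" or port in r["dports"])):
            return r["action"]
    return "block"


def sample_host(fw, iface):
    """A host on the interface's network that is not one of the firewall's own addresses."""
    net = ipaddress.ip_network(fw["interfaces"][iface]["net"])
    own = set(local_addrs(fw, iface))
    return next(str(h) for h in net.hosts() if str(h) not in own)


def exposed_admin_ports(fw, management_ifaces=("LAN",)):
    """(iface, local_addr, port) for every admin port a host on a non-management
    interface can reach on any address the firewall owns on that interface."""
    found = []
    for iface in fw["interfaces"]:
        if iface in management_ifaces:
            continue
        src = sample_host(fw, iface)
        for dst in local_addrs(fw, iface):
            for port in ADMIN_PORTS:
                if verdict(fw, iface, src, dst, port) == "pass":
                    found.append((iface, dst, port))
    return found


def hardened(fw):
    """Same policy with the DMZ block rule widened to 'This Firewall'."""
    fixed = copy.deepcopy(fw)
    for r in fixed["rules"]["DMZ"]:
        if r["action"] == "block":
            r["dst"] = "This Firewall"
    return fixed


if __name__ == "__main__":
    print("before:", exposed_admin_ports(FIREWALL))
    print("after:", exposed_admin_ports(hardened(FIREWALL)))
```

Run as-is it reports the VIP's port 22 and 443 as reachable from the DMZ and nothing after the block is widened to "This Firewall"; the same walk over a real rule set is the check worth doing whenever a VIP or a second address is added to an interface.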

  • A way to increase PPPoE initialization timeout?

    Moved
    10
    0 Votes
    10 Posts
    2k Views

    @stephenw10 ok thank you I will try🙏🏼

  • VPN point to point

    Moved
    40
    0 Votes
    40 Posts
    4k Views
    stephenw10

    If nothing was changed in pfSense in between those connection attempts then the difference is that it succeeds when pfSense initiates the connection:

    Sep 27 14:02:48 charon 18669 09[IKE] <con2|5> initiating Main Mode IKE_SA con2[5] to 200.0.211.137
    Sep 27 14:02:48 charon 18669 09[IKE] <con2|5> IKE_SA con2[5] state change: CREATED => CONNECTING
    Sep 27 14:02:48 charon 18669 09[CFG] <con2|5> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Sep 27 14:02:48 charon 18669 09[ENC] <con2|5> generating ID_PROT request 0 [ SA V V V V V ]
    Sep 27 14:02:48 charon 18669 09[NET] <con2|5> sending packet: from 190.13.88.176[500] to 200.0.211.137[500] (180 bytes)
    Sep 27 14:02:48 charon 18669 11[NET] <con2|5> received packet: from 200.0.211.137[500] to 190.13.88.176[500] (104 bytes)
    Sep 27 14:02:48 charon 18669 11[ENC] <con2|5> parsed ID_PROT response 0 [ SA V ]
    Sep 27 14:02:48 charon 18669 11[IKE] <con2|5> received NAT-T (RFC 3947) vendor ID
    Sep 27 14:02:48 charon 18669 11[CFG] <con2|5> selecting proposal:
    Sep 27 14:02:48 charon 18669 11[CFG] <con2|5> proposal matches

    But fails when the other side is initiating:

    Sep 27 14:02:43 charon 18669 16[NET] <4> received packet: from 200.0.211.137[500] to 190.13.88.176[500] (168 bytes)
    Sep 27 14:02:43 charon 18669 16[ENC] <4> parsed ID_PROT request 0 [ SA V V V V ]
    Sep 27 14:02:43 charon 18669 16[CFG] <4> looking for an IKEv1 config for 190.13.88.176...200.0.211.137
    Sep 27 14:02:43 charon 18669 16[IKE] <4> no IKE config found for 190.13.88.176...200.0.211.137, sending NO_PROPOSAL_CHOSEN

    So there is probably some difference between the configs. For example if the other side is set to IKEv1 or 2 it may be defaulting to v2 when it proposes but allows v1 when pfSense proposes it.

  • CARP-based PPPoE failover stops working on 2.7.0

    18
    0 Votes
    18 Posts
    2k Views
    stephenw10

    If the other node is not running the same version then config sync will be disabled. But state sync would still be enabled. And the CARP status doesn't care about the version.

    It could be related to that bug, though I don't see the same flood of CARP events that triggered it.

  • Smacked from sort of experienced back to novice

    15
    0 Votes
    15 Posts
    704 Views
    stephenw10

    It depends who/what the users are. If they are real people they usually let you know pretty quick when things don't work. 😉

    If it's IoT devices etc you have to test yourself.

    As with all things it's a question of security vs convenience. Though the actual security benefits are questionable at best and the inconvenience is significant so.....

  • EAP-TLS Failing with Android...

    Moved
    6
    0 Votes
    6 Posts
    1k Views
    johnpoz

    @abuttino there was a really long thread a while back about this - Android seems to be very problematic with trusting CAs

    https://forum.netgate.com/topic/180369/freeradius-eap-tls-android-13

    Only android I had to work with was a lenovo tablet.. Using an older version of android.

    I use eap-tls with chromebook and ios phones and tablets and my windows pc without any issues.

  • Storage issue unable to clear logs

    4
    0 Votes
    4 Posts
    577 Views

    Thanks for all the great suggestions. Found that the log issue was with PFblockerNG with log files being huge, reset the logs and we are now at a normal level .

    Thanks
    CJB

  • Help a newbie - Please?

    15
    0 Votes
    15 Posts
    1k Views
    stephenw10

    You don't need to know anything about Python. That just sets the module Unbound is using to import the lists from pfBlocker.

  • Despite months of config, still having connection issues

    29
    0 Votes
    29 Posts
    3k Views
    JonathanLee

    @rheritier yes, as long as IPv6 clients know where the proxy is you're good to go.

  • Serious errors on boot up and pfSense can't provide any connection

    16
    0 Votes
    16 Posts
    2k Views
    bthoven

    @stephenw10 I tried again today. This time I used my latest config backup in version 2.6, deleted the said rule and its duplicates (size 398KB), and then rebooted. It booted up properly with config size 399KB. I initially got no internet and later found my LAN interface rule, which allows any sources/ports was missing. Adding the rule back and the internet was back. I tried changing a few configurations and the config file has not grown like before.

    I'll keep monitoring whether there will be any other side effects.

    Thanks.

    update on Oct 2, 2023: The problem has been permanently fixed, though I don't know how such Openvpn wizard creation xml section was there.

  • pfSense one of the interfaces stopped working after power failure

    9
    0 Votes
    9 Posts
    920 Views

    Thanks for your help Steve.

    Ujjwal

  • PKG error

    15
    0 Votes
    15 Posts
    7k Views

    @Vinatra configuration wise - we simply edited the config file and put in the IP of the Wazuh server
    That was the full extent of any configuration

  • Getting private/local IP on WAN

    64
    0 Votes
    64 Posts
    10k Views

    @stephenw10 thanks I will try it out. I appreciate it.

  • 0 Votes
    8 Posts
    699 Views
    johnpoz

    @cornerstonefound said in Noob q what ip should show in iplookup, still my dns ip or firewall lan ip?:

    Btw, your profile pic is satanic

    Ok -- sorry you don't like it, I think it's cute.. And btw it's the mascot of BSD, which is what pfSense runs on, a flavor called FreeBSD. So I guess you're saying pfSense is satanic.. Maybe it will take your soul if you use it?

    https://en.wikipedia.org/wiki/BSD_Daemon

    His name is Beastie btw..

    It has taken mine ;)

    I know Jesus, he lives down the street - his wife makes great freaking tamales!!

  • Unable to reach WebGUI after initial setup

    5
    0 Votes
    5 Posts
    529 Views

    @Trent2458 This ended up fixing it. I was trying to connect while on WAN, connected to my LAN and it started working

  • Setting up a 4G router to work with pfSense

    6
    0 Votes
    6 Posts
    750 Views
    stephenw10

    Both could be DHCP. The 4G router would be handing a DHCP lease to the pfSense WAN. pfSense would be handing DHCP leases to the clients on its LAN.

    The link between the pfSense WAN and 4G router could use static addressing instead but I would use DHCP initially.

    Steve

  • PPPoE - Single Core - SMT / Hyper Threading On or Off

    5
    0 Votes
    5 Posts
    650 Views
    RobbieTT

    @tman222 said in PPPoE - Single Core - SMT / Hyper Threading On or Off:

    Xeon D-1718T

    I went with the D-1736NT (8-core QAT) wrapped in the very familiar Supermicro short-depth design (SYS-510D-8C-FN6P).

    I did look at the 4-core QAT version for the lower TDP but they were exceptionally hard / impossible to find in the UK and not much cheaper than the 8C. No doubt I will end up running a few things on it so the extra cores will probably get to stretch their legs at some point.

    The rest of it will come from existing stuff I have kicking around - a couple of 16GB RDIMMs, Optane (M.2 and/or U.2), SlimSAS to 4x or 8x SATA SSDs are all candidates. These things always tend to get 'played' with. Tempted to try Proxmox too.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.