@michmoor said in [Negate 6100] No logging post 23.01 upgrade:

@stephenw10 Nope no error. I still think it’s package related perhaps.
Suricata alerts I get a syslog entry.
EVE json logs are not generated and not sent to pfsense syslog.

Probably just similar to this then but as you say that code will all be in the package. Better to open a new thread for that in the IDS/IPS section.

@jimp

Wow
I knew nothing about this patches system ! It's nice.
I just did what you said.

I learned many new stuff about my pfsense today, thanks to you !
I love it even more :D

Thank you !

@stephenw10 Staples has nothing on Netgate in the "That was easy" department. :)

10 mins to get the image, 5 to find a usb stick and burn it, maybe 20 total to install 23.01 to a different mSATA and restore the old config. Yep, half hour total.

Good job. Thanks.

@mauro-tridici The path ends up being like this:

packet goes out from 192.168.120.111 to 192.168.120.1

192.168.120.1 sends the packet to 172.16.3.10

The PC at 172.16.3.10 doesn't need to use a gateway, it knows how to talk to 192.168.120.111, because it's on that network, so sends a response out from 192.168.120.10 to 192.168.120.111

192.168.120.111 is not listening for a reply from 192.168.120.10 so ignores it

Mmm, run sockstat and see what's using port 80. I assume you moved the webgui to 8180?

If you've installed some 3rd party package though anything is possible!

@Gertjan Do you know what token I should use here ?
https://github.com/pfsense/FreeBSD-ports/blob/487258ae7cbd1039621b5dc5ac625f23d5519f39/security/pfSense-pkg-acme/files/usr/local/pkg/acme/acme_command.sh#L96

Where I can find it?

If you run that script it enables that option, so you would see it checked after no matter what it was before.

Look in the config history to see what changed in the configuration when you ran the script. Do a diff from the version before to that version and see what it altered.

https://redmine.pfsense.org/issues/13983

Somehow Virtual IP of WA2 was created.
Just removed it and all back to normal
Thanks!

almost 3 days of uptime, no page faults so far!

@steven81 said in pfsense, google wifi and port forwarding:

current info is that the port forwarding is no longer needed.

And what does that have to do with you sending traffic from can you see me and not getting it?? You either sent it to wrong IP, but they no what IP you are talking to the website for. So either vpn or proxy so they have wrong IP, or there is something blocking traffic to your IP upstream of pfsense.. Or you just not sniffing correctly?

Either way I would figure it out - what about the next thing you need to setup a port forward for?

@tse-0 hmm.. no time right now to examine further but the code does seem to validate old IP vs new:

if (!is_ipaddr($oldip) || ($curwanip != $oldip) || file_exists("{$g['tmp_path']}/{$interface}_upstart4") ||
(!is_ipaddrv4($config['interfaces'][$interface]['ipaddr']) && ($config['interfaces'][$interface]['ipaddr'] != 'dhcp'))) {
....
<package restart here>
...

Could be one of the other conditions here I guess... Might hack in some debug code for the log so I can see what's going on ...

Thank you!

Your reminder that ESXI has command line capability enabled me to finally get to the pfsense console and restore a configuration.

I had to shutdown the pfsense server
Startup an old firewall that had a DHCP server
This finally gave my computer the ability to get to the ESXI webpage.
From here I could start pfsense and use the console.

There are probably better ways to resolve this, but this is what I did and it is working.

Thanks again!

I don't know what I did wrong previously, but I re-attempted it and managed to get it to work with the same thought processing in mind. I created a backend that will be my local web server:

- Open HAProxy/Backend and add a new backend entry, named , which forwards to port

My http/https offloader (front-end) defines a path rule and redirects to such backend if we have an ACME challenge:

- Edit your frontend, which shall be named and is triggered by any external address with port

- Under "Access Control List" add an entry called with the expression "Path starts with:", CS: no (not case-sensitive), Not: no (no inversion) and the value

- You now need two actions, one for the condition name and one for . should offload using the action "http-request redirect" with the rule while should use the action "Use Backend" with the previously created local backend

Maybe it was the ordering of the actions, maybe it was the naming. I was pretty confident that I tested my previous setup with 127.0.0.1 as well, but this seems to work and I don't know why it did not work previously.

Now it was very easy to confirm the configuration is right when using postman. Say you have the domain example.org, you should do a GET request to two different URLs to validate their response:

http://example.org/foobar: Should return a Location header with the https version of the URL, so confirming the offloader works http://example.org/.well-known/acme-challenge/foobar: Should timeout! It must not return an error immediately, or the configuration is wrong. If the configuration is right, it will try to talk to the standalone HTTP server that only runs during the ACME challenge, so it will timeout with 503 Service Unavailable after 60 seconds or so, which means it will succeed if the standalone HTTP server is running.

With this setup the "Standalone HTTP server" method will work.

It depends on the device and the image. Some do have specific firmware (especially true with different types of ARM devices). That said, the 5100 and 4100 both use the same serial memstick installer so it should work on both.

@jimp Fair enough at least im not missing something simple then. As I said it was an easy fix just wasn't sure if I was making it harder for myself.

Hi,
Still having this latency.
Maybe it's normal ?

In your pfsense, do you have the same problem ?
Does the ping increase slightly after pfsense ?

Thanx

@gertjan

Partial reset : LAN :

418dd979-67f2-4ce9-ad40-db4105d7312a-image.png

edit : or a total reset of all counters, and IPv6 is 75 % of all outbound traffic 😊

@steveits Thank you, Steve. I appreciate it. It's very encouraging.

@steveits Thank you. I'll take a look at that.