• 0 Votes
    26 Posts
    4k Views
    stephenw10S
    Yeah, it would probably expose an attack method if the replies could be seen as success or failure. And, yes, I agree the original issue seems like it was more than that. Glad you got it working now though.
  • pfSense laggy after WAN outage

    26
    0 Votes
    26 Posts
    581 Views
    stephenw10S
    Yes that would be a good test. It would rule out some link negotiation issue with the WAN NIC.
  • I moved my pfSense Spectrum from Altafiber

    5
    0 Votes
    5 Posts
    116 Views
    chpalmerC
    @JoeAshley What model modem? If it is a telephone also modem it might have a battery in it. Can you confirm either way? (Post the model here if you are unsure.) With the ISP router out of the mix.. if you go to Diagnostics/Ping.. Can you try to ping something like 1.1.1.1 or 8.8.8.8 and see if that comes back.. Then try to ping a host name from the same tool.. Commercial or Residential account?
  • RADIUS Authentication method

    Moved
    11
    0 Votes
    11 Posts
    252 Views
    stephenw10S
    Hmm, this seems familiar....
  • Pfsense crashing daily on protectli vault

    crash 2.8.1 pfsense
    10
    0 Votes
    10 Posts
    542 Views
    K
    @stephenw10 Okay that's good to hear. I wasn't sure. Thanks.
  • How to install Tor?

    Moved
    9
    0 Votes
    9 Posts
    357 Views
    KOMK
    @hack3rcon The proper way is to run Tor in a VM. Put it on its own vlan to isolate it from your network and forward it through the firewall.
  • What is the problem with my firewall?

    7
    7
    0 Votes
    7 Posts
    322 Views
    stephenw10S
    @hack3rcon said in What is the problem with my firewall?: Only computers that have the same Default Gateway as pfSense can use pfSense. You mean only clients in the same subnet? That implies clients from other subnets are being blocked somewhere. Possibly by pfSense itself. The default allow rule only passes traffic from the same subnet so might need to add another rule. Otherwise it could be being blocked on whatever your other router/firewall is.
  • Long wait for GUI to appear

    72
    0 Votes
    72 Posts
    2k Views
    johnpozJ
    @hspindel said in Long wait for GUI to appear: conf is a misfeature if IPv6 is disabled. Put in a feature request. But it's only an issue because you manually selected to block IPv6.. Out of the box with no IPv6 ::1 works just fine. I personally don't get the uncheck IPv6 allow in the first place - if you do not enable IPv6 there is little point to block it via rules. It's not going to work over ipv6 if it's not setup ;) for external anything. No, that's what I determined experimentally. Not sure how you did that, because it's not true at all. Mine doesn't listen on ::1 because I have do-ipv6 set to no in unbound. But if you ask unbound then yeah you would still resolve your local resources.. Sure if you set your dns in pfsense to be something remote like google or something then no you're not going to be able to resolve local stuff.. Set your dns to be local and point to a local IP be it 127.0.0.1 or your lan IP, etc..
  • Authentication inconsistent behaviour

    26
    0 Votes
    26 Posts
    589 Views
    stephenw10S
    Maybe! The PHP LDAP module is.... interesting.
  • 0 Votes
    8 Posts
    214 Views
    chpalmerC
    @it_geek said in Force fsck on a secondary drive installed on the system every time at boot: people appear to take labels on power plugs as... suggestions. One way a good UPS solves this is by the constant "power out beep".. Just keep the display hard to reach so they can't silence it.
  • Pfsense Plus Reinstall With Bad Configuration

    2
    0 Votes
    2 Posts
    79 Views
    stephenw10S
    You can install various versions from the installer. You can put several configs onto the installer memstick and choose from them at install time. The config you can set in the installer should be almost everything you can set in pfSense so I wouldn't anticipate a problem. What sort of config do you need to set for your modem?
  • Could not connect to /var/run/php-fpm.socket

    11
    0 Votes
    11 Posts
    1k Views
    A
    OK, I now understand the nature of the problem. See PR 252165.

    Ali Abdallah 2024-11-13 21:26:53 UTC
    The usb process/request code is completely broken when it comes to different threads sharing ue_lock (ioctl versus uether tick), the usb request code releases the acquired lock, making ioctl thread waiting for the same lock to be scheduled for execution, lovely! To be more precise. ioctl waiting for ue_lock, which is acquired by ue_tick, but then the tick code will call at some point usbd_do_request_flags, which will release the lock at the beginning (and then acquire it later), but in the meantime we have our "cute" ioctl thread waken-up only to report wrong media_status value!

    vxasxfepbikrfqdruz 2022-10-22 04:06:44 UTC
    Yeah, I was pretty surprised as well that this is entirely broken despite several USB to ethernet adapters being listed as supported by FreeBSD. This also affects pfSense and opnSense which you think would generate some attention about this, but they just seem to recommend not using USB adapters at all.

    Ali Abdallah 2026-03-16 16:00:12 UTC
    I got excited for a moment when I saw a commit referencing this bug, I thought that we have finally a solution, but unfortunately this is just a workaround, it is not a resolution for the issue, and it is only implemented for if_ure, other usb network drivers suffer also from this bug (if_muge, if_axge, if_rue, etc...) TBH after all these years, I was expecting a real solution, at the usb request code level (see comment 38). If a workaround is to be implemented, there are easier solutions (see comment 3, patch https://bugs.freebsd.org/bugzilla/attachment.cgi?id=221274&action=diff) which needs to be extended also for other phys at the mii bus level.

    So the MII layer driver was, is, and will be completely broken in FreeBSD. And the number of failure modes from a driver bug seems unbounded. For example, after a dozen or so reboots yesterday, I had a stable system for about a day. Until I didn't.

    PHP-FPM failure was a sign, so I restarted it. Still no joy. No DNS response. I tried killing and restarting dnsmasq but that did not help. Rebooting showed dnsmasq running, but still no DNS service immediately. Again I rebooted about a half dozen times until I finally got DNS service. I guess the best I can hope for is another day of operation until I have to repeat.

        Routing tables

        Internet:
        Destination        Gateway            Flags     Netif Expire
        0.0.0.0            xxx.yyy.zzz.1      UGS         ue1
        8.8.8.8            xxx.yyy.zzz.1      UGHS        ue1
        10.0.0.0/16        link#1             U           re0
        10.0.0.1           link#3             UHS         lo0
        10.1.0.0/16        10.0.0.1           UGS         re0
        xxx.yyy.zzz.0/23   link#7             U           ue1
        xxx.yyy.zzz.247    link#3             UHS         lo0
        127.0.0.1          link#3             UH          lo0

        [2.8.1-RELEASE][admin@fw.bananas.com]/root: nslookup orange
        ;; communications error to 127.0.0.1#53: timed out
        ;; communications error to 127.0.0.1#53: timed out
        ;; communications error to 127.0.0.1#53: connection refused
        ;; communications error to ::1#53: connection refused
        ;; communications error to 10.1.0.1#53: timed out
        ;; no servers could be reached

        [2.8.1-RELEASE][admin@fw.bananas.com]/root: nslookup www.google.com
        ;; communications error to 127.0.0.1#53: timed out
        ;; communications error to 127.0.0.1#53: connection refused
        ;; communications error to 127.0.0.1#53: connection refused
        ;; communications error to ::1#53: connection refused
        ;; communications error to 10.1.0.1#53: timed out
        ;; no servers could be reached

        [2.8.1-RELEASE][admin@fw.bananas.com]/root: ps -auxww | fgrep dns
        nobody 34809 0.5 0.0 16644 5080 - S 10:51 0:00.01 /usr/local/sbin/dnsmasq -C /dev/null --dhcp-hostsfile=/etc/hosts --no-resolv --server=10.1.0.1 --server=8.8.8.8 --server=1.1.1.1 --server=4.4.4.4 --strict-order --dns-forward-max=5000 --cache-size=10000 --local-ttl=1
        root 46981 0.0 0.0 13988 2612 - Ss 10:51 0:00.00 /usr/local/sbin/dhcpleases -l /var/dhcpd/var/db/dhcpd.leases -d bananas.com -p /var/run/dnsmasq.pid -h /etc/hosts
        root 92820 0.0 0.0 22908 3596 - Is 10:50 0:00.00 /usr/local/sbin/filterdns -p /var/run/filterdns-ipsec.pid -i 60 -c /var/etc/ipsec/filterdns-ipsec.hosts -d 1
        root 47137 0.0 0.0 14076 2676 0 S+ 10:51 0:00.00 fgrep dns
        [2.8.1-RELEASE][admin@fw.bananas.com]/root:

    You can't tell me that this is all because the USB network drivers are "flappy". This is house of cards that falls down due to unhandled errors. And is blamed on the USB if instead of correcting.

    Andrew
  • 26.03.1 ?

    6
    0 Votes
    6 Posts
    331 Views
    M
    @Gertjan said in 26.03.1 ?: it did take less than two minutes, reboot included. Nice!!
  • fe80::1:1 for ipv6 track interface causes a problem with Apple TV box

    41
    1 Votes
    41 Posts
    3k Views
    luckman212L
    @dennypage Hmm. Yes I could try that. Somehow I thought maybe IPv6 was required for AirPlay. Right now everything's working but when I go back to tinker mode I'll give that a try.
  • VoIP - PBX // Login successful but no connection

    21
    0 Votes
    21 Posts
    581 Views
    D
    @stephenw10 Yeah, you're right—“PBX” is a big word for this little plastic box. Also, the box is actually at least 13 years old and was only meant to be a temporary solution. But it looks like the “box” isn't going to cut it anymore. Even with static ports, nothing has changed. I'm done with this thing. I’ve already picked out a really nice board for a small freePBX and will use that. I think that will give me a clean solution. But thank you very much for your help @chpalmer & @stephenw10.
  • Cannot reach Vigor 2962 from vlans behind pfSense

    11
    0 Votes
    11 Posts
    328 Views
    stephenw10S
    So that pcap was taken on WAN_5G? If so it looks like it leaves there without being NAT'd for some reason. If you filter the states for all interfaces do you see the state for that on WAN_5G? Does it show NAT on the state? The other curious thing there is that the monitoring pings, that you see are working, are coming from 20.1.10.5. Is that a new IP you're using on WAN_5G? Those pings are probably leaving via the wrong interface. Potentially something defined in IPSec could be grabbing it.
  • Prevent Information Leaks

    14
    2
    0 Votes
    14 Posts
    528 Views
    stephenw10S
    @hack3rcon What exactly are you trying to achieve here? What's your end goal?
  • Problem with connectivity

    7
    0 Votes
    7 Posts
    260 Views
    M
    @johnpoz So I have that working now. It was the certificate. I’ve been down the rabbit hole of trying to get a VPN working but no luck so far. Still working on it. I can’t really use one for this task. There are several different places connected in a few different ways so I don’t know how it would have to be setup. Anyway, thanks for the help, Jack
  • 0 Votes
    9 Posts
    277 Views
    tinfoilmattT
    no go epic!! You know you’re gonna do it check out this code
  • How to restart unbound from command line

    3
    0 Votes
    3 Posts
    132 Views
    johnpozJ
    @patient0 said in How to restart unbound from command line:
        /usr/local/sbin/pfSsh.php playback svc restart unbound
    yeah that should work
        [26.03-RELEASE][admin@sg4860.home.arpa]/root: /usr/local/sbin/pfSsh.php playback svc restart unbound
        Attempting to issue restart to unbound service...
        unbound has been restarted.
        [26.03-RELEASE][admin@sg4860.home.arpa]/root:
Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.