Ciao, @stephenw10

I did some test as suggested.

With pfblocker enabled worked well for 2 days, then it begun to had some random crashes.
These crashes usually happens during video stream (netflix) or watching youtube.
Also, the router crashes even after pressing the "save" button to disable the plugin. But I have no issue when I do the same procedure but to enable it.. very strange.

Unfortunately I haven't any log of these situations, usually on the home screen I have a yellow bar with a link, but now after the router reboot, it is like nothing happened.

Now I removed pfblocker and eneble the traffic shaper again and I will do some new test with this settings

@stephenw10 Thanks for the offer, I had already decided to just open a case as I was about to call it a night. I removed the 2 SSDs and replaced with an NVMe drive. This time I installed 2.5.0 -> 2.6.0 and amazingly I got a super quick reply to my case, they offered to remote access the system to see what was going on. I did the upgrade to 22.01 and uname -a showed correctly and this time no issues with temperature sensors and AES-NI was showing as active. Did the upgrade to 22.05 and again uname shows correct and everything works as expected.

I really appreciate the help, I am not sure what the issue was, either some problem with the ZFS mirroring and it was reading conflicting data from the disks or somehow the 2.5.0 starting point helped. Interestingly this time, I noticed that the wall of text during the upgrade was much much shorter and faster, not just the result of the faster NVMe drive, it just had less text, this time I recorded the upgrade incase it was showing errors, so I can only assume during the previous upgrade there were lots of errors reported but wasn't paying attention to what they said as I didn't expect any errors, I really don't know. I am happy that it's working and again thanks for your help.

I was in contact with my ISP and we managed to solve the problem by changing the ip 185.113.141.145 to the ip 185.113.143.xx inside the /24 of my /28. Thank you for help.

Yes, you would think. If it got stuck in a loop compressing the logs it could have high CPU usage for a long while though.

@skilledinept said in Automount ZFS volumes/datasets:

could it be that it's not loading some service that mounts the ZFS pools?

That is a good possibility. On a normal FreeBSD system /etc/rc.conf has "zfs_enable=YES" to enable/start the zfs service.
I don't have a pfSense with ZFS in front of me, but in the Web GUI, look under services and see if there is a ZFS somewhere to enable.

@bob-dig @stephenw10 You guys were 100% right... lol. I ended up having it configured through my wireless router (which I had setup as ap mode only). In AP only mode, it hides the ddns configuration... (smh). So when I checked it as a possibility it didn't show up. But after monitoring tcpdump I saw it reach out and try to update, so changed it back to router mode and was able to disable it. Thank you all for your help!

@matthew_beck You setup a traffic shaper (also called a limiter), or multiple traffic shapers, and apply that to an interface or one specific machine, or an alias of machines (hosts) on an interface.

https://docs.netgate.com/pfsense/en/latest/trafficshaper/index.html

Here'a a good video on the process:

https://www.youtube.com/watch?v=gIvc1qZn5dc

@hlrobert said in Local Password policy:

My PCI/SOC2 auditor would like to talk to you.

I known you're joking ;)

When handling private data like credit card stuff, medical data, or worse, army stuff, all bets are off. Even simple systems that handle the power grid should be seriously protected, because it's the blood of our society.

I only need one training when I have to deal with "PCI/SOC2" : and that is wrting clear and correct huge payment checks, as I would eject myself out of the "I know that" position.
I would pay some one. And sue the hell out of him when thing go wrong.

Thanks, everyone.

You're all correct. The count did include the replies. hahaha, I need more coffee. But, I also would like to reduce the noise. These answers are exactly what I was looking for. Really appreciate the quick responses. Thank you again!!

But it could be and by doing that the other side will be able to reply.

Your rule need only apply to the monitoring pings. So you probably want it on the MPLS interface.

Steve

Right obviously the package is not required and the Radius config is all on the remote and not in the firewall. But from the user auth point of view t configured in the same way. In both cases you need to add a Radius server in User Manager. The only difference there is that with Freeadius the server is specified as running at 127.0.01, because it's local. With a remote Radius server you need to configure the server IP address so pfSense knows where to find it.

But the OpenVPN config is no different, the only change would be selecting the new radius server to use.

Steve

@tedquade Seems it was quite broken. Did a bare-metal memstick install and config restore. Am now back in operation.

Thanks for your help.

Ted

Not sure what post you were refering to there, the link was removed.

What exactly are you seeing? I assume a 502 error.

What pfSense version are you running?

Did this just start happening?

Steve

@stephenw10 said in pfSense pkg from FreeBSD ports or repo:

That's really only any use if you have wifi hardware in the firewall. And we are all familiar with the issues there.

Unless you run kismet in server/drone config. But in that setup running the server part on some other host would probably be better. With the drone part running on an AP. Been many years since I did that....

Ok thanks for clarifying this, I would set up it then better
on an small RAPI and combine there kismet and fail2ban
for rough hosts in AP mode.

I've never tried that. But I'd say you're doing it correctly since the logs are reporting the file was loaded as expected.

Mmm, OK I replicated that. That clearly that is loaded though. Something in the perl config maybe. Someone more familiar with perl will need to look at it.

I'm using the RADIUS class property (Group Membership) > like described here.

Is there not a way to write into the radius server certificate
in wich vlan the user must be put in? And each vlan has
then its own IP range. Done.

@johnpoz
@stephenw10

Yes working great, thank ya'll so much :)!

@bert-0 said in No Internet:

BTW: I am new to CMTs. How can you tell if a device you hit is a CMT or not?

A CMTS is the device you connect to at the cable company head end. I used Wireshark to examine the DHCPv6-PD packets and saw the error message that identified, by host name, the failing system.

Anyway, as I said, try connecting a computer to your modem directly. And if a tech comes make sure he can connect with his own equipment.

BTW, have him try test-ipv6.com to show you everything is working properly. You should get 10/10.