• FreeRADIUS 3.0.22 has a bug.

    0 Votes
    20 Posts
    2k Views
    S
    @stephenw10 said in "FreeRADIUS 3.0.22 has a bug.": "That was lucky. It could easily have not worked with 2.5.2." Well, between me and you, it did not work the first time because I had forced a package repository update (pkg update -f). Doing that undid the modification I had done to the pfSense.conf file. So I edited the file a second time and it worked.
  • Interface Timer Suggestion?

    0 Votes
    12 Posts
    1k Views
    stephenw10
    @deanfourie said in "Interface Timer Suggestion?": "should I still use relative paths in cron?" Yes, use the full path. That's the most common reason custom cron jobs fail. The cron user does not have the same paths as root, which is what the command prompt runs as. Steve
  • Previous versions

    download
    0 Votes
    11 Posts
    2k Views
    T
    @jhparizona Google "free computer". I was surprised at the result. You may find what you need. Ted
  • pfSense with Avahi and Apple Devices

    0 Votes
    4 Posts
    2k Views
    johnpoz
    What I can say, while I am not a "fan" of breaking the L2 barrier with such discovery. There have been some recent mdns questions. An easy way for me to test that mdns via avahi is working is just my iphone using airprint. Which printer and client are on different vlans. Can tell you it works - I setup avahi, my iphone can discover and print to the printer. If I also allow communication on the vlan to actually talk to the printer. As @stephenw10 mentions.
  • Netgate SG-1000 throttles upload speed to ~5%

    0 Votes
    2 Posts
    353 Views
    stephenw10
    With an apparent bandwidth reduction that high the first thing I would do is check the port status in Status > Interfaces to make sure both are linked at the expected 1G full duplex. You should upgrade to the current version, 21.05.1, when you can. 2.4.4p3 is very old. You may wish to re-install clean to be sure. Open a ticket with us to get the recovery image: https://go.netgate.com/ Steve
  • 0 Votes
    2 Posts
    901 Views
    johnpoz
    Other than an update of pfsense actual version, there should never be a reason to have to reboot pfsense. Common issue where people believe this is the case is a change in firewall rules, and not working as they think... This is most likely related to existing "state" for whatever you're trying to change what happens with. And the reboot clears all this. But if you do have an existing state causing a rule not to function as you believe - you can either kill that specific state, kill all the states or just wait for them to time out on their own, etc.
  • 0 Votes
    29 Posts
    4k Views
    Michel-angelo
    @stephenw10 Hello! Information on status. So far, in case of power failure, I want the UPS to start and the initiation of new back-up tasks to become impermissible, upon a combination of time and remaining charge of the UPS' battery; a proper shut down of the mac; and, if possible, shut-down of the UPS. So far, on my pfSense firewall SG-1000, there is a pre-installed NUT package. It works already and can trigger termination of NUT clients. For macOS (version 10.13 High Sierra; the package manager Homebrew does not work any more, but the package manager MacPorts does), I would (1) install or update Xcode on the mac; (2) install or update MacPorts; (3) configure and set instructions to slave on pfSense SG-1000; and (4) complete on pfSense the remainder of NUT configuration. This is my current plan, which seems feasible so far.
  • Issue with Dynamic IP WAN gateway monitoring

    0 Votes
    26 Posts
    2k Views
    stephenw10
    Hmm, that is interesting. I assume the WAN IP is not changed when you restart dpinger? I.e. it's not somehow restarting the connection? (it shouldn't).
  • Dynamic DNS Show local IP

    0 Votes
    15 Posts
    2k Views
    stephenw10
    Since you are using a correctly configured policy routing rule for LAN traffic you do not have to do anything. Anything not caught by that policy rule, such as traffic from the firewall itself, will use the default gateway. Just be aware that with that set to the load-balancing group, as it is, traffic will use one of the two PPPoE WANs that are in tier 1. It will not use both and there is no way to specify which one it will use. It will simply switch to the other one if one goes down or to the LTE if both go down. That setup is probably fine for your use. Steve
  • 0 Votes
    10 Posts
    1k Views
    stephenw10
    There are packages for sending snmp data, allowing external collectors to query the firewall, but not for using the firewall as a collector itself.
  • SG-1100 weird behaviour, random reboots

    0 Votes
    2 Posts
    359 Views
    stephenw10
    You should upgrade to 21.05.1, the current version. It should (obviously!) not reboot at random like that. You should open a ticket with us to troubleshoot that: https://go.netgate.com/ Steve
  • 3 Votes
    253 Posts
    171k Views
    stephenw10
    Code carried over from the old forum was incorrect. Check now.
  • OpenVPN Traffic to IPsec sites

    0 Votes
    9 Posts
    862 Views
    T
    I had the "firewall optimization options" set to "conservative" and changed this now back to "normal". Maybe...
  • Access Emby from local sub via DDNS

    0 Votes
    13 Posts
    2k Views
    johnpoz
    @chudak dns has NOTHING to do with ports. As I already went over, if your goal is to get redirected to some port, then use HAproxy. And then sure you can hit the public IP on port say 80 or 443 http/https and get proxied to port 1234 if you wanted.
  • Pfsense plus vs Pfsense free version

    pfsense pfsense firewal
    0 Votes
    11 Posts
    6k Views
    stephenw10
    An HA pfSense setup would usually be between two devices in the same location, often in the same rack. It's intended to mitigate a failing node or connection to/from that node. There is no reason it could not be between nodes in different buildings as long as they can be on the same layer 2 segments but there's not really much advantage in doing so. Steve
  • Can’t access TrueNAS machine outside its own VLAN

    vlan openvpn ping truenas
    0 Votes
    7 Posts
    2k Views
    A
    @johnpoz Yap! You are right... Sometimes we don't think as it should be. It's exactly the same situation that I've with the printer - just an IP assign and everything is working. As far as I know, TrueNAS (before FreeNAS) has not any internal firewall. At least configurable with the GUI. I'll investigate deeper. Maybe it's the gateway (I've some doubts that is wrong), so I've to confirm. For testing, I'll also change the NAS to the LAN (same net where I've also the pfSense) and check if anything changes.
  • Auto-update for alias from Diagnostics DNS Lookup

    0 Votes
    7 Posts
    1k Views
    johnpoz
    @bmeeks I have set min ttl of 3600 on my unbound. Everything works - so it's not like these sites are changing IPs they use every 5 minutes and old IP no longer works. ;) I would normally say do not mess with the ttls that the owners have set, but 60 seconds, 5 minutes - FU! that is insane unless you were getting ready to do a big change to another IP, etc. I guess it does give you the ability to change IPs on the fly and nobody to notice at all - but I sure and the F do not want to be doing a query every 60 seconds because your shit might fail ;) In this day and age of load balancers and ability to ramp up processing power on your server (since it's a VM) and network access on the fly, there should be little reason that I have to query for www.domain.tld every freaking 60 seconds.
  • Migrate from Sophos, some questions...

    0 Votes
    8 Posts
    827 Views
    stephenw10
    HA with CARP? Two pfSense nodes? Hmm, it's unusual but you should be able to do it. You will end up with some asymmetry. Really you would want the /29 directly on the WAN for HA, not routed via a /30. You will have to use the /30 IP as the WAN side CARP VIP and two IPs from the /29 as the WAN IPs on each node. But that means the /29 will always be routed to the master node including backup node WAN IP. The Master node will redirect it but you will get some asymmetric routing and might need appropriate firewall rules to pass that. Steve
  • Blocking specific websites with pfBlockerNG

    0 Votes
    3 Posts
    1k Views
    S
    @jkalber Another quick and dirty way is to set up a domain or host override in the DNS Resolver. Then anything that wants to connect to (www.)spotify.com will get the address you put in, like 127.0.0.1 or whatever. Nowadays DNS over HTTP will bypass that so also need to disable DoH.
  • Upgrade from 2.4.5 to 2.5.2

    Moved
    0 Votes
    10 Posts
    2k Views
    stephenw10
    Packet loss that high is almost always an IP conflict of some kind. It's definitely not dual Master on LAN? Even if it was that would not affect traffic to/from the FW02 LAN IP directly. Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.