You could also try adding a host override for acb.netgate.com as a test. I wouldn't leave it like that because the IP might change at some point in the future. But it's been the same until now!

@Bambos your switch needs to support that. If you just have dumb switch its not going to work. Pretty much any 40$ smart switch turn off a port not in use. But to do something like port security that is just mac based, or using 802.1x you need a slightly better switch.

If your goal is locking down your physical access, you need a switch that provides some methods to do that. Not providing IP sure isn't going to stop them from scanning other devices once they have a physical connection.

@georgelza said in pfSense not enabling port:

@Gblenn

Yes... the VM is started via the data centre and that won't allow you to start it twice. You will need to clone it and give it new name and IP.

I'd prefer to have the VM Images on local mirror via Ceph, gives me speed and Ceph will make sure there is a copy on another node.

Would like someone else to chirp in here... confirm this works with Proxmox. know other Hypervisors allow this.

G

Yes that is my understanding as well, although I have not tried it. And I totally agree that using the local nvme's will give you way more speed.

I still suggest creating a PBS VM (Proxmox Backup Server) and perhaps map e.g. a disk on your TrueNAS for that. I've had a few instanses where I have wanted to "go back in time" and restore something from a few weeks back even. Typically because I messed up and didn't realize it until some time later.

other than the official proxmox forum which does not seem to have much activity, anyone aware of a active/responsive proxmox community...
otherwise wondering if we can get the admin's here to create a proxmox section ;)

There is a virtualization section already, with plenty Proxmox activity...
https://forum.netgate.com/category/33/virtualization

@Gertjan i can see only 3 pushover threats , and about 40 telegram threads.
I see the probability to have success with pushover very slight. so i will check out telegram.

@stephenw10 yeah I have installed the CA on multiple computers, both windows and linux. iphones and android tablet and never ran into a issue.

But yeah if should be tagged critical, should be an easy fix.

@mmege Glad you found a simple work around with creating intermediate with openssl

So put the host override in whatever DNS server you are using.

Good question! Probably some small change to the bootup order.

You could add floating rules to just pass the traffic even if it is asymmetric:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html

But I prefer to avoid that if at all possible though. It almost inevitably ends up with other issues in the future. It will be confusing to anyone else looking at it later.

Got it. Thanks so much for the help!

@Reidid said in How change title from authentification page ?:

pfsense/src/etc/inc/captiveportal.inc

In that file you can 'find' the original 'With love from Netgate' portal login html file.
Here you have mine :

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html lang="fr-FR"> <head> <title>BHF</title> <meta name="viewport" content="width=device-width, user-scalable=no" /> <style> #content,.login,.login-card a,.login-card h1,.login-help{text-align:center}body,html{margin:0;padding:0;width:100%;height:100%;display:table}#content{font-family:'Source Sans Pro',sans-serif;background-color:#1C1275;background:{$bg_src};-webkit-background-size:cover;-moz-background-size:cover;-o-background-size:cover;background-size:cover;display:table-cell;vertical-align:middle}.login-card{padding:40px;width:280px;background-color:#F7F7F7;margin:100px auto 10px;border-radius:2px;box-shadow:0 2px 2px rgba(0,0,0,.3);overflow:hidden}.login-card h1{font-weight:400;font-size:2.3em;color:#1383c6}.login-card h1 span{color:#f26721}.login-card img{width:90%;height:90%}.login-card input[type=submit]{width:100%;display:block;margin-bottom:10px;position:relative}.login-card input[type=text],input[type=password]{height:44px;font-size:16px;width:100%;margin-bottom:10px;-webkit-appearance:none;background:#fff;border:1px solid #d9d9d9;border-top:1px solid silver;padding:0 8px;box-sizing:border-box;-moz-box-sizing:border-box}.login-card input[type=text]:hover,input[type=password]:hover{border:1px solid #b9b9b9;border-top:1px solid #a0a0a0;-moz-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}.login{font-size:14px;font-family:Arial,sans-serif;font-weight:700;height:36px;padding:0 8px}.login-submit{-webkit-appearance:none;-moz-appearance:none;appearance:none;border:0;color:#fff;text-shadow:0 1px rgba(0,0,0,.1);background-color:#4d90fe}.login-submit:disabled{opacity:.6}.login-submit:hover{border:0;text-shadow:0 1px rgba(0,0,0,.3);background-color:#357ae8}.login-card a{text-decoration:none;color:#222;font-weight:400;display:inline-block;opacity:.6;transition:opacity ease .5s}.login-card a:hover{opacity:1}.login-help{width:100%;font-size:12px}.list{list-style-type:none;padding:0}.list__item{margin:0 0 .7rem;padding:0}label{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-box-align:center;-webkit-align-items:center;-ms-flex-align:center;align-items:center;text-align:left;font-size:14px;}input[type=checkbox]{-webkit-box-flex:0;-webkit-flex:none;-ms-flex:none;flex:none;margin-right:10px;float:left}@media screen and (max-width:450px){.login-card{width:70%!important}.login-card img{width:100%;height:100%}}textarea{width:66%;margin:auto;height:120px;max-height:120px;background-color:#f7f7f7;padding:20px}#terms{display:none;padding-top:100px;padding-bottom:300px;}.auth_source{padding:20px 8px 0px 8px; margin-top: -2em; border-radius: 2px; }.auth_head{background-color:#f7f7f7;display:inline-block;}.auth_head_div{text-align:left;}#error-message{text-align:left;color:#ff3e3e;font-style:italic;} </style> </head> <body> <div id="content"> <div class="login-card" style="text-align:center; margin:0 auto;"> <form method="post" action="$PORTAL_ACTION$"> <p>Bonjour, <br />Vous &ecirc;tes sur le portail d'accueil 'Wifi' de</p> <a href="http://www.bhf.tld/" ><img src="captiveportal-nvxx-logo.png" width="200%" alt="BHF Logo" ></a> <p>Tout d'abord, nous vous <g>conseillons</g> de consulter notre Livret d'accueil.</p> <p>C'est ici : <a href="ROOM-DIRECTORY-BH-FUMEL.pdf?zone=$PORTAL_ZONE$">Livret d'accueil</a><br /> (Veuillez cliquer/taper !).</p> <hr> <p>Souhaitez vous accéder l'Internet ?</p> <div class="auth_source"> <input name="auth_user" id="auth_user" type="text" size="12" maxlength="10" value="#USERNAME#" placeholder="Numéro de chambre"/> <input name="auth_pass" type="text" size="12" maxlength="10" value="#PASSWORD#" placeholder="Mot de passe (dans le Livret d'accueil !) "/> </div> <input name="redirurl" type="hidden" value="$PORTAL_REDIRURL$" /> <input name="zone" type="hidden" value="$PORTAL_ZONE$" /> <p><input name='accept' type='submit' class='login login-submit' value='Acc&eacute;der &agrave; l&acute;Internet' /></p> <?php global $config, $cpzone; if(isset($config['voucher'][$cpzone]['enable'])) { ?> <p><input name="auth_voucher" type="text" value="#VOUCHER#"/></p> <?php } ?> </form> </div> </div> </body> </html>

Big surpise, no ?
It's the thing you've been looking at half a billion times in your live.
It's just html.

Here it is adapted (honestly stolen ^^) from what I've found in pfSense :

63bd17a5-4439-46c5-bc27-8bb8becb18bc-image.png

@Gblenn okay, yeah it is coax to xFi. So, bridge mode it is.

You can install it yourself but you should not be able to purchase 3rd party hardware with it pre-installed.

It you do I would strongly recommend you reinstall it to be sure what you have is actually unmodified pfSense.

If the license expires you will lose access to the pkg repos which means you can no longer see updates or install new packages. It does not prevent existing services running.

If this is used Netgate hardware it will always have access to Plus, that does not expire.

Steve

Hmm, interesting. Be sure to check the ware level again. That's not a set of symptoms I've seen but it does look like a failure mode that could also be the eMMC. 🤔

@Gertjan said in WAN requiring root CA to be installed for internet access:

Ok to keep old software. But mixing new stuff (pfSense 2.7.2 uses FreeBSD 14) on old stuff, is like installing windows 11 on a PC without a TPM : you can (probably) force it, but it needs uncommon knowledge to do so.

I know, but the iron does not support 6.0 and later.

@bmeeks said in WAN requiring root CA to be installed for internet access:

@reqman said in WAN requiring root CA to be installed for internet access:

Unfortunately, a bit later the VM shutted down by itself. Tried the exact same procedure, but no go.

The problem is likely the vmxnet3 driver. Change your virtual machine to use the e1000 NIC driver and try again. You will take a performance hit using the e1000 virtual driver, but that should let the newer pfSense boot and run.

Very useful info, thanks. Will give it a try, when I find some time to reschedule this experiment.

@stephenw10 said in Wireguard with IPv6:

Nope you are not wrong. My ISP only provides a prefix so I have no routable IPv6 address on the WAN directly. That's BT, the largest ISP here in the UK.

Thank you stepehen. Helps a lot. :)

If you're running ZFS it may be old BE snapshots filling the drive.

If you can reach the command line you can check that with: bectl list

Otherwise it's probably logs from some package, check /var/log

Steve

@JonathanLee said in Multiple issues, firewall freezes and whole network goes down.:

https://forum.netgate.com/topic/171842/queue-management-algorithms-differences

My main interface is on 2x25G LAGG and LAGG is not supported with traffic shaper so other than bufferbloat nothing is set there.

Wow, there is considerable information you have provided, thank you! DNSBL reloads once per day at 15 minutes past midnight, 00:15. I am using KEA for DHCP services which does not contain the DHCP registration setting. Knowing the origional DHCP service is will be remmoved at some future point appeared to the best option. Service _Watchdog is not installed given the issues it creates. I added the service status to the dashboard for monitoring.

@stephenw10 exactly 7547 is the TR-069 service.

"is a bidirectional SOAP/HTTP-based protocol that provides communication between CPE devices and auto-configuration servers (ACS)."

Would seem quite possible that the isp device, ie the CPE is using this.

https://en.wikipedia.org/wiki/TR-069

@viragomann they are being processed by the floating rule
maybe I should get rid of the floating rule, at least that might help with future trouble shooting.