@QuantumParadox said in upgrade error message in pfsense dashboard GUI:

I am on version 24.03

An ID is always something unique. As we are all on 24.03, that number can't be an ID.
This one is :

90af6c4c-68bc-480d-9a30-b9f20a0e294c-image.png

If you had something creating a picture with all your devices.. Say something like this..

devices.jpg

And then you had some way to input some parameters like port.. It could show you which other devices the firewall rules allow for..

But even viewing it gets tricky when you have lots of devices.. This is only showing my wireless devices, and you have to really zoom in to see anything.

And while pfsense can say hey there is a rule that allows that to these other devices in other networks.. Still doesn't know if that device even listens on that port, or that its own possible firewall allows it. And as you mention how would it know if something like private vlans or AP isolation is deployed?

Is this AI going to validate every connection is actually possible from the devices IP address you selected as your source? And for stuff on the same network as your client, pfsense isn't involved anyway..

I have worked on many a different firewalls, Palo's, ASAs, Juniper, checkpoints way back in the day.. The only thing I have seen that would come close to what your asking that isn't graphical is where you can put in some parameter(s) and it will list the rules that mention those parameters, you can do with panorama for the palos.. But not freaking cheap! ;)

But I do not see how this helps you learn to be honest.. If you want to learn.. Learn how to create the rules you want to allow or block and how to create those.. I mean how many rules could you possible have? Its not like enterprise, previous gig we had over 50 different Palo firewalls in the org, and searching for what rules might allow or block specific traffic was really a requirement.. There were 1000's and 1000's of rules across the org.. Finding out if some specific traffic was allowed or not would of been painful if there wasn't a way to easy search through them..

Biggest save in search in rules was when someone requested something to talk to something else on port X.. Was to search for if those devices are already allowed to talk to each other one some ports so you could just add the port to an existing rule, etc.

After set that checkbox? Hmm, try restarting arpwatch. Though I would have expected that to happen anyway...

You can run: pfSense-led.sh update 0

That will clear the update alert. It be interesting to see if it comes back. It does look like there may be an issue.

Regarding using shellcmd to start the iperf3 server ... be sure to include the "-D" option or your boot-up will hang in difficult-to-identify ways. My start-up command in shellcmd is

iperf3 -s -D

If you look at your firewall console and don't see your usual menu or login prompt after setting iperf3 to start on boot, a Ctrl-C will get you unstuck. If this sounds like the result of a painful experience ... well, yes. 😆

Little update for this shell script in case You have MULTIPLE WAN (and need testing each uplink connection):

THIS SCRIPT SENDS HEARTBEAT ON ONE (1) CERTAIN TEST ID.

So, if You need really monitoring all WANS and receiving SEPARATE ALERT on EACH WAN,- You may create several Tests on StatusCake and USING V.2 OF THIS SCRIPT

#!/bin/sh # HEARTBEAT to StatusCake external monitoring and alerting service # Examples and additional information # https://www.statuscake.com/kb/knowledge-base/what-is-push-monitoring/ # Successfully working on pfSense CE 2.7.X # List of network interfaces INTERFACES="igb10 igb11 igb12 igb13" # StatusCake URL URL="https://push.statuscake.com/?PK=123456764226&TestID=7347942&time=0"" # Loop through each interface and send a curl request for INTERFACE in $INTERFACES do echo "Sending request through interface $INTERFACE" /usr/local/bin/curl --interface "$INTERFACE" "$URL" echo "" # Print a newline for better readability done

YOU MAY TEST exactly script from Diagnostic / Command Shell TO ENSURE THAT ALL ARE WORKING as expected!

The result MUST be looks like this:

Sending request through interface igb0 % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 100 7 100 7 0 0 12 0 --:--:-- --:--:-- --:--:-- 12 success Sending request through interface igb1 % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 100 7 100 7 0 0 13 0 --:--:-- --:--:-- --:--:-- 13 success Sending request through interface igb2 % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 100 7 100 7 0 0 13 0 --:--:-- --:--:-- --:--:-- 13 success Sending request through interface igb3 % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 100 7 100 7 0 0 13 0 --:--:-- --:--:-- --:--:-- 13 success

P.S.
1.
After testing on exactly Your setup, You MUST comment both ‘echo’ command to avoid unnecessary output to terminal.
2.
logger’ command not using also: because of a lot of calling (1 time / min, 1 time / 5 min,…) system log would be filled by unnecessary records that not helping You even when You have automatic log aggregator & analyser like Splunk, ELK, Graylog,….

No worries let us know if that fixes it.

@JonathanLee
I guess that was me, almost lost in the noise. Anyway thanks for tidying. 👍

☕️

Oh.. would be wonderful to have a detailed update for DSA which replaced Openwrt's switch function. Not out of laziness, much easier to learn this way, following the steps and trying to make sense of it.

Thanx

Hmm, then it feels like something else must have changed at that time. Was pfSense upgraded? Maybe some other config change?

There are no other components shared between those connections as I understand it. Separate switches on each one.

Do you log CPU usage with Zabbix? Did that change when the errors started?

Thank You for patience and detailed answering!
So, let’s dive in ;)

@bmeeks said in Booting stuck on “Restoring contents from RAM store…”:

@Sergei_Shablovsky said in Booting stuck on “Restoring contents from RAM store…”:

Is this mean on this separate Snort/Suricata server I need 16 (2 x 8, for inspecting traffic) + 1 for SecAdmins management?

Yes. It will take two separate NIC ports per pathway to implement. Think of it as a transparent firewall "bridge" of sorts. Suricata sits between two NIC ports (directly) and either forwards or drops particular packets between those two ports.

Adding 2 multi-CPU is not a problem for us.

More important-

You could consider splitting the load across two mostly identical servers (4 complete pathways on each server). 8 Suricata instances inspecting a lot of traffic against many rules is going to be resource intensive. Splitting that across multiple servers might work better performance wise.

You will want multi-queue NICs and high core-count CPUs and lots of RAM.

@Sergei_Shablovsky said in Booting stuck on “Restoring contents from RAM store…”:

Why exactly Linux (and which one ? RHEL, Debian?) and not FreeBSD ?

Mostly because Suricata is primarily developed and debugged on Linux platforms and thus has excellent support there. While the Suricata team does compile and test on FreeBSD, they must do that manually because none of their automated testing tools work on FreeBSD. And none of them that I know run Suricata on FreeBSD themselves.

Another reason is that the AF_PACKET interface is quite well established on Linux and less buggy than the netmap interface in FreeBSD.

These are the available IPS options on Linux: https://docs.suricata.io/en/suricata-7.0.5/setting-up-ipsinline-for-linux.html.

I don't think it really matters about the Linux distro. Just choose one you might already be familiar with.

@leonida368 said in Authenticating Users with Google Cloud Identity:

thank you for the idea, but thinking that a teacher can connect to Pfs go to Status / Captive Portal and carry out operations is truly as unfeasible as possible.

Can't trust teachers ? Woow. There are some strange places these days.
But I wasn't saying you had to give the teacher the admin account. It's very possible to create another pfSense user and give this 'teacher' user only limited access, like the captive portal status page, where he can log them all out, or just some.

@leonida368 said in Authenticating Users with Google Cloud Identity:

Since we have now enabled popups on the customer's devices, couldn't we try to make the logout popup work?

Work or not, most hand hold devices (phones etc) don't use the default browser as the browser to login to a captive portal. For example, the browser the iPhones use, is a subnet browser of safari, not the system user default browser, so no cookies, no session keeping. And this browser doesn't allow popups.
Other devices, like ordinary windows based PCs and laptop behave fine.

And even if the popup was dismissed (close), visiting again the portal login URL :

https://portal.your-domaine.tld:8003/index.php?zone=CPZONE

will not show the login page, as the user is already logged in, but the logout page, with a logout button.

@leonida368 said in Authenticating Users with Google Cloud Identity:

couldn't we try to make the logout popup work?

It isn't broken.
The fact that your Idle timout isn't working 'very well' is already strange. It's a core pf functionality, and isn't pfSense, but actually build into kernel FreeBSD.
As soon as you you what's wrong, you've solved your issue.

@leonida368 said in Authenticating Users with Google Cloud Identity:

Or find another way for the user to log out?

All possible ways are already mentioned.
I haven't found any other ways in the manual (the source code).

Recently, a new method was created.
Look on the forum (captive portal) for the "DHCP 114" method.
It's an upcoming RFC draft. Apple (and Microsoft and the original Samsung OS phones - clone OSes : no yet).
I have no, under the SSID properties a link to a portal "Status page". The URL I gave the the status page is the logout URL. So no need to type it the URL mentioned above.
To use this "DHCP 114" method, no need to edit any pfSense file.
There is just one PHP file to upload.
You have to use ISC DHCP, not KEA, as you have to add a DHCP option. Number 114.

The value of the option, type is String, must be :

"https://portal.your-domaine.tld:8003/rfc8910.php?zone=cpzone1"

fbc2f3cb-2d2a-476e-8cef-b12e887c1837-image.png

Where 'portal.your-domaine.tld' is the HTTPS server name of the portal.
8003 is the TLS port used.
'rfc8910.php' is the name of the file you've uploaded.
'cpzone1' is the name of the SSID zone.

Open a TAC ticket if you have not already: https://www.netgate.com/tac-support-request

Do you know what versions it was upgrading between?

It sounds like it stopping at the bootloader prompt though which implies it cannot see anything to boot from. We'd have to see the output before that to know exactly what errors are preventing it.

A clean install of 24.03 is going to be the fastest way back, especially because there is no config on it yet.

Yes that does seem like the monitor target was simply not prioritising pings and dropping them under load.

@WhiteTiger-IT
Generally you can comply with the official HAproxy documentation.
You just need to translate it to the setting possibilities, which you can find in the pfSense web GUI.

@stephenw10 TIME!!!!!!!

Leave this with me :)

@stephenw10 @viragomann

Thanks.. yes, it was NAT Reflection, thank you very much.

All good now.

@AG23

https://archive.nbaset.ethernetalliance.org/wp-content/uploads/2017/05/NBASET-Downshift-WP-1217.pdf

They are presented in the order they are parsed in the config. If it really borthers you you can just manaully reorder them in the config file. There is risk to doing that, obviously.

Steve

They are surveying our customers on our behalf, yes.