Similarly for me

Are you running the 3rd party e2guardian package?

Did you upgrade from 2.6?

I've never tested that package because it's unsupported but I don't think it will run in the current pfSense version.

Steve

Yes it's possible. It's quite a complex setup. It can be difficult to setup a virtualised firewall like that and have everything boot correctly in the event of a power outage for example.

Steve

@viragomann said in Using LetsEncrypt Certificate for Web Configurator Authentication:

I don't believe, that Lets Encrypt has signed a certificate for 192.168.1.1.

They expressly state in their User manual that they only use domain names, and NOT IP addresses.

@pslinn said in Using LetsEncrypt Certificate for Web Configurator Authentication:

Once changes are saved I log out of the pfsense system and type in the url:
https://192.168.1.1:443

You all work, and you missed the most important reason why you were asking for a certificate :
So you don't have to use htpp://192.168.1.1 anymore, but now you can use :

241d7ea4-e72e-4cba-8518-19f1669d2a34-image.png

https://pfSense.some-domain-name-that-you-rent.tld

and yes, "some-domain-name-that-you-rent.tld" is a domain name that you have to rent.
Letsencrypt does just one thing : they will test taht you 'own' (= control) that domain name.

@pslinn said in Using LetsEncrypt Certificate for Web Configurator Authentication:

went to dns resolver
under General Settings went to Host Overrides
selected Add and typed in the requested contents including alias'.

You don't have to do this.
If you asked letsencrypt to create this cert for you :
pfSense.some-domain-name-that-you-rent.tld
and because pfSense already has "pfSense.some-domain-name-that-you-rent.tld" loaded into the DNS (point to 192.168.1.1)

...
edit : do not believe me !!
Go check yourself, using your equipment :

nslookup pfSense.some-domain-name-that-you-rent.tld

the answer will be :

192.168.1.1

....
So your browser (PC) can resolve "pfSense.some-domain-name-that-you-rent.tld" as pfSense has the answer (and yes, 8.8.8.8 has not !! (of course))
So the browser can nw connect to the resolved domain name = "192.168.1.1"
So the pfSense GUI, connected over https (using port 443) will hand over a certificate to the browser stating that this certificate belongs to "pfSense.some-domain-name-that-you-rent.tld"
And that is just great : the browser was initially using "pfSense.some-domain-name-that-you-rent.tld", got 192.1368.1.1 as the address where the server can be found, got a cert back from this web server that it is "pfSense.some-domain-name-that-you-rent.tld" => this is what https is all about. Nothing more, nothing less.
Oh, yes, now everybody knows who is who, some random numbers can be exchanged securely so the entire traffic can also be encrypted decrypted on both side so the traffic passes over the 'possible hostile network on a secured way, and can not be altered while going over the wire.

Btw : if you ask for a wild card certicate like
"some-domain-name-that-you-rent.tld"
"*.some-domain-name-that-you-rent.tld"

( this means : the top level domain name "some-domain-name-that-you-rent.tld"
and
all the sub domains "*.some-domain-name-that-you-rent.tld" )

you can now use your certificate for
pfsense.some-domain-name-that-you-rent.tld
printer.some-domain-name-that-you-rent.tld
nas.some-domain-name-that-you-rent.tld

when you've installed the certificate on your printer, nas etc.
Now you can use "https" to access all these devices (if they support it).

An update after further testing, details below:
After getting the unencrypted TCP working reliably, I wanted to verify the SSL with LDAPS and noticed that the SSL auth was randomly failing with the same bind error. I could not fix this one no matter what I tried and eventually it started failing all the LDAPS binds.
Everything works fine with LDP and Apache Directory Studio but for some reason pfSense just does not want to work with SSL.
I use LE certs on my server and in theory the LE CA should work since it is working in every other application like LDP and Apache Directory Studio.
The only major change to pfsense was the updated OpenSSL package. Might it be possible that this is the reason? If anyone can confirm that I would be happy to open a bug report but I don't want to waste anyone's time over there if this is a configuration mistake on my part.
Packet capture shows TLS 1.3 auth

@marnog
HA proxy supports FastOpen but not sure if this fits into your design. Up to you.

@edgewater Ugh, that sounds like the tech made more than one mistake. ;)

Had one once replace a modem, leave, then we find out only one IP out of 5 is working. And, AND, the model of modem that actually supports multiple static IPs was no longer available. The new one "has problems with that." After a couple days they tracked down one more old model in a truck, and installed that.

@stephenw10 said in Change Authentication Server from CLI:

authmode

I mens authentification to WUI.. Perfect, i was exactly looking fot that...
Thank you!

Yes, and I assume that is the case here. But in addition there were values for client identifier that tripped up Kea that ISC just allowed.

There is /etc/services (on freebsd and most linux) where port/protocol are mapped to service names.

Wow!!
Thank you guys!
That answers my questions...have windows installed on the backup computer and will install the new 4 port network card as soon as it arrives and dockument mac: addresses etc...

Thanks again!

bookie56

Ah great. Yes it was exiting out of the entire upgrade process on any error at that point before. It doesn't actually need to create a new uefi boot entry there so should be fine.
Interesting that Coreboot doesn't play nice with efibootmgr though.

Send me your NDI in chat and I'll check it.

Steve

@stephenw10 I ordered one yesterday. Should be in tomorrow. Looks like a weekend project for me. Thanks again.

@cheapie408 said in HyperV passing wireless adapter for WiFi WAN:

@NollipfSense I actually have one sitting here but the reception is horrible, perhaps I need to get me a better one. That might be easiest.

Maybe keep an eye out for a throwaway satellite dish on trash day.

@stephenw10 Thank you 😁

bookie56

RC 24.03.r.20240416.0005

Here too, on x86_64 rig

@stephenw10

Thanks Stephen. The eeros are hard wired and so we should be ok.

@yaegermeister163 said in New Unifi modem and no internet on LAN:

I confirmed with the ISP that it does not lock the modem to a specific MAC address for the router.

Yes but the modem will limit the number of MACs it will communicate with per power cycle based on the config file that the ISP sends to it. Most residential accounts limit to only one... Some commercial accounts will allow from 2 to 5 from my experience.

You can try cloning the MAC of a device that worked on your pfSense WAN page or simply reboot the modem every time you try a new interface.

Re-linking the WAN triggers a bunch of scripts. Among others it would restart the dhcp client and will start by sending a broadcast to any server not just that gateway.

I would start by running the pcap without any filter on WAN. If you see anything coming back in at all that gives us a clue.