• 0 Votes
    6 Posts
    961 Views
    Sergei_ShablovskyS

    Little update for this shell script in case You have MULTIPLE WAN (and need testing each uplink connection):

    THIS SCRIPT SENDS HEARTBEAT ON ONE (1) CERTAIN TEST ID.

So, if You need really monitoring all WANS and receiving SEPARATE ALERT on EACH WAN, You may create several Tests on StatusCake and USE V.2 OF THIS SCRIPT

    #!/bin/sh
    # HEARTBEAT to StatusCake external monitoring and alerting service
    # Examples and additional information
    # https://www.statuscake.com/kb/knowledge-base/what-is-push-monitoring/
    # Successfully working on pfSense CE 2.7.X

    # List of network interfaces
    INTERFACES="igb10 igb11 igb12 igb13"

    # StatusCake URL
    URL="https://push.statuscake.com/?PK=123456764226&TestID=7347942&time=0"

    # Loop through each interface and send a curl request
    for INTERFACE in $INTERFACES
    do
        echo "Sending request through interface $INTERFACE"
        /usr/local/bin/curl --interface "$INTERFACE" "$URL"
        echo ""    # Print a newline for better readability
    done

    YOU MAY TEST exactly this script from Diagnostic / Command Shell TO ENSURE THAT ALL IS WORKING as expected!

    The result MUST look like this:

    Sending request through interface igb0
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    100     7  100     7    0     0     12      0 --:--:-- --:--:-- --:--:--    12
    success
    Sending request through interface igb1
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    100     7  100     7    0     0     13      0 --:--:-- --:--:-- --:--:--    13
    success
    Sending request through interface igb2
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    100     7  100     7    0     0     13      0 --:--:-- --:--:-- --:--:--    13
    success
    Sending request through interface igb3
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    100     7  100     7    0     0     13      0 --:--:-- --:--:-- --:--:--    13
    success

    P.S.
    1.
    After testing on exactly Your setup, You MUST comment out both ‘echo’ commands to avoid unnecessary output to the terminal.
    2.
    The ‘logger’ command is also not used: because of the many calls (1 time / min, 1 time / 5 min, …) the system log would be filled with unnecessary records that do not help You, even when You have an automatic log aggregator & analyser like Splunk, ELK, Graylog, ….

  • 24.03 Crashing...?

    19
    0 Votes
    19 Posts
    899 Views
    stephenw10S

    No worries let us know if that fixes it.

  • Google Analytics - Use by pfSense?

    35
    1 Votes
    35 Posts
    4k Views
    RobbieTTR

    @JonathanLee
    I guess that was me, almost lost in the noise. Anyway thanks for tidying. 👍

    ☕️

  • Tutorial - pfSense, OpenWrt - multiple SSIDs and VLANs

    8
    3 Votes
    8 Posts
    25k Views
    F

    Oh.. it would be wonderful to have a detailed update for DSA, which replaced OpenWrt's switch function. Not out of laziness; it is much easier to learn this way, following the steps and trying to make sense of it.

    Thanx

  • 0 Votes
    5 Posts
    703 Views
    stephenw10S

    Hmm, then it feels like something else must have changed at that time. Was pfSense upgraded? Maybe some other config change?

    There are no other components shared between those connections as I understand it. Separate switches on each one.

    Do you log CPU usage with Zabbix? Did that change when the errors started?

  • Booting stuck on “Restoring contents from RAM store…”

    20
    0 Votes
    20 Posts
    2k Views
    Sergei_ShablovskyS

    Thank You for patience and detailed answering!
    So, let’s dive in ;)

    @bmeeks said in Booting stuck on “Restoring contents from RAM store…”:

    @Sergei_Shablovsky said in Booting stuck on “Restoring contents from RAM store…”:

    Is this mean on this separate Snort/Suricata server I need 16 (2 x 8, for inspecting traffic) + 1 for SecAdmins management?

    Yes. It will take two separate NIC ports per pathway to implement. Think of it as a transparent firewall "bridge" of sorts. Suricata sits between two NIC ports (directly) and either forwards or drops particular packets between those two ports.

    Adding 2 multi-CPU is not a problem for us.

    More important-

    You could consider splitting the load across two mostly identical servers (4 complete pathways on each server). 8 Suricata instances inspecting a lot of traffic against many rules is going to be resource intensive. Splitting that across multiple servers might work better performance wise.

    You will want multi-queue NICs and high core-count CPUs and lots of RAM.

    @Sergei_Shablovsky said in Booting stuck on “Restoring contents from RAM store…”:

    Why exactly Linux (and which one ? RHEL, Debian?) and not FreeBSD ?

    Mostly because Suricata is primarily developed and debugged on Linux platforms and thus has excellent support there. While the Suricata team does compile and test on FreeBSD, they must do that manually because none of their automated testing tools work on FreeBSD. And none of them that I know run Suricata on FreeBSD themselves.

    Another reason is that the AF_PACKET interface is quite well established on Linux and less buggy than the netmap interface in FreeBSD.

    These are the available IPS options on Linux: https://docs.suricata.io/en/suricata-7.0.5/setting-up-ipsinline-for-linux.html.

    I don't think it really matters about the Linux distro. Just choose one you might already be familiar with.

  • Authenticating Users with Google Cloud Identity

    103
    0 Votes
    103 Posts
    16k Views
    GertjanG

    @leonida368 said in Authenticating Users with Google Cloud Identity:

    thank you for the idea, but thinking that a teacher can connect to Pfs go to Status / Captive Portal and carry out operations is truly as unfeasible as possible.

    Can't trust teachers ? Woow. There are some strange places these days.
    But I wasn't saying you had to give the teacher the admin account. It's very possible to create another pfSense user and give this 'teacher' user only limited access, like the captive portal status page, where he can log them all out, or just some.

    @leonida368 said in Authenticating Users with Google Cloud Identity:

    Since we have now enabled popups on the customer's devices, couldn't we try to make the logout popup work?

    Work or not, most handheld devices (phones etc.) don't use the default browser as the browser to log in to a captive portal. For example, the browser the iPhones use is a subnet browser of Safari, not the system user default browser, so no cookies, no session keeping. And this browser doesn't allow popups.
    Other devices, like ordinary Windows-based PCs and laptops, behave fine.

    And even if the popup was dismissed (closed), visiting the portal login URL again:

    https://portal.your-domaine.tld:8003/index.php?zone=CPZONE

    will not show the login page, as the user is already logged in, but the logout page, with a logout button.

    @leonida368 said in Authenticating Users with Google Cloud Identity:

    couldn't we try to make the logout popup work?

    It isn't broken.
    The fact that your Idle timeout isn't working 'very well' is already strange. It's a core pf functionality, and isn't pfSense, but actually built into the FreeBSD kernel.
    As soon as you know what's wrong, you've solved your issue.

    @leonida368 said in Authenticating Users with Google Cloud Identity:

    Or find another way for the user to log out?

    All possible ways are already mentioned.
    I haven't found any other ways in the manual (the source code).

    Recently, a new method was created.
    Look on the forum (captive portal) for the "DHCP 114" method.
    It's an upcoming RFC draft. Apple (and Microsoft and the original Samsung OS phones - clone OSes: not yet).
    I now have, under the SSID properties, a link to a portal "Status page". The URL I gave the status page is the logout URL. So no need to type the URL mentioned above.
    To use this "DHCP 114" method, no need to edit any pfSense file.
    There is just one PHP file to upload.
    You have to use ISC DHCP, not KEA, as you have to add a DHCP option. Number 114.

    The value of the option, type is String, must be :

    "https://portal.your-domaine.tld:8003/rfc8910.php?zone=cpzone1"


    Where 'portal.your-domaine.tld' is the HTTPS server name of the portal.
    8003 is the TLS port used.
    'rfc8910.php' is the name of the file you've uploaded.
    'cpzone1' is the name of the SSID zone.

  • SG-1100 Firmware Failure

    4
    0 Votes
    4 Posts
    305 Views
    stephenw10S

    Open a TAC ticket if you have not already: https://www.netgate.com/tac-support-request

    Do you know what versions it was upgrading between?

    It sounds like it's stopping at the bootloader prompt though, which implies it cannot see anything to boot from. We'd have to see the output before that to know exactly what errors are preventing it.

    A clean install of 24.03 is going to be the fastest way back, especially because there is no config on it yet.

  • dpinger question (new behavior in 24.03-RELEASE?)

    5
    0 Votes
    5 Posts
    454 Views
    stephenw10S

    Yes that does seem like the monitor target was simply not prioritising pings and dropping them under load.

  • Configure HAProxy for PC folder access

    17
    0 Votes
    17 Posts
    2k Views
    V

    @WhiteTiger-IT
    Generally you can comply with the official HAProxy documentation.
    You just need to translate it to the setting possibilities, which you can find in the pfSense web GUI.

  • Pfsense VPN Timeout - Unable to stop Timeout

    5
    0 Votes
    5 Posts
    401 Views
    J

    @stephenw10 TIME!!!!!!!

    Leave this with me :)

  • LAN issues... external ip not accessable internally

    4
    0 Votes
    4 Posts
    286 Views
    P

    @stephenw10 @viragomann

    Thanks.. yes, it was NAT Reflection, thank you very much.

    All good now.

  • Inter-Device Connectivity Issues on pfSense

    15
    0 Votes
    15 Posts
    738 Views
    HLPPCH

    @AG23

    https://archive.nbaset.ethernetalliance.org/wp-content/uploads/2017/05/NBASET-Downshift-WP-1217.pdf

  • Interfaces out of order and ports named incorrectly

    5
    0 Votes
    5 Posts
    204 Views
    stephenw10S

    They are presented in the order they are parsed in the config. If it really bothers you, you can just manually reorder them in the config file. There is risk to doing that, obviously.

    Steve

  • Is netgate involved in getting these emails?

    2
    0 Votes
    2 Posts
    350 Views
    stephenw10S

    They are surveying our customers on our behalf, yes.

  • Boot freezes at EFI Framebuffer Information

    5
    0 Votes
    5 Posts
    918 Views
    stephenw10S

    It should work fine in legacy mode. It makes no significant difference to pfSense.

    Yes, it would have to be a com port the OS can see such that it uses dual console at boot.

  • Logs

    7
    0 Votes
    7 Posts
    478 Views
    stephenw10S

    Maybe unable to pull repo data for some other reason then. Does pfSense-repoc -N return without error?

  • Please check crash report for Limiters

    14
    0 Votes
    14 Posts
    585 Views
    stephenw10S

    Ok, let me see if I can replicate that.

  • pfsense 2.7.2-RELEASE (amd64 VM) crashes once in a while

    9
    0 Votes
    9 Posts
    738 Views
    D

    @bmeeks Blocked hosts set to clear in 1 day, Snort blocking kill states is ON. Will keep monitoring for more crashes.

  • New log message

    8
    0 Votes
    8 Posts
    783 Views
    stephenw10S

    Yes. When gateway comes back up static routes using it are reapplied.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.