We contain this by creating NAT rules on an off port from a specific IP/network that point to an internal interface (such as the LAN or Mgmt VLAN). That way there is no external attack surface. Alternatively, use a VPN when possible.

Yup that's a fun* one!
More than 4 vmx NICs in esxi changes the PCI device ordering. Crazy.

Ah I see, that's a special case. 😉

@jeffsmith82 said in Login security - phishing resistant MFA:

....
From what I understand you can list multiple sites against the same key at creation time though I might be wrong.

I don't believe the standard allows you to do this. Each passkey\registration is tied to a relying party which would be the current site you are accessing. You need to directly access the other servers (over HTTPS) to create registrations unique to them. If for example you access https://fire01... then the passkeys are scoped only to that FQDN and won't be presented when attempting to login to https://fire02... You would need to register a key for each server, or a common front-end that they all share.

If you create on the secondary it will get overwritten by when the config syncs from the primary to secondary i would assume.

It should not, my pending implementation allows you to register multiple times for the same user, which in theory should allow for other sites to be used.

The only potential challenge I see is that my implementation verifies the FQDN for registration based off the configuration files (system/hostname + system/domain) . So i'm not sure how your HA deployment deals with that on the config side for both servers. Something that would need to be tested.

@stephenw10 said in Compiling and running 3rd party software on pfSense:

I would expect to see at least some sort of error in the boot log when the driver attaches if the module is rejected as unsupported.

Apparently you're, right: No messages were logged and - against expectations - the Zaram XGS-PON ONT SPF+ module works beautifully in my X710-DA NIC. Perhaps because it's the Intel branded version, perhaps not. But at this moment, there's no problem to solve, but that you very much for your input!

@stephenw10 said in LCP: no reply to echo request(s) Help:

It looks like there's no response at all so I'd check the basics. Is it actually using the correct interface? Is the modem functioning correctly for PPPoE?

I restarted the isp fibre modem that didn't help but weird when I removed the cat 6 an put it back in it started working. Weird.. Going to check the cable next an see.

@keyser said in How (and why) to create a management VLAN?:

@ErniePantuso There is no “special” management VLAN entity. A management VLAN is merely a normal VLAN where you have defined Firewall rules on all pfsense Interfaces to block access to that particular VLAN/Interface.

@keyser Got it. Thank you! I'm using the !RFC1918 rule on all my VLANS (with pass rules above it as necessary) so I think I pretty well have that covered.

PFsense has no dependence on special interface naming, so you can just rename your LAN to MGMT if that makes sense to you according to the firewall setup.

Cool. Thanks very much for the expertise and help!

The only thing I would be concerned about is the fact that igc1 lost link for some reason. Since it's connected to a switch directly it should not.

Some of the early i225v revision (<rev3) chips had link issues. Try running: pciconf -lv igc1
`

Since I'm the OP I thought I'd chime in here. We changed what we do and don't clone anymore. Instead we keep a default config with 90% of the work done and have it import on a brand new install. That config does not contain the SSH keys or RRD data so we don't have to worry about it getting mixed up with other devices. Generally the only things we need to change at that point is the name and the WAN config and anything specific about that install. We leave the WAN to DHCP and plugged in upstream so that the packages reinstall on boot and then change when put in to place.

It seems far more likely that exhausting the available PHP memory causes #14061 rather than the other way around.

This seems like a bug in the bind package and should be reported separately. If it hasn't been already.

Steve

@stephenw10 @Gertjan Issue resolved thank you for you help. The Policy Routing Configuration doc was what I needed to follow.

@johnpoz Thank you for the quick reply. You are awesome, issue resolved!!👍 😀

Actually my bad, I had to re-create all of the interfaces, etc under FreeRadius Service, its working fine now

@johnpoz said in AT&T screwed me over, now can't reach services behind pfSense from outside:

One that that got my panties in a twist, is when I had an outage with comcast back in the day.. I wasn't getting an IP.. Which I clearly stated, and mentioned more than a few times.. I was showing link on the modem, but couldn't get an IP.. They wanted me to ping 8.8.8.8 - I was like how is that going to work, when I don't have an IP.. ugggghhh.. Just move me up the queue please!

I feel your pain brother!
Same with Spectrum (can't put what I call them).

Phizix

Yup, you'd see broadcast traffic from the other firewall but unless you have something configured to do it (or misconfigured!) I wouldn't expect to see unicast between them.

@stephenw10
Thanks! It's working and I suspect I did that when I was trying to setup and test different VPNs. (Ended up with Tailscale - had issues with OpenVPN, PureVPN, and multiple others - either they couldn't do something or it was a feature trade that didn't work for me.)

That's how the xmlrpc for config sync works. It implies the secondary didn't respond for some reason. Perhaps it was down at the time?

Although the 2100 has a switch you don't need to have any config for it. By default it uses the two NICs (mvneta0/1) for WAN and LAN and without any specific switch config the switch just acts as a 5 port unmanaged switch on LAN. So if you only have two interfaces in your CE config you can import that to the 2100 and just reassign them. The same is true for the 3100. It is not true of the 1100 which requires the switch to be configured.
If you have more than two interfaces though you would need to configure the switch to separate the ports.

Steve

@fenster Sounds more like an AP problem than something to do with pfsense... Have you checked out the Ubiquiti forums for help? Perhaps take a look in your Unifi Controller for any clues...

Could be lot's of different radio problems. Do you have more than one AP, does it happen on both bands? What about neighbours with wifi?

@stephenw10 After a factory reset, it is working now. All my WAN rules are back in place, and I was able to install multiple packages from the GUI. Still not sure what the problem was.