@KOM The other record types make it resolve able but the record type is wrong for automatic KMS activation. So i did add the custom option as well to get the correct record type.

So i did the following:

server:
local-data: "_VLMCS._TCP 3600 IN SRV 0 0 1688 kms.dmz.ls.lan"
local-data: "_VLMCS._TCP.ls.lan 3600 IN SRV 0 0 1688 kms.dmz.ls.lan"
local-data: "_VLMCS._TCP.dmz.ls.lan 3600 IN SRV 0 0 1688 kms.dmz.ls.lan"

The first line is to make sure custom lines don't break the DNS resolver. I have 2 networks one (LAN) with the domain name ls.lan and the other (DMZ) with the name dmz.ls.lan i want machines to be able to activate from both networks. Firewall between both networks is oneway traffic only from LAN to DMZ not the other way around.

So the first local-data line is to make sure machine can activate when they are not aware in which network they are in. The other 2 are for the machines that do know that.

On windows machines you can test with nslookup if everything is setup correctly.
In my case all 3 return a service record.
nslookup -type=srv _vlmcs._tcp
nslookup -type=srv _vlmcs._tcp.ls.lan
nslookup -type=srv _vlmcs._tcp.dmz.ls.lan

@NollipfSense

Excellent advise my friend and very well appreciated. I bought the first one. Fingers crossed it will work Ok :-) I checked the feedback earlier today and other buyers have reported that it works Ok with Pfsense.

Again, many many thanks.

@stephenw10 Thank you very much, it works perfect!!!
I don't know why I didn't think before at such simple solution 😊

@stephenw10

Thank you very much, It works great .. however LACP had some issue with Firmware 23.05 once I upgraded to 23.09.1 that resolved too.

0f4eb7f0-c82f-4934-8523-9ca214bf311f-image.png

Also as for record spoofing MAC Address in LACP breaks the connection so spoofing must be disabled.

@stephenw10 thank you very much. i will look into all this

@SteveITS Thats perfect!

Thank you.

Nice 👍

@SteveITS Thanks for the link. I saw similar references in the ICS CERT RSS feed. Interesting world we have.

Ted

The package system switched to using .pkg some time ago. The pkg binary should check for both files but may only show the error unless if you run it verbose.

@stephenw10

Lucky Netgate ;), no you did a great job so I will probably buy an Netgate 8200. I just need a confirmation concerning the SFP Module i need from my provider then I will ask here if it's compatible in a new thread.
This thread can be closed.

@stephenw10 I was one version behind so I updated to the latest Intel firmware. It is still interesting that the system was running almost a year before I ran into the panics with the latest FfSense image.

For those running Debian 11, the instructions on Debian site have not be updated. The Intel firmware is located in non-free-firmware so you need to add the following:

deb http://deb.debian.org/debian bookworm main contrib non-free-firmware

Thanks for leads and I hope this stabilizes everything

@gabeqc said in Random monitoring data loss on Netgate 1537:

My monitoring graphs will randomly stop working

May I kindly ask (just for my curiosity) if you use the english GUI on your pfsense or a translated one?

Thanks

@stephenw10
I figured it out, (I figured out what fixed it, not sure what caused it. I have been dealing with this for 2 days ugh)

I have debug window in browser open, disabled cache and the pages loaded. removed the check mark and they load fine. Not sure why the problem started on those two pages.
3bc3be4a-0fe1-442a-932a-ce736a6f49b2-image.png

Yeah if you only need bash just install bash and avoid this issue entirely.

@stephenw10 i test your command on my "backup" pfsense and it's worked, got a 1Go file vmcore.0
So we just have to wait now...

@Hyperion said in Using certificate on 2 Firewalls?:

how do I get/obtain a certificate for a firewall example pfSense to install on the hardware?

A 'certificate ' for what usage ?
You can make your own. If you trust the certificate you just created yourself, and you install it into the browser and other app that use these certificate(s), you'll be fine.
If you want a certificate that everybody and everyone trusts out of the box, you need to have a domain name, one you've paid for, like "123456-just-for-me.com".

@Hyperion said in Using certificate on 2 Firewalls?:

can I install an existing certificate on a 2nd firewall and use the 2nd firewall as a replacement if the 1st firewall has a hardware defect?

44a583c8-2ac1-40e9-9f22-ab84a32ac49e-image.png

The third certificate : I 'own' (rent !) the domain name (example) "my-local-network-net" and I use the pfSense package acme to handle the (re)newal of the certificate.
When done, every 60 days or so, I export them to my NAS, printers and other APs : everybody that has a GUI port 433 (https) access.

@Hyperion said in Using certificate on 2 Firewalls?:

can I install an existing certificate on a 2nd firewall and use the 2nd firewall as a replacement if the 1st firewall has a hardware defect?

of course.
You can even automate this setup : if one fails, the other one takes over you doing nothing but drinking beer.
See the pfSense documentation, or one of the many video's about the subject.

@Hyperion said in Using certificate on 2 Firewalls?:

if I export an complete existing pfSense Firewall setting, will this export contain the certificate as well?

All pfSense settings are in the file you export.
Example : the hard disk of your firewall does what they all do : it dies.
No problem : you have your daily backup of the config, so :
Put a new drive in place.
Get the latest copy of pfSense : = download or contact pfSense tech support - TAC.
Put the firmware on an USB key - see pfSense Documentation "How to use Etcher to create a USB boot drive for pfSense).
Install pfSense.
As soon as the GUI is up, import your config.
Reboot.
Done.

The most difficult step was probably :

Put a new drive in place.

Btw : VMs are even more easier ...

@Hyperion said in Using certificate on 2 Firewalls?:

given by ChatGPT:

A forum member ?
Must be anew one then.

Normally, the old answer is used : RTFM ^^
As very soon you will have hundreds (more probably) questions. (and that's a good sign !)
And you really don't want to type them all.
An nobody here likes to copy past the same answers here 😊

edit : pfSense Documentation
and also : the Youtube Netgate Channel.

edit : Don't be bothered with the RTF.. word : if you have a question : post.
We have all several things in common : born without knowing what a firewall is.
"Fire" and "wall" came in early (for me) but the two combined, buried in a small box with a lot of cables, that one needs to be learned the old fashioned way, mostly by trial and error (for me, that is) ;)

@Alena-Cantillo said in Pfsense is unreachable after reboot.:

Have you find any solution about that? I mean when the pfsense doesn't reload

Can't tell.
Only the admin in front of the device can discover that.
By using the console cable he would be able to see pfSense booting, and if there was an issue, it will be shown on the console screen.

@stephenw10 said in Reboot using R/r (Reroot): Does not restart pfBlockerNG (DNSBL, firewall filter) and others:

So they do restart as expected?

Yes, I should have include I have Airvpn configured and using all three available connections as a Gateway Group along with balancing, so it takes a moment or two to get going...