• Terrapin SSH Attack

    Pinned
    33
    16 Votes
    33 Posts
    29k Views
    STLJonnyS
    @willowen100 It basically forces your ssh (on the Windows side) to utilize that encryption algorithm. You'll need to do that on any machine you ssh from. I'd have rather found a more elegant workaround (preferably on the pfSense side, so the mod only has to be done in one location), but this works in a pinch.
  • pfSense Hangouts are available on YouTube!

    Pinned Locked
    1
    5 Votes
    1 Posts
    11k Views
    No one has replied
  • Share your pfSense stories!

    Pinned Moved
    76
    0 Votes
    76 Posts
    63k Views
    V
    Mine may be typical, maybe not..... Took over a large sennior living facility with a pretty robust it infrastructure spread between 4 IT rooms, 23 access points, 12-14 switches, and 200 internal devices and 200 guest/resident devices, all being run by a Sonicwall TZ350. I had been wanting to reallign everything network wise for some time but the TZ had 2 ports that were failing. I had worked with ClearOS from back in the ClarkConnect days and started searching for something similar. I found PfSense and it just fit what I wanted to do. I tested it a bit on an old Athalon64x2 rig for proof of concept and had planned on installing on a mini pc or something, but I wanted 6 nics. Standing in my main IT room I looked down and in the bottom of the rack were 4 HP DL380s, 2 of which were decommissioned 2 years ago. It's such huge overkill for hardware that it's hard to explain, but who wouldn't want redundant power supplies, raid 60 with 25 drives and remote system monitoring through ILO? lol I spun one up and loaded PfSense and started tweaking. 2 weeks ago I switched over and have been working out gremlins since.. Overall it's gone well, just one snag that a couple members here have been very kind in helping me work out. Thank you to this page for all the help. [image: 1697753147328-pfsense1.png]
  • To do 25.07 or not?! That is the question!

    16
    0 Votes
    16 Posts
    610 Views
    AndyRHA
    @stephenw10 Fiber straight into the 7100. Nothing funky. No heavy packages. With no performance hit I did not see a reason to chase it. Someone fixed something and made it better. In theory I could boot the old image and Clonezilla the disk.
  • New PPPoE Driver in 25.07

    7
    0 Votes
    7 Posts
    187 Views
    stephenw10S
    It might. If depends if that's the limit it's hitting. The mvneta NICs on the 3100 are single queue anyway so it's always limited to a single CPU core there which may limit more than the PPPoE driver. But try it and see. The netgraph driver is pretty inefficient in other ways so you should see some change even if it's reduced CPU usage.
  • What rule blocks this ?!?

    19
    0 Votes
    19 Posts
    168 Views
    stephenw10S
    @johnpoz said in What rule blocks this ?!?: short block You mean an invalid short packet? Edit: Oh the log reason is 'short'. Hmm I don't think I've ever seen that before. Yeah it's doesn't have to match a rule so no id etc.
  • SMART not checking drives.

    smart monitor freebsd
    4
    0 Votes
    4 Posts
    57 Views
    A
    Thanks Guys... that explains everything. The other drive is a M.2 Samsung 250GB, worked OK on that.
  • Keyboard stops responding after booting

    4
    0 Votes
    4 Posts
    76 Views
    K
    So you're seeing the boot process on a screen attached to the device with a CVGA/HDLI cable ? The kernel boot probably switched over to the serial USB console from that point on, so nothing shows up on the screen anymore. This might help you : Troubleshooting Boot Issues. @basketball superstars said in Keyboard stops responding after booting: is due to needing to disable DHCP You disabled the DHCP server on LAN ? Thanks for your answer. I got it.
  • pfsense 2.8 CE Crash Report

    4
    0 Votes
    4 Posts
    58 Views
    stephenw10S
    Hmm, so is that shown in the main system log? It may just not be in the console log.
  • 25.07 unbound - pfblocker - python - syslog

    18
    0 Votes
    18 Posts
    239 Views
    J
    @stephenw10 For what it is worth After sitting turned off for almost 260 days, I started and upgraded a virtual from 2.7.x install to 2.8 the same "duplicate" syslog problem exists there. when I had the same individual syslog options checked there as I did on my production box) which is the way the virtual was last turned off. duplicates from unbound [image: 1754683969504-screenshot-2025-08-08-at-4.12.06-pm.png] changed setting to "everything". Duplicates gone [image: 1754684035363-screenshot-2025-08-08-at-4.13.45-pm.png] and "bonus" cron and nginx messages
  • upgrading to 25.07, if_pppoe and new bug or what?

    15
    0 Votes
    15 Posts
    233 Views
    stephenw10S
    Ah, that's fun*. Not currently there isn't, either source or a way to suppress it as far as I know. We are adding more refined logging output now.
  • Error "loading the rules" after reboot

    8
    0 Votes
    8 Posts
    112 Views
    stephenw10S
    Hmm, I'm not sure why you would need NAT there if each site is advertising the correct subnets. But yes that would be a problem if you needed to do it. In pfSense you need to assign an interface to apply NAT on it.
  • Unable to log into WebUI after 25.07 upgrade

    8
    0 Votes
    8 Posts
    111 Views
    GertjanG
    @michmoor said in Unable to log into WebUI after 25.07 upgrade: I am assuming nginx has their own local database file that it uses for credentials? Not its own. 'The' System > User Password Manager. So a user like the 'admin' is present (has to be present) in the main pfSense config file : [image: 1754649198363-9b0cf17d-25e4-4d36-8ebf-2d1a7036523e-image.png]
  • Torrents Resulting in WAN Packet Loss

    17
    0 Votes
    17 Posts
    203 Views
    planedropP
    @stephenw10 Yeah that's what I'm thinking, maybe the ONT itself can't handle it or something along those lines. I know many ISPs do throttle torrents, but you'd usually see that as the torrent traffic itself having higher latency and stuff, not just dropped packets on the entire connection, though it doesn't appear the later is unheard of. Pretty confident at this point it isn't pfSense, so at least that's good. May also see if my ISP can get a tech out, after I test both VPNs and possibly direct fiber connectivity instead of the ONT.
  • Update from 24.11 to 25.07 failed and possible corrupt system

    21
    0 Votes
    21 Posts
    582 Views
    N
    Updated to 25.07 today and had the same issue. Hung at updating configuration for about 10 minutes. Reverted back to 24.11, cleared all the pfBlocker config backups (~7k), updated went smooth.
  • SSH with public key and new macbook pro

    10
    0 Votes
    10 Posts
    105 Views
    patient0P
    @ahole4sure said in SSH with public key and new macbook pro: could you possibly send a screenshot of what all is in your config file? :) ... no, I can't do that. It is full of information not to be shown in public. But I can paste an example and you'll find a lot on the internet. Include ~/.orbstack/ssh/config # my firewall, e.g. pfSense, non-standard port # and specify which ssh private key to use Host firewall-at-home 192.168.1.1 User root Port 20022 IdentityFile ~/.ssh/id_rsa HostName 192.168.1.1 # my Synology DS920+ Host ds920plus User admin # default settings for hosts not matched # in above rules Host * User jane
  • XMLRPC Error after Upgrading to 25.07

    3
    0 Votes
    3 Posts
    63 Views
    stephenw10S
    Do you see blocked traffic on secondary? It sure looks like it's failing to authenticate there. Are you using a complex password? Are you using the admin user for the xml sync?
  • 0 Votes
    3 Posts
    63 Views
    C
    @stephenw10 Thanks. I monitored the WireGuard traffic on the underlying interface at the same time and sure enough every 15 seconds the remote peer sends a 32 byte UDP packet. This ties up with the client's setting 'PersistentKeepalive = 15' so it is just the keep alive traffic. Mystery solved.
  • Questions about log messages

    46
    0 Votes
    46 Posts
    5k Views
    stephenw10S
    They are still coming into the WAN just without the :5 octet?
  • 24.11 -> 25.07

    19
    1 Votes
    19 Posts
    338 Views
    Z
    @stephenw10 No it doesn't install a 3rd party repo. However... it could possibly Mess with shared libraries (libmd.so, libssl.so, etc.) getting replaced or misaligned. Create conflicts in /etc/rc.conf, init scripts, or pkg metadata. OS version expectations (pkg or pfSense-upgrade behaving strangely).
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.