• Gateway Pending and no WAN internet connection

    0 Votes
    5 Posts
    524 Views

    @stephenw10

    Wow, so simple, I had not done a reboot and assumed all would work. Killed power and rebooted modem and router together, tada, internet! Thanks!!

  • where to put hw.uart.console setting so it sticks after reboot

    0 Votes
    12 Posts
    2k Views

    @stephenw10 said in where to put hw.uart.console setting so it sticks after reboot:

    @gfeiner said in where to put hw.uart.console setting so it sticks after reboot:

    show command reveals efi is already in the console option:

    console=comconsole,efi

    But comconsole is set first and the referenced bug shows that running it unsets the hw.uart value.
    So try adding console=efi to loader.conf.local

    Bingo. That was it. /efi/freebsd/loader.env is not needed. All that is needed is a /boot/loader.conf.local with these two entries:

    console="efi"
    hw.uart.console="mm:0xfedc9000,rs:2"

    In looking at the details and comments of the actual change in FreeBSD 13, it makes sense: https://cgit.freebsd.org/src/commit/?id=525ac1948af8
    Their change will specifically unset hw.uart.console if console has comconsole as a value.

    For those reading this who may wish to install pfSense on a Deciso appliance like myself, I got the mmio address value for hw.uart.console by inspecting the output of "dmesg | grep uart" while the appliance was running OPNsense.

  • How to setup HTTPS between my browser and my pfSense firewall?

    0 Votes
    10 Posts
    894 Views
    johnpoz

    @flugenblar yeah as long as your browser doesn't bug you every time about the self signed, it's not an issue for sure.. You're still encrypting your traffic..

    It's only a few seconds to set up, and once you set up a browser to trust you can issue signed certs for all your different things that might want to use a cert. switches, printers, your nas gui, my unifi controller software.. etc. etc.

    Used to be better when the browsers also didn't complain about lifetime of cert, used to issue them for 10 years and never had to think about it again etc.. But now I think like 398 days is longest you can issue one for before browsers bitch at you about it.

  • Using SafeXcel hardware crypto for SSL offloading with HAproxy?

    0 Votes
    2 Posts
    344 Views
    stephenw10

    I don't believe that's possible. Only kernel mode crypto operations can use SafeXcel, so IPSec or OpenVPN DCO.

  • LAN Errors - Pinpoint

    0 Votes
    8 Posts
    464 Views
    stephenw10

    Check the MAC stats in the sysctl output. The errors there are shown by type. For example in igb:

    [2.7.2-RELEASE][admin@t70.stevew.lan]/root: sysctl dev.igb.0.mac_stats
    dev.igb.0.mac_stats.tso_ctx_fail: 0
    dev.igb.0.mac_stats.tso_txd: 0
    dev.igb.0.mac_stats.tx_frames_1024_1522: 4687
    dev.igb.0.mac_stats.tx_frames_512_1023: 2618
    dev.igb.0.mac_stats.tx_frames_256_511: 7200
    dev.igb.0.mac_stats.tx_frames_128_255: 27786
    dev.igb.0.mac_stats.tx_frames_65_127: 75559
    dev.igb.0.mac_stats.tx_frames_64: 722390
    dev.igb.0.mac_stats.mcast_pkts_txd: 0
    dev.igb.0.mac_stats.bcast_pkts_txd: 26
    dev.igb.0.mac_stats.good_pkts_txd: 840240
    dev.igb.0.mac_stats.total_pkts_txd: 840240
    dev.igb.0.mac_stats.good_octets_txd: 68322288
    dev.igb.0.mac_stats.good_octets_recvd: 145377581
    dev.igb.0.mac_stats.rx_frames_1024_1522: 24579
    dev.igb.0.mac_stats.rx_frames_512_1023: 4478
    dev.igb.0.mac_stats.rx_frames_256_511: 9296
    dev.igb.0.mac_stats.rx_frames_128_255: 6689
    dev.igb.0.mac_stats.rx_frames_65_127: 53689
    dev.igb.0.mac_stats.rx_frames_64: 1503308
    dev.igb.0.mac_stats.mcast_pkts_recvd: 21
    dev.igb.0.mac_stats.bcast_pkts_recvd: 785609
    dev.igb.0.mac_stats.good_pkts_recvd: 1602039
    dev.igb.0.mac_stats.total_pkts_recvd: 3127575
    dev.igb.0.mac_stats.xoff_txd: 0
    dev.igb.0.mac_stats.xoff_recvd: 0
    dev.igb.0.mac_stats.xon_txd: 0
    dev.igb.0.mac_stats.xon_recvd: 0
    dev.igb.0.mac_stats.coll_ext_errs: 0
    dev.igb.0.mac_stats.alignment_errs: 0
    dev.igb.0.mac_stats.crc_errs: 0
    dev.igb.0.mac_stats.recv_errs: 0
    dev.igb.0.mac_stats.recv_jabber: 0
    dev.igb.0.mac_stats.recv_oversize: 0
    dev.igb.0.mac_stats.recv_fragmented: 0
    dev.igb.0.mac_stats.recv_undersize: 0
    dev.igb.0.mac_stats.recv_no_buff: 0
    dev.igb.0.mac_stats.missed_packets: 0
    dev.igb.0.mac_stats.defer_count: 0
    dev.igb.0.mac_stats.sequence_errors: 0
    dev.igb.0.mac_stats.symbol_errors: 0
    dev.igb.0.mac_stats.collision_count: 0
    dev.igb.0.mac_stats.late_coll: 0
    dev.igb.0.mac_stats.multiple_coll: 0
    dev.igb.0.mac_stats.single_coll: 0
    dev.igb.0.mac_stats.excess_coll: 0

  • pfSense 2.7.2 does not display interface description.

    0 Votes
    6 Posts
    591 Views
    stephenw10

    Yup it gets added to the config if you make a change to the interface. So I imagine you set the subnet there in the setup wizard and never changed anything since.

    Anyway glad that solved it!

  • System Shuts Down when UPS does a Self Test

    0 Votes
    25 Posts
    5k Views

    @dennypage Thanks!

  • SG5100 shutting down unexpectedly

    0 Votes
    3 Posts
    422 Views

    @SteveITS Thanks! Have taken my question to that thread.

  • netmap errors since 2.7.x

    0 Votes
    19 Posts
    3k Views
    bmeeks

    @Cobrax2 said in netmap errors since 2.7.x:

    Umm, tried to go back to 2.6.x but it seems that the old versions are unavailable for download? Wtf

    They may not be there long, so grab a copy quickly from this link:

    https://atxfiles.netgate.com/mirror/downloads/

    There are 2.6.0, 2.7.0, 2.7.1, and 2.7.2 images posted at the link. Download the appropriate image for you (ISO or USB memstick) and make sure you save it in case you need to reinstall at some point in the future.

    Be very careful installing/updating packages with any older version. Be sure you set the repo under SYSTEM > UPDATE > Update Settings to the appropriate version. Failure to do that will result in either the package installation failing, or worse, breaking the install completely by pulling down shared libraries compiled for newer pfSense versions.

  • 2.7.0. 2.7.2 Upgrade Failure

    0 Votes
    3 Posts
    563 Views

    @SteveITS Thanks - I wound up finding this... https://forum.netgate.com/topic/184661/unable-to-upgrade-from-2-7-1-to-2-7-2-unmounting-boot-efi-done-failed/18 which netted out to reinstalling 2.7.0, its configuration which I had backed up, and then upgrading to 2.7.2 - which worked.

    Happy New Year!

  • [Solved] Automatic Configuration Backup no longer works

    1 Votes
    7 Posts
    972 Views

    Hello!

    It is worth noting that the check_dnsavailable function in system.inc that was improved/patched is also used by other subsystems in addition to acb, such as pkg and dhcp. The change may address weirdness in those areas as well.

    John

  • SG-2100 Network Interfaces Question

    0 Votes
    15 Posts
    2k Views

    @JonathanLee said in SG-2100 Network Interfaces Question:

    Happy new year everyone

    Happy new year to everyone !! =)

    Going to meet my friend now, Mr. Jack Daniels.. Nice guy.. hehe

  • Sophos XG230 Rev2 Netgate Device ID

    0 Votes
    5 Posts
    581 Views

    @stephenw10

    Indeed they are. Will decide which Sophos appliance I’m sticking with.

    Seen a 2nd hand Netgate 7100 that I am keeping my eye on.

  • After update to 2.7.2, auto-update checker is hopping update branches

    0 Votes
    8 Posts
    802 Views
    stephenw10

    Yes this is a known issue. It's really only cosmetic but can be confusing. https://redmine.pfsense.org/issues/15019

    Yes if you really need to I can remove your NDI so it stops seeing Plus as an available upgrade.

  • NEWBIE - VLAN / L2TP / OpenVPN - Not Working?

    0 Votes
    2 Posts
    321 Views
    stephenw10

    L2TP over IPSec can work: https://docs.netgate.com/pfsense/en/latest/recipes/l2tp-ipsec.html

    That's a long list of failures. 😉 We'd need to get more info about any one to know more.

  • pfSense & concurrent users

    0 Votes
    18 Posts
    2k Views
    johnpoz

    @AMSUIT said in pfSense & concurrent users:

    i did a test with the local website using the Firewall as intermediate, and faced the same problem!

    Where did you state that? You stated this

    i had done a test with the same Moodle platform locally in our LAN (with no pfSense in the middle) and it works fine with concurrent 109 students

    Ok I see now where you redirected it through pfsense.. How exactly did you do that? Locally pfsense would be involved in talking to some website on your own local network and if just routed to a different segment it wouldn't nat. You setup nat reflection?

  • Add Upstream SSL Intercepting Proxy Certificate

    0 Votes
    4 Posts
    661 Views
    stephenw10

    There is a checkbox to add the CA to the system when you import it if required.

    However in this situation I would add the proxy IP to pfSense specifically so it doesn't need to have that CA.
    https://docs.netgate.com/pfsense/en/latest/config/advanced-misc.html#proxy-support

    Steve

  • Migrating from Sophos UTM Home Use License

    0 Votes
    10 Posts
    2k Views

    @jeffshead
    That is correct. Snort/Suricata operates outside the firewall so to speak so it cannot inspect ssl traffic. There is no mechanism within pfsense to decrypt a flow and send to an engine to inspect. This largely, in my opinion, makes the threat prevention aspect of pfsense quite useless. It would be more useful to have your endpoint mitigation tools on the clients do the protection.

  • Separate LANs unable to see each other

    0 Votes
    12 Posts
    949 Views
    JonathanLee

    @lkh allow Windows firewall to approve ping; you shouldn’t need to disable Defender. Make one rule in Windows firewall to approve pings.

  • After update to 2.7.1, Bad Gateway: Nginx

    Moved
    0 Votes
    9 Posts
    2k Views
    stephenw10

    You might be able to use a driver for the specific hardware rather than the cdce driver. It's possible some specific driver gained support for that hardware in 2.7.1/2.7.2 and that's what changed.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.