• Still no 2FA?

    5
    0 Votes
    5 Posts
    272 Views
    johnpozJ

    @deanfourie said in Still no 2FA?:

    I'm just surprised this is not built in.

So freerad is click to add to pfsense, how is it not built in? You looking for a click and dropdown menu to set up 2fa?

I think there is a lack of understanding of what constitutes mfa to be honest.. So any sane setup of a device like a firewall should be limited to what network/devices can access it in the first place. So location of auth is a factor. Now maybe this is just your lan.. But what it should be is a secured network that only admins can be on. So that is 1 factor.. Now they need username+password = 2fa by the very definition of what 2fa is.. Do you allow access to the firewall via the public internet?

So mfa auth can be made up of multiple(s) of these attributes

A knowledge factor is something the user knows, such as a password, a PIN etc.. A possession/have factor is something the user has, such as an ID card, a laptop, security token, cellphone, etc. A biometric or something you are factor, ie something inherent in the user's physical self. A location factor is usually denoted by the location from which an authentication attempt is being made. A time factor restricts user authentication to a specific time window in which logging on is permitted and restricts access to the system outside of that window.

Maybe missing something but let's take these 5.. And walk through some scenarios/setups.

    So to auth to pfsense
    Username and password = 1 factor
    Have to be on the secured "admin" network or IP. = another factor.. So unless you allow login to your firewall from the public internet?

    There is 2fa auth right there if you ask me.

    Other factors that should/would be involved in access to this firewall. Could be another something you have, for example your ID to even get in the building to be able to get on the network/room that can even access the firewall. Or maybe even biometric, fingerprint to access the building or IT dept. Or server room or etc..

Other factors to be considered, to get on this "admin" network it's possible you have to do some sort of 802.1x auth to connect this device, not just walk in off the street and plug into some port or connect to some open wifi network. So this could be something you have - work laptop that is pre-set up to get on this admin network, also something you know, the username+password to even login to the laptop you have.

    So if we walk through a typical possible process of accessing the firewall gui

    ID to get into the building, laptop that is company laptop and allowed to access the network. Username and password to login to this laptop. Username and password to access pfsense gui. So I count 2 things you have (id and work laptop) and 2 things you know. Login to this laptop and login to pfsense = 4fa

So unless this pfsense is say just sitting in the open or in an unlocked closet in a public building that requires no form of auth to enter, you're satisfying mfa..

Some token or sms sent to a different device is just one of the ways to control access. But it is not the be-all end-all to having 2fa..

    edit:
So past company I worked at.. These are factors you would have to do to get access to any sort of firewall/router/switch on the network.

    You had to thumbprint to get into the office.. To get into the server room or network closets you needed a badge to scan at the door. So even if you were going to console in ie physical access you had to have 2 factors. Your thumbprint and badge.

But typically thumb to get in. Work laptop to access the network, because 802.1x was enabled - you couldn't just plug any laptop into any network port in some cube. Also even if you passed 802.1x in some cube, ie a company laptop.. To access the admin network you had to use specific cube ports, and your laptop had to be specifically set up to access this network.

Now I needed to auth to my laptop.. Which required a tiks card, not just username+password; if you just found my laptop on the street it wouldn't do you any good.

Now to access the devices from this "admin" network you also needed to auth to the admin network - not just be plugged into the network that can auth. So this required a different username and password. Now once you were on this network, you could access network devices. And then you needed username and password to auth to this device.

    So how many factors is that? Well over 2 that is for sure ;)

  • SG-3100 upgrade to 24.03 seems to have broken UPnP

    Moved
    17
    0 Votes
    17 Posts
    822 Views
  • Change the CN (common name) of a user certificate?

    3
    0 Votes
    3 Posts
    510 Views
    stephenw10S

    Indeed you have to create a new certificate with the CA. You can't edit a cert, that would break the chain of trust.

  • ZFS POOL UPGRADE?

    6
    0 Votes
    6 Posts
    612 Views
    provelsP

    @stephenw10 said in ZFS POOL UPGRADE?:

    No I would not upgrade the ZFS pool.

    Good advice. I tried it a while back and system became unbootable.

  • GRE Tunnel using Proxy ARP

    14
    0 Votes
    14 Posts
    2k Views
    stephenw10S

    Sorry missed the replies here.

    It looks like you're using the webgui cert as the server cert? It has to be a cert created against the server CA.

It also looks like the TLS key is different. Both ends must have the same TLS key.

    You also still have a bunch of routed tunnel settings like pushing routes and adding gateways. But I'd fix up the cert/key first before looking at that.

    Steve

  • Resolved: Upnp not successful nat moderate

    4
    0 Votes
    4 Posts
    551 Views
    JonathanLeeJ

I found the issue: I changed the OPT1 name and it would not change in the config.xml, so it does not bind to the new name. I set it back to OPT1 after seeing that the config.xml did not recognize this as selected for the upnp section of the code, and it worked.

    It is like the name change messed up somehow

  • BGP - unrecognized capability code: 128

    Moved
    6
    0 Votes
    6 Posts
    954 Views
    M

Restarting only OSPFD produced nothing, but restarting the pfsense 2.7.2 box output this on pfsense+ 24.03:

    2024-05-06 10:56:04.896 [WARN] ospfd: [MS0DP-CEKYV][EC 134217751] Point-to-Point link on interface ipsec2 has more than 1 neighbor.
    2024-05-06 10:56:09.660 [WARN] ospfd: [MS0DP-CEKYV][EC 134217751] Point-to-Point link on interface ipsec2 has more than 1 neighbor.
    2024-05-06 10:56:11.667 [WARN] ospfd: [MS0DP-CEKYV][EC 134217751] Point-to-Point link on interface ipsec2 has more than 1 neighbor.
    2024-05-06 10:56:22.682 [WARN] bgpd: [JG0WZ-7X009][EC 33554504] 10.255.255.254 unrecognized capability code: 128 - ignored
    2024-05-06 10:56:24.339 [INFO] bgpd: [M59KS-A3ZXZ] bgp_update_receive: rcvd End-of-RIB for IPv4 Unicast from 10.255.255.254 in vrf default

  • Setting a different monitoring IP.

    6
    0 Votes
    6 Posts
    339 Views
    JKnottJ

    @cometphoton said in Setting a different monitoring IP.:

    what is the next hop in the trace.

    I just did a traceroute to Google and picked the first address that worked.

  • User settings

    1
    0 Votes
    1 Posts
    75 Views
    No one has replied
  • NIC temp

    6
    0 Votes
    6 Posts
    384 Views
    stephenw10S

    AFAIK there's no way of reading the actual NIC chip temperature there. If the module reports a value that's the only thing you can check.

  • Remove Plus upgrade option

    2
    1 Votes
    2 Posts
    248 Views
    stephenw10S

That can only be done manually currently. If you send me your NDI in chat I can remove it.

  • Can pfsense detect requests and routing to set hostname

    39
    0 Votes
    39 Posts
    2k Views
    stephenw10S

    Did you try to open it with curl like I showed above?

  • ARP TABLE Refresh time for Wake On Lan

    5
    0 Votes
    5 Posts
    803 Views
    stephenw10S

    @Unoptanio said in ARP TABLE Refresh time for Wake On Lan:

    just add it in the /etc/sysctl.conf file?

    Nope, pfSense doesn't use that. The system tunables table replaces it so add it there if you need to.

  • 0 Votes
    20 Posts
    2k Views
    J

    @stephenw10 - Right?

    Thanks for all the help!!

• pfSense architecture support

    6
    0 Votes
    6 Posts
    515 Views
    stephenw10S

    There are several threads about boxes with N100 CPUs specifically where the default power settings in the BIOS interact unexpectedly with the speedshift driver in FreeBSD/pfSense.

  • The oldest Netgate hardware still running pfSense+ 24.03?

    12
    0 Votes
    12 Posts
    802 Views
    provelsP

    @DominikHoffmann said in The oldest Netgate hardware still running pfSense+ 24.03?:

    it’s good to know that in 15 years my Netgate...

    By that time you may need a 128bit processor!

  • Showing 23.09.1 as up to date

    14
    0 Votes
    14 Posts
    637 Views
    stephenw10S

    Responded in chat.

  • Multiple WAN IP's on one PPPoE how ??

    2
    0 Votes
    2 Posts
    139 Views
    stephenw10S

    You would usually add VIPs (IPAlias) on the WAN for each additional public IP. Then change the outbound NAT rules to manual and add rules for the internal subnets via the appropriate VIP.

    https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html#single-ip-subnet-on-wan

    Steve

  • Advice needed - ZFS Mirror creation after install

    5
    0 Votes
    5 Posts
    501 Views
  • No package list in Available Packages on pfsense 2.7.0

    3
    0 Votes
    3 Posts
    497 Views
    S

@Gertjan Thanks, the trick at the end was "just" the cert; it is not mentioned explicitly in the post with the command but is part of the actions to take.

For the benefit of the forum, the command to run is

    certctl rehash

This info is from the pfSense Troubleshooting Manual.
    Solved !
    Thanks !

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.