• Terrapin SSH Attack

    Pinned
    33
    16 Votes
    33 Posts
    29k Views
    STLJonnyS
    @willowen100 It basically forces your ssh (on the Windows side) to utilize that encryption algorithm. You'll need to do that on any machine you ssh from. I'd have rather found a more elegant workaround (preferably on the pfSense side, so the mod only has to be done in one location), but this works in a pinch.
  • pfSense Hangouts are available on YouTube!

    Pinned Locked
    1
    5 Votes
    1 Posts
    11k Views
    No one has replied
  • Share your pfSense stories!

    Pinned Moved
    76
    0 Votes
    76 Posts
    63k Views
    V
Mine may be typical, maybe not..... Took over a large senior living facility with a pretty robust IT infrastructure spread between 4 IT rooms, 23 access points, 12-14 switches, and 200 internal devices and 200 guest/resident devices, all being run by a Sonicwall TZ350. I had been wanting to realign everything network-wise for some time but the TZ had 2 ports that were failing. I had worked with ClearOS from back in the ClarkConnect days and started searching for something similar. I found pfSense and it just fit what I wanted to do. I tested it a bit on an old Athlon64x2 rig for proof of concept and had planned on installing on a mini PC or something, but I wanted 6 NICs. Standing in my main IT room I looked down and in the bottom of the rack were 4 HP DL380s, 2 of which were decommissioned 2 years ago. It's such huge overkill for hardware that it's hard to explain, but who wouldn't want redundant power supplies, RAID 60 with 25 drives and remote system monitoring through iLO? lol I spun one up and loaded pfSense and started tweaking. 2 weeks ago I switched over and have been working out gremlins since.. Overall it's gone well, just one snag that a couple members here have been very kind in helping me work out. Thank you to this page for all the help. [image: 1697753147328-pfsense1.png]
  • 25.07 pfb_dnsbl wont start unless i edit / save carp vip

    3
    0 Votes
    3 Posts
    36 Views
    Mr_JinXM
@stephenw10 it sure is, I have a pair of 8200s
  • OpenVPN bad encapsulated packet length question

    33
    0 Votes
    33 Posts
    525 Views
    A
Sounds like your tun-mtu change didn’t fully sync with the other side — sometimes mismatched MTU or TCP MSS values can still cause warnings without actually dropping the VPN. You could try lowering tun-mtu (e.g., 1400) and adjusting mssfix on both server and client to see if the encapsulated packet length stays within limits.
  • To do 25.07 or not?! That is the question!

    17
    0 Votes
    17 Posts
    665 Views
    stephenw10S
    @AndyRH said in To do 25.07 or not?! That is the question!: Someone fixed something and made it better. I'll take it.
  • New PPPoE Driver in 25.07

    8
    0 Votes
    8 Posts
    220 Views
    B
@Cornel said in New PPPoE Driver in 25.07: And should I remove the tunables I added to increase the PPPoE performance? The pfSense documentation on this says if_pppoe "may eliminate the need for additional tuning". I've removed net.isr.dispatch=deferred from my loader.conf.local file but can't say I've noticed any difference.
  • What rule blocks this ?!?

    19
    0 Votes
    19 Posts
    178 Views
    stephenw10S
@johnpoz said in What rule blocks this ?!?: short block You mean an invalid short packet? Edit: Oh, the log reason is 'short'. Hmm, I don't think I've ever seen that before. Yeah, it doesn't have to match a rule so no id etc.
  • SMART not checking drives.

    smart monitor freebsd
    4
    0 Votes
    4 Posts
    67 Views
    A
Thanks Guys... that explains everything. The other drive is an M.2 Samsung 250GB, worked OK on that.
  • Keyboard stops responding after booting

    4
    0 Votes
    4 Posts
    78 Views
    K
So you're seeing the boot process on a screen attached to the device with a VGA/HDMI cable? The kernel boot probably switched over to the serial USB console from that point on, so nothing shows up on the screen anymore. This might help you: Troubleshooting Boot Issues. @basketball superstars said in Keyboard stops responding after booting: is due to needing to disable DHCP You disabled the DHCP server on LAN? Thanks for your answer. I got it.
  • pfsense 2.8 CE Crash Report

    4
    0 Votes
    4 Posts
    60 Views
    stephenw10S
    Hmm, so is that shown in the main system log? It may just not be in the console log.
  • 25.07 unbound - pfblocker - python - syslog

    18
    0 Votes
    18 Posts
    249 Views
    J
@stephenw10 For what it is worth: after sitting turned off for almost 260 days, I started and upgraded a virtual 2.7.x install to 2.8, and the same "duplicate" syslog problem exists there when I had the same individual syslog options checked there as I did on my production box (which is the way the virtual was last turned off). Duplicates from unbound: [image: 1754683969504-screenshot-2025-08-08-at-4.12.06-pm.png] Changed the setting to "everything". Duplicates gone [image: 1754684035363-screenshot-2025-08-08-at-4.13.45-pm.png] and "bonus" cron and nginx messages.
  • upgrading to 25.07, if_pppoe and new bug or what?

    15
    0 Votes
    15 Posts
    240 Views
    stephenw10S
    Ah, that's fun*. Not currently there isn't, either source or a way to suppress it as far as I know. We are adding more refined logging output now.
  • Error "loading the rules" after reboot

    8
    0 Votes
    8 Posts
    115 Views
    stephenw10S
    Hmm, I'm not sure why you would need NAT there if each site is advertising the correct subnets. But yes that would be a problem if you needed to do it. In pfSense you need to assign an interface to apply NAT on it.
  • Unable to log into WebUI after 25.07 upgrade

    8
    0 Votes
    8 Posts
    115 Views
    GertjanG
    @michmoor said in Unable to log into WebUI after 25.07 upgrade: I am assuming nginx has their own local database file that it uses for credentials? Not its own. 'The' System > User Password Manager. So a user like the 'admin' is present (has to be present) in the main pfSense config file : [image: 1754649198363-9b0cf17d-25e4-4d36-8ebf-2d1a7036523e-image.png]
  • Torrents Resulting in WAN Packet Loss

    17
    0 Votes
    17 Posts
    206 Views
    planedropP
@stephenw10 Yeah that's what I'm thinking, maybe the ONT itself can't handle it or something along those lines. I know many ISPs do throttle torrents, but you'd usually see that as the torrent traffic itself having higher latency and stuff, not just dropped packets on the entire connection, though it doesn't appear the latter is unheard of. Pretty confident at this point it isn't pfSense, so at least that's good. May also see if my ISP can get a tech out, after I test both VPNs and possibly direct fiber connectivity instead of the ONT.
  • Update from 24.11 to 25.07 failed and possible corrupt system

    21
    0 Votes
    21 Posts
    595 Views
    N
Updated to 25.07 today and had the same issue. Hung at updating configuration for about 10 minutes. Reverted back to 24.11, cleared all the pfBlocker config backups (~7k), and the update went smoothly.
  • SSH with public key and new macbook pro

    10
    0 Votes
    10 Posts
    108 Views
    patient0P
@ahole4sure said in SSH with public key and new macbook pro: could you possibly send a screenshot of what all is in your config file? :) ... no, I can't do that. It is full of information not to be shown in public. But I can paste an example and you'll find a lot on the internet.

    Include ~/.orbstack/ssh/config

    # my firewall, e.g. pfSense, non-standard port
    # and specify which ssh private key to use
    Host firewall-at-home 192.168.1.1
        User root
        Port 20022
        IdentityFile ~/.ssh/id_rsa
        HostName 192.168.1.1

    # my Synology DS920+
    Host ds920plus
        User admin

    # default settings for hosts not matched
    # in above rules
    Host *
        User jane
  • XMLRPC Error after Upgrading to 25.07

    3
    0 Votes
    3 Posts
    70 Views
    stephenw10S
    Do you see blocked traffic on secondary? It sure looks like it's failing to authenticate there. Are you using a complex password? Are you using the admin user for the xml sync?
  • 0 Votes
    3 Posts
    65 Views
    C
    @stephenw10 Thanks. I monitored the WireGuard traffic on the underlying interface at the same time and sure enough every 15 seconds the remote peer sends a 32 byte UDP packet. This ties up with the client's setting 'PersistentKeepalive = 15' so it is just the keep alive traffic. Mystery solved.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.