• Terrapin SSH Attack

    Pinned
    33
    16 Votes
    33 Posts
    31k Views
    STLJonnyS
    @willowen100 It basically forces your ssh (on the Windows side) to utilize that encryption algorithm. You'll need to do that on any machine you ssh from. I'd have rather found a more elegant workaround (preferably on the pfSense side, so the mod only has to be done in one location), but this works in a pinch.
  • pfSense Hangouts are available on YouTube!

    Pinned Locked
    1
    5 Votes
    1 Posts
    11k Views
    No one has replied
  • Share your pfSense stories!

    Pinned Moved
    76
    0 Votes
    76 Posts
    65k Views
    V
Mine may be typical, maybe not..... Took over a large senior living facility with a pretty robust IT infrastructure spread between 4 IT rooms, 23 access points, 12-14 switches, and 200 internal devices and 200 guest/resident devices, all being run by a Sonicwall TZ350. I had been wanting to realign everything network-wise for some time, but the TZ had 2 ports that were failing. I had worked with ClearOS from back in the ClarkConnect days and started searching for something similar. I found pfSense and it just fit what I wanted to do. I tested it a bit on an old Athlon64x2 rig for proof of concept and had planned on installing on a mini PC or something, but I wanted 6 NICs. Standing in my main IT room I looked down and in the bottom of the rack were 4 HP DL380s, 2 of which were decommissioned 2 years ago. It's such huge overkill for hardware that it's hard to explain, but who wouldn't want redundant power supplies, RAID 60 with 25 drives and remote system monitoring through iLO? lol I spun one up and loaded pfSense and started tweaking. 2 weeks ago I switched over and have been working out gremlins since.. Overall it's gone well, just one snag that a couple members here have been very kind in helping me work out. Thank you to this page for all the help.
  • 25.07 unbound - pfblocker - python - syslog

    46
    0 Votes
    46 Posts
    2k Views
    J
@stdanro It would be the recovery from that -- look at the code referenced: syslogd, and the changes are specifically related to EAGAIN and ECONNREFUSED messages (they were not being handled). Not having them processed causes all kinds of interesting artifacts, and different ones when sending to a single server vs. multiple servers (I have 2, and the order they are listed also changes the behaviour, that is, if one goes down and the other does not, which is my case). Because in my environment I know exactly when the issue is going to occur (because of a fixed schedule maintenance window on one of the syslog servers), I have a script that monitors that receiving device and restarts syslog accordingly after it detects the system/port are back and available. Other than that "tiny little issue", as far as I can tell it is rock solid in processing messages. The only option for us currently is to wait for the new build of syslogd - so that it just recovers like it did before, back in the 24.11 days.
  • Order / Timing of Booting Modem and pfsense PC

    11
    0 Votes
    11 Posts
    117 Views
    M
    @johnpoz @provels I know that "unstated industry standard" is 192.168.100.1, but I've learned the hard way that assuming may cause problems. Now if IANA had something stating 192.168.100.1 is the default address for devices like cable modems, I'd accept that as gospel :)
  • Ecobee thermostat can’t connect to servers

    86
    0 Votes
    86 Posts
    3k Views
    patient0P
@ezhawk said in Ecobee thermostat can’t connect to servers: "And to no one's surprise, Ecobee says it is a problem with the pfSense"
    Just to be clear (and I leave it after that), my suggestion to contact support was not to blame them but to get help from them, getting information about the connection made by pfSense and whether Ecobee was blocking that connection at some point. I suspect you won't get that info in a chat from 1st level support. Your packet capture shows a 'Client Hello' from the Ecobee device when connecting to idt.ecobee.com and in a normal conversation, the answer would be a 'Server Hello' from the Ecobee server. But instead Ecobee ends the connection (the connection to home-fw.ecobee.com gets a 'Server Hello', and seems successful).
  • Firewall Logs with Unavailable Matched Rule and Empty Tracker ID

    10
    0 Votes
    10 Posts
    300 Views
    M
@johnpoz In case this was not clear, the question is meant for @aarontry1
  • Wireguard fails after reboot (2.8.0)

    26
    0 Votes
    26 Posts
    1k Views
    B
@stephenw10 Sorry for the delayed reply - I have just got back from a business trip. Anyway, this is the output from the CLI:

        [2.8.1-RC][root@pfSense.mymain.local]/root: ls /var/run
        check_reload_status  cron.pid  daemon_sshguard.pid  devd.pid  devd.pipe  devd.seqpacket.pipe
        dhclient.igb0.pid  dmesg.boot  dnsbl.pid
        dpinger_VPNUNLIMITED_L2TP~10.240.0.2~10.240.0.1.pid
        dpinger_VPNUNLIMITED_L2TP~10.240.0.2~10.240.0.1.sock
        dpinger_WANV6_TUNNELV6~2001:470:1f08:84a::2~2001:470:1f08:84a::1.pid
        dpinger_WANV6_TUNNELV6~2001:470:1f08:84a::2~2001:470:1f08:84a::1.sock
        dpinger_WAN_DHCP~82.13.203.142~82.13.202.1.pid
        dpinger_WAN_DHCP~82.13.203.142~82.13.202.1.sock
        dpinger_wg1GW~10.102.1.114~10.102.1.114.pid
        dpinger_wg1GW~10.102.1.114~10.102.1.114.sock
        dpinger_wg2GW~10.102.100.206~10.102.100.206.pid
        dpinger_wg2GW~10.102.100.206~10.102.100.206.sock
        expire_accounts.pid  filter_reload_status  filterlog.pid  ipsec_keepalive.pid
        kea  kea2fib6.cache  kea4-ctrl-socket  kea4-ctrl-socket.lock  kea6-ctrl-socket  kea6-ctrl-socket.lock
        l2tp_opt9.pid  ld-elf.so.hints  ld-elf32.so.hints  log  logpriv  mdns-bridge.pid  miniupnpd.pid
        nginx-webConfigurator.pid  ntpd.pid  pfSense_version  pfSense_version.rc  php-fpm.pid  php-fpm.socket
        ping_hosts.pid  radvd.pid  sshd.pid  sshguard.pid  syslog.pid  unbound.pid
        update_alias_url_data.pid  updaterrd.sh.pid  utmp  utx.active  wireguardd.pid
        [2.8.1-RC][root@pfSense.mymain.local]/root:
        [2.8.1-RC][root@pfSense.mymain.local]/root: ls /var/run kea4-ctrl-socket.lock kea6-ctrl-socket kea6-ctrl-socket.lock l2tp_opt9.pid
        [2.8.1-RC][root@pfSense.mymain.local]/root:: Too many arguments.
        [2.8.1-RC][root@pfSense.mymain.local]/root: check_reload_status ld-elf.so.hints ld-elf32.so.hints log logpriv mdns-bridge.pid miniupnpd.pid nginx-webConfigurator.pid ntpd.pid pfSense_version pfSense_version.rc php-fpm.pid php-fpm.socket ping_hosts.pid radvd.pid sshd.pid sshguard.pid syslog.pid unbound.pid update_alias_url_data.pid updaterrd.sh.pid utmp utx.active wireguardd.pid
  • Upgrading pfSense 21.05 to 23.01

    upgrade
    11
    0 Votes
    11 Posts
    87 Views
    stephenw10S
    ZFS is also a lot more resilient to filesystem issues than UFS. So if you see frequent power outages it's a much better choice. But, yes, it does write more to the drive. Though the default values in 25.07 reduce that significantly. You can mitigate it almost entirely by running RAM disks too.
  • pfsense 2.7.0 installed as vm on xenserver now routing issue

    13
    0 Votes
    13 Posts
    701 Views
    stephenw10S
    Yup so check the routing and arp table on a client when it's unable to browse.
  • 25.7.1 package issue

    1
    0 Votes
    1 Posts
    34 Views
    No one has replied
  • 0 Votes
    10 Posts
    70 Views
    AndyRHA
@ChrisJenk said in Netgate 6100 / 25.07 - any recipes / guidelines for optimising high speed LAN and WAN connections?: "Speedtest program on the router itself"
    No, I ran it on a Windows computer connected at 2.5Gb. I got full line speed up and down. I have since changed my internet to 1Gb so I only get 1.2Gb up and down now. A while back a friend and I were building and testing a VPN tunnel between us, a 7100 and a 6100, and we found a noticeable speed difference if we used iperf on pfSense vs. a computer on each end. We only got in the 700Mb/s range, and still iperf on pfSense really added a load and skewed the results by at least 10%.
  • Port Forwarding stopped working after upgrading to 2.8.0

    113
    0 Votes
    113 Posts
    6k Views
    C
Guess back to testing... after a reboot of pfSense I can search again on the HD site with that disabled.. will test more to see if it comes back.. Haven't solved how the ISP DNS or Cloudflare DNS show up on the VPN side, as it says you may be leaking. I gave up trying for now, just working on this pfBlocker.
  • Restore pfS config.xml to new h/w

    20
    0 Votes
    20 Posts
    161 Views
    stephenw10S
    If it's a paid subscription and you had to replace the hardware you should open a TAC ticket. We are not completely inflexible. Yes, it's tied to the hardware but if you are forced to change that we have options.
  • Strange Memory

    9
    0 Votes
    9 Posts
    809 Views
    J
    ^^ yes - this. - and the syslogd fix in the works should resolve this.
  • Why do we need to pay for pfS + ????

    12
    0 Votes
    12 Posts
    149 Views
    S
@chudak said in Why do we need to pay for pfS + ????: "How do you connect monitor to it?"
    See for example https://docs.netgate.com/pfsense/en/latest/solutions/netgate-4200/#how-to-guides In general Netgate makes sure new releases work on old Netgate hardware until it can’t.
  • Switched to AT&T fiber, IPv6 tunnel broken

    8
    0 Votes
    8 Posts
    79 Views
    BiloxiGeekB
@johnpoz Yep, that's the setup I've got in place. It had been working for quite a few years for me when I was on a cable modem. @Bob.Dig My SG2100 does get a public IP, it is pingable from the outside world, but I still get no tunnel. In the Gateways widget the tunnel just shows "Offline, Packetloss".
  • New if_pppoe module no logging in Status / System Logs / PPP?

    3
    0 Votes
    3 Posts
    53 Views
    S
    @stephenw10 thanks for the feedback!
  • IAX2 not going out after a while

    6
    0 Votes
    6 Posts
    902 Views
    stephenw10S
    Mmm, you'll probably have to wait for it to fail and check what states are still there. I'd expect it to just re-connect if the states timed out and start to fail.
  • Cannot access some legit 443 on 25.07.1

    5
    0 Votes
    5 Posts
    371 Views
    stephenw10S
    Sounds like they are getting redirected locally if they see a cert error. Check what cert they are being offered. The details there may indicate what is intercepting the traffic.