• Terrapin SSH Attack

    Pinned
    33
    16 Votes
    33 Posts
    29k Views
    STLJonnyS

    @willowen100 It basically forces your ssh (on the Windows side) to utilize that encryption algorithm. You'll need to do that on any machine you ssh from.

    I'd rather have found a more elegant workaround (preferably on the pfSense side, so the mod only has to be done in one location), but this works in a pinch.
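    The client-side pin described above, as an added example that is not from the forum thread and not Netgate's code. The post does not name the algorithm it forced; this example assumes the usual choice of the AES-GCM ciphers, which Terrapin (CVE-2023-48795) does not affect, and it also checks a cipher/MAC list for the combinations Terrapin does target: chacha20-poly1305@openssh.com, and any *-cbc cipher paired with an Encrypt-then-MAC (*-etm@openssh.com) MAC. Host names, file paths and the demo input are placeholders.

```shell
#!/bin/sh
# Added example (not from the forum thread): pin the OpenSSH client to
# algorithms Terrapin cannot exploit, and check a cipher/MAC list for the
# combinations it targets. Assumptions: chacha20-poly1305@openssh.com and
# CBC-with-EtM are the affected combinations; AES-GCM needs no separate MAC.

# Return 0 if the comma-separated cipher and MAC lists contain no
# Terrapin-exploitable combination, 1 otherwise.
terrapin_cipher_list_ok() {
    ciphers=$1
    macs=$2
    has_cbc=0
    has_etm=0
    old_ifs=$IFS
    IFS=','
    for c in $ciphers; do
        case "$c" in
            chacha20-poly1305@openssh.com) IFS=$old_ifs; return 1 ;;
            *-cbc) has_cbc=1 ;;
        esac
    done
    for m in $macs; do
        case "$m" in
            *-etm@openssh.com) has_etm=1 ;;
        esac
    done
    IFS=$old_ifs
    # CBC with MAC-then-encrypt is not what Terrapin attacks; CBC + EtM is.
    if [ "$has_cbc" -eq 1 ] && [ "$has_etm" -eq 1 ]; then
        return 1
    fi
    return 0
}

# Append a Host block to an ssh_config-style file (~/.ssh/config on Unix,
# %USERPROFILE%\.ssh\config for Windows OpenSSH) so the pin applies only to
# the pfSense box rather than to every server you ssh to.
write_terrapin_host_block() {
    host=$1
    cfg=$2
    {
        printf 'Host %s\n' "$host"
        printf '    Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com\n'
        printf '    MACs hmac-sha2-512,hmac-sha2-256\n'
    } >>"$cfg"
}

# Run with "demo" to check a constructed list and write a block to a temp file.
if [ "${1:-}" = "demo" ]; then
    if terrapin_cipher_list_ok "chacha20-poly1305@openssh.com,aes256-ctr" "hmac-sha2-256"; then
        echo "list: ok"
    else
        echo "list: Terrapin-exploitable"
    fi
    tmp=$(mktemp)
    write_terrapin_host_block 192.0.2.1 "$tmp"
    cat "$tmp"
    rm -f "$tmp"
fi
```

    After writing the block, `ssh -G <host> | grep -i '^ciphers'` prints the list the client will actually offer; the one-off equivalent is `ssh -c aes256-gcm@openssh.com <host>`. The pin is the stop-gap the post describes; the real fix is an OpenSSH client and server (9.6 or later) that both negotiate strict key exchange, at which point the cipher restriction is no longer needed.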

  • pfSense Hangouts are available on YouTube!

    Pinned Locked
    1
    5 Votes
    1 Posts
    11k Views
    No one has replied
  • Share your pfSense stories!

    Pinned Moved
    76
    0 Votes
    76 Posts
    63k Views
    V

    Mine may be typical, maybe not.....
    Took over a large senior living facility with a pretty robust IT infrastructure spread between 4 IT rooms, 23 access points, 12-14 switches, and 200 internal devices and 200 guest/resident devices, all being run by a SonicWall TZ350. I had been wanting to realign everything network-wise for some time, but the TZ had 2 ports that were failing. I had worked with ClearOS from back in the ClarkConnect days and started searching for something similar. I found pfSense and it just fit what I wanted to do.
    I tested it a bit on an old Athlon 64 X2 rig for proof of concept and had planned on installing on a mini PC or something, but I wanted 6 NICs. Standing in my main IT room I looked down, and in the bottom of the rack were 4 HP DL380s, 2 of which were decommissioned 2 years ago. It's such huge overkill for hardware that it's hard to explain, but who wouldn't want redundant power supplies, RAID 60 with 25 drives and remote system monitoring through iLO? lol

    I spun one up and loaded pfSense and started tweaking. 2 weeks ago I switched over and have been working out gremlins since. Overall it's gone well, just one snag that a couple of members here have been very kind in helping me work out. Thank you to this page for all the help.

    [image: pfsense1.png]

  • 0 Votes
    3 Posts
    33 Views
    Z

    @stephenw10
    Here are the settings in DNS Resolver:
    [screenshot: DNS Resolver settings]

    OpenVPN settings:
    [screenshot: OpenVPN settings]

    On my local machine the URL works fine, but the dev team told me it is not working.
    I tried on my phone (connected to the VPN) and the URL is not working either.
    So what is the issue?

  • 2.8.0 config.xml won't apply with /etc/rc.reload_all

    1
    0 Votes
    1 Posts
    9 Views
    No one has replied
  • NAT Reflection Issue with Dual WAN Setup in pfSense 2.7.2

    2
    0 Votes
    2 Posts
    23 Views
    V

    @TonyArizin said in NAT Reflection Issue with Dual WAN Setup in pfSense 2.7.2:

    Initially, I created the NAT rules with “Filter rule association” set to “Add associated filter rule”

    This only adds a rule to the WAN. For access from inside your network using NAT reflection, you have to add a rule manually to the internal interface.

  • System - Package Manager - Available Packages

    5
    0 Votes
    5 Posts
    97 Views
    M

    @SteveITS

    Thank you for the clarification. You're right — better to be safe. I’ll update FW2 when I'm on site, and then FW1, which is my usual one.

  • Not understanding Boot Environments

    4
    0 Votes
    4 Posts
    114 Views
    stephenw10S

    Mmm that^.

    However what you will see is that after booting back into the 24.11 BE the update branch will still be set to 25.07-RC because that was the last thing that was done before the upgrade took the snapshot. So if you plan to run 24.11 for some time after reverting you would need to set the update branch back to 24.11 in that BE before doing any package operations.

  • Port Forwarding stopped working after upgrading to 2.8.0

    52
    0 Votes
    52 Posts
    1k Views
    stephenw10S

    Cool. Yup there was a backend issue last night. It should be fixed now.

  • v2.7.2: Dynamic DNS not working with Cloudflare

    11
    0 Votes
    11 Posts
    325 Views
    R

    @70tas Indeed, the global token does not work anymore; you must use the API token. And then for the login, do not use your email address. As I wrote before: "One must use the Zone ID when using the API token."

    I have this working using the DDNS GUI. I only needed the script for debugging.
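    The two Cloudflare authentication schemes the reply contrasts, side by side, as an added example that is not from the thread and not pfSense's DDNS code. It assumes the public Cloudflare v4 API (token auth via an `Authorization: Bearer` header, legacy Global API Key auth via `X-Auth-Email`/`X-Auth-Key`, and the zone-scoped `/zones/<zone_id>/dns_records` endpoint); the zone ID, hostname and token in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the forum thread): Cloudflare token auth versus
# legacy global-key auth, and the zone-scoped DNS record endpoint. The zone is
# addressed by Zone ID; no account e-mail is involved with a token.
CF_API="https://api.cloudflare.com/client/v4"

# Print the HTTP header(s) for one auth scheme, one per line.
#   token  <api_token>           -> current scheme, no e-mail involved
#   global <global_key> <email>  -> legacy Global API Key plus account e-mail
cf_auth_headers() {
    scheme=$1
    cred=$2
    email=${3:-}
    case "$scheme" in
        token)  printf 'Authorization: Bearer %s\n' "$cred" ;;
        global) printf 'X-Auth-Email: %s\nX-Auth-Key: %s\n' "$email" "$cred" ;;
        *)      return 1 ;;
    esac
}

# Lookup URL for the A record of FQDN inside the zone identified by Zone ID.
cf_record_lookup_url() {
    zone_id=$1
    fqdn=$2
    printf '%s/zones/%s/dns_records?type=A&name=%s\n' "$CF_API" "$zone_id" "$fqdn"
}

# Live update (needs network and curl): resolve the record's ID, then PATCH
# its content to NEW_IP. jq would be cleaner than grep/cut for the ID.
cf_update_a_record() {
    token=$1
    zone_id=$2
    fqdn=$3
    new_ip=$4
    rec_id=$(curl -sS -H "$(cf_auth_headers token "$token")" \
                  "$(cf_record_lookup_url "$zone_id" "$fqdn")" \
             | grep -o '"id":"[0-9a-f]\{32\}"' | head -n1 | cut -d'"' -f4)
    [ -n "$rec_id" ] || { echo "no A record for $fqdn in zone $zone_id" >&2; return 1; }
    curl -sS -X PATCH \
         -H "$(cf_auth_headers token "$token")" \
         -H 'Content-Type: application/json' \
         --data "{\"content\":\"$new_ip\"}" \
         "$CF_API/zones/$zone_id/dns_records/$rec_id"
}

# Usage (placeholders): cf_update_a_record "$CF_TOKEN" "$ZONE_ID" host.example.com 203.0.113.7
```

    The token must be scoped to DNS edit on that zone, and the Zone ID comes from the zone's overview page in the Cloudflare dashboard; a token identifies nothing about which zone you mean, which is why the post says the Zone ID, not the e-mail, has to accompany it.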

  • 0 Votes
    17 Posts
    793 Views
    stephenw10S

    It's not a bug because that's the expected behaviour. You could consider it a missing feature if you need to make changes there. Open a feature request: https://redmine.pfsense.org/

    This is the first time I've seen anyone ask about it in 10 years though so it's clearly not a huge problem.

    You could just patch the file to create the config with the values you need then carry that as a custom patch in the patches package.

  • On beta 2.8.1 but update tab indicated that the current stable is 24.11

    8
    0 Votes
    8 Posts
    160 Views
    T

    @stephenw10 Confirmed fixed, ty kindly sir.

  • pfSense Plus 25.03 release question

    23
    1 Votes
    23 Posts
    2k Views
    stephenw10S

    Yup the issue definitely exists. I have no fix for it yet, none of the things I tried made any difference.

  • 0 Votes
    3 Posts
    124 Views
    W

    @dennypage said in Is it possible to prevent installed packages (e.g. ntopng) from accessing the Internet?:

    @wolffire said in Is it possible to prevent installed packages (e.g. ntopng) from accessing the Internet?:

    I really like ntopng, but I'd rather it not be able to access the internet whenever it wants.

    Is it possible to block package processes from doing so?

    You can't block individual packages. The closest you could get is to find the domain or addresses the package is accessing and block those.

    With specific regard to ntopng, I haven't examined all the callouts but I don't recall it doing much unless you were using the licensed version (activation check), or had one of ntopng's "active" modes enabled.

    Make sure you have Active Network Discovery disabled in ntopng. It's in Settings / Preferences / Network Discovery / Active Network Discovery. This option should never be enabled on pfSense. Ditto for Active Monitoring.

    Thanks for the quick answer.

    I'm a little surprised about not being able to lock down individual processes for those "who watches the watcher?" types of situations. Finding a dynamic workaround will be painful.

    As far as ntopng, I just don't want it to be able to do anything online unless I've configured it to do so; I loathe the idea of telemetry being sent off to various companies.
    Not that I've found anything (I haven't taken a serious look yet); I'm just a bit wary.

    Speaking of the settings, after reading that post about inadvertently scanning the Internet, I definitely ensured active monitoring and network discovery were turned off. 😆

  • pfSense and Squid going forward?

    9
    0 Votes
    9 Posts
    313 Views
    JonathanLeeJ

    https://github.com/pfsense/FreeBSD-ports/pull/1420

    Merged. I could not test it, but it is in there with the Makefile now and the distinfo file.

    @stephenw10

    Let me know if you can test that out.

    Don't use this. I am having issues with the MASTER_SITES and patches folder; it won't make clean install all the way.

  • IPSECD VPN Phase-2 configuration disappearing

    Moved
    39
    0 Votes
    39 Posts
    3k Views
    T

    @stephenw10 Correct. Way longer than the tunnel rekey times, so something must prompt a configuration reload outside of that.
    Or maybe the tunnel went down at some point and the config was reloaded when a reconnect was attempted.

  • 0 Votes
    3 Posts
    62 Views
    R

    @patient0 OK, that helped. I'm fairly certain I had tried clicking Add time before and it hadn't worked - with the error I previously reported. In any case, it worked for me now. Thank you!

  • Odd sudden kernel panic

    5
    0 Votes
    5 Posts
    280 Views
    A

    @stephenw10 I believe that is mpt attempting to talk to the RAID card as if it was in IT mode, trying to count the individual drives ("REPORT LUNS"), and the card replying "No, this is RAID, you can't talk to the drives directly" ("ILLEGAL REQUEST").

    I'll run a fs check next time it's convenient to take down the entire network. Probably this evening.

  • Kea client logs

    9
    0 Votes
    9 Posts
    654 Views
    GertjanG

    @ameinild said in Kea client logs:

    I get no logging from the kea-dhcp4 service for client DHCP logs, only from the dhclient for the WAN interface.

    Well ... this is classic FreeBSD (and Linux) log behavior: no news is good news.

  • 25.03 BETA - PPPoE WAN Reconnection

    2
    0 Votes
    2 Posts
    64 Views
    stephenw10S

    Does it reconnect as expected using the old mpd5/netgraph?

    Is it failing at both IPv4 and IPv6?

    If you disable IPv6 does it then reconnect correctly?

    We have seen one other report from an A&A user but that failed to connect after reboot.
    https://forum.netgate.com/topic/198027/if_pppoe-problems-with-php-fpm-causing-loops-resolved

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.