• 0 Votes
    21 Posts
    2k Views

    @Gertjan So I used both tcpdump and radsniff to look at packet traces, but I can't see any issues. In both cases (working and non-working) the radius server sends back an Access-Accept message with the same set of fields.

  • Rule Tracker ID Gone Missing?

    0 Votes
    9 Posts
    650 Views

    @stephenw10 - Excellent! Patch worked. Glad I wasn't imagining things.

  • How to run upgrade faster ?

    0 Votes
    6 Posts
    271 Views

    Our solution at this point :

    Automatically :

    Remove unwanted boot environments
    Update the train to the stable version
    Check upgrade availability (pfSense-upgrade -d -c)
    Prefetch all packages (pkg fetch -u -d -y)

    Then, when we finally launch the upgrade (pfSense-upgrade -4 -d -y), it's faster!

  • issues with dumpdev in /etc/defaults/rc.conf

    0 Votes
    14 Posts
    558 Views
    JonathanLee

    @JonathanLee said in issues with dumpdev in /etc/defaults/rc.conf:

    sysctl debug.kdb.panic=1


    Custom solution

    add the cron copy the rc.dumpon to rc.dumpon.old
    add the new info

    and it works

  • DNS Forwarder Custom Options always gives "Invalid custom options"

    0 Votes
    33 Posts
    2k Views
    stephenw10

    I'm referring to the recommended patches list in the System Patches package. I can't see anything there that should make any difference to dnsmasq but it's worth trying.

  • Changing LAN Interface

    0 Votes
    8 Posts
    386 Views
    johnpoz

    @froussy yeah as long as you connect in on something other than what is being changed you should be fine - if something goes wrong and your change isn't working you can always switch it back, etc.

    Over the years I have shot myself in the foot a few times, it's never fun.. ;)

    Always give yourself a backup/backout plan.. When doing a change on a Cisco router or switch that could be problematic etc, always put in a reload command on a timer.. So worst case, if it goes wrong - it will reboot say in 10 minutes and you're back to the start, if your change worked as you expected and all things are working you can cancel the reload and save the config, etc.

    I mean the switch/router rebooting might be a shitty outcome and maybe cause a service interruption, but that is far better than being in a broken config for a length of time until you can get to the site to fix, etc.

    I mean your switch of interfaces should be no big deal, and work just fine, etc. "But" what if it doesn't and now you can't get in to fix it.. Better safe than sorry..

    edit: I once, getting cocky after so many eventless upgrades, had just clicked upgrade on one of the old 2440 Netgate boxes while home after work because I figured hey nobody is there so they won't notice the few minutes of downtime while it upgraded... Well it never came back and I had to go into the office early to fix it. Only took a few minutes to restore and get the upgrade done when I was there.. And that was always my backup plan in case of disaster.. But this is why during covid and locked out of the office I didn't upgrade anything remotely ;) heheh

    Better safe than sorry is a good motto to live by ;)

  • Setup and add PFSense router to existing network

    0 Votes
    5 Posts
    520 Views
    stephenw10

    @AJ847-63 said in Setup and add PFSense router to existing network:

    trying to figure out why disabling WPS on a router solved speakers not being detectable in the app (despite everyone including the product designer telling me that's not possible)

    Ha, I know that feeling! And, yes, hard to see how that would have any effect. Yet....

    But, yes, I imagine the Asus router is connected to one of the LAN ports on the Telstra CPE?

    In which case you should be able to connect pfSense to one of the other LAN ports on the Telstra without affecting any of the existing network. Just make sure there are no overlapping subnets.

    Then you can experiment with pfSense and move things across to it when it's ready.

  • pfsense crashes lately - how can i analyze logs?

    0 Votes
    15 Posts
    1k Views
    stephenw10

    Yup, two completely different crashes again. I would definitely do a memory test here as a next step. A software bug would not present such widely varying crashes.

  • How to get rid of not fully installed packages (marked red)

    0 Votes
    2 Posts
    165 Views
    Gertjan

    @conover

    Install pfBlockerng-devel first.

    This will install pfBlockerng-devel, and install the de-install instructions.

    Now de-install.

  • Export All Logs

    0 Votes
    6 Posts
    523 Views

    I understand, thank you for the details and fast reply.

  • DHCP log full of wan renewal requests

    0 Votes
    10 Posts
    457 Views
  • warning: increase kern.maxswzone or reduce amount of swap.

    0 Votes
    8 Posts
    700 Views
    JonathanLee

    @stephenw10 I might have to reformat the micro HDD, it's one big ZFS partition

  • arpresolve: can't allocate llinfo for 192.168.100.1

    0 Votes
    24 Posts
    6k Views
    johnpoz

    @war6000 while that would most likely stop the logs you were seeing, it would prob be more logical to set your IP to say 192.168.100.2/24 and then if you want to talk to 192.168.100.1 to access say your modem's status page you would be coming from 192.168.100.2 vs your public IP on that interface hoping the modem answers, etc.


  • CSS style problem with Status->System Logs->System->General

    0 Votes
    9 Posts
    420 Views
  • pfSense OpenVPN and Wireless network

    0 Votes
    2 Posts
    156 Views
    stephenw10

    Running an OpenVPN client in pfSense connected to some commercial provider does nothing to protect wireless traffic between clients and pfSense.

    Running a client in AP also doesn't protect the wireless traffic and would prevent pfSense seeing the traffic.

    If you actually want to protect the wireless traffic you would need to run the VPN client on the end point client devices directly. But you shouldn't need to do that unless you have an ancient AP that only supports WEP!

    Steve

  • 0 Votes
    5 Posts
    327 Views
    stephenw10

    The 4100/6100 bracket fixes to the device using specific mounting holes in the side. The 1100 doesn't have them so you'd need to do some work to it just to allow it to hold it. A shelf or something custom would be better IMO.

  • igmp proxy wont start with following error

    0 Votes
    4 Posts
    511 Views

    Thank you @Konstanti for pointing to the relevant part in the source. As a quick remedy, I changed 5 of the IPs to a /29 as other type of alias, and now it stays running.

    However I am clueless on how IGMP is supposed to function. Is it actually worth anything when using IPTV apps on smart TVs like ITV player, iPlayer, Channel 4 etc., or is it just for specific types of TV broadcasts?

    Since turning it on there has been some activity from the TV in question, and my OnePlus 8 Pro phone, despite having no TV apps installed, is now sending IGMP packets.

    It also is spamming this which is the TV IP.

    The source address 192.168.90.119 for group 239.255.255.250 is from downstream VIF[1]. Ignoring.
  • 0 Votes
    2 Posts
    205 Views

    OK, I worked it out
    first enable 2-Step-Verification
    then go to
    https://myaccount.google.com/apppasswords
    and create a password

  • Captive Portal on PFSense does not trigger be it wired or wireless.

    0 Votes
    3 Posts
    287 Views

    @stephenw10

    Basic setup, I changed the portal to no Authentication and enabled it on the VLAN 30 interface.
    I wrote two words in the terms and conditions section.
    and under Firewall - VLAN 30 interface, I created a test rule to allow all traffic (Any, Any) on that interface.
    I tried to assign VLAN 30 to a physical port on the PFSense just now and that did not make a difference either.

    For web browsers, I tried Chrome and Edge, with and without incognito, after a hard cache reload, and after a restart.
    I also tried a Pixel 7 and a Samsung S24+ Phone (Connecting to the SSID for VLAN 30), same issue.

    I just tried to ping google.com in windows cmd and it returned the IP address for google, but the request timed out.
    Is it safe to assume DNS is good up to this point?

    Edit: I just got the portal to pull up on my phone, The changes I made were as follows:

    1- Assign the VLAN-30 a physical port on Lan 3 for testing. (Test portal, Test failed)
    2- Update the PFSense from the previous stable build to the most current one. (Test portal, Test failed)
    3- Disable DNS Server Override (which shouldn't be related but it was mentioned somewhere in the wild). (Test portal, Test failed)
    4- Reboot.
    5- Test portal, Test Successful.
    6- Enable DNS Server Override. (Test portal, Test Successful)
    7- Assign VLAN 30 to the original port I expected it to be on. (Test portal, Test Successful on hardwire)
    8- Test using SSID, Test successful.

    For testing sake and knowledge,
    I'm about to restore a backup that I had yesterday before the update and test again. I'm wondering if it was an issue related to the previous stable version.

    Edit 2: I just realized that restoring a backup does not revert the release, I will test with that backup anyways since I already know it was bad?
    I'll update shortly after it's done.

    Last Edit:
    Under Services>DHCP>VLAN30 Interface>Server Options>DNS Servers:
    I had these pointing to google DNS servers.
    Of course, since there is CP and it has to be passed before connecting to the internet, the clients never reach out to the DNS server and in turn breaks the CP connection.
    Clearing these fields resolves the problem.

    This was on me, I apologize about it.
    Thanks for your help @stephenw10 -!!

  • Windows 11 Cert Error with pfSense login

    0 Votes
    3 Posts
    172 Views
    johnpoz

    @TJS well out of the box pfsense would use a self-signed cert that you would have to make an exception for. So you would have to add the exception

    example using firefox

    I have my own cert, that I trust - but I don't have this IP of pfsense listed in the SAN, so it's not trusted

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.