Sorry for necroposting, but to resolve the installer looking all funky, in putty: Window -> Translation. Set "Remote Character Set" to "Use Font Encoding" (it's at the bottom of the list). Leave "Handling of line drawing characters" set to "Use Unicode line drawing code points." [image: 1534523863564-2018-08-17-10_15_38-putty-reconfiguration.png]

I'm understand complexity of task, and because of it I ask this at forum before destroy my pfSense . Obviously use pfSense for build bins is really not good idea. About simply use NAT: I really like how in pfSense work Squid (for proxy) and HAproxy (for reverse proxy) and how I can combine HAproxy with pfBlocker aliases and GeoIP, and it will be awesome if them will support at least mainline OpenSSL version like optional plugin, and LTS line 1.0.2 by default that goes in FreeBSD. Or maybe some paranoiac guys do this already and have how-to in home wiki

@nogbadthebad said in Restore from AutoConfigBackup without user information: Guess you need to do a fresh install, then recover everything from a backup except System as that contains the users & groups. Try it on a different PC first. What is the device pfSense is running on? it is an older Dell server with complete oversized hardware. 3 network cards. I already started with the reinstall. Copied the config.xml down from AutoConfigBackup services and started to restore one by one service through the "standard" backup/restore function. Looks good so far! Services and all rules etc. are restored including the snort stuff and so on. Found there a problem or may a bug during restore: after restoring the config of the package manager the list of the manager shows the services which where installed what is good. But just once! Will say everytime you choose to reinstall of a not yet complete restored package the list disappears again and you have to restore the package manager config again. This is taking time if you need to reinstall a lot of services. So I guess the list is updated everytime a package has been installed too with the packages which are completely installed already. Better would be if the package manager just updates/modify the list of installed packages instead overwriting it with just complete installed packages.

Correct. radius 2 was declared dead some time ago, and shouldn't be used anymore anyway. FreeRadius 3 has some new, mandatory settings.

found it - https://store.netgate.com/Chelsio/T520-SO-CR.aspx what would you recommend for CPU and RAM ? I mean cpu and memory support for the 10gig card so there will be no bottlenecks in system so it can run at 10 gig 24/7 with no hiccups

Also found this link https://www.newshosting.com/usenet/usenet-connections/. This explains how connections works. Just didn't figure out how to test the ideal amount of connection in combination with a speed test... Just wanted to share this aswell. Herman

Yes, try a 2.4.4 snapshot. Whatever issue you're hitting there may well have been resolved in FreeBSD 11.2. Steve

Got my hints right here, all set! https://forum.netgate.com/topic/7246/command-line-config-restore

Okay, thanks for your help!

I imagine you will fine routing at the firewall between the internal subnets. That hardware is probably far in excess of what you need. Steve

If it were a small update there are ways to force it back but given the scope of the changes between 2.4.3 and 2.4.4, it will indeed require a reinstall and to restore an old backup from before the upgrade.

@stephenw10 Perfect - Thanks!

This is resolved. There was a hangup with the peer identifier being returned by some FWs. By forcing all IPSec connections to use "IP address" the remaining sites connected. The specific error message that led me to this solution was like this: no IKE config found for 123.124.125.126...131.132.133.134, sending NO_PROPOSAL_CHOSEN (note IP's have been changed for security reasons). Thanks, Frank

@derelict Nope, 100/100 Mbit's fiber, the whole download process was strangely slow too. EDIT: But wow... I see now when measuring I only get like 7 Mbit/s down......... Is there a package in pfsense where I can log the speed over time and make a nice graph over it?

I found the cause of the problem! My network cable (in the wall) which is leading to the ISP switch is only Cat 5 and my hardware / pfSense could not measure it was only "100baseTX <full-duplex>" so after setting this manually it went pass the configuring WAN step. Now I am installing updates tho! :)

@gertjan said in UPDATE Offline: But also : these systems seem pretty mission-critical to me. The fact that they are isolated takes away all forms of "firewall aggressions" from the outside. Being isolated does not necessarily reduce risk. The biggest threat is human error with portable media (USB sticks, flash memory cards, etc.) that can "migrate across" those data diode devices I mentioned. Of course there are many rules and procedures governing portable media control, but any process with a human involved can break. The firewalls are used to segment various control and monitoring networks and plant systems from each other. They provide routing between control networks when necessary and police the traffic that passes to insure it is authorized and expected. So really not any different from what firewalls do at the perimeter of any network and the Internet. You want to keep your firewall software somewhat current to stay ahead of any known flaws. Anti-virus software updates are another problem in need of a good offline update solution. Again, because of the threat posed by USB devices and other portable media, you want your workstations on control networks running AV. But AV quickly becomes useless without weekly and sometimes daily updates. All of this is a big headache for the cybersecurity guys working the nation's critical infrastructure ...

2.4.4 is not yet released. It's still in development.

Thanks for the quick reply @kpa The USB boots with UEFI enable on my test laptop, so that seems to be the main issue. I hope my (very old) pfsense box has UEFI to boot from... Cheers.

sounds good, thanks buddy.

If this is on 2.4.4 snapshots, there is a known issue there that already has a thread and a redmine entry. If this is not on 2.4.4, but a different version, you'll need to provide a lot more information before we can speculate about the cause or solution.