You paid for hardware that is tested and guaranteed to work with current and future pfSense versions during its lifetime. The software itself is free.
If we're going to be pedantic, hardware support for the device itself also would not be complimentary for any period after purchase.
Any pull request against the code would be simply doing that. But I can't make that happen -- only the pfSense package maintainers can.
Everyone can make pull requests: https://docs.netgate.com/pfsense/en/latest/development/submitting-a-pull-request-via-github.html
But not everyone can merge that pull request and build a new package. I don't see how submitting a PR for something as simple as pulling in the latest version of a third party tool would be any different than filing the ticket in Redmine (which is what Netgate support instructed me was the proper thing to do).
Anyway -- I find the debate with you pointless. My only hopes were to make others aware of what was going on with ntopng, and perhaps catch the eye of a package maintainer -- since Redmine doesn't seem to do the trick and Netgate support says they can't help.
As @Gertjan writes, the GUI will cover that. The messages you saw were from the package installation (on shell level) and are triggered by the package maintainer of vnstat to remind the user after installation that one has to set up the package accordingly. You have the GUI for that :)
The package manifest: /usr/local/pkg/ntopng.xml uses:
Config: /usr/local/pkg/ntopng.xml which includes:
Include: /usr/local/pkg/ntopng.inc which includes:
Include: /etc/inc/certs.inc which holds the cert-functions
@MyKroFt Did you read the announcements for Dev Version 2.4.5 and the migration to FreeBSD 12? If not, please do so. You can expect package problems while switching major OS releases underneath for sure.
Agree, I was forced to use Netflix via LTE in Germany at one point as the WiFi on site was so bad and accidentally started a 4k stream. Wasn't so bad at all, as compression, codecs, audio etc. all have to come together to get you to ~15Mbps. If it's a fairly good codec and the pictures are good to compress I'd guess with stereo or a reduced audio band you can get it done with around 3-5Mbps. Add in caching etc. and you won't get near the expected numbers :)
I realize this is an old post. I thought I would respond so others will find a solution.
The issue is usually twofold.
New browser versions do not like mismatched certificates and your firewall software may also be blocking the SSL certificate.
First, here is a link to some general information on deactivating SSL scanning in some firewall software (scroll down to the middle bottom of the page for that section): https://ugetfix.com/ask/how-to-fix-err_ssl_version_or_cipher_mismatch-error/
Second, and a more permanent fix, is to create a new CA and certificate, then add the CA to Windows or the browser. Doing this will allow you to keep your firewall SSL scanning active and still allow you access to pfSense. Just be certain to follow the instructions precisely. https://www.ceos3c.com/pfsense/pfsense-generate-ssl-certificate-https-pfsense/
NOTE: You may find that you need to flush your DNS cache on Chrome afterwards to get things going again. Also possibly a browser reset. I also found some Chrome extensions do not play well with certain sites. So also try Incognito Mode (which disables extensions for that session) to see if an extension might be causing trouble.
EDIT NOTE: Also if you happen to have the latest version of Bitdefender they changed the name of Scan SSL. I'm attaching screenshots of that setting. It is the same setting.
I have not seen that happen here but are you sure it passed on your credentials? IIRC the ntopng process will try to fetch some external resources and it's entirely possible they have those password protected using some other stored credentials.
You might install it again and capture outbound traffic going to that server, then load it up in Wireshark and see what it's doing.
It probably is not doing anything nefarious, but a packet capture would tell you that definitively.
Just curious with so many different nodes - do you have these devices broken out into different vlans... For example you mention iot - do you have that isolated and locked down in any way?
Yes, these nodes are across 10 VLANs (to name but a few: IoT, Printers, Guests etc.). The reason is just as you mentioned, IoTs are locked down. Printers for instance are accessible from LAN, WLAN and Guest, and to let them be accessible for iOS I have Avahi enabled (Bonjour/Zeroconf proxy).
What you're going to find is pretty much all traffic is going to be http/https.. Unless you have a lot of console game play or something? Are you actually using pop/smtp? You use fat clients for emails? Ie like Outlook or Thunderbird or something?
Most of the traffic is prob going to be https traffic - so unless you plan on doing mitm on your own devices.. Other than say seeing that iot device phoned home via https to some amazon IP you're not going to get much info, etc.
You are right https will not be readable and MiTM (man-in-the-middle) is not what I am planning on my own devices ;)
I was having an issue with Let's Encrypt certs as well. They worked fine for the pfSense GUI, they just were not working for ntopng. As others have indicated, when using the LE certs, the browser was giving an "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" and the process core dumps when restarting. When using other SSL/TLS testing tools (like testssl.sh), the port was open but no TLS handshake was happening, no cipher was being offered.
Originally I was using a 384-bit ECDSA LE certificate.
What seems to have allowed me to work around the issue was switching to a 2048-bit RSA certificate. Earlier in the thread @spambait mentioned that didn't help him, so not sure why it's working for me. I did manually cat the key and fullchain into the ntopng/httpdocs/ssl/ntopng-cert.pem file.
Switching certificate types in the existing certificate did not seem to actually change the type of certificate being generated. I had to create an entirely new certificate (Services -> Acme Certificates -> Certificates -> + Add).
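
An added example, not part of the post above or of the ntopng package: a POSIX shell check for a combined key-plus-fullchain PEM like the ntopng-cert.pem described there, reporting the key type (RSA or EC) and whether the private key matches the first certificate. The function names, the sample subject name and the throwaway self-signed bundle are assumptions made for illustration; it needs the openssl CLI.

```shell
#!/bin/sh
# Added example: sanity-check a combined key+fullchain PEM. Names are hypothetical.

# Print RSA, EC or unknown for the private key found in PEM file $1.
pem_key_type() {
    text=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || { echo unknown; return; }
    case $text in
        *modulus:*)    echo RSA ;;
        *"ASN1 OID:"*) echo EC ;;
        *)             echo unknown ;;
    esac
}

# Succeed only if the first certificate in $1 carries the public key
# that belongs to the private key in $1.
pem_key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ "$from_key" = "$from_cert" ]
}

# Print a one-line verdict: key type, block counts, key/cert match.
check_bundle() {
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null || true)
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    if pem_key_matches_cert "$1"; then match=yes; else match=no; fi
    echo "type=$(pem_key_type "$1") keys=$keys certs=$certs match=$match"
}

# Constructed sample: throwaway self-signed bundle. $1 = RSA or EC, $2 = output file.
make_sample_bundle() {
    case $1 in
        RSA) opt=rsa_keygen_bits:2048 ;;
        EC)  opt=ec_paramgen_curve:secp384r1 ;;
        *)   return 1 ;;
    esac
    dir=$(mktemp -d) || return 1
    openssl genpkey -algorithm "$1" -pkeyopt "$opt" -out "$dir/key.pem" 2>/dev/null &&
        openssl req -x509 -new -key "$dir/key.pem" -subj "/CN=ntopng.example.test" \
            -days 1 -out "$dir/cert.pem" 2>/dev/null &&
        cat "$dir/key.pem" "$dir/cert.pem" > "$2"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Usage: sh check_bundle.sh /path/to/bundle.pem
if [ $# -gt 0 ]; then check_bundle "$1"; fi
```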