If you get the message, there's likely a disconnect somewhere regarding the NDI. Please contact TAC with your current NDI and pfSense+ order number (or serial number if on Netgate hardware) to sort it out.

@stephenw10 @bmeeks Just a feedback: After I updated my box with the latest RC, it seems the memory issue was fixed and suricata is not being killed by kernel anymore. It is being running for 5 days and no issues since the upgrade. The memory consumption it looks back to normal similar when it was running with 22.05 version. On previous RC, I noted at some point the memory consumption of box was growing continually and gradually until it reached close to 97% just before Suricata process died.

@cmcdonald Just got here to report this... Thanks Christian for being active on it!

Manged to get it upgraded after doing a factory restore to 22.05 as per Reinstalling pfSense Plus Software and then trying again.

@yellowrain https://forum.netgate.com/topic/177632/pfblockerng-update-errors

Problem solved for me after updating to 23.01.r.20230208.1414
Now Avahi works fine.

Apparently this was a configuration issue on my end or something weird with unbound and host overrides.

I had removed all my custom DNS entries from the piholes since I was now forwarding everything to pfSense to be resolved.

I had all the correct Host Overrides in the DNS Resolver on pfSense, but somehow the piholes were caching both the direct IP of each server (from the static assignments in pfsense I guess) behind HAProxy as well as the VIP address assigned by the host override. Basically, the lag was caused by there being two IP addresses available from the pihole for all the servers behind HAProxy.

I have added the custom DNS entries back to each pihole so they will send only the correct internal VIP address. This seems redundant since I would expect pfSense to only reply back to the pihole with the host override ip address I had entered. I am not sure why the static IP from DHCP in pfSense was being sent to the piholes along with the host override IP address.

@chudak

Well some updates.

I did find a minor issue when on 25.01RC I was not able to connect to a remote ubuntu box via Remmina, decided not to troubleshoot at the moment and wait for the final release, rebooted to a saved configuration, and confirmed that it was not an issue on 22.01.

During using Boot Environment encountered some problems, see details here

FYI

Yeah, your bogons update schedule is not the default. You can set it in Sys > Adv > Networking.
The v6 bogons file can be large updating it will allocate some ram.

There are also more details regarding the workaround in a thread here.

@jimp after backing up and restoring the edited configuration the wizard succeeds.

However, two other problems occurred during the restore:

I use the 4100 igc3 as the WAN port since its 2.5 gbit/s. During the restore the WAN port was restored as igc0 which conflicted with the LAN port. The acme certificate that was restored was not current. It was the first certificate that was obtained via acme. I had to manually request a new certificate which was successful. However, due to HTTP STS I couldn't successfully connect by hostname until the new cert was obtained.

You might just need to update it. When I was helping someone the other day on another similar thread, I spun up a fresh HA install, and setup the integration and it worked fine against the latest RC build once it had the lock fix referenced in the other thread.

It's possible what you're hitting was fixed upstream, it's definitely different than the other thread.

@g-shaffer That is great info. With the...

boot_serial="NO"

...line present in loader.conf, it did boot normally without the video connection present. I later updated to the latest RC and the problem has remained at bay. Thanks!

@michaellacroix said in Changelog for RC23.01 Updates:

a change log

have a look at https://redmine.pfsense.org/projects/pfsense/issues?query_id=224
And the still outstanding issues https://redmine.pfsense.org/projects/pfsense/issues?query_id=186

@gertjan

After starting over with clean install of PFBlockerNG I have discovered that all of the GeoIP / Top Spammer pages will crash with a PHP error when saving, no matter the settings I choose.

The rest of PFBlocker seems completely funtional as far as the features/settings I normally use.

No fix yet. Unfortunately it's low priority as very few users actually make use of the PCIe slot.

It may have to be pushed to the 23.05 release.

Steve

I have the same issue with suricata 6.0.8_8.
In my case it shows 2 time LAN.

The previous version 6.0.8_7 works fine though.

@stephenw10
I believe I can finally put this project in perspective for all of us.

The reconciliation of the 32 bit unsigned int overflow so that pfSense knows the actual value of max-octets-total in freeRadius will enable you to track a "single session" against the correct pfSense-Max-Total-Octets in pfSense/Captive Portal. From that perspective this is a valid improvement.

The above achievement is flawed in that total traffic in pfSense/Captive Portal is only maintained for the active session or duration of pfSense powered up state. This means it tracks the traffic data on a single user session between session start and either logout or in this case a traffic quota based on a valid freeRadius supplied pfSense-Max-Total-Octets. A reboot or power loss will result in the pfSense Captive Portal session surviving if "Preserve connected users across reboot" is checked, i.e. True, but the traffic quota cumulated to date in pfSense will be lost on a reboot or power loss and restart from 0. This means pfSense is not capable of tracking a single user session against the freeRAdius max-octets-user value because the traffic to date value is not persistent. But... it is persistent to the nearest accounting interval on freeRadius because it uses a physical storage on a hard drive file, which survives both a login/out session, and reboot, be it deliberate or power related. freeRadius typically autosums all open user sessions to the main used-octets-user file on a restart. pfSense Captive Portal will force the creation of new used-octets-user-uniqueID files on freeRadius after the restart at the appropriate interim accounting interval.

If the captive portal is set to "Multiple" under Concurrent user logins, there will be multiple active sessions for the same user account under pfSense. Each separate session is checking that session's traffic against the pfSense-Max-Total-Octets value so it will not logout either user until that individual user reaches the pfSense-Max-Total-Octets value which is not the intent at freeRadius. On the freeRadius side, it will cumulate all users together into used-octets-user based either on stop/start or if set to interim, based on the interim interval value set on freeRadius, it will create a used-octets-user-uniqueID value for each user which are only summed to the main used-octets-user file when each individual user logs out. Although this is by design on the freeRadius side, it could be considered a bug because a logout will not be initiated by freeRadius until the used-octets-user exceeds the max-octets-user setting. Thus, neither pfSense, nor freeRadius will log all users out unless something intervenes and forces summation of all the used-octets-user-uniqueID files into the used-octets-user file that freeRadius uses to determine if the quota was breached.

Yes, this now accurate pfSense-Max-Total-Octets value tracked against a single session user for an uninterrupted session will force a captive portal traffic quota related logout, which in turn will force freeRadius to sum all the uniqueID files into the main used-octets-user file but it will not do so in captive portal: "multiple" Concurrent logins mode as it is tracking each individual user against pfSense-Max-Total-Octets instead of summing all the authenticated users on that user account together first. Thus "multiple" is not supported.

freeRadius has all it needs to do both multi users per account and session interruption tracking if pfSense was to force the summation of the uniqueID files into the used-octets-user file on a regular basis. This is why stop/start freeRadius solves this problem and works perfectly. Unfortunately that solution is not elegant and has serious scaling issues.

As we already have a working solution in stop/start all we need to do to get interim to use freeRadius to accurately invoke pfSense-Max-Total-Octets is to regularly fire one stop/start accounting packet session. I suggest when you select interim, you add a gui option to set a "cumulate every ??? seconds" option and point out it should be at least as large as the freeRadius interim setting (default 600 seconds). Once this is done, pfSense Captive portal in cooperation with freeRadius through the interim accounting period set on freeRadius will enforce the pfSense-Max-Total-Octets in all scenarios.

As I said in the outset, the correct determination of the pfSense-Max-Total-Octets is irrelevant other than if the above is implemented, it will fix the failure of either freeRadius or pfSense to accurately track pfSense-Max-Total-Octets when interim sessions are still active within this "powered session".

in the above scenario. reauthenticate every minute does not appear to have purpose other than to force freeRadius to check max-octets-user against used-octets-user once a minute. As it does NOT force the cumulation of the multiple used-octets-user-uniqueID files into the used-octets-user file, it is not a tool to address the multiple user under interim setting issue. If it did, it would also be a solution to the tracking of multiuser traffic.

The above assumptions have been lab confirmed on 23.01RC 08 Feb 06:00 version, in both single and multiuser mode.
See #13843 & #13418 for historical information

Hi,
I can confirm, auto-negotiation seems to work correctly on version 23.01.r.20230208.1414.

@jimp @stephenw10 Thank you.