Netgate Discussion Forum
    • K

      Can't access port-forwarded/natted services from another local network

      NAT
      0 Votes
      5 Posts
      12 Views
      K

      @johnpoz I see, thanks for explaining and the help!

    • M

      System daemon waagent on Alpine Linux with s6

      Off-Topic & Non-Support Discussion
      0 Votes
      5 Posts
      82 Views
      M

      I have already solved the problem by using the Python library. You can delete my post. Thank you for your help)

    • R

      Dynamic dns don't work with carp ip

      HA/CARP/VIPs
      0 Votes
      8 Posts
      194 Views
      M

      @lbeard said in Dynamic dns don't work with carp ip:

      Done => https://redmine.pfsense.org/issues/16326

      Great, thanks 👍 👍

    • A

      Looking for few pointers getting Suricata on PFSense to talk to my Security Onion box.

      pfSense Packages
      0 Votes
      5 Posts
      89 Views
      bmeeks

      @aaronouthier said in Looking for few pointers getting Suricata on PFSense to talk to my Security Onion box.:

      Ok, so I've been researching the topic. It seems SO has an integration for PFSense. However, the FreeBSD implementation of Syslog is not optimal for this purpose, as mentioned above.

      Although I am comfortable with CLI Linux, I am effectively a Newbie with regard to BSDs.

      My next question is: What would be the least invasive method as far as the PFSense Box to export just the Suricata logs? I believe I saw an option to log to a Unix Socket. Would that be helpful coupled with something like Netcat? I'm not necessarily looking for help with such a feat, just wondering if such would likely be fruitful, or am I just chasing the infamous wild goose?

      I recommend exporting the EVE JSON log as that will be the most comprehensive. To export to a UNIX socket, change the EVE OUTPUT TYPE setting to UNIX socket. You will need to manually create the socket and give it a name. It will be up to you then to "receive" the socket data stream and redirect it elsewhere (seems you want it remote for your case to Security Onion).

    • M

      System - Package Manager - Available Packages

      General pfSense Questions
      0 Votes
      5 Posts
      118 Views
      M

      @SteveITS

      Thank you for the clarification. You're right — better to be safe. I’ll update FW2 when I'm on site, and then FW1, which is my usual one.

    • K

      PHP memory error

      pfBlockerNG
      0 Votes
      5 Posts
      376 Views
      K

      Thanks everyone. That did it. No more errors!!

    • T

      Blocking of Discord

      pfBlockerNG
      0 Votes
      5 Posts
      296 Views
      M

      @The-Party-of-Hell-No excellent. I’m glad some experimentation proved successful.

    • A

      Odd sudden kernel panic

      General pfSense Questions
      0 Votes
      5 Posts
      282 Views
      A

      @stephenw10 I believe that is mpt attempting to talk to the RAID card as if it was in IT mode, trying to count the individual drives ("REPORT LUNS"), and the card replying "No, this is RAID, you can't talk to the drives directly" ("ILLEGAL REQUEST").

      I'll run a fs check next time it's convenient to take down the entire network. Probably this evening.

    • A

      Only reverse lookups for localdomain from client, external domains work (i.e. google.com)

      DHCP and DNS
      0 Votes
      5 Posts
      93 Views
      johnpoz

      @AWeidner it's just pfsense trying to protect you against a rebind. When you forward to something that is normal some external public NS - which normally should not be returning rfc1918.

      You might want to read some of the history of rebind attacks. And why this is good protection to have in place.

    • D

      cannot block cross traffic on sg-2100

      Firewalling solved
      0 Votes
      9 Posts
      179 Views
      johnpoz

      @detox you should be able to edit your first post and edit title with [solved] in the title, add tag.. If you can not - let me know and can do it for you. There might be some restrictions on rep ports or something - but you have 6, I would think that enough?

    • A

      Vodafone UK - IPv6

      IPv6
      0 Votes
      4 Posts
      90 Views
      patient0

      @ashleygavin said in Vodafone UK - IPv6:

      What error do you get if you wget -6 a website?
      And you have the two default LAN firewall rules, one for IPv4 and one for IPv6, and only the LAN net? On WAN you won't need any rules for accessing internet. And do you see open states for the (web) connection?

      NAT would not be a topic for IPv6 in the default config.

    • A

      Can't receive GeoIP databases updates anymore, banned

      pfBlockerNG
      0 Votes
      4 Posts
      135 Views
      Gertjan

      @AlexK-0 said in Can't receive GeoIP databases updates anymore, banned:

      Days ago, I received from MaxMind an email, notifying me that my country has been banned to receive GeoLite City database updates.

      You've found a reason to use a VPN.

    • luckman212

      6100 Firmware 03.00.00.03t-uc-126

      Official Netgate® Hardware
      0 Votes
      4 Posts
      119 Views
      stephenw10

      Nice. Weird though. 😕

    • N

      HAProxy configuration for roundcube

      HA/CARP/VIPs
      0 Votes
      4 Posts
      34 Views
      V

      @NickJH
      Not clear, what you intend to achieve with this, but the Directory container in Apache is meant to be used for local paths. "/" might not be correct here.

      If you need to describe a virtual path use "Location".

    • M

      Another failed 2.8.0CE installation due to repo connectivity issues.

      Problems Installing or Upgrading pfSense Software
      0 Votes
      4 Posts
      129 Views
      stephenw10

      There was a backend issue that's now fixed.

    • T

      Does not have a public address and is behind NAT

      IPsec
      0 Votes
      4 Posts
      27 Views
      T

      @Gertjan said in Does not have a public address and is behind NAT:

      Managed to solve the problem.

      You need to enter any fictitious name and your external IP in DNS Resolver. I entered both my pfsense on one and the second pfsense. [Screenshot 2025-07-21 at 15.38.01] In phase 1 you need to register.
      [Screenshot 2025-07-21 at 15.39.32]
      After which everything started working.
    • J

      Firewall gateway address in ipv6

      IPv6
      0 Votes
      4 Posts
      77 Views
      J

      Hi @SteveITS.

      That was an excellent tip, I had missed the "self" target completely. This allowed me to get rid of all of my firewall aliases I needed earlier.

      Thanks!

    • P

      "Failed to fetch the pfSense pkg repositories"

      Problems Installing or Upgrading pfSense Software
      0 Votes
      4 Posts
      127 Views
      stephenw10

      Yup, there was a backend issue. Should be good now.

    • R

      Not understanding Boot Environments

      General pfSense Questions
      0 Votes
      4 Posts
      132 Views
      stephenw10

      Mmm that^.

      However what you will see is that after booting back into the 24.11 BE the update branch will still be set to 25.07-RC because that was the last thing that was done before the upgrade took the snapshot. So if you plan to run 24.11 for some time after reverting you would need to set the update branch back to 24.11 in that BE before doing any package operations.

    • G

      CE v2.8.0 issues

      Problems Installing or Upgrading pfSense Software
      1 Votes
      4 Posts
      307 Views
      stephenw10

      Hmm, but they are policy based tunnels? And 300 Phase 1 configs not a total of 300 Phase 2 configs for example?

      I'm not aware of any issue in 2.8 that might present like that for IPSec.