@gemg83 I see what you're saying - it could be the jump from 12.3 to 14 on the BSD side.

It really hampers the use of limiters in multi-WAN setups so it feels like an important bug (I call it a bug as it doesn't behave at all how the UI or documentation suggests, it's more like using them on a floating rule).

@patient0 OK, that helped. I'm fairly certain I had tried clicking Add time before and it hadn't worked - with the error I previously reported. In any case, it worked for me now. Thank you!

@cmcdonald Appears to be back/fixed. Thanks.

@stephenw10

I want to use 10GBIT DAC inside my rack and also directly attach to my ISPs Fiber. It'd be the perfect successor for the SG6100 with the SFP+ Addon installed.

@ameinild said in Kea client logs:

I get no logging from the kea-dhcp4 service for client DCHP logs, only from the dhclient for the WAN interface.

Well ... this is FreeBSD/( and Linux) classic log behavior : no news is good news.

@stephenw10

Thank you, that was what I was not doing and really appreciate the guidance and support here. Thanks

Ping a mullvad domain endpoint that causes wireguard gateway to have 100% packet loss:

1ab0f742-701a-4172-8788-74c4b5dc2ef8-image.png

@Bob-Dig
Not seeing those in my firewall logs. Yours do look rather odd.

No, just ordered from Amazon.

@Bannister8487 This worked for me, but I'm on 2012R2... LOL

Create /boot/loader.conf.local (or add to it if it exists)

kern.vty=sc hint.sc.0.flags="0x180" hint.sc.0.vesa_mode="279"

Nice. 👍

I managed to resolve my above issue and for anyone ending up with the same question:

My issue was caused because of a colleague who added a floating rule, rejecting traffic coming form another alias with logging disabled on that rule. Unfortunately that alias contained a different FQDN that resolved to the same IP of the removed FQDN.

What is the important lesson here:

Apparently the PF box handles floating rules AFTER interface rules. And since logging of that floating rule was disabled, the firewall log logged the allowed traffic from the interface rule, but blocked the traffic afterwards based on the floating rule with no logging! You end up seeing an allow in your log, but it is blocked in the end!

This must be a culprit some else will face one day or another :)

I use a gateway group as the default gateway for both IPv4 and IPv6 and it works as expected - igb0 is tier 1 and igb1 is tier 2:

# netstat -rn | grep default default 192.168.1.254 UGS igb1 default fe80::da21:daff:fe19:dbb0%igb1 UG igb1 # ifconfig igb0 | grep status status: no carrier

You can share the files/logs here for review:
https://nc.netgate.com/nextcloud/s/Dj3ZbjQstNB52e7

Do you have the NDI from the device? If you send that to me in chat I can check for an ACB key.

What is the difference between the device/PC that IPV6 works on and the ones that don’t? I would start with looking at the IPV6 settings on the devices/PCs that are having problems. I’m going to guess that your router advertisements are managed. Try stateless DHCP advertisements and see if that solves your problem.

Sulla web GUI di pfSense vai in diagnostica e poi in command prompt,nella casella execute shell command digita il seguente comando: certctl rehash
Attendi un output e poi ricontrolla gli aggiornamenti o i pacchetti e dovrebbe funzionare.
pfSense 2.7.0 è una versione vecchia,quindi penso dovresti aggiornare alla versione 2.7.2 e poi alla versione 2.8.0,prima di fare qualsiasi cosa ricordati di salvare il file XML della configurazione attuale di pfSense.

Saluti

Hmm, I thought we'd fixed that. Let me see...

Ah, maybe not: https://redmine.pfsense.org/issues/16207

@EChondo

What's your pfSense version ?
The instructions are shown here :

1acdc586-cb29-4148-9e36-81ade4e5e60c-image.png

A restart of a service will start by re creating their config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

@EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

No need to wait x days.
You can re test / renew right away, as you are 'allowed' to renew a couple (5 max ?) of times per week.

@dlogan From the console restart the webconfigurator and/or PHP. Check the logs?