Mmm, I'm not aware of anything else. That would probably work though.

@Gertjan , @EDaleH

Yes, the dhcp 114 is giving my device a notification where I can see the connection and log out. But I just wanted a backup solution in case this didn't work right on all devices, such as TVs.

Turns out the URL for logout is the same as the login.
When I enter https://MYDOMAIN.tld:8003/index.php?zone=MYZONE it loads the logout page. SO that solves that issue as well.

Now it appears I can support new and old devices.
Thank you both for all your help and insights.

@v16v It hard to say, where the BIOS chip is on that board is tbh.

Regards

@Gertjan said in After upgrading to 24.11 DHCP fails every 10-14 days:

I agree with what bmeeks said above about 32 bit arm code.

Then don't release 24.11 for 32-arm and just EOL those platforms. Don't lead affected customers down an unstable path. Just end the support instead of introducing unstable code for the platform.

By telling customers that 24.11 is the preferred release that implies it works for your platform.

The conflicting messaging as to what's preferred, deprecated, supported, potentially unstable, etc. was not handled clearly.

@JKnott

I was younger than you when I got mine, but based upon your other historical background, I suspect that you're a few years older than me as well. Too bad we didn't know each other back then. I think we would have had a lot of fun.

Thank you again for engaging with me in this discussion, and for keeping it civil. I've enjoyed the discussion, and look forward to communicating with you again.

@Gertjan said in Can't login to GUI:

The Johnpoz story

He posted his 'story' just a couple of minutes ago : https://forum.netgate.com/topic/195900/ssl-certifications-not-trusted-on-my-system/41?_=1736352508256

@Decepticon yup thanks!

When I did it I used a USB2 drive in the USB2 slot because when both drives are present it tries to boot from the USB3 slot first. You should be able to move it afterwards.

It should at least recognise both drives in the boot messages if it is booting.

@Gblenn said in pfSense behind ISP modem (Double NAT) trouble:

I kind of looks ok, although it's confusing to see that VID is listed as untagged for ports 1 - 10, which includes port 2. Perhaps it's a limitation of the UI, and I would have expected it to read 1, 3-10. Sicne you don't want any VID 1 traffic ending up on port 2... Are you sure you are actually seeing the devices picking up DHCP from pfsense or is it from the modem?

I set port 2 to PVID 10 so the traffic from this port always falls into VLAN 10, I will try to disable this port for ID 1 however.

Also I will do a pcap and report my results later.

@seanr22a said in IPsec routing problem:

I have three web sites including Nextcloud on the server at siteB and they are behind Cloudflare CDN (free version). I use an Apache reverse proxy at siteA now to get around the port blocking issue (Sending the traffic over the IPsec to the server at siteB). The ping time is around 230ms and I get around 10Mb up and 45Mb down from siteB to siteA. I spend most of my time in Thailand so the speed I get here is most important.

I get the Proxy setup, that's what I use to access my NextCloud server, as well as my Homeassistant and some other stuff. I just happen to use Nginx.

But I'm not sure I understand how Cloudflare CDN fits into this setup that you have?
If you host your server at your home in Thailand, and you access it via Sweden using some DynDNS service to find your Swedish IP, then you go directly via the VPN to site B. Where does Cloudflare come into play?

And I'm curious, which ISP is it, and which ports do they block? And what ports don't they block?

I've seen that many users say nginx is faster and use less resources but in my very small setup I really don't think it matters.

I agree, probably wouldn't make a noticeable difference if you changed. If you are curious however, and use docker, it's actually super simple to set up and has a very intuitive UI...

BUT, what could potentially improve performance quite a bit is if you change VPN to Wireguard. Depends on what HW you run pfsense on of course, but on smaller machines I can see a real difference even at moderate speeds.
I have a site with pfsense running on a tiny PC Engines APU2 and I can saturate the 250 Mbit connection to that site over Wireguard. But on an IPSec connection I can perhaps get 80-90 Mbit when testing with e.g. iperf or openspeedtest.

@sub2010 ich habe keine Lösung für dein Problem, wenn es dir nur um die portfreigaben geht. Ich nutze privat sehr erfolgreich frp Proxy ein, da musst du keine Ports öffnen.

@JonathanLee I'm sure someone with longer and deeper understanding of pfSense will be able to answer that.

So - I added an Intel Pro 1000 - 4 port 1G NIC - and all is well.
Realtek disabled in the bios.
Life is good.
Lesson learned.
All functions normal...

Thanks to all who helped.

@johnpoz Thanks on Safari I was able to figure out!!: Screenshot 2025-01-02 at 04.34.24.jpg I had to delete this and then it clears all domains entries in the local storage with .home.arpa!

@Uglybrian
Took me a bit to figure where "DNS Resolution Behavior" was.. Mine was to "fall back to remote". I may have to clear cache and few other things. I need to look at the other settings yet.

@SteveITS

This "10.10.10.1" is an option that will get ditched soon.

02a55b89-694c-45ad-a67c-7d61f0de335d-image.png

I use this :

df6fa93f-450e-47ef-a1b4-13b4380d7c94-image.png

A browser on your LAN wants to visit facebook.com
But you, as the pfSense admin, have blocked "facebook.com" (as a DNSBL)

Do you think that a page like this :

f67137b8-6c17-422b-ba7b-9d7c69d443c6-image.png

will pop up to warn the user in its browser that 'facebook' has been blocked ?
Now way ! Because you, me and nobody can't break TLS. Remember, https is used. The browser want to visit facebook.com but it gets an answer back from some guy called "10.10.10.1". That is interception, and that is bad. The browser will bark.
And not showing any pages - no way, it will throw the complex and scary messages on the screen .... (we all know them)

So, the admin that start to understand what TLS (= https) is, doesn't care about what the pfBlockerng web server "10.10.10.1" has to offer.
"10.10.10.1" was nice in the good old http days.
There are no http server anymore, they have been shut down (actually : they are still there doing just one thing : redirecting you to the https counterpart, as http traffic can be redirected.

That's why I "Null log".

Btw : Null logging means : return 0.0.0.0 (means : doesn't exist, don't insist - do nothing)

cf706ddc-954e-4629-9dcb-5e06f7e52b29-image.png

means : return "10.10.10.1" - which is, imho, as I exposed above, pretty useless.

@stephenw10 said in Awfully slow transfer speeds from remote NAS over ZeroTier:

Yup good to know that about zerotier, I wouldn't have thought it was required.

According to the documentation, it is not required for holepunching, but they do refer to challenges with symmetric NAT.
https://docs.zerotier.com/corporate-firewalls/#:~:text=Default%20zerotier%2Done%20listening%20ports,ZeroTier%20hole%20punching%20to%20work))

@rheuer22 Perhaps try to set Static Port (Hybrid outbound rules), to see if that has a similar effect?

@nbk333 the standard ethernet mtu is 1500.. If your internet connection is something that requires overhead like a pppoe connection or something ok.. Just wondering why the switch would default to 1400?

@patient0 said in /mnt folder question:

@Gertjan a bit further up stephenw10 wrote:

I'm pretty sure the efi partition is mounted there to test at upgrade for example.

... that's why.

That's why I replied ... it wouldn't mount in /mnt but somewhere in /mnt/somewhere/
That is, that is what I hope.
Because, if not .... dono, that feels pretty dirty to me.
What if I have a USB drive mounted (also) with my config.xml ?
Anyway, just thinking out loud here.

thanks @stephenw10 !
I think I got all the info I needed. Now have to decide to-buy or not-to-buy :)