@chrcoluk said in PSA: If you are using DHCP options with Windows 11 and DHCP/networking ceased to function after upgrading to Windows 11 24H2 ...:

, I use option 43 to make sure Netbios is disabled

Ah - ok that use case seems like it would be more common on a user machine vlan..

@JonathanLee said in issues with dumpdev in /etc/defaults/rc.conf:

sysctl debug.kdb.panic=1

b9160abf-7a3b-47d4-a8c5-0ace4dae0fe1-image.png

Custom solution

add the cron copy the rc.dumpon to rc.dumpon.old
add the new info

and it works

You shouldn't be using it in a MAX variant, no. It's safe to just exclude it from the widget.

@jimp I'll reboot to 24.11 tomorrow when I can get an hour's downtime in

@stevencavanagh
As far as I know, it does. If you choose to direct all upstream traffic over the VPN "redirect gateway" should be set in the server, which might be the case, since you cannot access the internet.

Then need an outbound NAT rule to masquerade the internet traffic from the VPN client. You mentioned above, that there are outbound NAT rule. Ensure that the source is the OpenVPN tunnel network in the additional rules, apart from the rules for LAN subnet.

And also you should provide a DNS server to the clients. This can be a local or a public one, but ensure that access is allowed.
If you provide the local DNS resolver, maybe you need to add the tunnel network to its ACLs. Access should be allowed automatically, but this doesn't ever work.

@FrostElara Activate the TLD in pfblockerng and add it to the blocklist. pubgmobile.com I solved it by adding the address. Of course, it works by blocking external DNSs.

Yup, two completely different crashes again. I would definitely do a memory test here as a next step. A software bug would not present such widely varying crashes.

Yes just disable all the outbound NAT rules that have destination port 500 in them. They are not needed and just make it more difficult to read.

Those firewall rules look good. As long as you are testing from a client inside the QNCNet alias and the EXPRESSVPNNEWJERSEY3_OVPN4 gateway is up traffic should go via the VPN.

@Gertjan said in Captive Portal not working on iOS devices only (DHCP 114):

I've edited services.inc :

I have noticed that once Affinity is running, not only does it protect the IP/Mac Pair until it meets the affinity duration after disconnecting, it also does not re-assign that IP again. Instead it keeps counting up with ever increasing IP numbers, even if it is the same MAC that had an IP before, and IP that is now available. It appears that it will use up the pool before re-assigning any of the IPs that were issued while affinity was turned on. Simply turning on Affinity of any duration appears to enable this behavior. This is very beneficial to Captive Portal when running the modified index.php/RFC8910.php files in Redmine 15854 and/or Redmine 15904. The default index.php and original release of RFC8910.php will pop up a login screen and once logged in, create a new authorized entry in the CP DB with the new IP, resulting in two authorized IPs for the same Mac unless the idle/hard timeout is less than the lease duration. iOs devices using the original RFC8910.php may show a blank temporary browser screen.

Without Affinity enabled, the default Kea assignment is to reuse the IPs from the lowest number upwards within seconds to a couple of minutes of the IP expiring. In this case the original index.php and RFC8910.php files will try to use the CP DB entry of that IP and fail if it was previously used & authorized (but not yet timed out), thinking it is already logged in, showing either a blank screen or a copy of the logout page. No internet access is possible until you manually delete the IP from the CP DB before connecting a device with the same IP of one already authorized.

Using the original RFC8910.php, with the recent release of Windows 11 24H2, it is popping up the RFC8910 JSON file with no login screen. The JSON is modified to go to a Microsoft URL rather than the one specified in the Captive Portal configuration. Clearly Microsoft is experimenting with DHCP 114. The modified RFC8910.php mentioned above in the Redmines does not fix this unless you are also running the suggested index.php which will update the CP IP address and thus maintain the connection. There is an issue though with Windows because it loads the connection test screen (msn) instead of the logout screen. I expect Microsoft will fix this though as it works fine with IOS, the folks who created DHCP 114 in the first place.

To make this post complete: Even though the Affinity period has expired, Kea keeps allocating IPs with ever increasing numbers from the DHCP pool until the pool is full. It then starts over at the lowest number and works upwards, respecting existing leases and any within the affinity protected time period that may not have expired yet. This behavior suggests that Captive Portals will be more reliable with Affinity enabled, independent of the duration.

@maltepk
You didn't even add a rule to allow this?
pfSense is a firewall! 🙄

@stephenw10 @johnpoz thanks!

@Gertjan Thanks, good idea. I will try increasing the log level. Unfortunately pfblockerNG-devel did not solve the issue.

@stephenw10 - Excellent! Patch worked. Glad I wasn't imagining things.

It's this: https://redmine.pfsense.org/issues/15411

Can you select an x86 CPU type there? It appears to offer other x86 parts for emulation.

If you can then the amd64 image should work. Probably.

@johnpoz Yep. There's also the challenge of reliably identifying and redirecting or blocking DoH traffic, assuming redirection even makes sense. I'm not running DPI, and relying on a canned list of DoH servers for identification feels fragile.

Mine is a residential network. I run standard port 53 DNS internally and unbound DoT for external resolution, mostly for privacy reasons. If there are clients on the network using DoT or DoH, I guess some privacy objective is still met ... but probably not mine :) Devices like that are (likely) on untrusted VLANs though.

@FWright Your option b wouldn't work.

If your untagged network on pfsense is 192.168.10/24 then why would you think you could create a vlan with that same network..

You have few ways to go about this, either change your pfsense untagged network to something other than 192.168.10 or change your vlan 10 IP range..

I too like using an vlan ID that matches up with the 3rd octet.. its an easy way to remember what the vlan ID and network is.. Why not use say 192.168.30/24 vs 10, and use the vlan ID 30.

You could change your untagged network to say 10.10.10 or 172.16.10/24 and then you could use 192.168.10 on your vlan 10.

Or use one of those other network on your vlan 10.. As mentioned its not actually the vlan 10 that is the problem, its that you have overlapping networks.

Hello,

I was able to configure the WAN correctly by defining a VLAN with the tag required by the ISP and define the WAN on this interface.

A step-by-step guide with screenshot is available here: https://ic.rcasys.com/s/RantzDKFxHjX3Ba

Thanks @stephenw10 and @keyser for your support!

@froussy yeah as long as you connect in on something other than what is being changed you should be fine - if something goes wrong and your change isn't working you can always switch it back, etc.

Over the years I have myself shot myself in the foot a few times, its never fun.. ;)

Always give yourself a backup/backout plan.. When doing change on a cisco router or switch that could be problematic etc, always put in a reload command on a timer.. So worse case if goes wrong - it will reboot say in 10 minutes and your back to the start, if your change worked as you expected and all things working you can cancel the reload and save the config, etc.

I mean the switch/router rebooting might be a shitty outcome and maybe cause a service interruption, but that is far better than being in a broken config for a length of time until you can get to the site to fix, etc.

I mean your switch of interfaces should be no big deal, and work just fine, etc. "But" what if it doesn't and now you can't get in to fix it.. Better safe than sorry..

edit: I once getting cocky after so many eventless upgrades - had just clicked upgrade on a one of the old 2440 netgate boxes while home after work because figured hey nobody is there so they won't notice the few minutes of down time while it upgraded... Well it never came back and had to go into the office early to fix it. Only took a few minutes to restore and get the upgrade done when I was there.. And that was always my back up plan in case of disaster.. But this is why during covid and locked out of the office I didn't upgrade anything remotely ;) heheh

Better safe than sorry is good motto to live by ;)

@quickmo said in Wireguard Site to Site keine Verbindung vom Client:

1 <1 ms <1 ms <1 ms unifi.localdomain [192.168.2.1]
2 42 ms 26 ms 29 ms 10.0.20.1
3 * *

Die Route wäre die IP des Clients, der dann im Wireguard-Tunnel selbst die 10.0.20.2/32 erhält, dann noch den 10.0.20.1/32 erreichen (Standort A) kann.
Kann der Client dann noch den 10.0.20.5/32 anpingen?
Das 10.0.20.0 selbst ist aber ein /24?