@chris-doldolia Have you tried force update?

591d63d4-f132-4425-a94d-b499bb0cb0a1-image.png

Click the Run button...

@mrwaltman

You haven't given me enough information to know the answer to your question.

But, if you're worried about it, change your subnet at home.

Personally, I prefer to use 10.1.1.1/24 for my router. It's super easy to type.

@totalimpact said in Pfsense cannot port forward to Layer 3 switch:

having static routes requires a gateway on the Transit network.

Not on the interface - you create a gateway to the IP on the transit network, but you don't actually put that gateway on the interface of pfsense on the transit.. Or pfsense thinks a wan interface and creates an outbound nat on it.

You create the gateway in the routing gateway section not on the specific interface.

pfsense-layer-3-switch.png

@TravisH said in Suricata fails install:

drwxr-xr-x 2 root wheel 512 Jan 7 00:40 .pkgtemp.suricata.08AVRPG9TWd8
drwxr-xr-x 2 root wheel 512 Jan 7 00:06 .pkgtemp.suricata.DfPhnP3ubUyZ
drwxr-xr-x 2 root wheel 512 Jan 7 00:09 .pkgtemp.suricata.mIizbZW8LHex
drwxr-xr-x 2 root wheel 512 Jan 7 00:03 .pkgtemp.suricata.ScU3s6QPguyZ
drwxr-xr-x 2 root wheel 512 Jan 7 00:04 .pkgtemp.suricata.sPo4YPq2L88A

If these are valid directory entries in your screenshot, then they indicate multiple "stuck" package install processes for Suricata. They will all be competing with each other for access to the disk structure. At this point I would reboot the firewall and try again.

Nothing has changed in the Suricata installation process recently.

@Sawami648 what fqdn is your cert for.. How are you accessing pfsense gui?

If the fqdn does not match you will get an error, or if you access via local IP you will get an error the name doesn't match..

If your cert is for say pfsense.publicdomain.tld and you access with say pfsense.home.arpa that would fail.. If you access via 192.168.1.1 that would fail, etc.

Also you mention you tell your browser to trust the cert - doesn't work that way, you need to have the CA of who signed the cert trusted by your browser.. But doesn't matter if your browser trusts the CA or not, if the CN or SAN of the cert doesn't match up with how your accessing it be it fqdn or an IP.

Example my pfsense name is sg4860.home.arpa - see if I access with that name or even IP.. It is trusted because the CN matches, and the SAN also has the 192.168.9.253 IP in it.. But notice it fails if I access it with another IP on pfsense 192.168.3.253

certsanjpg.jpg

Here is examples of it working with that fqdn or the 192.168.9.253 IP, and the error the browser gives me if access with something that doesn't match up with the cert.

cert.jpg

I just created my own CA in pfsense and signed cert pfsense uses for its web gui, and my browser trusts this CA, which is why able to use non puplic domain, and rfc1918 Ips in the cert.

ca.jpg

Perhaps the solution is to release the lease prior to disconnecting either network.

Unplugging a network connection is different than releasing the lease then disconnecting the cable.

If this is windows, it's possible to create a task based on a trigger. In this case I don't think it will work. The trigger would be loss of network connection, but once lost, can't issue a dhcp release.

You could however run a script that would do the same via commandline. Just have to remember to execute it before switching wired<>wireless.

I use something like this for my screen blanking. I have a rodent that suffers from tourette's syndrome, manifesting as random movements when the the trackball is not even touched. This results in the screen waking for no good reason.

Using such a script it's set to disable the mouse, then induce screen sleep mode. Of course I can't wake the mouse but can with keyboard. A trigger based on wakeup runs another script that re-enables the rodent.

This particular box has 2 ethernet nics + wifi. AP is configured for for a different vlan than the primary lan. Both wifi and wired can be on at the same time (with different IP's).

What is your use case for keeping the same ip for both interfaces?

Mmm, nothing terribly exciting there.

@Gertjan This is Noted, and Thank you

@stephenw10 thanks sent in a email to sales. Might be able to do without the actually bracket. Might be able to fabricate my own bracket.

@CatSpecial202

There's no such thing as broadcasts on IPv6. The closest to it is all nodes multicast, which is an ICMP6 message. FF00::/8 is multicast. Since IPv6 relies on multicasts for a lot, you want to be careful of what in that range you filter. For example I just saw a multicast to ff02::1, which is a router advertisement to all nodes. If you block that, you'll kill your network. FE80 the link local range and those shouldn't even be passing through pfSense. However, they are also critical to the operation of IPv6, so again be very careful of what you filter.

@elexir said in Error after package update:

pfBlockerNG-Dev

The latest version, or development version, is written with the latest version of pfSense in mind.
That not 24.03, but 24.11.
Next time : always start by checking what the latest pfSense version is and if needed, update pfSense first.
Then, start to think about upgrading packages.

@kenw as mentioned by @keyser even if you could shave off a few watts - is it worth the risk that might come with instability? Your not talking from going from 100w to 10w, lets say you could save 2 watts.

In the big picture at say 15 cents per kwh.. Do the math.. Your talking like $2.63 over the year..

And you might be below that or even if you were paying 50 cents a kwh your only talking $8.77 over the year..

This cost savings are in no way worth any effort even, or the risk of problems.

Now if you were talking say changing some hardware or whatever and went from 150W to 10 watts.. So a savings of like 180 dollars a year.. Hey such a savings might be worth even changing hardware - because you might recoup the cost of the new hardware in a few years.

@rac1503
Sorry for late reply, but thanks to the last iOS update I see emails only just after rebooting the phone. (One may think that email is an anachronistic way of communication compared to modern messengers but it is annoying if it does not work.) However, fine, that you have solved your problem!
Regards, Michael

Ah, nice. Yes some modems only support some variables there.

@Gertjan thx for the explanation.
As the problem seems to be related to the php interpreter memory pool and the computer i'm testing on (2sockets - 2 cores of a i7-6700 with 6G of ram) seems pretty weak for the use case i'm trying to to implement.
I'm gonna try to see if a can do some test on the server the app will be deploy on.

For the firewall related rule, i meant an option in the php script as the goal is to aumotate all the LXC handling process.
It works in "pass" mode but i guess it would be better with a firewall rule ?

I will give a feedback after some tesing (if they let me play with the big toys :p )

OpenVPN can be configured for smartphone use and set up to access a NAS at home or what have you.

@johnpoz I admit the setup isn't ideal, however somehow despite the error messages the system seems to work -- clearly I don't really understand all the underpinnings of how things work.

How should I be constructing things??

Two pfsense installations running unbound with same domain. Each pfsense installation has domain overrides for subdomains running on their installation. Additionally each pfsense answering DNS over DOT on port 853.

domain.com------->>>Pfsense #1 (domain=domain.com) -> Overrides--->test.domain.com --->test2.domain.com --->test3.domain.com ------>>>Pfsense #2 (domain=domain.com) -> Overrides --->test4.domain.com --->test5.domain.com --->test6.domain.com

Each installation can resolve locally, however if pfsense installations connected by vpn, I need name resolution for devices on Pfsense #1 network accessible to devices on Pfsense#2 network -- and vice versa. If VPN is broken or down, local domain overrides will still work.

I'm just making use right now of the unbound domain overrides section similar to this:
Screenshot 2025-01-01 at 5.40.14 PM.png

In terms of DOT -- no I don't need it between the pfsense nodes on either end of the tunnel -- however how do I have it only active for LAN clients but not for the tunnel?

I'm not looking actually to forward DNS requests, rather have unbound "resolve" them and then pass the answer back to the clients. In terms of resolving (not forwarding), how does each unbound server know what DNS server is definitive for a specific local domain that's split? I thought I was accomplishing this by listing the servers within the domain overrrides section.

@Sergei_Shablovsky said in Mixed MTUs on different NIC's interfaces on same pfSense bare metal:

How mixed MTUs impact on FreeBSD overall performance and throughput as this server are BORDER firewall ?
(PCI bus pressure, RAM pressure, etc...)

You can have different MTU on different sides of a router, as they are separate networks and the router will handle the MTU difference with Path MTU Discovery (PMTUD) or sometimes with fragmentation.

I don't have anything hyper-V here but someone may have a suggestion.

Hmm, that seems more like a hardware issue in the server then.

Is it still responsive locally if you connect to the console?