Netgate Discussion Forum
    • B

      2.8.0 config.xml won't apply with /etc/rc.reload_all

      General pfSense Questions
      0 Votes
      3 Posts
      40 Views
      B

      @stephenw10

      Hello,

      We add some client target routes (custom option "push route <ip> <mask>") to modify the VPN "content".

      In 2.7.2
      the /etc/rc.reload_all was triggering the update of /var/etc/openvpn/server1/config.ovpn with the changes from /conf/config.xml.
      Afterwards the OpenVPN service was restarted,

      the same as the "save" button in the WebGUI/OpenVPN menu.

      In 2.8.0 the config.ovpn stays unchanged if I execute /etc/rc.reload_all

      If I do a "reboot" the changes in config.xml will be applied to config.ovpn and OpenVPN service.

      Hope this is clearer now.

      BR

    • T

      NAT Reflection Issue with Dual WAN Setup in pfSense 2.7.2

      General pfSense Questions
      0 Votes
      3 Posts
      33 Views
      T

      @viragomann

      The LAN rule already has the source set to all and all ports going out are open.

    • A

      Can't receive GeoIP databases updates anymore, banned

      pfBlockerNG
      0 Votes
      3 Posts
      108 Views
      A

      @wbmstr2000 : Thanks! I will investigate it, greetings

    • S

      pfSense as Firewall/Router/Switch all in one - Layer 3 virtual interface?

      L2/Switching/VLANs switch svi virtual layer2 layer3
      0 Votes
      4 Posts
      120 Views
      M

      @spickles Thanks for the explanation. I think I understand now.

      Yes, the example I gave is router on a stick.

      I didn't dig deeply, but it appears that while pfSense supports VLAN traffic segregation, it does not support tagging inbound traffic onto a VLAN, i.e., no concept of a PVID that can be set per port (excluding the few Netgate devices with built-in switches). Tagging has to be done downstream: a host that tags its own traffic, a switch or an AP.

      You might be able to get something similar to what you describe with bridge groups (haven't played with them myself on pfSense) rather than VLANs. IIUC, each bridge group can be configured with its own router config. That way, all ports in the bridge group would share a gateway/routing/firewall configuration. For individual hosts, their port on the pfSense would be assigned to the relevant bridge group. For the multi-VLAN AP, each VLAN that also supports hosts directly attached to the pfSense would be assigned to the bridge group containing those hosts/ports. I've never tested whether VLAN subinterfaces can be assigned to bridge groups, but the GUI seems to support it. The downside of bridge groups is that the bridging is done on the CPU; there's a performance hit.

    • W

      Packages config is retained in upgrade?

      Problems Installing or Upgrading pfSense Software
      0 Votes
      3 Posts
      47 Views
      S

      @Wolfgangthegreat For example (this is checked by default):
      8544523b-d69b-4088-b221-d2532912455c-image.png

    • N

      pfSense on Watchguard M370

      Hardware
      1 Votes
      314 Posts
      149k Views
      D

      @stephenw10 I don't have enough points to upvote, so I'll just say thank you Stephen 👍 !

      Now, if the seller agrees to selling me that M570, I should be good to tackle this thanks to all the good info supplied by the community in this thread :)

    • W

      Failed to fetch repository data

      Problems Installing or Upgrading pfSense Software
      0 Votes
      3 Posts
      51 Views
      W

      and then it worked...

    • D

      How to download pfsense 2.8.0?

      Russian
      0 Votes
      3 Posts
      78 Views
      D

      @werter
      Thanks for the links!
      The stream of negativity about the netinstaller has already started.
      Looks like they're going to strangle pf CE...

    • T

      Wireguard performance - where's the limitation?

      WireGuard
      0 Votes
      3 Posts
      111 Views
      T

      @Bob-Dig thanks
      But I cannot understand why the FTP performance is crippled when going via Wireguard and not when going via the WAN.
      The same happens for NFS and SMB file sharing protocols. The performance over Wireguard is rather poor, although I haven't tried these over an unencrypted WAN for obvious reasons so can't really compare.

    • maverickwsM

      Kea DHCP stops working

      DHCP and DNS
      0 Votes
      70 Posts
      13k Views
      GertjanG

      @MacUsers said in Kea DHCP stops working:

      all of pfSense are v24.11-RELEASE (amd64); as far as I can see now, KEA actually never worked for me since I migrated from ISC, regardless of the pfSense version.

      There is a 99,99 % solution available now.
      Right now, this one :

      05190dbc-0f5c-445e-ba66-8104c93aae78-image.png

      is available.
      An RC version is identical to the final Release.
      It stays RC so very minor issues like GUI text can get corrected.
      Major changes, like 'kea not working' won't be corrected anymore.

      I'm pretty sure (tens of thousands) use "25.07"(RC) right now, and they 'all' use kea.
      No issues afaik.
      So .... even if 25.07 won't solve your issue, you'll be sure for 99,99 % that the issue is ... on your side.
      Or, you are using pfSense (kea DHCP) in a very special way, and no one else is using it that way so we can't know what your issue is ?
      Do you have any details about why your 'pfSense' (DHCP kea settings) are so different that it 'breaks' ?
      Do you use an edge case scenario where things were possible with ISC DHCP, but not anymore with kea ?

      Btw : we all have iMacs, iPads, iPhones and other iStuff in our networks, they all behave fine with kea, using classic DHCP leases, or static MAC leases.

    • W

      DNSBL_Malicious not downloading

      pfBlockerNG
      0 Votes
      9 Posts
      429 Views
      W

      @Qinn Thank you, I just turned it back on and it is working!

    • Bob.DigB

      [solved] English language "question"

      Off-Topic & Non-Support Discussion
      0 Votes
      3 Posts
      214 Views
      stephenw10S

      Mmm indeed, I would expect that to be they or it depending on whether 'peer' refers to the user or the device. More likely it's a device in that reference.

    • C

      pfblocker 3.2.8 + pfsense 2.8.0: top1m db download fail

      pfBlockerNG
      0 Votes
      4 Posts
      392 Views
      sretallaS

      You can download it here now:

      https://raw.githubusercontent.com/ianb/alexa-sites/refs/heads/master/top-1m.csv

    • W

      Is it possible to prevent installed packages (e.g. ntopng) from accessing the Internet?

      General pfSense Questions ntopng
      0 Votes
      3 Posts
      127 Views
      W

      @dennypage said in Is it possible to prevent installed packages (e.g. ntopng) from accessing the Internet?:

      @wolffire said in Is it possible to prevent installed packages (e.g. ntopng) from accessing the Internet?:

      I really like ntopng, but I'd rather it not be able to access the internet whenever it wants.

      Is it possible to block package processes from doing so?

      You can't block individual packages. The closest you could get is to find the domain or addresses the package is accessing and block those.

      With specific regard to ntopng, I haven't examined all the callouts but I don't recall it doing much unless you were using the licensed version (activation check), or had one of ntopng's "active" modes enabled.

      Make sure you have Active Network Discovery disabled in ntopng. It's in Settings / Preferences / Network Discovery / Active Network Discovery. This option should never be enabled on pfSense. Ditto for Active Monitoring.

      Thanks for the quick answer.

      I'm a little surprised about not being able to lockdown individual processes for those 'who watches the watcher?' types of situations. Finding a dynamic workaround will be painful.

      As far as ntopng, I just don't want it to be able to do anything online unless I've configured it to do so; I loathe the idea of telemetry being sent off to various companies.
      Not that I've found anything (I haven't taken a serious look yet); I'm just a bit weary.

      Speaking of the settings, after reading that post about inadvertently scanning the Internet, I definitely ensured active monitoring and network discovery was turned off. 😆

    • I

      check_upgrade: "Updating repositories metadata" returned error code 1

      Problems Installing or Upgrading pfSense Software
      0 Votes
      83 Posts
      11k Views
      B

      @stephenw10 I have the same issue

    • J

      DNS problem

      DHCP and DNS
      0 Votes
      4 Posts
      222 Views
      GertjanG

      @jamesdun

      @jamesdun said in DNS problem:

      if the new machine wasn't picking up the correct DNS server

      Well, launch

      ipconfig /all

      and it tells you what DNS server it uses.
      Normally, a new Windows PC will use DHCP, so it's 'plug and play'.

      @jamesdun said in DNS problem:

      Both machines show the correct DNS server when NSLookup is launched, although the old one also gives it a name and the new one fails to do the reverse lookup

      Looks like the new machine isn't allowed to do DNS requests against pfSense ?

      @jamesdun said in DNS problem:

      and the new one fails to do the reverse lookup

      Humm. The new one's DNS request gets refused ...

    • R

      Can't create schedule | "The schedule must have at least one time range configured."

      General pfSense Questions
      0 Votes
      3 Posts
      64 Views
      R

      @patient0 OK, that helped. I'm fairly certain I had tried clicking Add time before and it hadn't worked - with the error I previously reported. In any case, it worked for me now. Thank you!

    • dennypageD

      Has the 25.07 RC been withdrawn?

      Development
      3 Votes
      3 Posts
      163 Views
      dennypageD

      @cmcdonald Appears to be back/fixed. Thanks.

    • W

      Teams Issues

      General pfSense Questions
      0 Votes
      2 Posts
      51 Views
      S

      @wc2l What makes you think it’s pfSense related? (Serious question)

      Is IPv6 working?

    • C

      Doubts on CARP/HA/DUALWAN

      HA/CARP/VIPs
      0 Votes
      2 Posts
      12 Views
      S

      @chano76 Define "disconnects"? As in, unplugged, or the gateway is marked down?