@stephenw10 I did it this way: used a 25.07.1 VM set update path to 25.11 forced install of pkg with pkg install -f pkg --> pkg 2.3.x installed immediatly afterwards, running of pkg fails because of dependencies lldpd now also fails with the same reasons Yes I know, normally one wouldn't force pkg to install a new version but that's what now has happened to various systems twice. Once in a beta build or when the first RC came out? and once now at the beginning of that thread. Every time we checked, pkg has updated itself to a new 2.x.x version and thus threw errors and lldpd died. So something seems to have triggered a pkg upgrade to a newer version even if 25.07 was selected fixed as install path. Cheers :)

@eagle61 said in Umstieg auf Glasfaser - ws ist zu beachten ?: Genau das meine ich doch auch. Dann geht dann halt kein VoIP mehr - sie agieren dann als Modem, Deshalb gibt es bei Cable.-Fritten (wenn der ISP mitspielt) die zweite IPv4. Eine behält die Fritte, die andere geht an den nachgelagerten Router.Die IP die die Fritte behält ist für VoIP, etc. OK dann mißverstanden. Anyway Kabelboxen kann man hier nicht vergleichen, denn wie schon weiter oben gesagt, werden die von Fritz einfach an die Betreiber rausgegeben und die machen die Bestückung und Änderungen in der Firmware. Was dann geht entscheidet bspw. Vodafail. Die Firmware ist auch von VF, Fritz schickt sein Update da hin und die ändern was sie da ändern wollen. Du kannst zwar ne nackte Box kaufen unbranded, dass die funktioniert sagt dir der Provider dann aber auch "eher unwahrscheinlich, da biste dann allein" und dann kannst du gleich was ganz anderes kaufen. :) Bei DSL/Glas ist das anders weil man sich da wieder halbwegs an Standards hält. Auch wenn ich PPPoE für nen Krampf und nicht nen Standard halte. Aber da gibt es zwar "branded" Boxen wie bspw. 1&1, die haben dann aber meistens eher nur ne Sonderlocke für schnelle Konfig vom Provider eingebacken, du kannst aber problemlos das manuell machen. Lässt man die Fritte nur noch als Modem agieren, hätte man doch auch gleich vor die sese nur einen ONT (z.B. Glasfaser-Modem 2 der Telekom) klemmen können. Das kostet weniger als 40 Euro. Die Fritte ein Mehrfaches. Nicht ganz. Klar kostet das weniger, aber wenn du "Ruhe" mit dem ISP haben willst, ist es meist einfacher dessen vorgeschlagene Box zu nehmen, sofern die noch "akzeptabel" ist. Die 0815 Telekom Box bspw. eher nicht. Aber wenn der Provider dir ne Fritte für lau obendrauf gibt, dann nimmst du meistens die mit, weil das wenigstens das kleinere Übel ist. Gerade wenn du bspw. noch ne echte v4 bekommst. Oder wenn du dahinter mit nem Cluster rumspielst. Nur Beispiele. Wenn einem da der ISP Support egal ist kann man natürlich machen was man will, aber bei jedem Mal wenn die was ändern und die Verbindung nicht mehr klappt steht man wieder alleine da und muss hoffen, dass man nicht in irgendeinen Callcenter oder Support Bot abgeschoben wird, weil man ja unsupportete Geräte nutzt. @eagle61 said in Umstieg auf Glasfaser - ws ist zu beachten ?: Was die Sicherheit des LAN*s angeht, ist es doch vollkommen egal ob ich eine Fritte im Bridge-Mode oder einen ONT/Modem vor der Sense habe. Um Sicherheit gehts da gar nicht, wie gesagt, das Thema ist da eher ISP Support und Umgang mit eigenen Endgeräten. Und da erlebe ich immer wieder Dramen auch mit unseren Kunden, die echt zum Heulen sind. Da wird man eben pragmatisch und nimmt das kleinste Übel. Cheers

@JonathanLee said in Doh and chat gpt: It is safe to say that that if they recommend to do this ... I found one paragraphe that I understood and agreed with : NSA recommends that an enterprise network’s DNS traffic, encrypted or not, be sent only to the designated enterprise DNS resolver. This ensures proper use of essential enterprise security controls, facilitates access to local network resources, and protects internal network information. All other DNS revolvers should be disabled and blocked. For me, this is a good advise. Let's all agree that this just is my opinion. This paragraph also explain (again : for me) why pfSense adopted unbound, and left the forwarder, (dnsmasq) as it is a resolver and it support DNSSEC. The fist paragraphe (I dismiss the intro paragraphe) : DNS translates domain names in URLs into IP addresses, making the internet easier to navigate. However, it has become a popular attack vector for malicious cyber actors. DNS shares its requests and responses in plaintext, which can be easily viewed by unauthorized third parties. Encrypted DNS is increasingly being used to prevent eavesdropping and manipulation of DNS traffic. Wasn't this partially solved a couple of years ago ? Short story : Enable DNSSEC on your web site (mail server, any resource) - activate DNSSEC on the pfSense*-unbound site and from now on the DNS info you receive can't be tampered with. Example : visit this test site : https://www.test-domaine.fr - I own this site for demonstration purposes. This domain name server is DNSSEC secured. So when our resolver unbound resolves this domain name, from top (root servers) to bottom (a domain name server), the entire revolver process will be signed and everything adds up, the answer is accepted and unbound will give it to your requesting LAN client. Afaik, initially, the US was slow in accepting DNSSEC, and I really did understand why : "There must be something better as that ?!" but years passed and nothing better was found, so, not long ago, it became mandatory for all 'official' domain names even in the US. Example www.usa.gov. If you like the visual graphs : www.usa.gov. DNSSEC doesn't hide. It's not a "don't see me watching p#rnhb.com" solution. It's a tool that makes sure that when you want to visit p#rnhb.com, you get p#rnhb.com, and not a spoofed web site. Spoofing p#rnhb.com is one thing, if your bank's domain name gets spoofed, then you will have "issues" very fast. DNSSEC promises you just one thing : "You'll get a exact answer when you do a DNS request". It will be the domain (site) you want to visit, and nothing else. The 'hiding' and 'flying below the radar' web surfing is for those who have sensible formation to hide, and this isn't valid for what ? 99 % of us. I tend to see DNSSEC as 'chain singing'. If it breaks, then sell your bitcoins right now, as they will break minutes later ^^( and post/warn us here as fast as possible, so we can sit on the front row as this will bring some economic fireworks with it ) DoH just hides the DNS traffic. Maybe not for the 3 letter agencies like the NSA ?! - It maybe just me : if the NSA advises to used DoH, what does that really mean ? After all : the NSA wants info [with the "no matter what" authorization], that is their main goal. They care way less about 'your' security' or our 'private rights', these are just optional. Btw : I'm not against their (NSA) existence, every country has one. Afaik, we need them. Edit : @netgate : really ? can some one sign that netgate.com domain please ? It's not rocket science anymore. Visit the registrar, check "Enable DNSSEC" and be done. Or do it the manual way, as I did it, if you host your own domain names (Me, running a hotel, can do it, so consider the trick as mangeable ^^) @JonathanLee said in Doh and chat gpt: but how do you make sure your clients are configured to only use that one DoH server? Afaik : there is no DHCP option (even RFC ?) yet that asks for a DoH type of DNS server. Also : 99 % of all routers out their are the crappy ISP routers. They might host a dsn forwarder, not something that hands out DoH DNS servers. This means that a device with 'some' OS might be hard locked to an existing, know upfront, probably hard-coded into its firmware, DoH server IP (and domain name !!). For what I know : If you want to use a DoH DNS solution on your system, you have to enter it by yourself. This tells me : [image: 1763656524355-ae258d6c-34e2-446d-a4bb-884f5ec876cb-image.png] that "Microsoft 11" has its own list with 'Microsoft' DoH servers - the "automatique mode", or you can enter one of yourself. By default, the Microsoft OS will obtain it's (classic) DNS IP by asking it during the DHCP lease request. @JonathanLee said in Doh and chat gpt: there is no settings on iMac or on Windows etc and or browsers to lock down to a single DoH Group some Windows Microsoft devices together, make them member of a Microsoft domain, get a domain controller, and use the Domain Policy editor (or whatever its called), and can set set whatever you want. Including mandatory DoH. No RFC needed.

Nice.

@korenchkin .... Hello everyone, just wanted to mention that the cable (the rj45 to db9) and a new CF card didn't work at all. Same results. So, my only option is to flash the BIOS directly. I was looking for guidance here (I was reading through 5he comments) but I only saw mention of the success. I was looking for a guidance and details that I should pay attention to the process. I downloaded the program and ordered the kit. If there is any details and or advice in how to proceed, I will be please to hear it. Good day.....

@Gertjan FWIW, the (apparent) default kern.ipc.maxsockbuf is also ~ 4 MB on CE. Presumably OP could've increased this value dramatically—in excess of 10 MB—to match Unbound's configured 'message cache size.' But that's as bad of an idea as arbitrarily increasing the latter in the first place.

@johnpoz Just thought of something. Create the profile and import it onto the iPhone partner like normal. Then after you 'accept' or 'allow' the profile from Settings, that's maybe when it gets 'transferred' over to the watch. You'll know that this might work if you don't see 'incompatible profile' when you tap the emailed attachment on the iPhone.

@johnpoz Don't be naïve, John. Maybe it'd help to think of it more like people trying to actually understand the technology they use. You're welcome for the report.

@stephenw10 said in New log type entry?: What is hostname_0 in that context? I'll try to replicate with some clients on it.... See here : pfSsh.php playback pfanchordrill (when portal is active) - let's continue over there.

@marcosm That's good news. Glad you guys snagged this last minute!

Hmm, how are those VMs configured? I've run that upgrade numerous times in Proxmox and never seen that.

@marcosm DM sent.

@stephenw10 Oh, great! Thank you for that correction (I didn't know that). I'll replace my script with the one you gave me. Thank you so much!

Yes.

@marcosm the patch can be applied on 25.07.1 and looks fine : [25.07.1-RELEASE][root@pfSense.bhf.tld]/root: pfSsh.php playback pfanchordrill ################ # ethernet rules ################ ether anchor "cpzoneid_2_auth" on igc1 l3 all { anchor "192.168.2.38_32" all { ether pass in quick proto 0x0800 from 32:e4:ee:0b:29:c8 l3 from 192.168.2.38 to any tag cpzoneid_2_auth dnpipe 2016 ether pass out quick proto 0x0800 to 32:e4:ee:0b:29:c8 l3 from any to 192.168.2.38 tag cpzoneid_2_auth dnpipe 2017 } anchor "192.168.2.42_32" all { ether pass in quick proto 0x0800 from 26:e4:a6:2f:22:15 l3 from 192.168.2.42 to any tag cpzoneid_2_auth dnpipe 2010 ether pass out quick proto 0x0800 to 26:e4:a6:2f:22:15 l3 from any to 192.168.2.42 tag cpzoneid_2_auth dnpipe 2011 } anchor "192.168.2.43_32" all { ether pass in quick proto 0x0800 from 9a:65:2b:20:a3:b3 l3 from 192.168.2.43 to any tag cpzoneid_2_auth dnpipe 2012 ether pass out quick proto 0x0800 to 9a:65:2b:20:a3:b3 l3 from any to 192.168.2.43 tag cpzoneid_2_auth dnpipe 2013 } anchor "192.168.2.44_32" all { ether pass in quick proto 0x0800 from ac:1e:9e:70:cd:2d l3 from 192.168.2.44 to any tag cpzoneid_2_auth dnpipe 2014 ether pass out quick proto 0x0800 to ac:1e:9e:70:cd:2d l3 from any to 192.168.2.44 tag cpzoneid_2_auth dnpipe 2015 } } ether anchor "cpzoneid_2_passthrumac" on igc1 l3 all { anchor "28704e6249e5" all { ether pass in quick from 28:70:4e:62:49:e5 l3 all tag cpzoneid_2_auth dnpipe 2000 ether pass out quick to 28:70:4e:62:49:e5 l3 all tag cpzoneid_2_auth dnpipe 2001 } anchor "28704e6260bd" all { ether pass in quick from 28:70:4e:62:60:bd l3 all tag cpzoneid_2_auth dnpipe 2002 ether pass out quick to 28:70:4e:62:60:bd l3 all tag cpzoneid_2_auth dnpipe 2003 } anchor "9c05d6320095" all { ether pass in quick from 9c:05:d6:32:00:95 l3 all tag cpzoneid_2_auth dnpipe 2004 ether pass out quick to 9c:05:d6:32:00:95 l3 all tag cpzoneid_2_auth dnpipe 2005 } anchor "d8b370834988" all { ether pass in quick from d8:b3:70:83:49:88 l3 all tag cpzoneid_2_auth dnpipe 2006 ether pass out quick to d8:b3:70:83:49:88 l3 all tag cpzoneid_2_auth dnpipe 2007 } } ether anchor "cpzoneid_2_allowedhosts" on igc1 l3 all { anchor "hostname_0" all { ether pass in quick l3 from any to <cpzoneid_2_hostname_0> tag cpzoneid_2_auth dnpipe 2008 ether pass in quick l3 from <cpzoneid_2_hostname_0> to any tag cpzoneid_2_auth dnpipe 2009 } } ################### # translation rules ################### nat-anchor "natearly/*" all { } nat-anchor "natrules/*" all { } rdr-anchor "tftp-proxy/*" all { } ############## # filter rules ############## anchor "openvpn/*" all { } anchor "ipsec/*" all { } anchor "userrules/*" all { } anchor "tftp-proxy/*" all { }

@marcosm Since I'm the only one reporting the issue with openvpn, I have uploaded the requested info. However, testing further reveals that dco enabled client connection doesn't work only if the vpn is established over pppoe internet connection. if the dco enabled openvp connection uses dhcp wan, then openvpn works fine. So, opevpn client without dco works over pppoe connection from a non virtual pc, while at the same time , the same pc can only ping anything on the Internet but fails on anything else.

@skynerd said in Any packet containing sufficiently long sequence of 'J' characters disappears: Testing across my local network, going through the 2100 but not routed through the WAN, doesn't reproduce. Was that just through the switch? Like between devices in the same subnet? Or routing between VLANs on the LAN side?

I have a WRT3200ACM running OpenWRT. Hard to recommend it though as the WiFi seems very unstable. I've never seen it stay up reliably across several versions.

@marcosm Yes, I’ve tried removing all packages and installing the devel version, and even just installing it without configuring it, and ONLY on the backup node; there was no pfBlocker at all on the primary. All of these variants lead to the same result: if pfBlocker is present on the backup node, there is no synchronization. The only thing I haven’t tried yet is wiping everything and installing from scratch. With the patch, synchronization of the main settings works in any scenario, as well as package sync, at least for Filer. I haven’t checked pfBlocker itself. It’s possible that the actual bug is somewhere else, maybe in the rules… but then there’s still the question: why is pfBlocker, for which synchronization is disabled and which is not configured at all, interfering with the main config sync at all? Anyway, these are just my rhetorical questions from a non-expert… By the way, here are my sync settings: [image: 1764014604935-ff761b4a-75ee-4495-af63-58fbe57f732b-image.png] And on the backup everything is unchecked.

Yes it will try if the remote side is configured as a single public IP. But behind CGNAT that usually isn't the case. It would work for the connection before failover as long as there is no nat in place to change the source ports.