If you're authenticating against Freeradius the users only need to exist there.

If you have 100s of users though I'd consider using an external radius server. The Freeradius package in pfSense is not really optimised for large numbers like that.

@johndoe102 said in Netgate 4200 thermal question:

In my case , my Netgate 4200 is placed in the basement with ambient temperature of 16-18 C and I also had about 50 C of the CPU temperature. So I decided to place a 140mm fan running all the time on top of the Netgate 4200 and now I have about 20-24 C

Screenshot from 2025-03-17 12-25-36.png

I had a similar situation with mine. Sticking a fan to the top cut the temps to about half.

It was ISP based, due to merging networks with their new owners CityFibre.

I do appreciate the assist.

Doing so removes all filtering. You can have filtering as long as you have the rules to pass traffic you need.

Redmine has been updated to reflect the testing done by @mcury so there is official guidance regarding treating this set up with dynamic routing.

I would take it a step further and make the declaration that if your firewall is running dynamic routing protocols (BGP/OSPF) then disable reply-to system wide and make sure you are using floating state policy. I wouldn't do it on a per-rule basis as that's not scalable - prone to error as you miss a rule with those advanced options set.

Hmm, it appears lsof is a dependency of Telegraf: https://github.com/pfsense/FreeBSD-ports/blob/devel/net-mgmt/pfSense-pkg-Telegraf/Makefile#L17

How do you have it configured?

@periko what version of pfSense is this for? I think that the new version of Squid makes it such that cachemgr.cgi no longer works. I have not attempted this inside the new package. If you are running older software like 23.05.01 with Squid 5.8 it works. Sorry.. It did the same for me on pfsense version 24, some code needs adaption for this functionality to work again.

Ok try running: ls -ls /usr/local/etc/pkg/repos

That should show a symlink for pfSense.conf that points to the selected repo like:

24.03-RELEASE][admin@plusdev-4.stevew.lan]/root: ls -ls /usr/local/etc/pkg/repos total 1 1 -rw-r--r-- 1 root wheel 25 Apr 19 2024 FreeBSD.conf 1 lrwxr-xr-x 1 root wheel 55 Mar 18 12:49 pfSense.conf -> /usr/local/etc/pfSense/pkg/repos/pfSense-repo-0003.conf

When you change the update branch in the webgui that symlink should be updated.

Then if you check that repo it should be 24.11 like:

[24.03-RELEASE][admin@plusdev-4.stevew.lan]/root: cat /usr/local/etc/pfSense/pkg/repos/pfSense-repo-0003.conf FreeBSD: { enabled: no } pfSense-core: { url: "pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v24_11_amd64-core", mirror_type: "srv", signature_type: "fingerprints", fingerprints: "/usr/local/share/pfSense/keys/pkg", enabled: yes } pfSense: { url: "pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v24_11_amd64-pfSense_plus_v24_11", mirror_type: "srv", signature_type: "fingerprints", fingerprints: "/usr/local/share/pfSense/keys/pkg", enabled: yes }

I'm guessing your install is not showing that for some reason.

@ErrorHandler I’m not familiar with the game setup, but, see if your ISP router allows setting pfSense as its DMZ. This forwards all inbound packets to pfSense.

If the game requires uPnP, pfSense supports that, it’s under Services.

@Bob-Dig Thanks for the reply. Subsequent error messages appear to show the SMS is being blocked as spam.
(AUP = Acceptable Use Policy, CNCT = Concurrent Connections, MXRT = Max Rate)

Final-recipient: rfc822; XXXXXXXXX@mms.att.net Diagnostic-Code: smtp; 421 att-e2xms-ibgw-6001a.ext.cloudfilter.net cmsmtp 96.102.19.37 blocked AUP#CNCT Final-recipient: rfc822; XXXXXXXXXX@txt.att.net Diagnostic-Code: smtp; 451 4.2.0 <XXXXXXX@comcast.net> server temporarily unavailable AUP#MXRT

I likely have a ton of messages in queue and will wait for them to fail out and before testing again. Just leaving this for anyone who is having similar issues. Searches found many instances of this problem with other providers.
For example.:
Anyway, thanks again for the comments.

@Hyperion_Cyber Run an update in pfBlocker.

In general devices need to use pfSense and not DOH/DOT for DNS, or they bypass blocking. pfBlocker has a checkbox in DNSBL to block that.

@Bob-Dig

I found other configuration examples on GitHub: https://github.com/a4649/wireguard-multi-site

In this example, site A is the "hub". In each "spoke" site, the AllowedIPs contains the remote LAN of all other sites and the tunnel interface of the hub instead of the entire tunnel network. So it seems to me that it is not a "requirement" to have the entire tunnel network specified in the AllowedIPs in all the "spoke" sites.

The use case you mentioned is indeed very rare, but I couldn't really think of other reasons why the entire tunnel network is specified in each remote office's AllowedIPs setting.

@Maxpower said in Issue with ACME Certificates Refresh & Restarting HAProxy:

For this, I have configured the command /usr/local/etc/rc.d/haproxy.sh to restart HAProxy, as its described in the GUI

What exactly did you do here ?
Can you go into detail ?

I edited one of my DNSBL groups :

c32c8394-4a11-4916-b7f9-4fca099b6f91-image.png

and I've added, like you :

55f65d56-e053-456b-9da9-f9f02605ef18-image.png

I reload everything :

6617f34e-5132-4aa5-859b-b2a6adff3b65-image.png

On my test PC (192.168.1.6), I flushed my PC's DNS cache - just to be sure.
Now, the test :

a1406ebb-f5e4-47fc-86b7-c5abf21fb1a5-image.png

for the domain dnsbltest.com : same result.
My browser was unable to resolve both never.com and dnsbltest.com.

It's normal that an "browser error" is shown, and not the :

183d3533-fd19-4d9e-85d3-42c1b8f88bee-image.png

because "10.10.10.1" would only work for non TLS (non https) web access.
10.10.10.1 could not intercept https requests.

Looking at the pfBlockerng Alerts page shows that both DNS request were blocked :

1a072383-05a4-47cb-82f9-0c3b964347f0-image.png

@hajun29011 said in dnsbl is not working properly:

https://www.zenarmor.com/docs/network-security-tutorials/pfblockerng

zenarmor ? Who is that ?
Why not using the official docs and/or video's ??
This is a bit vague :

a44524f0-ab7a-4842-abef-e3c13fab6834-image.png

Here : https://www.youtube.com/@NetgateOfficial/videos

@viragomann

Thank you. I am new in networks. I thought that Local Networks means Tunnel network. I inserted 192.168.50.0/24 into Local Networks and it works.

@Gblenn

Hey thanks for replying.
I'm really struggling to make this work

Currently I have a split tunnel network I'm trying to setup here (essentially what I'm describing).

Out of desperation I tried tunneling all traffic from site A to Site B over the WG interface. I created a static route on pfsense (10.1.0.1) of 0.0.0.0/0 to be routed over WG interface and included 0.0.0.0/0 as allowed networks.

On pfsense at site B, I turned off blocking bogon or private LAN addresses.

The resultant however was the same. Site A Clients could all reach clients on Site B (tested with ping and ssh), however no Site A client could connected to the internet beyond the router. (which includes AT&T modem as this device sits on the external side of the WAN nic).

How do I get the WG interface at SiteB to route the connection out the WAN interface? Nothing is showing up being blocked in firewall logs

Sounds good and thanks again for helping out!

The options are still valid; they just can't have spaces between them otherwise it tries to interpret them is new switches.

yo uso este X4E N150 DDR5 lo uso para administrar dos conexiones de 1GB, pfblocker, squid, snort y sin problema, va perfecto, n150 es mucho más rápido que los celeron que menciones

I would still just use the default sizes. And I'd probably just use two drives in a zfs mirror.