@johnpoz

I normally leave a browser open all the time in the software forum as shown here:

b91d59b0-2a8e-48f6-9dd1-360b4f486913-image.png

As you can see, no highlighting.

But when I go into a forum, in this case General pfSense Questions:

a7b1e236-0828-40c0-b47e-4aae8e3ed514-image.png

Here the highlighting is visible.

@stephenw10
Exactly.
I am testing 2.7.2 memstick serial, i downloaded iso.
I'm installing via usb
It says lo0 link state changed to up.
But at this point installation stops it seems freezed

@tschan wie hoch ist denn die CPU ausgelastet?
Mach doch auch mal einen größeren Download und schaue es dir mal an.

My OpenVPN connection works perfectly with a regular pfSense local user.

I think that I may not understand which requirements are necessary to connect OpenVPN with the remote LDAP directory as an authentication source.

@Enso_ I wasn't clear, I meant VLANs. Snort/Suricata (basically) don't see VLAN tags so one only needs to run it on the parent.

Nothing in the logs then? It should log something if it doesn't start.

Mmm, I'm pretty sure it will boot but I have no idea if it will hit the reboot issue. 🤞

@stephenw10 said in Any new hardware planned for 2025?:

You would want to use the GPON/XPON SFP module dircetly? At 1G or some higher speed?

Yes - these boxes needs to be able to terminate fiber connections directly as the last thing I/we need is another router/bridge in front that can also cause issues or break.

I only wrote 1 Gbit for the interface because I understand the cost/product segmentation issue with the 2100 and 4200 on either side of it.
But obviously I would MUCH prefer a 2.5Gbit Dual Identity interface if possible as that would enable XPON capabilites and performance :-)

I'm crossing my fingers for such a product :-)

685ef897-9dfa-4656-81a3-8cb04f4c40f8-image.png

I am aware of the resolver interval, is there a way to bypass one url

example imap.gmail.com always forward to 8.8.8.8 do not save in firewall dns namesever for reuse

thus every time it gets the new ip address google has for the mail server, they change so fast the firewall can't keep up so the mail app at times says error after 5 mins it will resolve but that is unacceptable for modern use.

Imagine you work for a busy company that is trying a different brand of delivery trucks for its fleet that operates 24/7. The delivery trucks work well and employees like them, so the company buys many more over the next few years. At first, there were no available options, but the brochure for recent models lists two axle options: BASE or MAX. The only difference mentioned is that the BASE axle is 6-lug and the MAX axle is 8-lug.

Recently, the factory-equipped axles have begun failing much sooner than those of other truck brands and previous delivery trucks you have owned. Now, a sixth truck is stuck at the side of the road waiting for a tow, missing another important delivery and losing your customer's confidence.

You begin researching axle failures and this truck model. You find that the BASE model tires are similar to the axles used on passenger vehicles. They are fine for driving around town with light loads, but highway driving, adding additional equipment, or carrying additional weight causes the axles to wear internally and fail prematurely. Changing to the MAX axle requires a truck to be out of service for 2 days. You find that other companies using these trucks are having the same problem, and the manufacturer even recommends removing the spare tire, jack, radio, passenger seat, bumpers, and mud flaps to reduce weight and extend the life of the BASE axle.

You might think, "Ridiculous!" One of the main reasons we bought these trucks is that they support a wide variety of aftermarket accessories that allow the trucks to be customized to significantly improve their functionality, as shown in the glossy brochures.

You wonder, "Since these are sold as delivery trucks, why would the manufacturer use inferior axles without making it clear that the BASE axle option is what most customers will need to use the trucks for anything but the lightest of tasks?"

The MAX model was a $1000 option that seemed unnecessary at the time, but each premature axle failure costs you $10,000 in towing charges, labor, equipment rentals, customer goodwill, and vehicle repairs. Replacing the axles before they fail will cost $7000 of lost revenue, parts, and labor per truck. You look out your office at the 40 trucks in your loading yard and wonder how you will get through this situation.

This doesn't have anything to do with VPN, multi WAN, etc. It's the same interface ("PLDT") in either case.

I checked the code. Both graphs are produced by /usr/local/www/js/traffic-graphs.js and the data for both comes from the same rrd file.

The graphs have different refresh rates, resulting in different time periods, which results in different time averaging intervals for rrd. The Traffic Graph page, with a hard-coded refresh rate of 1, ends up with a shorter time interval (magnified view) when compared to the Dashboard widget with a default refresh rate of 3. So on the Traffic Graph page you might see two brief spikes of 40M in quick succession, however on the dashboard widget only see one spike of 20M. It's still the same data.

FWIW, The graphs also have different smoothing applied, but this doesn't have nearly as much of an impact as the time averaging interval.

If you really want the Dashboard widget and the Traffic Graph page to match, you would need to change the widget refresh period to 1 second. In general this is not recommended due to the increased CPU requirement, but you have to decide what's more important to you.

@Gertjan

7zip did the trick. Thank you.

@michmoor said in *Allow* IOS Facetime/iMessage Home Network:

Why would anyone need to create firewall rules for IoT device(s) ?

If you need to ask...

You're only seeing that because you're running the custom package notification script. Most users don't see that and don't need to. The pfSense-upgrade package updates itself when it's run at upgrade.

But you can update that anytime without issues. It's only used at upgrade.

@CatSpecial202 said in Allow only ssh login for admin:

Is it possible to enable SSH login via public key for the admin user?

Not only possible. Its imho pretty mandatory.

Any every server device you use, rent, buy create, uses initially a SSH connection, and the admin (mostly root) + password is send to you.
Or you created these when installing the OS.

Os soon as you enter the first time, you create cert. Export the public part to yoruself, so you can use it with your SSH client, for example Putty.

The 'admin' user on pfSense should have this part :

f6007dfb-5168-45c3-94ac-6a40cb5ad49d-image.png

and then you select (again : pfSense) :

7afdc234-f7df-4035-8ef6-381c4dc4708e-image.png

and from now on, your SSH client will be needing the exported cert to be able to connect to pfSense :

69e4ee4d-b341-4809-a487-237a2f376f0a-image.png

and I have to type in the password == passphrase of the cert, not the admin password.

Do this with pfSense, and any other device you can connect to over SSH - if possible.

edit : don't even bother grating other users access to pfSense with non admin accounts.
pfSense is a router, not some multi media file server.
I always recommend severely creating an ssh admin pfSense so you can have access, when needed.
Some will then never really use it afterwards.
Other - like me - use it several times a day. As I use the same connection with for example WinSCP, so I can explore the file system, and look at things like using Windows explorer. Don't ask me why ^^

If needed, block the SSH port TCP 22 to some known LAN IPs.
Lock your own devices, the ones you can use to connect to pfSense, with a DHCP MAC lease, so from now on they will always have the same IP.
Throws these IPs in a Alias.*Use this Alias to create a LAN firewall rule.
From now on, only these IPs can use the pfSense SSH port.

Read security nerds will use a dedicates admin LAN, and connect to this LAN with their device to access pfSense SSH.
Now lock your pfSense into a safe. Lock the safe. Done. Now you're close to what they use at Langley.

@milonic

Running processes, like syslog, don't keep their own time. The use a system call to get the exact time when needed.
That time, you can see it on the command line, just type

date

That is the "time stamp" syslog uses when it writes a log line.

The time is normally counted by a real time clock on the system motherboard. This chip, or the power (remember the famous BIOS RAM battery - it's the same ?)
Added to that, pfSense processes a ntp = a real time service, so even if the local real time facilities is bad or worse, the system will will get synced every minute or so so it compensates for the loss ( normally less then some nano seconds )

You have the ntp service activated, right ? By default, it is.
Just checking : Status > NTP :

3ac5ce55-f1a7-491f-b828-6768ee125630-image.png

The NTP is normally configured with host or pool name - I use

a9428efe-3b28-4b96-b6b7-8493eeaf70b3-image.png

and this host name points to a pool with mixed IPv4 and IPv6 IPs.
One is chosen, and the others are backups.

If you managed to find a pfBlockerng IP list that has these (time server) IPs on the list, and you use the list to block for outgoing connection, then yeah, you've aligned the nearly impossible :
Using a device with a bad real time clock - this happens more often nthen you thing, stuff just dies .... that's normal.
Adding extra software (pfBLockerng), and use it to block IP that you actually need : the time server your NTP has selected... now the system time will derail.

And yes, a good accurate time isn't that important for syslogging (that is, I would consider it a security issue), but becomes very important for simple DNS requests (DNSSEC)à ... or just TLS, also used by pfSense itself.

So : pfBlockerng : check your IP feeds you've chosen. You should always do this. Just think about it : what happens if you start to use that list that contains all the windows update IP's of Microsoft - and you use this list for blocking outbound connection ? Your PC will not receive any updates anymore, as it can't contact to 'Microsoft' anymore. That's ... dono, not great ?!
Or you got the list that contains all the IPs of the servers that contain the lists of all the other IP lists and DNSBL (yes, that has been done already) : pfBlocker can't download (update) the other lists anymore ... also great ...
So, to make a long story short, sorry to say, but do not trust anything that comes from the internet. Use it, and check it. If doubts, don't use it.

With pfBlockerng taken care of, your NTP server should now sync up your real time.

@Michal944
The IPv4 Tunnel Network has to be a usable IP with the mask, e.g. 10.0.12.15/24.
Also you have to specify the client sides LANs at "Remote Networks" in the CSO as well, aside from the server settings.

@johnpoz said in Firewall rules for Guests network on IPv6?:

You want a simple solution - don't give your guests an IPv6 address ;)

For a simple solution, look at my post of my guest WiFi rules.

You should be able to see it blocked in the Snort Alerts list. And you can then disable or suppress that signature to prevent it happening again. Remember to remove the remote server from the blocked hosts list as well.
https://docs.netgate.com/pfsense/en/latest/packages/snort/alerts.html

@droidus

Hello,

I have a similar problem with setting up a new wireguard "client".

Wireguard is running for a longer time with some clients connecting to home network. There are Androids and Linux Mint devices. All connect through a full tunnel.

I added a new Linux Mint device. As always, same config (besides the keys...). The client is able to connect to pfsense, connect to the internet via tunnel BUT can't connect to any services hosted in my home network.

Some important configs in my environment:

Wireguard config file for my Linux Mint clients:

[Interface] Address = 192.168.200.20/32 PrivateKey = 1234 DNS = 192.168.1.1 [Peer] PublicKey = 2222 PresharedKey = 3333 AllowedIPs = 0.0.0.0/0, ::/0 Endpoint = example.domain:51820 PersistentKeepalive = 15

-> DNS is my pfsense.

DNS Resolver is enabled. No other DNS connection (e.g. 8.8.8.8) are allowed.

Firewall logs show only connections to pfsense:53, to visited sites in the internet but no connections to local services in my home lan. I can't see any blocked packets of the attempt to connect
.
There are no states visible between any local service and the client.

I even restarted pfsense.

Any ideas what to check to fix this?