@derelict Many thanks, that's what I wanted to learn.

Now time to find a reseller with a good price in France ;)

@ronpfs The Master is running 2.5.1 and all the child boxes were running 2.4.5. I upgraded the child pfsense that's failing to the same version as the master, but I'm still getting the

/usr/local/www/pfblockerng/pfblockerng.php: New alert found: A communications error occurred while attempting to call XMLRPC method merge_installedpackages_section:

error when I force a reload on the master.

@NollipfSense now I added any to any.

alt text

I attempted to submit this as a bug on this issue but it was rejected blaming it on my configuration or my provider. the problem doesn't exist with release candidate 2.5.1.r.20210403.0300. As I stated no config changes were made. The configuration has worked for several years However with version 2.5.1 and later the packet loss issues appear. I roll back to the release candidate or older all works as before. I've installed from scratch & attempted multiple configuration changes with no success. Is there anyone using multiple OpenVpn clients in a similar failover fashion confirm that this problem stated above does or does not exist for them? When community forums aren't helpful and bug reports are rejected where does one turn? OPNSense?

Hello!

A cursory look through some of the code indicates that some voucher info is stored in the config during a graceful shutdown/reboot. Even that wont help with ram disks, or if there is a power loss.

Check on the requirements that forced you to move from 2.4.5 to 2.5.x and see if any of those can be worked around.

Try building a fresh 2.5.x without ram disks and see how it works.

Moving back to "no ram disks" after initially using them might work with a little scripting.

Using the current rc.backup* and rc.restore* scripts as a template for manually saving and restoring the /var/db data...

While ram disks are still on...
rc.backup_db

#!/bin/sh # : ${DBPATH:=/var/db} : ${CF_CONF_PATH:=/cf/conf} : ${RAM_Disk_Store:=${CF_CONF_PATH}/RAM_Disk_Store} # Save the logs database to the RAM disk store. if [ -d "${DBPATH}" ]; then echo -n "Saving DB to RAM disk store..."; [ -f "${RAM_Disk_Store}/db.tgz" ] && /bin/rm -f "${RAM_Disk_Store}/db.tgz" if [ ! -d "${RAM_Disk_Store}" ]; then mkdir -p "${RAM_Disk_Store}" fi /usr/bin/tar -czf "${RAM_Disk_Store}/db.tgz" -C / "${DBPATH#/}/" echo "done."; fi

Turn off ram disks, reboot, manually run...
rc.restore_db

#!/bin/sh # : ${CF_CONF_PATH:=/cf/conf} : ${RAM_Disk_Store:=${CF_CONF_PATH}/RAM_Disk_Store} /usr/bin/tar -xzf "${RAM_Disk_Store}/db.tgz" -C / 2>&1

Restart captive portal and see if it picks up your newly restored /var/db

The standard system rc.restore_ramdisk_store might even catch & restore the db.tgz you created if it runs when rams disks are off (???).

This is a highly experimental process with lots of unknowns. Use at your own risk.
Maybe someone with more/better knowledge of the startup/shutdown and ram disk operations could chime in.

John

I am also just a user who shares your pain, stuck on 2.5.1, any guesses will just be speculation at at this time.

@chamilton_ccn said in Pfsense 2.5 stacks at boot with dots:

Why, upon encountering an empty or bad file

.... this situation was probably not tested.

Why would the most important system file disappear ??
It's the one and only file you should backup regular - as with this file you can rebuild an entire pfSense system from scratch in a couple of minutes.
The absence of this will take down the same system - but faster ^^

@chamilton_ccn said in Pfsense 2.5 stacks at boot with dots:

or something other than printing an infinite string of dots to the console?

These dots are just what should be "low-bud" progress bar, as it could take some time to look over 'all' the saved config files. It could be the last one that is good.
Or the first.

edit : see below : I found out what it does when running ecl.php .....it's a lengthy, non-standard process. I never saw this file running.

@chamilton_ccn said in Pfsense 2.5 stacks at boot with dots:

That said, one of the most helpful steps in any troubleshooting scenario is the ability to reliably recreate the problem.

I totally agree.
But by just wiping (zeroing out) the config files you test the behaviour of what the system would do without a valid config file. That is : with the multiple config files - with non content.
It should load in default config (this one has no interface assigned), and wait for you at the console level so you can re init the entire system again.

I want to know a test that creates failing disk system .... or whatever is needed so that only empty files are created.

Btw : I just found ecl.php - it's in /etc/ and not in /etc/inc/
(wtf ...)

It stand for External ( external from to what ??? ) Config Loader ....
It scan other disks / partitions / slices / .... !!!!

It look like that it found something somewhere -dono what 'disks and partions' you have , and then the system tries to 'upgrade' it (every pfSense version has its own config 'level' version) and that process fails.
True, that's an issue.

What I would like to know is : why is the (your) main /cf/conf/config.xml fckd up ?
I never saw that before.

And I'm pretty sure that when you install a clean pfSense :

On another system Not changing any settings
that you can not create the problem.

I'll leave it up to you to draw the (a ?) conclusion ......

So, tell us :
Your - all - the device details.
Your - all - settings.

I know, this is silly - and hard to answer.
But where would I start to debug test this ? By nuking my own systems ..... no thanks.

Update: I increased the DNS cache size from 20k to 50k, and that seems to have resolved the long average recursion time dropped from 100+ seconds to less than 2 seconds. Number of DNS queries dropped from about 40k per min to less than 400 per min. I guess the too small cache size was the key root cause.

@timber988 said in Connect to PLC on different subnet (STAIC IP) than interface IP (DHCP):

Seems like I am missing the final piece.

Do you have "gateway" set on the PLC? This would be pfsense IP address on the plc_lan interface.

Its not possible for a device to answer something from a network other then its local network without a default gateway, or route telling it who to send the answer to that knows how to get back to that other than its local network address.

There is no rules needed on the plc_lan interface.. Rules to allow access from your lan to the plc_lan would be on the lan interface, and by default this is any any..

BTW - these are different dumb switches that are on your lan and your plc_lan right?? Connecting both lan and plc_lan interfaces into the same dumb switch is not a good idea!! Your not actually isolating anything if you do it that way.

I have added firewall rules

What rules - again the default any any rule on your lan would allow you to talk to any other network/vlan connected to pfsense. No extra rules would be needed.

@gertjan My issue is already resolved with whatever netgate did with 2.5.1. My DHCP leases screen works without issue now. I didn't have to change anything. Just updated and it started working again.

How slow? How did you test it?

Actual objective numbers required here.

Did you ever open a ticket with us about it?

Steve

Ich kann leider nicht, versuche das nächste mal wieder mit dabei zu sein.

@viktor_g

Yes, we have 3 x Netgate SG-3100. TBH I didn't realise the CPU was 32 bit, not 64.

I think I'll wait with an update as it doesn't cause any practical issues and only sends that alert. I was just wondering if it's directly related but seems like it's not.

Who's preconfigured system was that? I assume not from PCEngines directly.

You didn't have to install originally? That is UFS on mSATA?

Steve

After a discussion with support I decided my new upgrade procedure will be:

Download img for current install version (if I don't already have it). Download img for new release. Backup my config. Run the upgrade from the console. If it is successful -> done If it fails install the img from the new release with the retain config option. If the new img is successful but the config failed restore the config from backup. If the new img install fails do #6/7 using the old img.

Determining what is successful can be subjective or could take a while to realize. Fortunately our firewall configuration is somewhat static so we can run on a new release for a while and still roll back relatively easily.

For major releases (21.02) I'm leaning towards going directly to a img install on those.

Ha!

@stephenw10 Yes. This is handled by ngctl within the provided script and applied to the virtual interface. The only thing I added to my setup was the Shellcmd package in order to run the script at startup.

@johnpoz said in My Security Cams do not working:

Sorry if that maybe came off a bit harsh ;)

Not at all, everything is cool

@gertjan said in Most secure for WPA enterprise (FreeRadius):

** we're all dummies ..... otherwise we wouldn't be posting here ^^

Haha ;) dude that made me laugh.. Guess I will go away now ;) And you prob have little need to be here as well ;)

@openwifi I had tried that as well, and for me it didn't work. I then tried restarting the ntopng service, and once it restarted I was able to see the host's detail when I clicked on the IP or the three lines/hamburger icon.

@viktor_g said in Configuring High Availability CARP:

чтобы в случае отвала одного из ISP, pfSense направлял трафик через другой файрвол

Спасибо за ответ. Желание было не так резервировать канал\доступ в интернет, как подстраховаться от неисправности собственно pfSense, неважно "железного" или виртуализированного.

I set my Pace to forward everything to the psSense firewall, then normal firewall rules on pfSense to port forward to the inside. pfSense is in the DMZ with the outside address. I have not had any issues.

Finally, the problem was that this IP is from an NDS server (it is a DC) that is delivered by DHCP to Pfsense and it creates the route as local, although it is on the other side of the VPN tunnel.
We have configured the DNS of the manual Pfsense and we have not added that server and the problem has been fixed.

@netboy1990-0 said in Wireguard zurück als Paket:

Wisst ihr oder weiß man schon grob, wann die das für 2.5.x bauen wollen oder erhältlich machen?

Aktuell gilt dafür der Teil aus meinem letzten Post

@jegr said in Wireguard zurück als Paket:

Für 2.5.x wird das aktuell wohl (noch?) nicht gebaut. Wer es in 2.5.1+ nutzen möchte, kann sich aber vom Release Tree aus Chris' GitHub das Package installieren:
https://github.com/theonemcdonald/pfSense-pkg-WireGuard/releases

Ich habe auf Twitter und Co aber auch nachgehakt. Ich gehe aber nicht von naher Zukunft aus, daher entweder manuell installieren via GitHub Download oder warten. Grund ist u.a. auch:

Message from wireguard-kmod-0.0.20210502:
...
At this time this code is new, unvetted, possibly buggy, and should be
considered "experimental". It might contain security issues. We gladly
welcome your testing and bug reports, but do keep in mind that this code
is new, so some caution should be exercised at the moment for using it
in mission critical environments.

Der Wireguard Teil aus dem KernelMod Part ist immer noch "experimental". Nachdem man da mit dem zu schnellen Backport von WG in 2.5 ziemlich auf den Bauch gefallen ist, will man da IMHO keine Experimente mehr eingehen und das erst abwarten, bis Upstream den WG Code als Stable klassifiziert bevor man den Code auch in eine stable pfSense Version packt.

Was ich als Randbemerkung durchaus begrüße. :)

@ibbetsion not at the moment (on reddit there was an exchange between netgate and speedtest so their may be one in the future), you need to install it via cli and it will be gone after update. However during my last update the python version was also gone.

@bob-dig said in pfSense Usergroup #006 - 2021-05-07 - 17:00:

@jegr Was ist es denn geworden, Moderna, AstraZeneca oder BioNTech?

Comirnaty (BioNTech), was anderes ist aktuell für mein Bracket ja nicht zugelassen weil sie sich wegen AZ ja nicht einkriegen und Moderna ist noch nicht so viel im Zulauf. Mir wärs wurscht gewesen, aber wenn ich ggf. auch bei DRK und Co mal vor Ort helfen kann/soll, bin ich natürlich froh überhaupt mal rangekommen zu sein. Bei dem ganzen Sch... Chaos muss man da echt froh sein...

@nocling said in pfSense Usergroup #006 - 2021-05-07 - 17:00:

a dann gute Besserung.
Ich versuche mal pünktlich zu sein.

Ja hoffentlich nicht nur ihr ;) Würde mich über mehr Zulauf freuen ;)

@mitchell-0 High Availability on the interfaces should be enough justification for /29s on the interfaces.

Mal 2 Cent einwerfen in die Uhr hier:

@roline said in Anfängerfragen zur Konfiguration der UEFI-Installation Version 2.5.1:

Nur für mich zum Verständnis. Das heisst, ich kann den seriellen Anschluss gar nicht nutzen, da ich das falsche Grundimage hergenommen habe.

Nein aber das heißt dass deine Installation jetzt falsche Boot-, Kernel- und pfSense Settings hat und damit keinen Output via Serial rausgibt.

Man kann das umständlich umkonfigurieren oder du installierst die richtige Serial Version halt drüber, machst ein Config Recovery bei der Installation (also vorhandene Config suchen und gleich mit installieren) und dann hast du in ~15min eben eine korrekte Installation.

@roline said in Anfängerfragen zur Konfiguration der UEFI-Installation Version 2.5.1:

Das ist ein starkes Argument, aber ich bin davon ausgegangen das man das noch einstellen kann. Egal ob ich die Serielle oder die Video-Instalation nutze.

Siehe oben. 15min "Drüber-/Neuinstallieren" geht schneller.

@roline said in Anfängerfragen zur Konfiguration der UEFI-Installation Version 2.5.1:

Das müsstest du mir näher erklären.
Ich habe doch zwischen Fritzbox (192.168.15.1/29) und pfsense WAN (192.168.15.2/29) ein Transitnetz.
Dann zwischen pfSense LAN (192.168.8.1/24) geht es zu Switch 1 (192.168.30.1/24) und Endgeräten und zu Switch 2 (192.168.30.2/24).
pfSense Port 1 zu Switch 1 Port 1 und weiter zu Switch 2 Port 1.

Genau und du siehst selbst dass das ein einziges Chaos an verschiedenen 192.168er Netzen ist und du mit deinem Transfer Netz auch noch mittendrin im 192er bist und zwischen dem LAN der Sense und dem Switch dahinter. Unnötig umständlich und kompliziert.

Wenn man als Transfernetze bspw. 192.168er nimmt und diese nur als XFER hat oder bspw. vorne bei der FB nutzt und ansonsten alles andere HINTER der pfSense bspw. mit 172.23.x.0/24 bestückt, genügt auf der Fritte bspw. eine einzige Route: 172.23.0.0/16 auf 192.168.xy.2 (pfSense) Und dann kannst du dich hinter der pfSense oder mit Switchen oder mit anderen Konstrukten in 256 verschiedenen 172.23er Netzen austoben wie du lustig bist ohne einmal die Fritte anfassen zu müssen oder sonst wo in Kollisionen reinzukommen.

Netzplanung ist alles.

@roline said in Anfängerfragen zur Konfiguration der UEFI-Installation Version 2.5.1:

Die 10er Schritte habe ich mir so ausgedacht, da ich ja eh nur mein Zuhause habe und nichts vergrößere oder erweitern möchte.

🤣 🤣 🤣
Sei mir nicht böse, aber da musste ich lachen! 😃
JEDER hat das mal gesagt. Das reicht, da muss nichts mehr rein, da kommt nichts mehr dazu.
Spoiler: Es kommt immer was dazu. Und immer dann und so, dass es nicht passt oder man es nicht gebrauchen kann und sich dann hinterher verflucht, warum man es nicht so-und-so gemacht hat. Deshalb gilt der Merksatz wie bei Aufbau-Spielen oder Titeln wie Factorio oder Satisfactory:
Du denkst zu klein 😁

Lieber mit mehr Luft und Platz jetzt planen und später freuen, dass man doch noch Luft hat und seine Netze dann da platzieren kann und ordentlich aufbauen und nutzen kann 😄

@roline said in Anfängerfragen zur Konfiguration der UEFI-Installation Version 2.5.1:

Die 10er Schritte habe ich mir so ausgedacht, da ich ja eh nur mein Zuhause habe und nichts vergrößere oder erweitern möchte.

Deshalb oben der Vorschlag, sich das sauber mit einem einzelnen /16 Abschnitt zu planen und genug Luft zu lassen, dass man auch noch Dinge erweitern kann. Und das geht schnell. Einwahlnetz für OVPN, dann spielt man mit Wireguard, schwupp wieder 2 Netze verbraten. Dann hat man doch mal noch den Kumpel/Kollegen/Familie mit an irgendwas drangeflanscht, dann möchte man plötzlich ein paar Geräte/Rechner isoliert behandeln, etc. etc.
Sowas wächst immer :)

@viragomann said in Anfängerfragen zur Konfiguration der UEFI-Installation Version 2.5.1:

System > Advanced > Admin Access > Serial Terminal

Damit wird aber nur der Serial Port konfiguriert, der Bootvorgang und die Parametrierung von Bootloader und Kernel fehlen dann aber IMHO immer noch und damit siehst du während dem Booten nüscht von der Gurke 😉

Cheers
\jens

That indicates the system does not have an interface with a subnet covering that IP for the kernel add it to.
Usually it means the WAN has gone down and that IP is the WAN gateway.

Steve

@danilosv-03 entrando nesse topico ja que poucos ou ninguém responde uns que ja postei e vi que vc sempre tenta ajudar, me tira uma duvida, trabalho em uma empresa onde uso hoje o endian, mas estou migrando para o pfsense porem estou com um grande problema configurar para acesso por grupo, pois como você deve saber em ambientes corporativos alguns tem que acessar determinados sites que outros não podem, o problema é que eu não quero usar proxy autenticado pois da muito problemas com as ferramentas que hoje utilizamos para reuniões remotas como google meet entre outras, sem contar com as sincronizações com googledrive do pc dropbox , então se eu usar o proxy transparente nesses aplicativos funcionam perfeito, porém para bloqueios por grupo e liberações so terei a opção das acls no squid proxy serve usando black list e colocando os ips que não quero que sejam filtrados pela regra no Unrestricted IPs, vi que vc tem bom conhecimento na ferramenta , então você teria alguma dica para me ajudar , temos um cenario que usamos mais de 300 computadores em rede. com proxy autenticado eu ja conseguir fazer tudo porem como falei as plataformas de reuniões on-line não funcionam bem como tb googledrive dropbox entre outros , msm fazendo todo tipo de liberação que a ferramenta fornece.

Things changed.
As things do, over time.

www.cnn.com is using DNSSEC now.

See it for yourself :https://dnsviz.net/d/www.cnn.com/dnssec/

Although, not with issues, as there are warnings.

I tend to say : call them to have it fixed ?!

Hi! I setup pfSense 2.6 on my Hyper-V lab and was able to get setup a Wireguard tunnel with TorGuard. Looks promising! I did notice a little more cpu load then I expected when running speedtests but I was able to utilize my 100Mbit internet connection.

WGTUN Interface (opt1, tun_wg0) Status up IPv4 Address 10.13.XX.XX Subnet mask IPv4 255.255.255.0 Gateway IPv4 10.13.XX.XX MTU 1500 In/out packets 509239/443583 (536.63 MiB/360.12 MiB) In/out packets (pass) 509239/443583 (536.63 MiB/360.12 MiB) In/out packets (block) 0/0 (0 B/0 B) In/out errors 0/0 Collisions 0

wg01.png

@nogbadthebad
Cool, looks interesting. Thank you. I'll try.
Yes, the Google OTP is per user, so it looks like I'll have to create every user twice (not huge effort).

@kps1234

Per what connection?