• Unable to use BCM57810 properly, need new drivers

    Hardware
    0 Votes
    25 Posts
    3k Views
    stephenw10S
    @Gradius said in Unable to use BCM57810 properly, need new drivers: https://redmine.pfsense.org/issues/16321 Mmm, that's the same patch that's in 2.8.1 though.
  • 25.07 unbound - pfblocker - python - syslog

    General pfSense Questions
    0 Votes
    56 Posts
    7k Views
    kmpK
    @stephenw10 I did not know about that. Thanks - implemented and it's working!
  • pfSense blocking all DNS

    Firewalling
    0 Votes
    12 Posts
    2k Views
    tinfoilmattT
    @DouggaDit said in pfSense blocking all DNS: The firewall is simply unstable. Integrated network aliases don't function. The firewall simply doesn't work. Rules to allow all on specific ports appear to be the only type of rule that work consistently. Attempting to narrow the 'allow' to specific ip addresses or networks fail. User defined and system defined interface-related aliases don't function. This forum is not a good use of my time. I assume the silence is simply bait to get people to switch to paid support. Safe to file this one under did-a-derp-and-kept-digging.
  • 0 Votes
    11 Posts
    2k Views
    digininja99D
    @SteveITS Thanks.
  • ATT Modem DNS Hijack on Failover

    Routing and Multi WAN
    1 Vote
    2 Posts
    4k Views
    B
    @daltonch Did you ever find a solution for this? I had the exact same thing happen to me. I removed ATT from my failover group and then disabled it, which fixed it, but I'm totally with you, I would think pfSense would be able to handle this... Thanks, B.
  • Printer losing its DHCP lease in 25.07.1

    DHCP and DNS
    0 Votes
    4 Posts
    1k Views
    GertjanG
    @terryzb said in Printer losing its DHCP lease in 25.07.1: printer because with DHCP it would fail back to link-local after 6 hours or so
    So around 3 hours from the initial printer power-up (== the initial 'BOOT' DHCP request). Start some time before, like 30 minutes or so, i.e. at initial lease + 150 minutes; you should be able to packet capture on the printer's MAC to see if pfSense actually receives a DHCP request from the printer.
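    The timing in the reply above follows from the DHCP renewal timers: with a 6 hour lease and no explicit T1/T2 options, the client should send its first renewal REQUEST at half the lease (3 hours). The following is an added example, not code from the thread or from pfSense, that parses DHCP packets, lists which client messages a given MAC actually sent, derives the expected renewal time from the ACK, and prints the tcpdump filter to capture just that client. All packets below are constructed for the example (the printer MAC and the xid are made up); real input would come from a pcap taken on the pfSense LAN interface.

```python
import struct

# Added example (not from the forum post): parse DHCP traffic from a client MAC
# and work out when its renewal should appear, using RFC 2131 timers.

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
OPT_LEASE, OPT_MSG_TYPE, OPT_T1, OPT_T2 = 51, 53, 58, 59


def build_dhcp(op, mac, options):
    """Build a minimal BOOTP/DHCP payload (op 1 = client request, 2 = server reply).
    Only used here to construct sample packets; real captures come from tcpdump
    or the pfSense packet capture page."""
    header = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, 0x2A2A2A2A, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    body = header + mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128 + DHCP_MAGIC
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return body + b"\xff"


def parse_dhcp(pkt):
    """Return op, client MAC (chaddr) and a {code: value} dict of DHCP options."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    op, hlen = pkt[0], pkt[2]
    mac = pkt[28:28 + hlen]
    options, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:          # END option
            break
        if code == 0:            # PAD option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "mac": mac, "options": options}


def message_type(parsed):
    return MSG_TYPES.get(parsed["options"].get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN")


def renewal_timers(parsed_ack):
    """(lease, T1, T2) in seconds from the ACK. If the server sent no option 58/59,
    RFC 2131 defaults apply: T1 = 0.5 * lease (first renewal), T2 = 0.875 * lease."""
    opts = parsed_ack["options"]
    lease = struct.unpack("!I", opts[OPT_LEASE])[0]
    t1 = struct.unpack("!I", opts[OPT_T1])[0] if OPT_T1 in opts else lease // 2
    t2 = struct.unpack("!I", opts[OPT_T2])[0] if OPT_T2 in opts else int(lease * 0.875)
    return lease, t1, t2


def client_messages(packets, mac):
    """Message types of every client-originated packet (op == 1) from one MAC."""
    out = []
    for pkt in packets:
        p = parse_dhcp(pkt)
        if p["op"] == 1 and p["mac"] == mac:
            out.append(message_type(p))
    return out


def capture_filter(mac):
    """tcpdump/BPF filter that keeps only this client's DHCP traffic."""
    return f"ether host {':'.join(f'{b:02x}' for b in mac)} and (udp port 67 or udp port 68)"


# Constructed sample exchange: a printer (made-up MAC) gets a 6 hour lease.
PRINTER_MAC = bytes.fromhex("001122334455")
OTHER_MAC = bytes.fromhex("665544332211")
SIX_HOURS = struct.pack("!I", 21600)
SAMPLE_PACKETS = [
    build_dhcp(1, PRINTER_MAC, [(OPT_MSG_TYPE, b"\x01")]),                        # DISCOVER
    build_dhcp(2, PRINTER_MAC, [(OPT_MSG_TYPE, b"\x02"), (OPT_LEASE, SIX_HOURS)]),  # OFFER
    build_dhcp(1, PRINTER_MAC, [(OPT_MSG_TYPE, b"\x03")]),                        # REQUEST
    build_dhcp(2, PRINTER_MAC, [(OPT_MSG_TYPE, b"\x05"), (OPT_LEASE, SIX_HOURS)]),  # ACK
    build_dhcp(1, OTHER_MAC, [(OPT_MSG_TYPE, b"\x01")]),                          # another host
]

if __name__ == "__main__":
    lease, t1, t2 = renewal_timers(parse_dhcp(SAMPLE_PACKETS[3]))
    print("printer sent:", client_messages(SAMPLE_PACKETS, PRINTER_MAC))
    print(f"lease {lease}s: expect a renewal REQUEST at ~{t1 // 60} min, rebind at ~{t2 // 60} min")
    print("capture with: tcpdump -ni <lan_if> '" + capture_filter(PRINTER_MAC) + "'")
```

    If the capture around T1 shows no REQUEST from the printer MAC at all, the client never tried to renew and the problem is on the printer side; if the REQUEST is there but no ACK follows, look at the pfSense DHCP server logs for that xid.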
  • How to tune FQ_CODEL for IPv6?

    Traffic Shaping
    0 Votes
    1 Post
    936 Views
    No one has replied
  • Confused about DNS forwarding and local domains

    DHCP and DNS
    0 Votes
    22 Posts
    7k Views
    keyserK
    @Jeremy11one said in Confused about DNS forwarding and local domains: Here's a 2018 Microsoft page I found with contrary advice: link. I'm interested in your opinion to see if there's something that article hasn't taken into consideration.
    While generally @johnpoz does have a point on the issues with leaky DNS when using public domains internally, it should be noted it only happens if mistakes are made in the internal DNS setup (e.g. transparent vs. static, search domains and such). There are a lot of arguments for using a public internal domain when it comes to user transparency/understanding and just generally making lives easier because of the "easy use" of short hostnames instead of FQDNs. Also, I highly disagree with the argument that a private domain internally makes things easier; it does not in the majority of management cases with large user bases. It will create a lot of double maintenance in DNS, proxies and firewall setups (reflection) if your user base is generally using web-based tools in their interaction with company resources that are a mix of internally and externally hosted servers. Much easier to maintain with a public internal domain, and no need for NAT reflection, which is a PITA. So both solutions work and each has its advantages. It's safe to assume MS made that recommendation from years of support and understanding what problems were caused by each model. Yes, a private domain is the "correct" technical solution, but ease of use and maintenance has a tendency to win ;-) It should be noted that as we increasingly move towards SaaS in cloud services, the public internal domain's advantage in maintenance does "diminish", as those require you to do double maintenance in DNS if they are named in the public domain.
  • "Tailscale is not online" problem

    Tailscale
    0 Votes
    45 Posts
    14k Views
    Y
    Well, I spent some time tonight playing around with this and I think I have it. Some suggestions for others:

    Generate the OAuth client in the Tailscale admin before anything else. Make sure to create the tag you'll need. One per pfSense instance (and clearly, one OAuth client per pfSense instance). Give the OAuth client the permissions you think appropriate.

    Very important: make sure that you can generate an API key with the OAuth creds. The OAuth creds are, apparently, used by the CLI to generate an API key. The latter is what does the trick in tailscale up. Do this from the pfSense console:

    curl -d "client_id=kY5Mv4h8kQ11CNTRL" -d "client_secret=tskey-client-kY5[invalidchars]CNTRL-ZXo2FfBbb[moreinvalidchars]GVT" "https://api.tailscale.com/api/v2/oauth/token"

    If you don't get back something like this, you'll never be able to get it to work:

    {"access_token":"tskey-api-kM[lotsofinvalidchars]NTRL-[stillmoreinvalidchars]9YevL","token_type":"Bearer","expires_in":3600,"scope":"all"}

    Here's what worked for me if the above returned an API token:

    /usr/local/bin/tailscale up --auth-key=tskey-client-[greekedout]GVT\?ephemeral=false\&preauthorized=true --accept-dns=false --accept-routes --advertise-exit-node --advertise-routes=192.168.211.0/24 --advertise-tags=tag:[yourtaghere]

    Make sure you have the cron package installed. Then add a @reboot entry using the full path (see above). I also added a cron entry every six hours, as if Tailscale is up, this command does not interrupt or reset any sessions.

    I've left some bytes of the creds in these examples to make it clearer where your full creds should go. The curl command requires the escape symbol (\) in the parameters that will be passed to the control plane.

    FWIW, I lost an hour or more because I had (God only knows why) set Tailscale on one pfSense instance to accept DNS. Do this and the router cannot resolve the control plane API endpoint. Dumb. And I own it.

    I don't know if this "fixes" everything. But it's a lot of work and it shouldn't be necessary. Somehow, this package, to be useful, needs to survive reboot without the need to go to these lengths.
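    The procedure in the post above has two places where people trip: not checking that the OAuth token endpoint actually returned a bearer token, and the shell escaping of the "?ephemeral=false&preauthorized=true" suffix on the auth key. The following is an added example, not code from the poster or from the pfSense Tailscale package, that validates the token response and builds the tailscale up command as an argv list (so no backslash escaping is needed when run from Python) and as a properly quoted cron line. The token strings, the tag name and the error-response shape are constructed placeholders; the binary path, flags and suffix are taken from the post.

```python
import json
import shlex
import subprocess

# Added example (not from the forum post or the Tailscale package): validate the
# OAuth token response and build 'tailscale up' without manual shell escaping.

TAILSCALE_BIN = "/usr/local/bin/tailscale"   # path used in the post


def parse_oauth_token_response(body):
    """Return the access token from the /api/v2/oauth/token reply, or raise.
    The post's rule: if this call does not hand back an access_token, nothing
    downstream will work, so fail loudly here rather than at 'tailscale up'."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"token endpoint returned non-JSON: {body[:80]!r}") from exc
    if not isinstance(data, dict):
        raise ValueError(f"unexpected token response: {data!r}")
    token = data.get("access_token")
    if not token or str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"no bearer access_token in response: {data}")
    return token


def token_or_none(body):
    """Convenience wrapper for scripts that just want a go/no-go answer."""
    try:
        return parse_oauth_token_response(body)
    except ValueError:
        return None


def tailscale_up_argv(oauth_secret, routes, tag, accept_dns=False, exit_node=True):
    """argv list for 'tailscale up' using an OAuth client secret as the auth key.
    '?ephemeral=false&preauthorized=true' is appended exactly as in the post; as an
    argv element it needs no backslash escaping. accept_dns defaults to False
    because the post notes that accepting DNS broke resolution of the control plane."""
    argv = [TAILSCALE_BIN, "up",
            f"--auth-key={oauth_secret}?ephemeral=false&preauthorized=true",
            f"--accept-dns={'true' if accept_dns else 'false'}",
            "--accept-routes",
            f"--advertise-routes={','.join(routes)}",
            f"--advertise-tags=tag:{tag}"]
    if exit_node:
        argv.append("--advertise-exit-node")
    return argv


def as_cron_line(argv, schedule="@reboot"):
    """Shell-quoted cron entry; shlex.join quotes the auth key so the shell
    never sees a bare '?' or '&'."""
    return f"{schedule} {shlex.join(argv)}"


def run_tailscale_up(argv):
    """Run the command on the firewall itself (not executed in this example)."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


# Constructed sample responses: shapes only, the token values are placeholders
# and the error body is an assumption, not Tailscale's documented format.
OK_RESPONSE = '{"access_token":"tskey-api-EXAMPLE","token_type":"Bearer","expires_in":3600,"scope":"all"}'
BAD_RESPONSE = '{"message":"invalid client credentials"}'

if __name__ == "__main__":
    print("token:", parse_oauth_token_response(OK_RESPONSE))
    argv = tailscale_up_argv("tskey-client-EXAMPLE", ["192.168.211.0/24"], "router")
    print(as_cron_line(argv))
```

    Pointing the @reboot entry at a small script that calls tailscale_up_argv and run_tailscale_up, rather than pasting the command into crontab, avoids the escaping question entirely and keeps the client secret out of the crontab line.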
  • 0 Votes
    16 Posts
    2k Views
    stephenw10S
    918MB is potentially not enough available space. You should remove some older BEs and retry. I would normally expect to see the 'not enough space' alert if it hits that though.
  • NetFlow data collector with ntopng

    Traffic Monitoring
    0 Votes
    2 Posts
    2k Views
    keyserK
    @Antibiotic No, it's not possible with ntopng as it is not a NetFlow collector. You need nProbe for that, which will "translate" received NetFlows into flows that ntopng understands and can visualize (with very, very little detail, might I add, as NetFlow has no additional information apart from sender/receiver and volume). The ntopng package, and the product in general, is more geared towards visualizing and recording traffic details from actual packet captures. This contains MUCH more metadata about the sessions than NetFlow (DNS names, protocol information and a myriad of other things). But pfSense Plus has a built-in NetFlow exporter if you have an external NetFlow collector on hand.
  • reCaptcha blocked?

    Firewalling
    0 Votes
    12 Posts
    2k Views
    G
    FYI, I had previously opened a ticket with the website administrators but had no reply... until today, after I started this chat. So... they just told me that they're already aware of the issue and it probably has to do with the reCAPTCHA quotas. This website is used by many people, so they will probably have to upgrade the plan. I'm sorry to have taken your time on this, and thank you for that.
  • 24.11 - KEA DHCP/DNS Logging customization?

    General pfSense Questions
    0 Votes
    14 Posts
    6k Views
    AmarandA
    @keyser Fantastic, thank you! Yeah, I ended up getting to the JSON settings before I saw your reply, and I had DEBUG instead of just INFO and the logs were going crazy! I think, with as active as my network is, and as chatty as the DHCP devices are, I'm going to ignore the web GUI and just tail the logs over SSH. That way I can grep and sed to my heart's content. I also set up log rotation using the built-in method, so that's good. Every once in a while I have these bursts of pfSense learning.
  • 0 Votes
    5 Posts
    1k Views
    S
    @Bob.Dig what's the right place?
  • How to change Kea DHCP log level

    DHCP and DNS (tags: kea, logging, verbosity, severity)
    0 Votes
    16 Posts
    3k Views
    stephenw10S
    Ooo, missed this. You are just adding that section to the custom Kea json config? Edit: Yup
  • IPv6 Link Local in Interface Status

    General pfSense Questions
    0 Votes
    2 Posts
    142 Views
    tinfoilmattT
    @azalea You can read more about the specific notation you're asking about, the zone index, in this Wikipedia subsection of the "IPv6 address" article.
  • 0 Votes
    2 Posts
    417 Views
    N
    This is what I observe in the system logs when this event occurs: it's not letting me post the logs here due to the anti-spam filter; you can see them in my post on Reddit, in the replies: https://www.reddit.com/r/PFSENSE/comments/1mrqwg3/wireguard_tunnel_disconnectreconnect_events_cause/
  • 0 Votes
    8 Posts
    2k Views
    D
    @SteveITS Tooltips say the following: green: Current Boot Environment; yellow: Boot Verification Failed; black: Upgrading Boot Environment.
  • No more access to my pfSense after upgrading to 2.8.0

    Deutsch
    0 Votes
    10 Posts
    3k Views
    M
    @Rico I think I've got it now: the system boots from the stick automatically, and over the serial connection I can start the installation as well (xterm was the tool of choice for the console, for me) and I'm guided through the installation. I hope I can then restore my backup too.
  • 0 Votes
    75 Posts
    6k Views
    WB3FFVW
    @malindsay You're welcome, and I would say stay back a version, or switch to Legacy BIOS mode; either works. Was going to give you a thumbs up, but apparently my reputation isn't good enough here yet... LOL. Trying to remember how many years I have been around this place, just not always active... -Howard