Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

1 votes
1 answers
1873 views
pfsense mount root error after disk clone
I went the lazy route and cloned the SSD that runs my current pfsense (2.1.5) machine to create a backup machine with the same config, instead of doing a fresh reinstall and copying the config. Both machines have the exact same hardware and BIOS settings. Both SSDs I used, main and clone, are the same (size and brand). I used clonezilla to create the clone. During the boot of my "backup" machine I got the error:

    Trying to mount root from ufs:/dev/ad4s1a
    ROOT MOUNT ERROR

Following the `?`: (screenshot)

It's so weird that this happened as it was a 1:1 clone. Also /dev/ad4s1a exists. Anyone have any ideas how to:

1. Solve my current problem?
2. Avoid this during a clone?

Thanks
gelleby (51 rep)
May 23, 2016, 11:01 PM • Last activity: Aug 5, 2025, 10:07 PM
0 votes
0 answers
26 views
ISC Bind9 with DNS over TLS (DOT) fails when strict tls auth is enabled
I installed and set up the official Bind9 package to test DNS forward zones based on source IP/subnets, which unbound doesn't support. I properly set NAT forwards, changed listening ports on Bind9 and configured it for DNS over TLS (see below). All works properly and DNS requests are properly forwarded and use TLS until I uncomment the `remote-hostname` and/or `ca-file` options. Without them, as per the Bind9 doc, encryption is granted but not TLS authentication. If I enable those options to ensure strict TLS authentication, clients cannot resolve DNS entries and I get the below errors in the logs:

    Jul 29 00:50:29	named	92197	query-errors: debug 4: fetch completed for readaloud.googleapis.com.intranet/A in 0.056869: TLS peer certificate verification failed/success [domain:.,referral:0,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
    Jul 29 00:50:29	named	92197	query-errors: info: client @0x1414c4b10800 10.0.31.62#9512 (readaloud.googleapis.com.intranet): query failed (TLS peer certificate verification failed) for readaloud.googleapis.com.intranet/IN/A at query.c:7836

I tried different `ca-file` values, but with no success.

**My working Bind9 config (with remote-hostname commented):**

    tls cloudflare-tls {
    //    ca-file "/usr/local/share/certs/ca-root-nss.crt";
    //    ca-file "/usr/local/etc/ssl/cert.pem";
    //    ca-file "/usr/share/certs/trusted/IdenTrust_Commercial_Root_CA_1.pem";
    //    remote-hostname "one.one.one.one";
        prefer-server-ciphers yes;
    };

    options {
        forwarders {
            1.1.1.1 port 853 tls cloudflare-tls;
            1.0.0.1 port 853 tls cloudflare-tls;
            2606:4700:4700::1111 port 853 tls "cloudflare-tls";
            2606:4700:4700::1001 port 853 tls "cloudflare-tls";
        };
    };

* **Bind9 Docs:** [https://bind9.readthedocs.io/en/v9.18.14/reference.html#namedconf-statement-prefer-server-ciphers](https://bind9.readthedocs.io/en/v9.18.14/reference.html#namedconf-statement-prefer-server-ciphers)

> Strict TLS provides server authentication via a pre-configured hostname for outgoing connections. This mechanism offers both channel confidentiality and channel authentication (of the server). In order to achieve Strict TLS, one needs to use remote-hostname and, optionally, ca-file options in the tls statements used for establishing outgoing connections (e.g. the ones used to download zone from primaries via TLS). Providing any of the mentioned options will enable server authentication. If remote-hostname is provided but ca-file is missed, then the platform-specific certificate authority certificates are used for authentication. The set roughly corresponds to the one used by WEB-browsers to authenticate HTTPS hosts. On the other hand, if ca-file is provided but remote-hostname is missing, then the remote side's IP address is used instead.

Any help why enabling tls auth fails?
user2565854 (1 rep)
Jul 29, 2025, 08:05 AM • Last activity: Jul 29, 2025, 08:29 AM
1 votes
2 answers
5567 views
pfSense + Nginx proxy and Real user IP
Ok, so I have 1 server with pfSense and many virtual servers. I'm using Nginx upstream functionality to run multiple web servers on the same public IP. Of course I need to know the REAL users' IP, not the Nginx proxy's, which is 192.168.2.2, but after switching to pfSense (recently I had a simple consumer router) the web servers can't see the real users' IP. I have tried to change various settings in System / Advanced / Firewall & NAT like:

- NAT Reflection mode for port forwards
- Enable automatic outbound NAT for Reflection

Also in Firewall / NAT / Outbound I tried every mode; nothing helped, still every user has the IP of my proxy server. So how to disable masquerading, or how to pass the real client IP?

**Update**

Ok, so it seems the problem is with subdomains, not domains. Situation now:

- If a client goes to domain.com - everything is fine, the backend server can see the real client IP
- If a client goes to subdomain.domain.com - the backend server sees the proxy server IP

All domains' A records point to the external IP, then pfSense forwards port 80 to the proxy, then the proxy, depending on the domain, forwards to the corresponding internal server. I have 2 physical servers, 1 - pfSense router and another with VirtualBox running many VMs, in this example 4 VMs (screenshot). Another interesting thing: when I try to reach the troublesome subdomain.domain1.com from inside the local network I get this: (screenshot). Again, no problems with domain1.com and domain2.com and so on...
RomkaLTU (111 rep)
Aug 26, 2016, 05:10 PM • Last activity: Jun 20, 2025, 11:01 AM
2 votes
1 answers
2433 views
Can't connect to OpenVPN server (pfsense)
I have some problems connecting to an OpenVPN server with pfSense. For my tests I have 2 network interfaces both on my pfSense OpenVPN server and on my Windows 10 OpenVPN client.

On my pfSense I have 1 network interface on WAN configured with DHCP:

- WAN 192.168.0.28/24
- LAN interface static 192.168.10.10/24

On my Windows 10 client:

- WAN DHCP 192.168.0.30/24
- LAN interface static 192.168.10.15/24

The first time I tried to use UDP but I had "tls key negotiation failed to occur within 60 seconds tls handshake failed", so I tried to connect with TCP but I got this error: (screenshot)

My OpenVPN configuration is:

- Server mode: Remote Access (SSL/TLS + User Auth)
- Backend for authentication: Local Database
- Protocol: TCP
- Device mode: tun
- Interface: WAN
- Local port: 1194
- Description: VPN
- TLS authentication: Enable authentication of TLS packets
- Key: ...
- Peer Certificate Authority: OpenVPN CA
- Server certificate: ServerCertificate (Server: Yes, CA: OpenVPN CA, In Use)
- DH Parameter length: 2048
- Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
- Auth digest algorithm: SHA1 (160-bit)
- Hardware Crypto: No Hardware Crypto Acceleration
- Certificate Depth: One (Client+Server)
- IPv4 Tunnel Network: 192.168.15.0/24
- IPv4 Local network: 192.168.10.0/24
- Concurrent connections: 5
- Compression: No Preference
- Dynamic IP: Allow connected client to retain their connections if their IP address changes
- Address Pool: Provide a virtual adapter IP address to clients
- DNS Server enable: Provide a DNS server list to clients
- DNS Server 1: 8.8.8.8
- Force DNS cache update: Run "net stop dnscache" ...

My client configuration is:

    client
    dev tun
    proto tcp
    remote 192.168.0.28 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca OpenVPN+CA.crt
    cert UserCertificate.crt
    key UserCertificate.key
    cipher AES-256-CBC
    verb 5

I created the certificate authority and the server/user certificate (screenshots). Then I had some firewall and NAT rules (screenshots). I checked the firewall on pfSense; it seems like port 1194 is open (screenshot). The firewall on my Windows client is down too. Thanks in advance!

EDIT 20:42: I searched for logs on the server and client. I feel like I don't get any logs on the server after the failing login; I just get logs when I start/restart the service. These are my logs on the server:

    Apr 7 18:34:54 openvpn 13595 OpenVPN 2.3.14 i386-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017
    Apr 7 18:34:54 openvpn 13595 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
    Apr 7 18:34:54 openvpn 13883 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Apr 7 18:34:54 openvpn 13883 Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Apr 7 18:34:54 openvpn 13883 TUN/TAP device ovpns1 exists previously, keep at program end
    Apr 7 18:34:54 openvpn 13883 TUN/TAP device /dev/tun1 opened
    Apr 7 18:34:54 openvpn 13883 ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
    Apr 7 18:34:54 openvpn 13883 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Apr 7 18:34:54 openvpn 13883 /sbin/ifconfig ovpns1 192.168.15.1 192.168.15.2 mtu 1500 netmask 255.255.255.0 up
    Apr 7 18:34:54 openvpn 13883 /usr/local/sbin/ovpn-linkup ovpns1 1500 1559 192.168.15.1 255.255.255.0 init
    Apr 7 18:34:54 openvpn 13883 Listening for incoming TCP connection on [AF_INET]192.168.0.25:1194
    Apr 7 18:34:54 openvpn 13883 TCPv4_SERVER link local (bound): [AF_INET]192.168.0.25:1194
    Apr 7 18:34:54 openvpn 13883 TCPv4_SERVER link remote: [undef]
    Apr 7 18:34:54 openvpn 13883 Initialization Sequence Completed

Logs on the client:

    Sat Apr 07 20:31:33 2018 OpenVPN 2.4.5 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 1 2018
    Sat Apr 07 20:31:33 2018 Windows version 6.2 (Windows 8 or greater) 64bit
    Sat Apr 07 20:31:33 2018 library versions: OpenSSL 1.1.0f 25 May 2017, LZO 2.10
    Enter Management Password:
    Sat Apr 07 20:31:33 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Sat Apr 07 20:31:33 2018 Need hold release from management interface, waiting...
    Sat Apr 07 20:31:33 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'state on'
    Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'log all on'
    Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'echo all on'
    Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'bytecount 5'
    Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'hold off'
    Sat Apr 07 20:31:33 2018 MANAGEMENT: CMD 'hold release'
    Sat Apr 07 20:31:33 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Sat Apr 07 20:31:33 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.28:1194
    Sat Apr 07 20:31:33 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Sat Apr 07 20:31:33 2018 Attempting to establish TCP connection with [AF_INET]192.168.0.28:1194 [nonblock]
    Sat Apr 07 20:31:33 2018 MANAGEMENT: >STATE:1523125893,TCP_CONNECT,,,,,,
    Sat Apr 07 20:33:34 2018 TCP: connect to [AF_INET]192.168.0.28:1194 failed: Unknown error
    Sat Apr 07 20:33:34 2018 SIGUSR1[connection failed(soft),init_instance] received, process restarting
    Sat Apr 07 20:33:34 2018 MANAGEMENT: >STATE:1523126014,RECONNECTING,init_instance,,,,,
    Sat Apr 07 20:33:34 2018 Restart pause, 5 second(s)
    Sat Apr 07 20:33:39 2018 SIGTERM[hard,init_instance] received, process exiting
    Sat Apr 07 20:33:39 2018 MANAGEMENT: >STATE:1523126019,EXITING,init_instance,,,,,
Maxime.c (21 rep)
Apr 7, 2018, 03:58 PM • Last activity: May 2, 2025, 04:05 AM
5 votes
1 answers
3874 views
Increasing disk size on FreeBSD 11.2 (pfSense | ESXi)
I tried to use this link to solve my problem but to no avail: https://unix.stackexchange.com/questions/117023/expanding-the-disk-size-on-pfsense-under-vmware-esxi . I'm using pfSense and I wish to increase the disk drive from 11 GB to 200 GB. Steps followed:

1. View the initial partition sizes:

        # gpart show
        =>       63  419430337  da0  MBR  (200G)
                 63          1       - free -  (512B)
                 64  419430336    1  freebsd  [active]  (200G)

        =>        0  419430336  da0s1  BSD  (200G)
                  0   23068672      1  freebsd-ufs  (11G)
           23068672    1257472      2  freebsd-ufs  (614M)
           24326144  395104192         - free -  (188G)

2. Resize da0:

        # gpart resize -i 1 da0
        da0s1 resized

3. View the new partition sizes:

        # gpart show da0
        =>       63  419430337  da0  MBR  (200G)
                 63          1       - free -  (512B)
                 64  419430336    1  freebsd  [active]  (200G)

4. Tried to edit the size value on the `c:` line and got the error message below:

        # bsdlabel -e /dev/da0s1
        bsdlabel: cannot open provider /dev/da0s1 for writing label: Operation not permitted
        bsdlabel: Try to use gpart(8).
        re-edit the label? [y]:

Please advise. I also want to increase the swap to 20 GB.
Contractor (51 rep)
Nov 29, 2019, 10:38 PM • Last activity: Jan 23, 2025, 11:04 PM
0 votes
2 answers
1678 views
for loop in FreeBSD (pfSense) doesn't work
I've just noticed that the same code for a `for` loop in bash doesn't work in FreeBSD:

    wolf@linux:~$ echo $SHELL
    /bin/bash
    wolf@linux:~$
    wolf@linux:~$ for i in {1..3}; do echo $i; done
    1
    2
    3
    wolf@linux:~$

Is there any alternative for this?

    [2.5.0-RELEASE][admin@pfSense]/root: echo $SHELL
    /etc/rc.initial
    [2.5.0-RELEASE][admin@pfSense]/root:
    [2.5.0-RELEASE][admin@pfSense]/root: for i in {1..3}; do echo $i; done
    for: Command not found.
    i: Undefined variable.
    [2.5.0-RELEASE][admin@pfSense]/root:
Wolf (1741 rep)
Mar 7, 2021, 12:11 PM • Last activity: Oct 17, 2024, 05:05 AM
0 votes
0 answers
92 views
pfSense routing issues
I've got a routing issue on my pfSense box that shows the response to a ping request being routed to an IP in a separate subnet/VLAN.

    10:25:13.239238 IP 10.2.0.2 > 8.8.8.8: ICMP echo request, id 9374, seq 15401, length 9
    10:25:13.369458 IP 8.8.8.8 > 192.168.20.21: ICMP echo reply, id 9374, seq 15401, length 9

I've recently added a WireGuard VPN to the box, and assigned it an interface (VPN). The internet gateway is set to send a health check to 8.8.8.8; it's reporting down based on 100% packet loss caused by this routing issue. I also believe that I am seeing:

- the response come through the WAN interface and not the VPN interface
- the packet doesn't appear to have the reply-to flag (can't find anywhere to set this from the IG)
- the WireGuard tunnel remains active throughout
- the VPN provider is ProtonVPN

I can't explain why this would happen, and have checked:

- NAT rules
- UPnP
- Firewall rules
- Interface

Why would a ping response not return to its point of origin?
PowerMan2015 (103 rep)
Jul 18, 2024, 02:36 PM
0 votes
0 answers
46 views
How to Allow all NATed traffic from iptables firewall via pfsense (gateway)
I have an iptables firewall (machine 1) and a CentOS 7 based gateway (machine 2), which has 2 interfaces: (machine-2:int-1) to the WAN [/30] and (machine-2:int-2) on the LAN [/28], one of the static IPs provided by the ISP. Now this setup is working fine: machine-1's LAN subnets are doing iptables-based NATing, and the gateway of machine-1's LAN-subnet interface is machine-2's int-2. All routes for the NATed IPs have the iptables firewall set as their gateway.

    LAN
       ^
       |
       |
    FIREWALL (NAT) --> Other int's *-- IPTABLES
       ^
       |
       |
    GATEWAY (no NAT) *-- PFSense
       ^
       |
       |
      WAN (ISP)

Now I would like to replace the CentOS based gateway with pfSense. As soon as I replaced the gateway machine with pfSense, NATed addresses are not passing through. I tweaked the NAT outbound rules and disabled them. Still I could not make this happen. I need to make rules and routing in pfSense that allow all the traffic from LAN to WAN as is (no NATing, since the iptables firewall is taking care of it). Please suggest.
Ratna Kumar (11 rep)
Apr 23, 2024, 05:28 AM
2 votes
1 answers
681 views
pfSense (FreeBSD 14.0) - Prometheus Node Exporter gives log errors - fix or suppress in log
On pfSense, I've enabled Prometheus Node Exporter, but it gives the following log errors every 15 seconds:

    Feb 15 09:53:57 vault node_exporter: ts=2024-02-15T08:53:57.164Z caller=collector.go:169 level=error msg="collector failed" name=uname duration_seconds=1.9687e-05 err="cannot allocate memory"
    Feb 15 09:53:57 vault node_exporter: ts=2024-02-15T08:53:57.164Z caller=collector.go:169 level=error msg="collector failed" name=zfs duration_seconds=1.6108e-05 err="couldn't get sysctl: no such file or directory"

These are my Node Exporter settings: (screenshot)

I'm not sure which collector gives the errors (on second thought, it seems to be some collectors that are not enabled, but still trying to collect). In any case, if I need it I might not be able to disable it, so another option would be to suppress the error messages in the log. I've tried:

- Setting `--log.level=none`, but this is apparently not a valid log level
- Creating a `01-node-exporter.conf` file to suppress the messages, like this:

        if $msg contains "collector failed" then { stop }

  and putting it inside `/var/etc/syslog.d/`. But this doesn't seem to suppress the messages either (this is working for me on Ubuntu).
- I also tried [this advice](https://www.rsyslog.com/discarding-unwanted-messages/), and instead put this into the `01-node-exporter.conf` file, but to no avail:

        :msg, contains, "collector failed" ~

In addition, I've found the node_exporter config file, which is located at `/usr/local/etc/rc.conf.d`. This file contains:

    # This file is generated by the pfSense node_exporter package.
    # Do not edit this file, it will be overwritten automatically.
    node_exporter_enable="YES"
    node_exporter_listen_address="10.10.1.1:9100"
    node_exporter_args=" --collector.boottime --collector.cpu --collector.exec --collector.filesystem --collector.loadavg --collector.meminfo --collector.netdev --collector.textfile --collector.time --log.level=error"

I'm inclined to think the erroneous log messages are a bug in Node Exporter for FreeBSD (because the collectors uname and zfs don't even seem to be enabled), so the short term solution would be to suppress the log messages.
Artur Meinild (792 rep)
Feb 15, 2024, 09:01 AM • Last activity: Feb 23, 2024, 05:20 PM
1 votes
0 answers
33 views
pfSense (FreeBSD) - tail -f not showing entire log when filtering with cut or sed
I have a strange problem when trying to display logs on pfSense (and I can reproduce the same problem on Ubuntu server also). The problem is this (with examples): I'm trying to display a running `dhcp` log with `tail -f`. This works without problem when I just use it, like this:

    $ tail -n 48 -f /var/log/dhcpd.log
    Feb 4 10:43:01 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d05817400] DHCP4_LEASE_ALLOC [hwtype=1 dc:e5:5b:91:28:97], cid=[01:dc:e5:5b:91:28:97], tid=0x2cbc27bf: lease 10.10.1.62 has been allocated for 7200 seconds
    Feb 4 10:51:54 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05812000] DHCPSRV_MEMFILE_LFC_START starting Lease File Cleanup
    Feb 4 10:51:54 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05812000] DHCPSRV_MEMFILE_LFC_EXECUTE executing Lease File Cleanup using: /usr/local/sbin/kea-lfc -4 -x /var/lib/kea/dhcp4.leases.2 -i /var/lib/kea/dhcp4.leases.1 -o /var/lib/kea/dhcp4.leases.output -f /var/lib/kea/dhcp4.leases.completed -p /var/lib/kea/dhcp4.leases.pid -c ignored-path
    Feb 4 10:59:03 vault dhclient: DHCPREQUEST on igc2 to 147.78.28.48 port 67
    Feb 4 10:59:03 vault dhclient: DHCPACK from 147.78.28.48
    Feb 4 10:59:03 vault dhclient: RENEW
    Feb 4 10:59:03 vault dhclient: Creating resolv.conf
    Feb 4 10:59:04 vault dhclient: bound to XX.XX.XX.XX -- renewal in 1800 seconds.
    Feb 4 11:00:53 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d058d0000] EVAL_RESULT Expression pool_lan_0 evaluated to 1
    Feb 4 11:00:53 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d058d0000] EVAL_RESULT Expression pool_opt4_0 evaluated to 1
    Feb 4 11:00:53 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d058d0000] EVAL_RESULT Expression pool_opt5_0 evaluated to 1
    Feb 4 11:00:53 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d058d0000] DHCP4_LEASE_ALLOC [hwtype=1 dc:a6:32:9a:15:72], cid=[ff:92:39:3b:55:00:02:00:00:ab:11:ac:47:9e:3e:13:09:39:5f], tid=0x656556fb: lease 10.10.2.4 has been allocated for 7200 seconds
    Feb 4 11:03:43 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d058d0000] EVAL_RESULT Expression pool_lan_0 evaluated to 1
    Feb 4 11:03:43 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d058d0000] EVAL_RESULT Expression pool_opt4_0 evaluated to 1
    Feb 4 11:03:43 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d058d0000] EVAL_RESULT Expression pool_opt5_0 evaluated to 1
    Feb 4 11:03:43 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d058d0000] DHCP4_LEASE_ALLOC [hwtype=1 04:d4:c4:76:16:b5], cid=[01:04:d4:c4:76:16:b5], tid=0x18d711b8: lease 10.10.2.22 has been allocated for 7200 seconds
    Feb 4 11:06:14 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d058d0000] EVAL_RESULT Expression pool_lan_0 evaluated to 1
    Feb 4 11:06:14 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d058d0000] EVAL_RESULT Expression pool_opt4_0 evaluated to 1
    Feb 4 11:06:14 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d058d0000] EVAL_RESULT Expression pool_opt5_0 evaluated to 1
    Feb 4 11:06:14 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d058d0000] DHCP4_LEASE_ALLOC [hwtype=1 3c:ec:ef:06:a1:c1], cid=[01:3c:ec:ef:06:a1:c1], tid=0x26a022f: lease 10.10.2.1 has been allocated for 7200 seconds
    Feb 4 11:29:04 vault dhclient: DHCPREQUEST on igc2 to 147.78.28.48 port 67
    Feb 4 11:29:04 vault dhclient: DHCPACK from 147.78.28.48
    Feb 4 11:29:04 vault dhclient: RENEW
    Feb 4 11:29:04 vault dhclient: Creating resolv.conf
    Feb 4 11:29:04 vault dhclient: bound to XX.XX.XX.XX -- renewal in 1800 seconds.
    Feb 4 11:43:01 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05818900] EVAL_RESULT Expression pool_lan_0 evaluated to 1
    Feb 4 11:43:01 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05818900] EVAL_RESULT Expression pool_opt4_0 evaluated to 1
    Feb 4 11:43:01 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05818900] EVAL_RESULT Expression pool_opt5_0 evaluated to 1
    Feb 4 11:43:01 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d05818900] DHCP4_LEASE_ALLOC [hwtype=1 dc:e5:5b:91:28:97], cid=[01:dc:e5:5b:91:28:97], tid=0xac0108b7: lease 10.10.1.62 has been allocated for 7200 seconds
    Feb 4 11:51:54 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05812000] DHCPSRV_MEMFILE_LFC_START starting Lease File Cleanup
    Feb 4 11:51:54 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05812000] DHCPSRV_MEMFILE_LFC_EXECUTE executing Lease File Cleanup using: /usr/local/sbin/kea-lfc -4 -x /var/lib/kea/dhcp4.leases.2 -i /var/lib/kea/dhcp4.leases.1 -o /var/lib/kea/dhcp4.leases.output -f /var/lib/kea/dhcp4.leases.completed -p /var/lib/kea/dhcp4.leases.pid -c ignored-path
    Feb 4 11:59:04 vault dhclient: DHCPREQUEST on igc2 to 147.78.28.48 port 67
    Feb 4 11:59:04 vault dhclient: DHCPACK from 147.78.28.48
    Feb 4 11:59:04 vault dhclient: RENEW
    Feb 4 11:59:04 vault dhclient: Creating resolv.conf
    Feb 4 11:59:04 vault dhclient: bound to XX.XX.XX.XX -- renewal in 1800 seconds.
    Feb 4 12:00:53 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05817400] EVAL_RESULT Expression pool_lan_0 evaluated to 1
    Feb 4 12:00:53 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05817400] EVAL_RESULT Expression pool_opt4_0 evaluated to 1
    Feb 4 12:00:53 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05817400] EVAL_RESULT Expression pool_opt5_0 evaluated to 1
    Feb 4 12:00:53 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d05817400] DHCP4_LEASE_ALLOC [hwtype=1 dc:a6:32:9a:15:72], cid=[ff:92:39:3b:55:00:02:00:00:ab:11:ac:47:9e:3e:13:09:39:5f], tid=0x656556fb: lease 10.10.2.4 has been allocated for 7200 seconds
    Feb 4 12:03:44 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05817400] EVAL_RESULT Expression pool_lan_0 evaluated to 1
    Feb 4 12:03:44 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05817400] EVAL_RESULT Expression pool_opt4_0 evaluated to 1
    Feb 4 12:03:44 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05817400] EVAL_RESULT Expression pool_opt5_0 evaluated to 1
    Feb 4 12:03:44 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d05817400] DHCP4_LEASE_ALLOC [hwtype=1 04:d4:c4:76:16:b5], cid=[01:04:d4:c4:76:16:b5], tid=0x6ba6e88e: lease 10.10.2.22 has been allocated for 7200 seconds
    Feb 4 12:06:14 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05817400] EVAL_RESULT Expression pool_lan_0 evaluated to 1
    Feb 4 12:06:14 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05817400] EVAL_RESULT Expression pool_opt4_0 evaluated to 1
    Feb 4 12:06:14 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05817400] EVAL_RESULT Expression pool_opt5_0 evaluated to 1
    Feb 4 12:06:14 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d05817400] DHCP4_LEASE_ALLOC [hwtype=1 3c:ec:ef:06:a1:c1], cid=[01:3c:ec:ef:06:a1:c1], tid=0x26a022f: lease 10.10.2.1 has been allocated for 7200 seconds

I'll then filter the results with `grep`, which still works as expected:

    $ tail -n 48 -f /var/log/dhcpd.log | grep -v 'Expression pool'
    Feb 4 10:43:01 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d05817400] DHCP4_LEASE_ALLOC [hwtype=1 dc:e5:5b:91:28:97], cid=[01:dc:e5:5b:91:28:97], tid=0x2cbc27bf: lease 10.10.1.62 has been allocated for 7200 seconds
    Feb 4 10:51:54 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05812000] DHCPSRV_MEMFILE_LFC_START starting Lease File Cleanup
    Feb 4 10:51:54 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05812000] DHCPSRV_MEMFILE_LFC_EXECUTE executing Lease File Cleanup using: /usr/local/sbin/kea-lfc -4 -x /var/lib/kea/dhcp4.leases.2 -i /var/lib/kea/dhcp4.leases.1 -o /var/lib/kea/dhcp4.leases.output -f /var/lib/kea/dhcp4.leases.completed -p /var/lib/kea/dhcp4.leases.pid -c ignored-path
    Feb 4 10:59:03 vault dhclient: DHCPREQUEST on igc2 to 147.78.28.48 port 67
    Feb 4 10:59:03 vault dhclient: DHCPACK from 147.78.28.48
    Feb 4 10:59:03 vault dhclient: RENEW
    Feb 4 10:59:03 vault dhclient: Creating resolv.conf
    Feb 4 10:59:04 vault dhclient: bound to XX.XX.XX.XX -- renewal in 1800 seconds.
    Feb 4 11:00:53 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d058d0000] DHCP4_LEASE_ALLOC [hwtype=1 dc:a6:32:9a:15:72], cid=[ff:92:39:3b:55:00:02:00:00:ab:11:ac:47:9e:3e:13:09:39:5f], tid=0x656556fb: lease 10.10.2.4 has been allocated for 7200 seconds
    Feb 4 11:03:43 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d058d0000] DHCP4_LEASE_ALLOC [hwtype=1 04:d4:c4:76:16:b5], cid=[01:04:d4:c4:76:16:b5], tid=0x18d711b8: lease 10.10.2.22 has been allocated for 7200 seconds
    Feb 4 11:06:14 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d058d0000] DHCP4_LEASE_ALLOC [hwtype=1 3c:ec:ef:06:a1:c1], cid=[01:3c:ec:ef:06:a1:c1], tid=0x26a022f: lease 10.10.2.1 has been allocated for 7200 seconds
    Feb 4 11:29:04 vault dhclient: DHCPREQUEST on igc2 to 147.78.28.48 port 67
    Feb 4 11:29:04 vault dhclient: DHCPACK from 147.78.28.48
    Feb 4 11:29:04 vault dhclient: RENEW
    Feb 4 11:29:04 vault dhclient: Creating resolv.conf
    Feb 4 11:29:04 vault dhclient: bound to XX.XX.XX.XX -- renewal in 1800 seconds.
    Feb 4 11:43:01 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d05818900] DHCP4_LEASE_ALLOC [hwtype=1 dc:e5:5b:91:28:97], cid=[01:dc:e5:5b:91:28:97], tid=0xac0108b7: lease 10.10.1.62 has been allocated for 7200 seconds
    Feb 4 11:51:54 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05812000] DHCPSRV_MEMFILE_LFC_START starting Lease File Cleanup
    Feb 4 11:51:54 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05812000] DHCPSRV_MEMFILE_LFC_EXECUTE executing Lease File Cleanup using: /usr/local/sbin/kea-lfc -4 -x /var/lib/kea/dhcp4.leases.2 -i /var/lib/kea/dhcp4.leases.1 -o /var/lib/kea/dhcp4.leases.output -f /var/lib/kea/dhcp4.leases.completed -p /var/lib/kea/dhcp4.leases.pid -c ignored-path
    Feb 4 11:59:04 vault dhclient: DHCPREQUEST on igc2 to 147.78.28.48 port 67
    Feb 4 11:59:04 vault dhclient: DHCPACK from 147.78.28.48
    Feb 4 11:59:04 vault dhclient: RENEW
    Feb 4 11:59:04 vault dhclient: Creating resolv.conf
    Feb 4 11:59:04 vault dhclient: bound to XX.XX.XX.XX -- renewal in 1800 seconds.
    Feb 4 12:00:53 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d05817400] DHCP4_LEASE_ALLOC [hwtype=1 dc:a6:32:9a:15:72], cid=[ff:92:39:3b:55:00:02:00:00:ab:11:ac:47:9e:3e:13:09:39:5f], tid=0x656556fb: lease 10.10.2.4 has been allocated for 7200 seconds
    Feb 4 12:03:44 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d05817400] DHCP4_LEASE_ALLOC [hwtype=1 04:d4:c4:76:16:b5], cid=[01:04:d4:c4:76:16:b5], tid=0x6ba6e88e: lease 10.10.2.22 has been allocated for 7200 seconds
    Feb 4 12:06:14 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d05817400] DHCP4_LEASE_ALLOC [hwtype=1 3c:ec:ef:06:a1:c1], cid=[01:3c:ec:ef:06:a1:c1], tid=0x26a022f: lease 10.10.2.1 has been allocated for 7200 seconds

Finally, I want to cut the column width with `cut` (or make string manipulation with `sed`), but then the problems begin. As you can see from the output, this results in the latest line of the log not being included.

    $ tail -n 48 -f /var/log/dhcpd.log | grep -v 'Expression pool' | cut -c -223
    Feb 4 10:43:01 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d05817400] DHCP4_LEASE_ALLOC [hwtype=1 dc:e5:5b:91:28:97], cid=[01:dc:e5:5b:91:28:97], tid=0x2cbc27bf: lease 10.10.1.62 has been allocated for 7200 second
    Feb 4 10:51:54 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05812000] DHCPSRV_MEMFILE_LFC_START starting Lease File Cleanup
    Feb 4 10:51:54 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05812000] DHCPSRV_MEMFILE_LFC_EXECUTE executing Lease File Cleanup using: /usr/local/sbin/kea-lfc -4 -x /var/lib/kea/dhcp4.leases.2 -i /var/lib/kea/dhcp
    Feb 4 10:59:03 vault dhclient: DHCPREQUEST on igc2 to 147.78.28.48 port 67
    Feb 4 10:59:03 vault dhclient: DHCPACK from 147.78.28.48
    Feb 4 10:59:03 vault dhclient: RENEW
    Feb 4 10:59:03 vault dhclient: Creating resolv.conf
    Feb 4 10:59:04 vault dhclient: bound to XX.XX.XX.XX -- renewal in 1800 seconds.
    Feb 4 11:00:53 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d058d0000] DHCP4_LEASE_ALLOC [hwtype=1 dc:a6:32:9a:15:72], cid=[ff:92:39:3b:55:00:02:00:00:ab:11:ac:47:9e:3e:13:09:39:5f], tid=0x656556fb: lease 10.10.2.4
    Feb 4 11:03:43 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d058d0000] DHCP4_LEASE_ALLOC [hwtype=1 04:d4:c4:76:16:b5], cid=[01:04:d4:c4:76:16:b5], tid=0x18d711b8: lease 10.10.2.22 has been allocated for 7200 second
    Feb 4 11:06:14 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d058d0000] DHCP4_LEASE_ALLOC [hwtype=1 3c:ec:ef:06:a1:c1], cid=[01:3c:ec:ef:06:a1:c1], tid=0x26a022f: lease 10.10.2.1 has been allocated for 7200 seconds
    Feb 4 11:29:04 vault dhclient: DHCPREQUEST on igc2 to 147.78.28.48 port 67
    Feb 4 11:29:04 vault dhclient: DHCPACK from 147.78.28.48
    Feb 4 11:29:04 vault dhclient: RENEW
    Feb 4 11:29:04 vault dhclient: Creating resolv.conf
    Feb 4 11:29:04 vault dhclient: bound to XX.XX.XX.XX -- renewal in 1800 seconds.
    Feb 4 11:43:01 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d05818900] DHCP4_LEASE_ALLOC [hwtype=1 dc:e5:5b:91:28:97], cid=[01:dc:e5:5b:91:28:97], tid=0xac0108b7: lease 10.10.1.62 has been allocated for 7200 second
    Feb 4 11:51:54 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05812000] DHCPSRV_MEMFILE_LFC_START starting Lease File Cleanup
    Feb 4 11:51:54 vault kea-dhcp4: INFO [kea-dhcp4.dhcpsrv.0x313d05812000] DHCPSRV_MEMFILE_LFC_EXECUTE executing Lease File Cleanup using: /usr/local/sbin/kea-lfc -4 -x /var/lib/kea/dhcp4.leases.2 -i /var/lib/kea/dhcp

As you can see, the timestamps with `cut` stop at 11:51:54, while the latest entry is in fact 12:06:14. This is completely reproducible, but it differs how much of the log tail is not included. Also, this is both tested on pfSense and Ubuntu, with `cut` and `sed`, and I get the same behavior of the entire log tail not getting included most of the time. Can anyone explain what's happening here? And any suggestions for a working method to do this? I would like to follow the log tail, while at the same time being able to filter the output with `cut` and/or `sed`, and be sure that the latest lines are always included.
Artur Meinild (792 rep)
Feb 4, 2024, 11:21 AM • Last activity: Feb 4, 2024, 11:32 AM
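An added example, not part of the question above, that reproduces the symptom and shows the working form of the pipeline. grep, sed and cut write through stdio: to a terminal they flush after every line, but into a pipe they switch to block buffering of a few KiB. `tail -f` never closes the pipe, so the newest log lines wait inside the next filter's buffer until enough further output arrives to push them out; which lines are missing therefore depends on how much text happens to be in the buffer, which is why the cut-off point moves between runs. The fix is to make every stage that writes into a pipe flush per line: `grep --line-buffered`, `sed -u` (GNU) or `sed -l` (BSD), and `stdbuf -oL` in front of `cut`, which has no switch of its own. The script assumes GNU grep/coreutils or the FreeBSD base utilities (both have `grep --line-buffered` and `stdbuf(1)`); the log lines in it are constructed.

```shell
#!/bin/sh
# Added example, not part of the question. grep, sed and cut write through stdio:
# to a terminal they flush after every line, into a pipe they block-buffer a few
# KiB. tail -f never closes the pipe, so the newest log lines wait inside the
# filter's buffer until enough further output arrives to push them out.
# Assumes GNU grep/coreutils or the FreeBSD base utilities (grep --line-buffered
# and stdbuf(1) exist in both). The log lines below are constructed.

SAMPLE_LOG='Feb  4 11:43:01 vault kea-dhcp4: INFO [kea-dhcp4.leases.0x313d05818900] DHCP4_LEASE_ALLOC [hwtype=1 dc:e5:5b:91:28:97], cid=[01:dc:e5:5b:91:28:97], tid=0xac0108b7: lease 10.10.1.62 has been allocated for 7200 seconds
Feb  4 11:51:54 vault kea-dhcp4: DEBUG [kea-dhcp4.hooks] Expression pool entry evaluated
Feb  4 11:59:04 vault dhclient: DHCPREQUEST on igc2 to 147.78.28.48 port 67'

# filter_log WIDTH: drop "Expression pool" lines, keep the first WIDTH columns.
# On a finite input this is fine even without line buffering: the filters
# flush at EOF. The lag only shows with tail -f, which never sends EOF.
filter_log() {
  grep -v 'Expression pool' | cut -c "-$1"
}

# follow_log FILE WIDTH: the question's pipeline with every pipe-writing stage
# told to flush per line. grep has its own switch; cut has none, so stdbuf -oL
# sets its stdout to line buffering (GNU sed takes -u, BSD sed -l).
follow_log() {
  tail -n 48 -f "$1" | grep --line-buffered -v 'Expression pool' | stdbuf -oL cut -c "-$2"
}

# producer: a slowly growing log, one line now and one two seconds later.
producer() {
  printf 'first line\n'
  sleep 2
  printf 'second line\n'
}

# first_line_delay MODE: whole seconds from start until the first line reaches
# the consumer. MODE=block is the question's pipeline: "first" sits in cut's
# buffer until producer exits and EOF makes cut flush (about 2). MODE=line is
# the fixed pipeline: the line arrives as soon as it is written (about 0).
first_line_delay() {
  start=$(date +%s)
  if [ "$1" = line ]; then
    producer | grep --line-buffered -v 'nothing' | stdbuf -oL cut -c -5 \
      | { IFS= read -r first; echo $(( $(date +%s) - start )); cat >/dev/null; }
  else
    producer | grep -v 'nothing' | cut -c -5 \
      | { IFS= read -r first; echo $(( $(date +%s) - start )); cat >/dev/null; }
  fi
}
```

`follow_log /var/log/dhcpd.log 223` is the command from the question with the flushes added. `first_line_delay block` versus `first_line_delay line` (about 2 versus 0) is the smallest reproduction of the symptom: the same line, the same filters, only the buffering mode differs.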
1 votes
1 answers
109 views
Would a Netgate 1100 with pfSense Plus Software support SquidGuard?
Would a Netgate 1100 with pfSense Plus Software support SquidGuard? I'd like to be able to do web filtering using that software / hardware combination. P.S. Apologies if I have posted this in an incorrect StackExchange, if so please move the question to the appropriate StackExchange.
leeand00 (4927 rep)
Sep 28, 2021, 01:46 AM • Last activity: Jan 21, 2024, 07:47 AM
0 votes
1 answers
2519 views
What are the meaning of keys in OVPN file?
I have an ovpn file which allows me to connect to a remote server successfully from the desktop OpenVPN GUI. Now I want to copy the content of this file to the OpenVPN client of pfSense. The problem is that the fields do not correspond 1:1. I have the following in the OVPN file:
BEGIN PRIVATE KEY ...
BEGIN CERTIFICATE ...
BEGIN CERTIFICATE
BEGIN OpenVPN Static Key V1
What are these fields?
Dims (3425 rep)
Mar 6, 2022, 09:48 PM • Last activity: Nov 4, 2023, 07:02 PM
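An added example, not from the question or its answers, that takes an inline .ovpn profile apart so the four PEM blocks can be pasted into the places pfSense keeps them separately: the `<ca>` block (BEGIN CERTIFICATE) is the CA that issued the server and client certificates and goes to the Certificate Manager's CAs tab; `<cert>` (the second BEGIN CERTIFICATE) is this client's own certificate and `<key>` (BEGIN PRIVATE KEY) its private key, imported together as one certificate entry; `<tls-auth>` (BEGIN OpenVPN Static Key V1) is the TLS key on the OpenVPN client page, used for tls-auth (or for tls-crypt if the profile has a `<tls-crypt>` block instead). The profile in the script is constructed, with placeholder PEM bodies rather than real keys.

```shell
#!/bin/sh
# Added example, not from the question. An .ovpn file with inline key material
# carries four PEM blocks, and pfSense wants them in four different places:
#   <ca>        BEGIN CERTIFICATE            CA that issued the server and client certs
#   <cert>      BEGIN CERTIFICATE            this client's certificate
#   <key>       BEGIN PRIVATE KEY            the private key belonging to that certificate
#   <tls-auth>  BEGIN OpenVPN Static Key V1  the TLS key (tls-auth, or tls-crypt if tagged so)
# The functions cut the blocks out so they can be pasted one by one.
# The profile below is constructed; the PEM bodies are placeholders, not real keys.

OVPN_SAMPLE='client
dev tun
remote vpn.example.net 1194 udp
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder CA certificate...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIB...placeholder client certificate...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIE...placeholder client private key...
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static Key V1-----
0123456789abcdef0123456789abcdef
-----END OpenVPN Static Key V1-----
</tls-auth>'

# ovpn_block TAG: print the lines between <TAG> and </TAG> from the profile on stdin.
ovpn_block() {
  awk -v tag="$1" '
    $0 == "</" tag ">" { inblock = 0 }
    inblock            { print }
    $0 == "<" tag ">"  { inblock = 1 }
  '
}

# pem_label: print the label of the first PEM block on stdin, e.g. "PRIVATE KEY".
pem_label() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1
}

# key_direction: print the profile's key-direction value. pfSense must use the
# tls-auth key with the same direction, otherwise the HMAC check on incoming
# packets fails and the handshake never completes.
key_direction() {
  awk '$1 == "key-direction" { print $2; exit }'
}

# ovpn_inventory: one "tag<TAB>label" line per inline block present in the profile.
ovpn_inventory() {
  profile=$(cat)
  for tag in ca cert key tls-auth tls-crypt; do
    label=$(printf '%s\n' "$profile" | ovpn_block "$tag" | pem_label)
    if [ -n "$label" ]; then
      printf '%s\t%s\n' "$tag" "$label"
    fi
  done
}
```

`ovpn_inventory < client.ovpn` lists what the profile contains; `ovpn_block key < client.ovpn` prints one block ready to paste. Keep the `key-direction` value in mind for the TLS key: the client side must use the opposite direction of the server, and the profile already has the right value for this client.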
0 votes
0 answers
78 views
Need help with Wireguard allowedip/pre/post settings
I started playing with wireguard on a pfsense router to try to see if I could overcome a CG Nat on a hotspot I want to use when visiting my mother a couple hours from home. I stay in an RV when up there and have a couple of options for internet (cellular and local wifi) that I now connect to using Wifi offloading on a new Netgear Nighthawk hotspot. I would like to have the ability to access my home and work networks when I'm in the RV, but would also find it very useful to be able to access the computer(s) I have set up in the RV any time I leave it on-site. (if I can find a reliable way through the CG Nat, I'm considering putting a solar-powered system running year round to monitor the RV via the hotspot/cellular connection to play with IoT type devices, remote camera, etc) I was initially going to try routing all of this through home, but I also have a small website set up on the amazon cloud on an ubuntu based EC2 and figure that will make for a better, 'always on' routing hub. I can post my existing configs if necessary, but they are bare-bones at the moment. The things I am confused the most about is what I enter on each side for 'AllowedIps' and what I do for Pre/Post rules. Most of the examples use some kind of dns masq or snat configuration, but I would prefer something akin to bridging with routing rules. My goal would be to have any pc connected to associated subnets to see the others as specified in the 'access to' entries for each. Any assistance is greatly appreciated! 
SW wireguard subnet: 10.10.90.0/24
amazon ec2 running ubuntu: (primary routing hub in cloud)
  wireguard ip: 10.10.90.1
  public ip: 11.11.11.11 (obfuscated - not the real ip)
  private ip: 172.31.18.77
  would like to access: 10.10.20.0/24 and 10.3.141.0/24
home network: (comcast/xfinity cable w/public ip)
  wireguard ip: 10.10.90.2
  home subnet outer nat: 10.10.10.0/24 (tp-link router on 10.10.10.1)
  home subnet inner nat: 10.10.20.0/24 (pfsense firewall on 10.10.10.254)
  would like to access: 172.31.18.77/32 (aws server), 10.3.141.0/24 (remote rv inner nat) and 192.168.0.0/23 (work)
remote RV network: (AT&T hotspot behind cgnat)
  wireguard ip: 10.10.90.3
  remote subnet outer nat: 192.168.10.0/24 (Netgear Nighthawk on 192.168.10.1)
  remote subnet inner nat: 10.3.141.0 (RaspAp wlan 10.3.141.1 via USB tether 192.168.10.4)
  would like to access: 172.31.18.77/32 (aws server), 10.10.20.0/24 (home inner nat) and 192.168.0.0/23 (work)
work network: (pfsense on xfinity fiber)
  wireguard ip: 10.10.90.4
  subnet: 192.168.0.0/23
  would only need limited access to home ips: (optional if possible but not a priority seeing 'out')
    10.10.20.35 port 22 TCP (ssh)
    10.10.20.39 port 22 TCP (ssh) and 3389 TCP (rdp)
    10.10.20.45 port 80 TCP (octopi web interface)
    10.10.20.1 (or 10.10.10.254) port 443 TCP (pfsense web interface)
    10.10.10.1 port 443 TCP (tp-link management)
optional/additional:
cellphone: (AT&T Galaxy Note 10)
  wireguard ip: 10.10.90.5
  would like to access: 172.31.18.77/32 (aws server), 10.3.141.0/24 (remote rv inner nat), 10.10.20.0/24 (home inner nat) and 192.168.0.0/23 (work)
Scott (151 rep)
Sep 18, 2023, 07:37 PM
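An added example, not the poster's configuration: a wg-quick config for the Ubuntu hub assembled from the addresses listed in the question (keys are placeholders, and the iptables chain name WG_FWD is my choice). Two points drive it. `AllowedIPs` is not a list of what a peer may talk to. On the hub it is the routing table (a destination in a peer's `AllowedIPs` is sent to that peer) and at the same time the ingress source filter (a packet arriving from a peer whose source address is outside that peer's `AllowedIPs` is dropped), so each spoke's entry lists exactly its own tunnel address plus the networks behind it, and nothing can be spoofed through the tunnel from another site. And because the hub only forwards between tunnel peers, no masquerade is needed: `PostUp` just enables forwarding and holds the one restriction the question asks for (the work network reaches only the listed home hosts and ports), with `PostDown` undoing exactly that.

```ini
# /etc/wireguard/wg0.conf on the EC2 hub (10.10.90.1). Added example assembled from
# the addresses in the post, not the poster's own config; keys are placeholders and
# the chain name WG_FWD is mine.
[Interface]
Address = 10.10.90.1/24
ListenPort = 51820
PrivateKey = HUB_PRIVATE_KEY_PLACEHOLDER
# Route between the spokes; no masquerade, so every site keeps its real addresses.
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -N WG_FWD
PostUp = iptables -A FORWARD -i %i -o %i -j WG_FWD
PostUp = iptables -A WG_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Work (192.168.0.0/23) may open only the listed home services; anything else from work is dropped.
PostUp = iptables -A WG_FWD -s 192.168.0.0/23 -d 10.10.20.35 -p tcp --dport 22 -j ACCEPT
PostUp = iptables -A WG_FWD -s 192.168.0.0/23 -d 10.10.20.39 -p tcp -m multiport --dports 22,3389 -j ACCEPT
PostUp = iptables -A WG_FWD -s 192.168.0.0/23 -d 10.10.20.45 -p tcp --dport 80 -j ACCEPT
PostUp = iptables -A WG_FWD -s 192.168.0.0/23 -d 10.10.20.1 -p tcp --dport 443 -j ACCEPT
PostUp = iptables -A WG_FWD -s 192.168.0.0/23 -d 10.10.10.254 -p tcp --dport 443 -j ACCEPT
PostUp = iptables -A WG_FWD -s 192.168.0.0/23 -d 10.10.10.1 -p tcp --dport 443 -j ACCEPT
PostUp = iptables -A WG_FWD -s 192.168.0.0/23 -j DROP
# Home, RV and phone talk to each other and to work without restriction.
PostUp = iptables -A WG_FWD -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o %i -j WG_FWD
PostDown = iptables -F WG_FWD
PostDown = iptables -X WG_FWD

# Home pfSense. AllowedIPs = its tunnel address plus the networks behind it; the hub
# routes those destinations here and drops anything from this peer with another source.
[Peer]
PublicKey = HOME_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.10.90.2/32, 10.10.20.0/24, 10.10.10.0/24

# RV RaspAp behind the CGNAT hotspot. No Endpoint here: it has to dial the hub.
[Peer]
PublicKey = RV_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.10.90.3/32, 10.3.141.0/24

# Work pfSense.
[Peer]
PublicKey = WORK_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.10.90.4/32, 192.168.0.0/23

# Phone: a single host, so only its tunnel address.
[Peer]
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.10.90.5/32
```

On each spoke there is a single `[Peer]` for the hub with `Endpoint = 11.11.11.11:51820`, `PersistentKeepalive = 25` (needed behind the CGNAT hotspot so the UDP mapping stays open and the hub can send back through it), and `AllowedIPs = 10.10.90.0/24, 172.31.18.77/32` plus every remote subnet that spoke should reach; wg-quick installs routes for those, while pfSense's WireGuard package does not derive routes from Allowed IPs on its own, so there the remote subnets are routed through the assigned tunnel interface and filtered on its firewall tab. The EC2 security group must admit UDP 51820 inbound. LAN hosts behind RaspAp or pfSense only see the other sites if that box is their default gateway or they have a static route for the remote subnets.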
0 votes
0 answers
115 views
How is it possible that NAT doesn't back translate packets?
I have the following topology (diagram not reproduced) and from myhost I can ping router2 but can't ping router1. With tcpdump I can observe how my pings go and I see that both router1 and router2 reply. But only replies from router2 are appearing in re2. I.e. NAT back translation doesn't work. Any other traffic also doesn't return. Is it possible to diagnose the situation, maybe with the ipfw command? Is it possible to see firewall logs in real time and discover if it blocks the traffic?
# Details
## Experiment 1
myhost> ping router1
pfSense> tcpdump -n -i re1 icmp
pfSense> tcpdump -n -i re2 icmp
## Experiment 2
myhost> ping router2
pfSense> tcpdump -n -i re3 icmp
pfSense> tcpdump -n -i re2 icmp
***
# Update 2
I have 3 ISPs: behind re0, re1 and re3. The ISPs behind re1 and re3 use their own modems (router1 and router2 on the diagram) and the ISP behind re0 is plain twisted pair. re2 is LAN.
Routing table
> netstat -nr -f inet
default 192.168.100.1 UGS re3
link#1 UHS re0
link#1 UHS re0
.0/23 link#1 U re0
.151 link#7 UHS lo0
127.0.0.1 link#7 UH lo0
192.168.0.0/24 link#2 U re1
192.168.0.2 link#7 UHS lo0
192.168.10.0/24 link#3 U re2
192.168.10.1 link#7 UHS lo0
192.168.17.0/24 link#11 U ovpns1
192.168.17.1 link#7 UHS lo0
192.168.18.0/24 link#12 U ovpns2
192.168.18.1 link#7 UHS lo0
192.168.19.0/24 link#13 U ovpns3
192.168.19.1 link#7 UHS lo0
192.168.27.0/24 link#14 U ovpns4
192.168.27.1 link#7 UHS lo0
192.168.29.0/24 link#15 U ovpns5
192.168.29.1 link#7 UHS lo0
192.168.100.0/24 link#4 U re3
192.168.100.2 link#7 UHS lo0
Dims (3425 rep)
Aug 28, 2023, 11:31 PM • Last activity: Aug 30, 2023, 08:13 AM
1 votes
1 answers
2402 views
UEFI HTTP Boot clarity?
I'm interested in learning more about UEFI HTTPBoot and setting it up for my LAN as a netboot option, but the details are notably sparse. The best docs I've found are [Suse Docs](https://documentation.suse.com/sles/15-SP2/html/SLES-all/cha-deployment-prep-uefi-httpboot.html) for configuring an HTTP Boot server, but it's lacking some information I'm wondering about. I use PFSense as my DHCP/DNS server. According to [this blog](https://mrguitar.net/?p=2393) , the option for HTTP boot in PFSense became available in 2.6, which is a pretty recent release. According to the blog post, PFSense must be configured with a specialty option to get this to work: vendor-class-identifier "HTTPClient" with a "Number" of 60. There's very little information about the boot process or requirements of the Network Boot Program (NBP), or the process to prep the payload for netboot. I have several questions:
* Can any linux distro that supports UEFI (and has a *.efi file) be pointed to for HTTP Boot?
* What is the process to prep the NBP? Extract a given distro's ISO contents to any HTTP static server and point to the *.efi file in the URL?
* It seems once the EFI file is loaded, a bootloader is initiated? Will any bootloader work, or does it need to be something that specifically supports HTTPBoot? How is the bootloader configured such that the *.efi or some other process understands to launch that specific bootloader?
* Is the root file system specified as just the path relative to the host in the URI file?
* Once I have a bootloader configured, if I wanted to have several different available distros, do I just need to configure them accordingly in the bootloader config, and I can just pick one of the *.efi files to launch it?
* What is the vendor-class-identifier option, and the "Number" associated with it?
eriknelson (113 rep)
Jul 18, 2023, 02:03 PM • Last activity: Jul 18, 2023, 10:27 PM
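An added example, not from the question or its answers, of what the "Number 60" option is: DHCP option 60 is the vendor class identifier. A firmware doing HTTP Boot sends it set to `HTTPClient` (followed by an architecture suffix), and it will only act on an offer that echoes option 60 with the same value and carries the NBP as a URL in the filename field, where a PXE client would get a TFTP path. In ISC dhcpd terms, which is what the pfSense DHCP server of that release runs underneath, the configuration the linked post describes (custom option number 60, text `HTTPClient`, next to a boot filename that is a URL) is equivalent to this fragment; host name and path here are assumptions.

```conf
# ISC dhcpd fragment for UEFI HTTP Boot; added example, not from the post.
# Host name and path are assumptions.
#
# The firmware sends option 60 (vendor-class-identifier) = "HTTPClient..." in its
# DISCOVER. The server must echo option 60 as "HTTPClient", otherwise the firmware
# ignores the offer, and must hand the NBP over as a URL in the filename field.
class "httpclients" {
  match if substring (option vendor-class-identifier, 0, 10) = "HTTPClient";
  option vendor-class-identifier "HTTPClient";
  filename "http://boot.lan.example/EFI/BOOT/bootx64.efi";
}
```

Two caveats a practitioner wants here. Plain HTTP gives the transfer no integrity on the wire; with Secure Boot enabled the firmware still checks the signature of the fetched `.efi` before running it, so a signed shim or bootloader is the line of defence, and an unsigned distro `.efi` will be refused. An `https://` URL is also allowed by the UEFI HTTP Boot specification, but only works if the firmware has been given the CA certificate of the server through its own TLS certificate store.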
1 votes
1 answers
1300 views
IPSec tunnel works until rekeying, then gets NO_PROPOSAL_CHOSEN
## Context
I have set up a site-to-site IPSec tunnel between a Raspberry Pi located in an office and a pfSense firewall in the cloud. I am using Strongswan for the Raspberry Pi side.
## Issue
My tunnel establishes and works fine for a while, but when it has to rekey itself, the negotiation fails. Is there something obvious I am missing?
### Logs (Raspberry side)
#### Initial connection
raspberrypi charon: 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
raspberrypi charon: 09[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
raspberrypi charon: 09[IKE] CHILD_SA net-net{1} established with SPIs c3eaa3c7_i c944ab71_o and TS RASPI_NET/24 === PFSENSE_NET/16
raspberrypi charon: 09[IKE] CHILD_SA net-net{1} established with SPIs c3eaa3c7_i c944ab71_o and TS RASPI_NET/24 === PFSENSE_NET/16
#### Rekeying (that's where it goes wrong)
raspberrypi charon: 11[NET] received packet: from PFSENSE_IP to RASPI_LOCAL_IP (80 bytes)
raspberrypi charon: 11[ENC] parsed INFORMATIONAL request 153 [ D ]
raspberrypi charon: 11[IKE] received DELETE for ESP CHILD_SA with SPI ce632e5b
raspberrypi charon: 11[IKE] closing CHILD_SA net-net{1} with SPIs ccc38dd0_i (94042284 bytes) ce632e5b_o (5169556 bytes) and TS RASPI_NET/24 === PFSENSE_NET/16
raspberrypi charon: 11[IKE] closing CHILD_SA net-net{1} with SPIs ccc38dd0_i (94042284 bytes) ce632e5b_o (5169556 bytes) and TS RASPI_NET/24 === PFSENSE_NET/16
raspberrypi charon: 11[IKE] sending DELETE for ESP CHILD_SA with SPI ccc38dd0
raspberrypi charon: 11[IKE] CHILD_SA closed
raspberrypi charon: 11[ENC] generating INFORMATIONAL response 153 [ D ]
raspberrypi charon: 11[NET] sending packet: from RASPI_LOCAL_IP to PFSENSE_IP (80 bytes)
raspberrypi charon: 12[NET] received packet: from PFSENSE_IP to RASPI_LOCAL_IP (80 bytes)
raspberrypi charon: 12[ENC] parsed INFORMATIONAL request 154 [ ]
raspberrypi charon: 12[ENC] generating INFORMATIONAL response 154 [ ]
raspberrypi charon: 12[NET] sending packet: from RASPI_LOCAL_IP to PFSENSE_IP (80 bytes)
raspberrypi charon: 06[NET] received packet: from PFSENSE_IP to RASPI_LOCAL_IP (640 bytes)
raspberrypi charon: 06[ENC] parsed CREATE_CHILD_SA request 155 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
raspberrypi charon: 06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
raspberrypi charon: 06[CFG] received proposals: ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_12_256/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_8_256/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
raspberrypi charon: 06[CFG] configured proposals: ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
raspberrypi charon: 06[IKE] no acceptable proposal found
raspberrypi charon: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
raspberrypi charon: 06[ENC] generating CREATE_CHILD_SA response 155 [ N(NO_PROP) ]
raspberrypi charon: 06[NET] sending packet: from RASPI_LOCAL_IP to PFSENSE_IP (80 bytes)
raspberrypi charon: 01[JOB] CHILD_SA ESP/0xccc38dd0/RASPI_LOCAL_IP not found for rekey
raspberrypi charon: 08[JOB] CHILD_SA ESP/0xccc38dd0/RASPI_LOCAL_IP not found for rekey
## What I have tried to do
If I SSH to the Raspberry and run ipsec restart, the tunnel establishes again and works fine until the next rekeying. I am having trouble understanding why the proposals do not match on rekeying if they do for the initial connection. Furthermore, I did ask for different algorithms inside of my swanctl configuration file. I tried changing the configuration on both sides, but it seems that the issue is always located on the side of the Raspberry (by the way, the pfSense is responder-only).
## Configuration files
### /etc/swanctl/conf.d/myfile.conf
connections {
  gw-gw {
    local_addrs = RASPI_LAN_IP
    remote_addrs = PFSENSE_IP
    local {
      auth = psk
      id = RASPI_PUBLIC_IP
    }
    remote {
      auth = psk
      id = PFSENSE_IP
    }
    children {
      net-net {
        local_ts = RASPI_NET/24
        remote_ts = PFSENSE_NET/16
        start_action = start
        dpd_action = restart
      }
    }
    version = 2
    dpd_delay = 60
    mobike = no
    proposals = aes128-sha256-modp2048,default
  }
}

secrets {
  ike-1 {
    id-1 = RASPI_PUBLIC_IP
    id-2 = PFSENSE_IP
    secret = "MYPSK"
  }
}
### pfSense
#### Phase 1
[screenshot: phase 1]
#### Phase 2
[screenshot: phase 2]
The Coding Penguin (352 rep)
Jun 28, 2023, 03:32 PM • Last activity: Jun 29, 2023, 08:39 AM
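An added example, not the poster's file: the swanctl configuration with the one line that makes the two proposal sets match at rekey time. The log explains the asymmetry. When the tunnel comes up, the CHILD_SA is negotiated inside IKE_AUTH, where no Diffie-Hellman exchange takes place, so strongSwan ignores DH groups in the ESP proposals and a missing group goes unnoticed (the selected proposal above, `AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ`, has none). A rekey is a CREATE_CHILD_SA exchange, which does carry a DH exchange when PFS is on: every proposal pfSense sends in request 155 ends in `MODP_2048`, the group pfSense produces for a Phase 2 PFS key group of 14, while the Pi's configured ESP proposals (the strongSwan defaults, since the child has no `esp_proposals`) carry no group at all, so nothing matches and the SA is never rebuilt. Pinning the child's ESP proposal to the same group fixes it.

```conf
# /etc/swanctl/conf.d/myfile.conf on the Raspberry Pi; added example, not the poster's
# file. The only change against the configuration in the question is the esp_proposals
# line; everything else is copied as posted.
connections {
  gw-gw {
    local_addrs = RASPI_LAN_IP
    remote_addrs = PFSENSE_IP
    local {
      auth = psk
      id = RASPI_PUBLIC_IP
    }
    remote {
      auth = psk
      id = PFSENSE_IP
    }
    children {
      net-net {
        local_ts = RASPI_NET/24
        remote_ts = PFSENSE_NET/16
        start_action = start
        dpd_action = restart
        # Same DH group as the pfSense Phase 2 PFS setting: MODP_2048 (group 14),
        # the group in every proposal pfSense sent in the CREATE_CHILD_SA above.
        # DH groups in ESP proposals are ignored in IKE_AUTH, which is why the
        # initial connection worked without this line and only the rekey failed.
        esp_proposals = aes128-sha256-modp2048
      }
    }
    version = 2
    dpd_delay = 60
    mobike = no
    proposals = aes128-sha256-modp2048,default
  }
}

secrets {
  ike-1 {
    id-1 = RASPI_PUBLIC_IP
    id-2 = PFSENSE_IP
    secret = "MYPSK"
  }
}
```

Load it with `swanctl --load-all` and watch the next rekey in the log; `swanctl --list-sas` shows the new SPIs once the CHILD_SA has been replaced. `aes256gcm16-modp2048` would match the AEAD entries pfSense offers first. The other way round, switching PFS off on the pfSense Phase 2, also makes the proposals match but gives up forward secrecy for the ESP keys, so adding the group on the Pi is the better fix.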
2 votes
2 answers
2083 views
How can I resize an md device in FreeBSD?
I have 1GB RAM installed and I want to enlarge both nodes md0 and md1
/dev/md0 38M 216K 35M 1% /tmp
/dev/md1 58M 20M 33M 39% /var
I tried this but it fails:
# mdconfig -r -s 128M -u 0
mdconfig: ioctl(/dev/mdctl): Operation not supported
What command should I use?
fdafgfdgfagfdagfdagfdagfdagfda (101 rep)
Mar 4, 2015, 02:55 PM • Last activity: May 27, 2023, 01:35 PM
0 votes
1 answers
35 views
What subsystem is responsible if I can connect via s2s VPN connection only in one direction?
I have configured the following s2s VPN (in pfSense) connection which is working in general. (screenshot not reproduced) Unfortunately, I can connect (ping, netcat, ssh) only from the client to the server, but not back. If I can ssh normally, it means that the firewall is not the problem, right? Since packets are travelling in both directions? How to diagnose the problem by means of command line tools?
***
I made a mistake, I can't netcat backwards. But I can see ping traffic with packet capture on the client when pinging it from the server. Also, I did add an explicit route route add -net 192.168.31.0/24 192.168.27.2 on the server.
***
Here is what I see when dumping packets on the client when pinging it (.31.1) or its network counterparts (.31.155) from the server
$ tcpdump -n -i ovpnc2 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ovpnc2, link-type NULL (BSD loopback), capture size 262144 bytes
20:04:44.123925 IP 192.168.27.1 > 192.168.31.1: ICMP echo request, id 14862, seq 0, length 64
20:04:45.133435 IP 192.168.27.1 > 192.168.31.1: ICMP echo request, id 14862, seq 1, length 64
20:04:46.146100 IP 192.168.27.1 > 192.168.31.1: ICMP echo request, id 14862, seq 2, length 64
20:04:49.664935 IP 192.168.27.1 > 192.168.31.155: ICMP echo request, id 1295, seq 0, length 64
20:04:50.663422 IP 192.168.27.1 > 192.168.31.155: ICMP echo request, id 1295, seq 1, length 64
20:04:51.679393 IP 192.168.27.1 > 192.168.31.155: ICMP echo request, id 1295, seq 2, length 64
20:04:52.688367 IP 192.168.27.1 > 192.168.31.155: ICMP echo request, id 1295, seq 3, length 64
Apparently, the client end sees the ping packets, but doesn't respond, right?
Dims (3425 rep)
Mar 2, 2023, 09:34 PM • Last activity: Mar 3, 2023, 07:07 PM
0 votes
1 answers
1504 views
PXE boot problem using netboot.xyz "mounting tmpfs on /cdrom failed: Invalid argument"
I've set up my pfsense server with tftp to support PXE booting. I've configured it to boot the latest (as of posting) version of netboot.xyz. This works to a point, but I've tried loading a few Linux images and they all seem to die with the same error messages. Key output text includes:
...
mount: mounting tmpfs on /cdrom failed: Invalid argument
...
curl: (23) Failed writing body (0 != 16384)
Unable to find a live file system on the network
...
Screenshot: (not reproduced)
I'm not sure if this is a tftp issue (I doubt it), a pfsense issue (I doubt it), a netboot.xyz issue (my main guess) or something else.
James T Snell (134 rep)
Jan 10, 2023, 06:56 AM • Last activity: Feb 7, 2023, 12:35 PM
0 votes
1 answers
473 views
What hostname to put in main.cf for self-hosted postfix, behind HAProxy?
Pfsense (HAproxy as reverse proxy) -> Unraid. I run postfix on a Debian Bullseye VM (under Unraid) on my home server. It is up and running. I can send mail out but can't receive any incoming mail. I'm wondering whether I've set a wrong host name or not. On the home local network, I can access my Debian server with either debiantest or debiantest.local. When installing Debian, I input hostname "debiantest", domain "mydomain.com". My MX record at Cloudflare for "mydomain.com" is mail.mydomain.com. In postfix main.cf, I tried specifying the hostname as debiantest, debiantest.local, debiantest.mydomain.com. Same results, i.e. can't receive any mail, but can send mail out. Welcome any suggestion.
bthoven (1 rep)
Jan 13, 2023, 05:25 PM • Last activity: Jan 13, 2023, 06:12 PM
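An added example, not the poster's configuration, of how the names fit together for a Postfix behind an HAProxy TCP frontend. `myhostname` is what Postfix announces in HELO/EHLO and writes into Received headers; it should be the public FQDN that the MX record and the WAN address's PTR resolve to (`mail.mydomain.com`), not the LAN name of the VM. The OS hostname `debiantest` can stay as it is. Mail for the bare domain is only accepted if `mydomain.com` appears in `mydestination`. The backend address in the HAProxy lines is an assumption, and the `smtpd_upstream_proxy_protocol` setting belongs only with a backend that uses `send-proxy`.

```conf
# /etc/postfix/main.cf fragment; added example, not the poster's config.
# myhostname: the public name the MX record and the WAN PTR point at, announced in
# HELO/EHLO; mismatches between MX, PTR and HELO are what receiving hosts score
# against, and the box's LAN name (debiantest / debiantest.local) is worthless there.
myhostname = mail.mydomain.com
mydomain = mydomain.com
myorigin = $mydomain
# Mail for user@mydomain.com is only accepted if the domain is listed here.
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
inet_interfaces = all
inet_protocols = ipv4
# Only together with "send-proxy" on the HAProxy backend. Then Postfix learns the
# real client address instead of logging every inbound connection as coming from
# pfSense, which would also make client-based restrictions and RBL checks useless.
smtpd_upstream_proxy_protocol = haproxy

# HAProxy on pfSense, text form of the GUI frontend/backend for inbound SMTP
# (backend address 192.168.1.50 assumed):
# frontend smtp-in
#     mode tcp
#     bind :25
#     default_backend postfix
# backend postfix
#     mode tcp
#     server debiantest 192.168.1.50:25 send-proxy check
```

Since `smtpd_upstream_proxy_protocol` in main.cf applies to every smtpd instance, put it on the port-25 entry in master.cf with `-o smtpd_upstream_proxy_protocol=haproxy` if the submission port is reached without the proxy. Three things outside Postfix decide whether inbound mail ever arrives: the A record of `mail.mydomain.com` at Cloudflare must be DNS-only (the Cloudflare proxy does not carry SMTP), the pfSense WAN needs a firewall rule passing TCP/25 to the HAProxy listener, and many residential ISPs block inbound port 25 altogether, which a connection attempt from outside (`telnet mail.mydomain.com 25` from another network) shows in seconds.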