
Messages - jpns

I have this issue too on a NanoBSD system. At boot I get the following in console:

Welcome to pfSense 2.3.4-RELEASE on the 'nanobsd' platform...

rm: /usr/local/etc/ipsec.d: Read-only file system
rm: /usr/local/etc/ipsec.conf: Read-only file system
rm: /usr/local/etc/strongswan.conf: Read-only file system
Creating symlinks......ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/ipsec /usr/local/lib/perl5/5.24/mach/CORE
32-bit compatibility ldconfig path: /usr/lib32
cap_mkdb: /etc/login.conf.db: Read-only file system
/usr/local/libexec/pfSense-upgrade: cannot create /usr/local/etc/pkg.conf: Read-only file system
/usr/local/libexec/pfSense-upgrade: cannot create /usr/local/etc/pkg.conf: Read-only file system
Failed to write core file for process php (error 14)
pid 191 (php), uid 0: exited on signal 11

Is a reinstall the only way to fix?

Actually, it looks like there's already an open pull request to fix this problem.

Great, I see the pull request has been approved too, does that mean the fix will make it into the next update?

I rely quite heavily on this feature working properly, so it would be great if it is 8)

I host some services at home, and I use Cloudflare for DNS and to hide my IP address. I use the dynamic DNS client in pfSense to keep the IP up to date with the domain in Cloudflare.

However, when pfSense detects an IP address change and updates the domain in Cloudflare, it also grey-clouds* it. This means my home IP is exposed until I log into Cloudflare and manually orange-cloud the domain again. Obviously, this is not ideal.

I did look at the Cloudflare dynamic DNS API a while ago and I seem to remember it's a single part of the string which can set either orange-cloud, grey-cloud, or do not change. It seems that pfSense is hard coded to grey-cloud.

*grey cloud = Cloudflare provides DNS only, and origin server IP address is exposed
*orange cloud = Cloudflare provides DNS and proxying; all requests to the domain go through Cloudflare and origin server is not exposed

This is going to hurt me.

I manage about 40 sites which are mainly using re-purposed Dell small form factor desktops and APU devices with the AMD G-T40E CPU. None of them use VPN (except me to log in to them remotely) and I have no interest in using cloud management either. Even my home firewall is running on a Dell Optiplex 780 with an Intel Core 2 Duo E7500 which does not have AES-NI but is plenty powerful for what I use it for. There are no socket 775 CPUs with AES-NI so a complete hardware upgrade will be required.

I can understand the need to have good encryption between the cloud service and remote firewalls, but I imagine the vast majority of "home" users will not ever use the cloud service.

Can't you consider some other options, such as only making AES-NI a requirement IF you want to use the cloud service? Or perhaps consider ChaCha20, which has higher performance than AES on devices without AES-NI? It works well enough for Wikipedia and Cloudflare.

My business is primarily providing low cost networking to SOHO environments. I'm sure you can understand how pfSense and older/cheaper hardware plays a part in this. Things will be much more difficult from 2.5 onward because I won't simply be able to use $50 refurbished hardware, and will instead need to spend 5x as much on Netgate stuff.

I appreciate the long advance warning, but please consider my points above.

Thank you, and keep up the great work.

Packages / Re: Automating ACME Letsencrypt
« on: March 23, 2017, 06:11:14 am »
Is domain ownership validation performed on every renewal, or only on the initial issuance?

DHCP and DNS / Re: Dynamic DNS Cloudflare v4 API issues with pfSense
« on: March 17, 2017, 03:55:17 am »
OK... my bad.

Have to put Global API key as password, do not put your account password as password.

User = user
Password = Global API Key

Works great... Thanks :)

As far as I know, Cloudflare has always required use of your global API key as password for dynamic DNS update. I have the same issue where I cannot update a root domain (blah.tld), as it requires a subdomain. The patch linked in the earlier posts works for me.

DHCP and DNS / DDNS client and Cloudflare
« on: February 15, 2017, 07:14:19 pm »
I'm using the built-in DDNS client to update A records at Cloudflare. When pfSense updates an IP, it also "grey clouds" the domain. This is ABSOLUTELY not what I want to happen, as I am using Cloudflare to hide the origin server IP address and it is revealed when the domain is grey clouded.

I believe it's possible to set orange/grey cloud with a simple variable on the command line which calls the Cloudflare API; however, this is not configurable in pfSense. There doesn't seem to be anything Cloudflare can do about it either.

Is it possible that an option can be added to stop this behaviour?
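The behaviour described in the two Cloudflare posts above (the DDNS update rewriting the record and leaving it DNS-only) comes down to which value the updater sends for the record's proxy flag. The following is an added example, not code from the thread, from pfSense or from Cloudflare: it contrasts an updater that hard-codes the flag with one that preserves the record's current state, and adds a pre-flight check that warns when an update would expose the origin address. It assumes the Cloudflare v4 API record shape (a JSON object with `type`, `name`, `content`, `ttl` and a boolean `proxied`, updated with `PUT /zones/{zone_id}/dns_records/{record_id}`); the record below is a constructed sample and no network request is made.

```python
"""Preserve the Cloudflare "orange cloud" state when a dynamic-DNS client
updates an A record. Added example; assumes the v4 API record fields
(type, name, content, ttl, proxied). Record data is constructed."""
import json
from copy import deepcopy

# Only these record types can sit behind Cloudflare's proxy (assumption
# based on the v4 API; other types are always DNS-only).
PROXIABLE_TYPES = {"A", "AAAA", "CNAME"}

# Constructed sample: what a GET on the zone's dns_records might return
# for a record that is currently proxied (orange cloud).
EXISTING_RECORD = {
    "id": "RECORD_ID_PLACEHOLDER",   # placeholder, not a real record id
    "type": "A",
    "name": "home.example.com",
    "content": "203.0.113.10",       # documentation range, constructed
    "ttl": 1,                        # 1 = "automatic" TTL in the v4 API
    "proxied": True,                 # orange cloud: origin IP is hidden
}


def naive_update_body(record, new_ip):
    """The problematic pattern: rebuild the record with a fixed proxied
    value, so every IP change also turns the record DNS-only."""
    return {
        "type": record["type"],
        "name": record["name"],
        "content": new_ip,
        "ttl": record["ttl"],
        "proxied": False,   # hard-coded grey cloud, whatever it was before
    }


def build_update_body(record, new_ip, proxied="keep"):
    """Body for PUT .../dns_records/{id} that changes only the address.

    proxied="keep" copies the record's current flag; True or False force
    orange or grey cloud explicitly. Forcing the proxy on a record type
    that cannot be proxied is rejected rather than silently sent."""
    if proxied == "keep":
        flag = bool(record.get("proxied", False))
    else:
        flag = bool(proxied)
    if flag and record["type"] not in PROXIABLE_TYPES:
        raise ValueError(f"{record['type']} records cannot be proxied")
    body = deepcopy({k: record[k] for k in ("type", "name", "ttl")})
    body["content"] = new_ip
    body["proxied"] = flag
    return body


def exposure_warnings(before, after):
    """Pre-flight check: list warnings if sending `after` would move a
    currently proxied record to DNS-only and expose its origin address."""
    warnings = []
    if before.get("proxied") and not after.get("proxied"):
        warnings.append(
            f"{before['name']}: update switches proxied -> DNS-only; "
            f"origin address {after['content']} would be exposed"
        )
    return warnings


if __name__ == "__main__":
    new_ip = "198.51.100.7"   # constructed "new WAN address"
    bad = naive_update_body(EXISTING_RECORD, new_ip)
    good = build_update_body(EXISTING_RECORD, new_ip)
    print("naive body:     ", json.dumps(bad))
    print("preserving body:", json.dumps(good))
    for w in exposure_warnings(EXISTING_RECORD, bad):
        print("WARNING:", w)
```

Running the script prints both bodies side by side and a warning for the naive one; the check in `exposure_warnings` is the kind of guard a DDNS client can run before the PUT so that an address change never doubles as a proxy-state change.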

You can probably do it with Squid, but the question is why?

Also in your example I don't think it would even be successful as Yahoo (like many) force HTTPS by default, and if you try injecting non-HTTPS content into the request the end users' web browser will almost certainly block it and tell the user that they are experiencing a man-in-the-middle attack.

The only way I could see this being successful (for HTTPS traffic) is if you man-in-the-middle ALL of the traffic, but you'd need to have access to all of your clients' devices to install your own root certificate into their trusted CA store, to avoid their browsers giving serious warnings or blocking the requests altogether.

General Questions / Re: pfSense CA manager in 2.3
« on: December 17, 2016, 05:53:01 am »
Create an internal certificate authority in pfsense. This will generate a root CA cert which you will use to sign your certificates.

Create an internal certificate and make sure you sign it with your root CA cert.

No need to provide a CSR or private key as pfsense will generate these internally. You can export the certificates and keys directly from the certificate manager (the little buttons in the Actions column).

You can then import both sets of certs and keys into whatever you like. Obviously be aware that no devices will trust any certificates signed by your CA unless you manually import the root CA cert into your trusted certificate store.

Packages / Re: Letsencrypt working in 2.3
« on: December 17, 2016, 04:31:17 am »
Great to see this is getting some traction. I don't get all the hate towards LE. It seems even cPanel have implemented Letsencrypt into their AutoSSL feature.

I too am using a StartCom free DV cert to secure my pfsense webGUI, and a captive portal authentication page.

I intend to start using HAProxy soon to serve content from local webservers to the outside world directly from pfsense, rather than from a transparent Apache proxy inside the LAN. I'm already using Letsencrypt on this but I would much prefer to have this moved to the firewall.

I'll be watching this with great interest. Thanks for the great work guys.

Installation and Upgrades / Re: 2.3.1
« on: May 19, 2016, 03:59:15 am »
I have three almost identical setups at separate sites running APU1D boards with nanobsd. I upgraded the first of them remotely from 2.2.6 to 2.3.1 this morning and it all went smoothly.

Will do the other two in early hours of tomorrow morning when the networks are quiet.

Thanks pfsense team for a fantastic product and support.

Installation and Upgrades / Re: Erroneous duplicated DNS IP warning
« on: May 19, 2016, 02:25:07 am »
Put on one WAN and on the other.

Has fixed it.


Installation and Upgrades / Erroneous duplicated DNS IP warning
« on: May 18, 2016, 11:20:05 pm »
Just updated to 2.3.1-RELEASE from 2.2.6

Now if I try to make any changes in System -> General Setup

I get this error:

The following input errors were detected:
Each configured DNS server must have a unique IP address. Remove the duplicated IP.

I have two WANs and each has both Google DNS servers configured as backup.

My assumption is that pfsense is wrongly seeing these as duplicates even though each WAN does not have duplicate DNS servers.

I am using embedded system on APU1D

DHCP and DNS / Re: Unbound seems to be restarting frequently
« on: October 14, 2015, 09:50:57 am »
I have the same problem with unbound constantly reloading and having no DNS resolution for about 30 seconds every few minutes. I did have both the dynamic and static DHCP clients options ticked for DNS but I disabled them both and it didn't fix it. I have come to the conclusion that unbound is so broken that I've had to switch back to dnsmasq and now it's all working fine. I was using forwarding in unbound anyway (I am running multi-WAN with failover), so it doesn't really bother me having to switch.
