Messages - PiBa

Packages / Re: Letsencrypt + DigitalOcean = problems for me
« on: February 12, 2018, 05:20:27 pm »
Pretty much all decent browsers and other SSL clients send SNI. Lots of webservers running multiple sites and multiple certificates need it to pick the right certificate to return to the client.
(IE on XP was notorious a few years ago, but that shouldn't be connected to the internet anyhow these days..)

It should be working OK, if you do experience issues please do tell though.

Packages / Re: Letsencrypt + DigitalOcean = problems for me
« on: February 12, 2018, 12:33:56 pm »
HAProxy can't forward on encrypted headers.
True, but HAProxy CAN forward to a specific backend based on SNI (Server Name Indication) from the SSL layer.

Without offloading you do have SNI available from the SSL layer. Just no Host HTTP header.

NAT / Re: Revisit: Redirect Inbound HTTPS/HTTP Requests Based on URL
« on: February 11, 2018, 07:31:20 am »
Indeed a firewall rule needs to allow traffic but you found that :).

With the current settings:
-frontend that listens on :443 without 'ssl offloading' checked behind it. (And probably no certificate selected at the bottom)
-the 'Type' you have selected "http/https(offloading)"
These 2 settings don't match.. You will likely be sending https traffic to that 443 port, but are not using offloading..

So you need to decide: do you want to use ssl-offloading or not?
-With offloading, certificates need to be present on pfSense, configured on haproxy, and haproxy can use and modify host headers, keep stats of different response codes.
-Without offloading, haproxy can only use SNI to determine the proper backend, and will not be able to read or modify headers.

So to 'fix' the configuration:
-So enable offloading on the external address, and configure certificates.
-Change type to https(tcp), and change the ACLs to use SNI - Server Name Indication.

Hardware / Re: PC Engines apu2 experiences
« on: February 09, 2018, 12:58:39 pm »
On a sidenote, does anyone else have 2x haproxy services?
I haven't seen that, should only have the lowercase 'haproxy' service.. Probably need to edit the config.xml to remove the wrong service tag.. (backup>edit>restore) or the more tricky: (edit /conf/config.xml, delete /tmp/config.cache) just make sure to keep the xml format valid..

2.4 Development Snapshots / Re: Gateway monitor help
« on: February 01, 2018, 02:03:16 pm »
In System\Routing edit the gateway, and configure a 'monitor ip' you should be able to use something like, or perhaps run a traceroute and find some 'pingable' ip from your isp that does respond.

Ok great :).
Next issue, please do fill in a different 'monitor ip' on your wan gateway, one that responds to ping, so the gateway won't show as 'down' with 100% loss, and the quality monitoring rrd's will contain some better data ;). But well that should probably go into a different topic 8).

Looks like it's only 9656 lines, while there should be 14354 like in the link so definitely not ok..

Can you run the pkg command mentioned, and check again?

Not sure what happened there.. that line should be longer, and there should still be quite a few lines after it as well..

Can you check with diagnostics\editfile or perhaps your favorite SCP client what the file "/usr/local/www/vendor/nvd3/nv.d3.js" on pfSense itself looks like? Is it complete?

If the file is incomplete you could try and run:  pkg install -f pfSense-base    on the pfSense console or ssh connection to re-install it..

What does line 9656 of that file look like?

And a bit around it.

Is it possible to click on the "Uncaught SyntaxError: Invalid or unexpected token" line? Does it show some other file/script where that syntax error is present?

The second error where 'nv' is not defined is probably caused by the first syntax error skipping parts of code that is available..

no java errors
Perhaps no java error..
But your screenshot shows at the bottom some 'red' text in the 'console' tab, that surely looks like a Javascript error ;). (p.s. Java is not related to Javascript..)

Can you copy that text in full into a code # block here on the forum? It might help tell what's going on..

In chrome you would press F12, then on the network tab you could filter on the name ifstats and new requests would show there. Possibly refresh the page with F5 to be sure everything gets shown.. Click one of those ifstats requests and you will be able to view the headers of the sent request and also the response, make sure it looks valid from the beginning with a { until the end }.

Is the request for ifstats.php sent by the timer in the browser? What interfaces are requested? And what does it return?

There is no fix as there isn't anything reproducible broken (that I know of anyhow).

You will have to investigate a bit more to find why it is not working on your machine. Check the browser developer network tab, are there any javascript errors? Do requests for ifstat.php get a valid reply? You already tried clearing the browser cache, right?
