• How to read RTTsd and why is it not the same everywhere in pfSense

    29
    0 Votes
    29 Posts
    4k Views
    stephenw10S
    Yeah if you don't disable the blacklist you will only get one queue for Rx and Tx on a vmx NIC. As you say for a PPP connection that won't make any difference but for anything else it will.
  • 0 Votes
    2 Posts
    509 Views
    stephenw10S
    That is fixed in 23.05: https://redmine.pfsense.org/issues/14117 The patch for it is also included in the recommended patches list in the System Patches package. Steve
  • Crashdump // kernel panic //sleeping threads?

    4
    0 Votes
    4 Posts
    514 Views
    stephenw10S
    Me too!
  • Help to debug reboot problem on 23.01

    7
    0 Votes
    7 Posts
    852 Views
    w0wW
    @stephenw10 I just started to remove all additional scripts running from /usr/local/etc/rc.d and found that removing dyndns.sh does help. I can now reboot the system without problem.

    ```
    #!/usr/local/bin/bash
    while true; do
        IP_ADDRESS=$(ifconfig pppoe0 | grep "inet " | awk '{print $2}')
        if [ -z "$IP_ADDRESS" ]; then
            # PPPoE connection does not have a valid IP address
            logger "PPPoE connection does not have a valid IP address"
        else
            # PPPoE connection has a valid IP address
            /etc/rc.dyndns.update
            logger "PPPoE connection has a valid IP address, force DYNDNS"
        fi
        sleep 3600
    done
    ```

    I don't really remember if that is some manual script I installed some years ago, or if it is part of pfSense+, but it is the same on the secondary firewall and just works… I cannot explain what exactly is triggering this issue with reboot. My clean VM just does not have any scripts… but… it's not PPPoE and there are no hosts configured… Ok. Changed this to:

    ```
    #!/usr/local/bin/bash
    case "$1" in
    start)
        while true; do
            IP_ADDRESS=$(ifconfig pppoe0 | grep "inet " | awk '{print $2}')
            if [ -z "$IP_ADDRESS" ]; then
                # PPPoE connection does not have a valid IP address
                logger "PPPoE connection does not have a valid IP address"
            else
                # PPPoE connection has a valid IP address
                /etc/rc.dyndns.update
                logger "PPPoE connection has a valid IP address, force DYNDNS"
            fi
            sleep 3600
        done
        ;;
    stop)
        exit 0
        ;;
    esac
    exit 0
    ```

    And reboot works just fine... so it is possible that some time ago I just generated this problem that was so hard to debug. Anyway, thank you for trying to help me! Edited: Yes, definitely it was a manually added script, just because for some reason dynDNS was not updated.
  • Crashdump for 23.01-RELEASE

    2
    0 Votes
    2 Posts
    318 Views
    stephenw10S
    Backtrace:

    ```
    db:1:pfs> bt
    Tracing pid 79686 tid 100334 td 0xfffffe010ce053a0
    kdb_enter() at kdb_enter+0x32/frame 0xfffffe010bfa8900
    vpanic() at vpanic+0x182/frame 0xfffffe010bfa8950
    panic() at panic+0x43/frame 0xfffffe010bfa89b0
    trap_fatal() at trap_fatal+0x409/frame 0xfffffe010bfa8a10
    trap_pfault() at trap_pfault+0x4f/frame 0xfffffe010bfa8a70
    calltrap() at calltrap+0x8/frame 0xfffffe010bfa8a70
    --- trap 0xc, rip = 0xffffffff80f9352c, rsp = 0xfffffe010bfa8b40, rbp = 0xfffffe010bfa8b70 ---
    X_ip_mrouter_done() at X_ip_mrouter_done+0x31c/frame 0xfffffe010bfa8b70
    rip_detach() at rip_detach+0x3f/frame 0xfffffe010bfa8ba0
    sorele_locked() at sorele_locked+0x89/frame 0xfffffe010bfa8bc0
    soclose() at soclose+0xeb/frame 0xfffffe010bfa8c20
    _fdrop() at _fdrop+0x11/frame 0xfffffe010bfa8c40
    closef() at closef+0x24b/frame 0xfffffe010bfa8cd0
    fdescfree() at fdescfree+0x4b3/frame 0xfffffe010bfa8d90
    exit1() at exit1+0x4c7/frame 0xfffffe010bfa8df0
    sys_exit() at sys_exit+0xd/frame 0xfffffe010bfa8e00
    amd64_syscall() at amd64_syscall+0x10c/frame 0xfffffe010bfa8f30
    fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe010bfa8f30
    --- syscall (1, FreeBSD ELF64, sys_exit), rip = 0x822b5786a, rsp = 0x820a03288, rbp = 0x820a032a0 ---
    ```

    Panic:

    ```
    Fatal trap 12: page fault while in kernel mode
    cpuid = 6; apic id = 06
    fault virtual address = 0x0
    fault code = supervisor read data, page not present
    instruction pointer = 0x20:0xffffffff80f9352c
    stack pointer = 0x28:0xfffffe010bfa8b40
    frame pointer = 0x28:0xfffffe010bfa8b70
    code segment = base 0x0, limit 0xfffff, type 0x1b
    = DPL 0, pres 1, long 1, def32 0, gran 1
    processor eflags = interrupt enabled, resume, IOPL = 0
    current process = 79686 (pimd)
    rdi: fffffe00e204ad18 rsi: 4 rdx: 1
    rcx: 0 r8: 0 r9: fffff80010067000
    rax: 100 rbx: fffffe010ce053a0 rbp: fffffe010bfa8b70
    r10: 0 r11: 800000044d83ed99 r12: fffffe010ce053a0
    r13: 0 r14: fffff805734b4700 r15: 0
    trap number = 12
    panic: page fault
    cpuid = 6
    time = 1680781157
    KDB: enter: panic
    ```

    Console also shows:

    ```
    config_aqm Unable to configure flowset, flowset busy!
    config_aqm Unable to configure flowset, flowset busy!
    ```

    It's probably this or related to it: https://redmine.pfsense.org/issues/12079 Except it's in pimd rather than igmpproxy hence the differences. Steve
  • Restoring backup from 22.01 breaks 23.01 installation

    Moved
    5
    0 Votes
    5 Posts
    736 Views
    stephenw10S
    If you're able to replicate it then a bug would be helpful. We would need to know what the config was in 22.01 in order to prevent it failing at upgrade. Steve
  • pfSense VLAN Issues

    6
    0 Votes
    6 Posts
    948 Views
    C
    @nocling I can't thank you enough. This worked! I've read so much documentation, posted in numerous forums, etc. No one brought up the switch aspect. Thanks!!!
  • Unable to Register pfSense Plus

    plus
    6
    0 Votes
    6 Posts
    1k Views
    stephenw10S
    @soupdiver said in Unable to Register pfSense Plus: I guess some kind of user error would be nice here Hmm, I agree. Let me see what we can do there.
  • Config restore on different machine with different interface naming

    Moved
    2
    0 Votes
    2 Posts
    553 Views
    cappieC
    @riggi Yes, the first boot after you restore the config to the bare metal device, pfSense will prompt you to correct/assign interfaces. You can also edit the config.xml file to change the interface names before restoring with a tool like Notepad++, being careful to replace the names individually and not just do a lazy-man 'replace all'. Simple and effective.
  • WAN Gateway Status is pending

    Moved
    16
    0 Votes
    16 Posts
    17k Views
    A
    @stephenw10 Well I have not tested on 23.01 but I used to get similar issues for many of my installations with 2.6. Yes, of course, rebooting the firewall or restarting the service makes the gateway come online. Recently I found a workaround, if it gives some kind of pointer. I have set the WAN as static IP instead of DHCP. This solves the pending issue. I guess it is more of an issue in the uplink modem, unable to assign a DHCP address to the WAN port of the firewall. So I guess there is no issue with pfSense.
  • changing vga mode to serial console mode

    25
    0 Votes
    25 Posts
    3k Views
    JonathanLeeJ
    @jknott The earliest computer I had was an AT&T PC6300; it had a DB-9 for the keyboard, monochrome guy. I also remember my Tandy 102 that my uncle got us one Christmas had a DB25 on the back. My Dad had a Commodore 64; I never got to play with it. The thing was disconnected by the time I was able to. Again, the monitor that went with it was dead and it was outdated at that point, but that guy had some connections on the back also. Today I have the C64 mini so I got to play with it in the end. Thank you Santa!!!
  • IPSec vlan firewall rules

    4
    0 Votes
    4 Posts
    540 Views
    stephenw10S
    You could do this using an alias with all the client subnets in it and then use that as the source in the firewall rule at site A on the IPSec tab. That wouldn't filter clients that are at site A that don't use tunnel so you'd still need a rule on the client VLAN there directly. Or as you say you could put that rule as floating outbound on the resources VLAN at site A.
  • Multiple networks on one pfsense router?

    3
    0 Votes
    3 Posts
    2k Views
    Dobby_D
    There are some ways to realize it. Each LAN port gets its own subnet, like 192.168.1.0/24 and on the next one 192.168.2.0/24. You can also add a switch to each LAN port and enrich that scenario for more users or devices. You may be able to work with VLANs for private and home:

    VLAN10 = Home - 192.168.1.0/24
    VLAN20 = Work - 192.168.2.0/24
    VLAN30 = WiFi - 172.xxx

    You may be able to set up behind the pfSense also a small MikroTik router for each network if you want. There are many ways you may be able to walk on.
  • can we change http requests using squid proxy?

    2
    0 Votes
    2 Posts
    214 Views
    stephenw10S
    You can use rewrites in Squidguard. It's limited though, it might do what you need. [image: 1681494331759-screenshot-from-2023-04-14-18-45-20.png] Steve
  • My wifi does not access

    Moved
    3
    0 Votes
    3 Posts
    440 Views
    stephenw10S
    Um....yes we will need a lot more information to offer any sort of solution here!
  • Firmware details

    15
    0 Votes
    15 Posts
    2k Views
    C
    @stephenw10 ah that makes sense. Thanks. The 8200 already has uc-18 so it was just a BIOS update.
  • Possible to get Intel PCH/Chipset temperature to Thermal Sensor Widget?

    21
    0 Votes
    21 Posts
    2k Views
    stephenw10S
    Probably. I have no insight there. I imagine the intention was to have the widget display flash in some way to alert the user.
  • Network wide compliance policy

    9
    0 Votes
    9 Posts
    1k Views
    K
    @stephenw10 said in Network wide compliance policy: Right, I'm not sure that's in the open source server. Ugh that is the paid server for 180 dollars a month "built on the open-source structure". I think I am gonna stay away from that. Anyways seems like my quest has hit a rough end. I will try to harden my network in a different way. Thanks for all of the replies. Great community!
  • Add certificate for upstream proxy SSL Interception trust

    3
    0 Votes
    3 Posts
    541 Views
    S
    @stephenw10 this worked. Thanks!
  • WAN RTT degraded over time

    9
    0 Votes
    9 Posts
    1k Views
    GertjanG
    @rubensan112 I'm pretty sure that IP, 192.168.1.1, is very close to you. Like 3 foot away, the cable between pfSense and your ISP router. The idea is that you use another, public, IP, one that is further down "the road", a gateway IP of your ISP. If that one is too hard to find, you could use some other "nearby" IP, like 8.8.8.8. I'm using the IP of one of my servers somewhere nearby the main 'ISP gateway' : [image: 1681396433050-ececd44b-0e5d-4945-99ec-7b2f9438d480-image.png] Now I see : [image: 1681396266666-8f8df7d3-43ff-4671-90b1-f7a38245e45a-image.png] Which means : 192.168.10.1 is the IP of the LAN of my ISP router, just 30 away from me and pfSense. 188.165.5x.87 is my server IP, and that one is just to 'test' my uplink. The whole idea of all this is : If I (pfSense) can reach (receive answers to my pings) from 188.165.5x.87, I know (and pfSense) that my connection is ok. Pinging your upstream router on your site/home makes no sense. That says nothing about the 'quality' of your uplink. Test this yourself : remove the cable (phone/adsl/coax/satellite dish/fiber/whatever you use) from your ISP router : you will see no alerts in the pfSense GUI dashboard, as your 192.168.1.1 is still answering, so pfSense thinks the connection is ok. Well, it's not.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.