• Package manager Empty

    0 Votes
    7 Posts
    423 Views
    stephenw10S
    CE did come preinstalled on some Netgate devices. The Minnowboard Turbot (MBT) for example. But, yes, from 2.7.0 run certctl rehash to see the update.
  • Performance regression 2.7.2 to 2.8

    0 Votes
    57 Posts
    6k Views
    stephenw10S
    No. You can only policy route traffic as it enters the firewall so usually from some internal subnet. Traffic from localhost is already inside the firewall. By the time it is leaving an interface and could be filtered outbound the routing decision has already been taken.
  • 0 Votes
    8 Posts
    4k Views
    M
    @viragomann I wish to do this using a proxy service that I have subscribed to; however, they provide a hostname and port so I don't think I can use the GW method here.
  • Remotely Enable if_pppoe kernel driver and reboot

    0 Votes
    7 Posts
    719 Views
    R
    @brookheather ~ After almost 8 days up time, this is what it shows: MTU: 1400 In/out packets: 116406954/41636681 (134.50 GiB/6.15 GiB) In/out errors: 0/2 Collisions: 0 Also, my Internet connection is 1Gbps up and down fiber. RPSmith...
  • Normal traffic graph in "idle"?

    0 Votes
    13 Posts
    915 Views
    R
    @Gertjan said in Normal traffic graph in "idle"?: A Windows OS ? You ever heard about telemetry data ? The keylogger you installed on your PC It's Ubuntu though ;) @Gertjan said in Normal traffic graph in "idle"?: What is that ? A website to check what is behind an IP. For example: https://otx.alienvault.com/indicator/ip/34.149.144.89 @Gertjan said in Normal traffic graph in "idle"?: That's your browser doing auto-captive-portal detection. This is port destination 80 TCP traffic, right ? Yep port 80 traffic @Gertjan said in Normal traffic graph in "idle"?: You were actually using all this stuff all the time. It's always a good thing to find out how things work. I am still trying to figure things out. I haven't gotten into the packet capture part yet. Only superficially by checking Snort captures. I also googled what TCP Dup ACK is but I don't know if it is something to worry about or a normal occurrence. The last couple of days I saw 3 out of 5 Windows computers make outgoing connections to malicious IPs that are flagged on otx.alienvault and it makes me worried. Even on a fresh Windows install I had this happen by a service that should only communicate on LAN (Windows LanmanServer). I just blocked the whole IP range to be safe. It was also blocked by Snort with "ET INFO Packed Executable Download", Misc activity 3. I hope it's just a false positive. @stephenw10 said in Normal traffic graph in "idle"?: No. The source and destination are still the same. Ok great. Thank you :)
  • Pfsense updated to 2.8 and now get a crash report

    0 Votes
    20 Posts
    2k Views
    randombitsR
    @stephenw10 Yes, I meant Wh it went from ~900 watt hours to ~825 watt hours per day.
  • Is CE 2.7.2 fully patched as secure as CE 2.8 ?

    0 Votes
    3 Posts
    313 Views
    stephenw10S
    Yup the system patches package can only update run-time scripts. Some things that are packages can be updated separately so you can pkg upgrade them in the current branch. But a new release will have fixes and patches to core components that cannot be applied so would be considered more secure. However at this point there are no known issues with 2.7.2 that would concern me.
  • How to connect to XGS-PON controller

    0 Votes
    15 Posts
    971 Views
    AndyRHA
    @stephenw10 Not my day, something is blocking pings... Tried SSH and it connected. For future generations this is the outbound NAT rule. [image] VLAN42 is where my PC sits. Thank you for the help. Easier than I thought it would be.
  • Questions on State Timeouts

    0 Votes
    4 Posts
    390 Views
    stephenw10S
    If it works better for XBox live then sure. I don't have one to test so I can't really comment. Just be aware that anything you do to make states last longer is going to increase the total state count at any time. That might be no problem for you with 4G to play with. In many use cases it would be though.
  • How can I remove this IPv6 DNS entry? (post 2.8.0 upgrade)

    0 Votes
    18 Posts
    1k Views
    hydnH
    @stephenw10 yes you are correct. It was to their own 853 servers (Apple's private browsing feature). I'm not sure exactly what I changed but the warning is gone now.
  • [solved] NTP / UDP Port 123 blocked since update 2.7.2 -> 2.8.0

    0 Votes
    15 Posts
    1k Views
    stephenw10S
    Aha! Well in that case you should really find out what the asymmetry is and correct that. Using interface bound states is more secure. You may hit that asymmetry still in some other way and see more problems in the future. It's almost certainly because that server is multi-homed and doesn't need to be.
  • Frequent pfSense Plus GUI Crashes and Service Failures

    0 Votes
    16 Posts
    1k Views
    S
    @stephenw10 Thank you! After applying all the patches, I no longer encountered any crashes in the pfSense GUI. Will monitor the system status and this error message; nginx 2025/06/05 07:28:56 [error] 12856#100360: send() failed (54: Connection reset by peer) while logging to syslog, server: unix:/var/run/log
  • Netgate 4100 SMART: "Unable to detect device type"

    0 Votes
    5 Posts
    422 Views
    S
    @courtalj You can of course. There are a few ways to reduce writing, and one ZFS change coming in 25.03. https://forum.netgate.com/topic/195879/netgate-2100-life-expectancy/8
  • 1 Votes
    8 Posts
    667 Views
    S
    @stephenw10 said in upgraded from SG-2220 to 4200 Max and Internet performance is extremely improved... why?: Disk speed would only make much difference if you're proxying/caching a lot on the firewall. Which you probably aren't. But when it's running at the limits of the CPU everything is getting queued. Other services, like DNS, will be slower to respond. It cannot prioritise anything unless it's already dropping/queuing at some lower bandwidth. That's it! It is that the CPU is just bogged down because my Internet has grown to rates that the CPU load (or maybe just bus/RAM load) is taking longer to respond. Not because it's maxed out, but because it's just highly loaded. Glad you like the 4200! Yah. I wish I had done this a while ago now. I can't believe how snappy things are.
  • Remove presence plus upgrade option

    0 Votes
    2 Posts
    213 Views
    stephenw10S
    If you send me your NDI in chat I can make it ineligible for Plus.
  • first boot freeze (pfsense 2.7.2 + protectli)

    0 Votes
    8 Posts
    828 Views
    R
    Hi guys, first of all sorry for the delay, and thank you for your help. Tonight I started working on it again and I downloaded pfSense version 2.7.2 again from here: https://atxfiles.netgate.com/mirror/downloads/. I didn't use Balena Enhancer anymore, and after trying to reinstall everything, this time it worked.
  • Netgate 2100 out of space and won't start gui

    0 Votes
    11 Posts
    746 Views
    A
    @stephenw10 The best of times, the worst of times.
  • System Tunables Question

    0 Votes
    2 Posts
    252 Views
    stephenw10S
    Unlikely to hurt in most setups. 100 pings a second is more than most pfSense installs should ever see. Disabling redirect shouldn't cause a problem if your network is configured correctly. In reality you would probably see stuff stop working in a lot of networks that were being redirected. It will allow you to find those misconfigured devices though.
  • Since upgrade to CE 2.8 the plus branch is gone.

    0 Votes
    6 Posts
    556 Views
    stephenw10S
    Yes, exactly that. You cannot downgrade and 2.8 is newer than 24.11. When 25.03 is released it will show as an available branch for eligible devices.
  • Hosting websites from behind pfsense

    0 Votes
    2 Posts
    234 Views
    johnpozJ
    @kdmiller61 setup a dynamic dns for your pfsense wan IP that changes. Use that fqdn to access pfsense wan IP, setup a port forward for whatever you want to be forwarded to behind pfsense.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.