• OpenVPN CIDR pool

    3
    0 Votes
    3 Posts
    625 Views
    johnpoz
    "10.10.0.0/16 does the job after all." Does the job of what - a firewall rule?  A summary route - those are really the only valid uses of such a CIDR.. Do you have 65k some hosts you need on the same network? ;) Use a more appropriate CIDR would be my suggestion.. Say a /24 or /23 if you have a lot of hosts..
  • Additional Pool in DHCP, MAC address, MultiWAN, and PIA OpenVPN.

    5
    0 Votes
    5 Posts
    555 Views
    A
    You can have two dhcp pools but you cannot tell this client should select from pool A and this client should select from pool B. So all the clients you want to be in pool B give them fixed ip. But remember if any other client which was supposed to get dhcp address from Pool A, fix his ip to pool B then he'll be allowed. So to avoid this you should either use Managed switch or go for vlan. If you have all wireless devices, then setting up vlans is quite simple. Only thing then required will be device which can tag the clients. Most of the APs nowadays come with vlan tagging facility. If you have desktops then you have to invest in managed switch. I can help you setup vlans, in case you decide to do so.
  • Search firewall logs by rule names?

    1
    0 Votes
    1 Posts
    217 Views
    No one has replied
  • Certificates

    2
    0 Votes
    2 Posts
    330 Views
    johnpoz
    They are stored in the xml… You could do a backup, and then pull them out and then reload them on a new system via edit of xml and restore.  I do not see a specific for just backup of them..  But with a bit of manipulation you could do it that way.. How many do you have to move?  You can also just export them in the cert manager and then import them into your new system.  That is how I did the few certs I wanted to move over from my old system when I got my sg4860.. I wanted to save my CA since had certs deployed that it had signed, etc.
  • Monitoring of multiple pfsense?

    1
    0 Votes
    1 Posts
    271 Views
    No one has replied
  • Reboot pfsense when 4G router is rebooted?

    1
    0 Votes
    1 Posts
    218 Views
    No one has replied
  • 2.3.5 - status/system log flooded with: NTPd not found

    2
    0 Votes
    2 Posts
    311 Views
    Gertjan
    Hi, Enter console mode. Option 8. Enter : ls -al /usr/local/sbin/ntpd You should see : -r-xr-xr-x  1 root  wheel  692424 Oct  9 00:12 /usr/local/sbin/ntpd This program, the time daemon, is part of a basic FreeBSD/pfSense setup. It isn't possible that it isn't there. I really advise you to do a clean install. True, the "Watchdog"  isn't very smart either, trying to (re) start a program that isn't there. Not being able to check for updates could be the proof of other missing system files - or just a broken DNS setup. Don't spend more time, wipe it clean ;)
  • 2.4.2. GUI slow in responding

    1
    0 Votes
    1 Posts
    296 Views
    No one has replied
  • One voucher used by multiple users

    2
    0 Votes
    2 Posts
    373 Views
    Gertjan
    Hi, What are your captive portal settings? What is the captive portal status page showing? What does the captive portal log tell us?
  • Pkg.pfsense.org - DNS Record not found

    8
    0 Votes
    8 Posts
    3k Views
    johnpoz
    I would do a clean install and then restore from your backup.
  • Noob - Can't connect to the webGUI

    2
    0 Votes
    2 Posts
    388 Views
    Gertjan
    Hi, The device you use to connect to pfSense, did it get an IP from the DHCP server running on pfSense?
  • Redundant IPSEC tunnel

    1
    0 Votes
    1 Posts
    399 Views
    No one has replied
  • Connection to linux box dies over ipsec

    10
    0 Votes
    10 Posts
    685 Views
    JKnott
    Linux normally uses PMTUD to set packet size.  Do you see the ICMP "too big" messages?  I'm not sure about IPSec settings, as I haven't used IPSec with pfSense.  The MSS is normally used when setting up a TCP connection to tell the other end the maximum supported packet size.  It has nothing to do with any router, including pfSense.  It is PMTUD that's used to determine the maximum packet size that will fit the smallest MTU along the path.
  • ISC DShield & pfSense

    4
    0 Votes
    4 Posts
    730 Views
    johnpoz
    Thanks!  I used to run this, but had yet to get it moved over to the sg-4860 once I switched to that from my vm setup. The summary emails from dshield were nice to get.  I will have set this back up soon.
  • Link state change with a cable modem

    3
    0 Votes
    3 Posts
    332 Views
    A
    @kpa: If there is a switch in between pfSense and modem then the only link state changes pfSense is going to see are the ones with the switch. Thanks. Just talked to the ISP, it seems it's actually the gateway router. They are going to replace it.
  • PfSense box hangs after some time

    1
    0 Votes
    1 Posts
    305 Views
    No one has replied
  • AutoConfigBackup Service Started… (System stops)

    1
    0 Votes
    1 Posts
    240 Views
    No one has replied
  • APIC Warning L1 data cache less than

    11
    0 Votes
    11 Posts
    3k Views
    V
    So was going to swap the firewall out today so I could bench it and test and figure out what was going on and as soon as I fired up the temp firewall, exact same model and case but version 1.1a BIOS, it did the same thing. So I suspected it was likely being caused by something plugged in and since the only thing plugged in was the Tripplite battery backup, I unplugged it, restarted it a few times and it never hung with the error until I plugged the UPS back in. So, in short the kernel is hanging on the UPS during boot. Should I report this as a bug? It has to be a FreeBSD kernel bug. I plan to work around it by changing the UPS from USB to serial. The only other issue I was running into was "AutoConfigBackup service started" would seemingly hang forever. Not always, but periodically.
  • Connection (ESTABLISHED) Limit per rule set

    1
    0 Votes
    1 Posts
    214 Views
    No one has replied
  • Managed switch: Unifi Controller & pfSense GUI & Switch GUI only interface?

    10
    0 Votes
    10 Posts
    2k Views
    V
    I am totally open to feedback from the community if this is set up correctly but here is what I did: I did manage to get my setup to work….my DLink switch configuration is as follows: Ethernet 1 -> Trunk to pfSense/LAN Later Edit:  (eth 1 & 5 untagged and eth 2 & 3 tagged) Ethernet 2 -> Unifi AP VLAN10  (eth 1 & 2 tagged) - Nothing untagged VLAN20  (eth 1 & 2 tagged) - Nothing untagged VLAN30  (eth 1 & 2 tagged) - Nothing untagged Ethernet 3 - VLAN40/AppleTV(not Vlan capable) (eth1 tagged and eth 3 untagged) Ethernet 5 -> Management Computer VLAN 4093 (eth 2 untagged and 5 tagged Later edit: eth 1, 2, 4 &5 untagged, 3 not a member ) - I thought this would connect to a VLAN 4093 on my pfSense box I created but it doesn't, it gets an IP for the LAN interface on my pfSense box. I think this is OK as it allows me to be on the same L2 as my Unifi AP. I was able to have the Unifi AP adopt my computer with this setup. Does this look right? (Modesty…I'll comment on your post and do what I can to help!)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.