• Traceroute Loop On LAN Interface But No Loop On WAN

    0 Votes
    5 Posts
    886 Views
    So turns out there is no loop. pfSense rewrites ICMP errors IP addresses. Asking more details about that in https://forum.netgate.com/topic/152252/pfsense-rewrites-source-ip-for-icmp-errors-breaking-traceroute
  • Please help or advice

    0 Votes
    5 Posts
    575 Views
    NollipfSense
    @NKOADMIN Awesome...congrats!
  • No internet access via the pfSense LAN

    0 Votes
    32 Posts
    16k Views
    stephenw10
    No problem.
  • Subnet printing

    0 Votes
    9 Posts
    1k Views
    stephenw10
    Still should conflict with 192.168.30.0/24 where the printer is. Also it would be an all-or-nothing type deal. If you can connect at all to the printer it is not a conflict. Steve
  • PHP errors

    0 Votes
    6 Posts
    940 Views
    I went ahead and just blew everything away and started over. Once I rebooted and everything was down I figured it was time to start over.
  • Beginner Home LAN Setup

    0 Votes
    9 Posts
    1k Views
    NollipfSense
    @jlw52761 Thank you for your time and professionalism in presenting...I really appreciate that. Neither am I a Netgate sales person...The OP is an informed network person having taken a Cisco course...he stated, his needing multiple networks such as a DMZ...he stated, he "would like advice on what Netgate product would suit me the best." He stated, his having multiple network toys and his looking at the SG-3100. Personally, I would have recommended the XG-7100 desktop long term...I am even thinking now of getting that SG-3100 from Amazon and flip it...on a second look, I get the reality check...it's the SG-1100. https://www.amazon.com/SG-3100-pfSense-Security-Gateway-Appliance/dp/B07JBWRQ3K
  • Unbound Grafana Dashboard

    0 Votes
    3 Posts
    854 Views
    thanks @jlw52761 that is a great dashboard, and so much easier than what I was trying to do with the above.
  • Certificate Revocation List Max. Lifetime

    0 Votes
    13 Posts
    2k Views
    Rico
    Thank you for clearing that up. -Rico
  • Downgrade packages

    0 Votes
    12 Posts
    2k Views
    bmeeks
    @jlw52761 said in Downgrade packages: Unfortunately your comparison doesn't hold much weight because every software vendor I've ever dealt with, Microsoft, Apple, VMware, Cisco, Palo Alto, Ubuntu, etc all maintain support for multiple versions and don't force folks to the "bleeding edge" regardless of issues. In fact, look at what has happened to Microsoft and Apple over the last 2 years, they are having to move to the stance of allowing users to defer updates instead of forcing issues, like loss of data. By saying the majority of folks don't have issues and only those that have problems post is discouraging those folks from posting or pointing out problems due to fear of being singled out. Now I don't know about some folks, but 20+ years in the enterprise infrastructure has taught me one constant, bleeding edge in production is the quickest route to disaster, and the method that Netgate is taking flies in the face of stable production. Now, with that, I have upgraded both of my firewalls to the 2.4.5 release, and guess what, frr still will not start on one and not run reliably on the other, and there's no log entries or indications of why the situation is occurring. If I had this running in my business and I lost BGP in this fashion, I would no longer have this vendor in my environment. Plain and simple. I understand Netgate tries to test and validate as much as possible before releasing new software, but the reality is they cannot test for every possible use case and scenario, and I wouldn't expect them to be able to either, which is why I would rather have the option of testing a new release in my lab before being forced to place it in production, or have the option to hold off any new releases for several weeks. Personally, I do not want my production to be anyone's guinea pig environment, and I avoid testing in production at all costs, and the current way Netgate does the software push doesn't allow me to easily do this. 
What I said about who posts and who does not is generally true. It's not meant to single anyone out. Just to point out that it is not a reliable indicator of how "bad" some particular issue may be. No matter. My intent was not to pick a fight with you or argue. Just wanted to point out there are reasons for how some things are handled when it comes to free open-source software. However, in this instance Netgate/pfSense has taken a rather out-of-the-ordinary step of making the prior 2.4.4_p3 release available again, including packages compiled for 2.4.4._p3. Search the recent forum posts and you will see how to roll back.
  • pf 2.4.4-RELEASE Navigation Link Broken

    0 Votes
    8 Posts
    755 Views
    @Gertjan said in pf 2.4.4-RELEASE Navigation Link Broken: Thanks for the confidence in the latest pfBlockerNG-devel. Still a bit hesitant to pull the trigger.
  • Loss of Display After Unplugging Monitor

    0 Votes
    4 Posts
    489 Views
    NollipfSense
    @BlankSpace No...your built-in graphic card may be going out but again that's not a pfSense issue.
  • First Crash after upgrading to 2.4.5

    0 Votes
    5 Posts
    625 Views
    @stephenw10 said in First Crash after upgrading to 2.4.5: What were the two tunables required, for reference? e.g dev.igb.3.fc = 0, and dev.netmap.buf_size= 2048
  • how to access surveillance station from LAN using external IP ?

    0 Votes
    2 Posts
    410 Views
    Rico
    https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html -Rico
  • Identify and open ports required for client outgoing traffic?

    0 Votes
    4 Posts
    354 Views
    I presume by sniff you mean diagnostics -> packet capture? I'll try that, and feed it into wireshark. I've only used wireshark really briefly before and I'm definitely no network whizz! Thanks!
  • Edit /usr/local/lib/php-fpm.conf

    0 Votes
    3 Posts
    432 Views
    @Simbad said in Edit /usr/local/lib/php-fpm.conf: /usr/local/lib/php-fpm.conf i would like to change: pm.max_children = 8 pm.start_servers = 2 pm.max_requests = 5000 pm.min_spare_servers=1 pm.max_spare_servers= 7 and process.max = 8
  • Installing speedtest-cli

    Moved
    0 Votes
    6 Posts
    1k Views
    stephenw10
    Yup, because Python was upgraded, that is effectively a different package. Steve
  • No downstream/inbound traffic coming in

    0 Votes
    2 Posts
    315 Views
    I've added two new reject rules on interface vlan876. Still not working =(
  • Interface shows down in GUI but active in ifconfig.

    0 Votes
    1 Posts
    322 Views
    No one has replied
  • Loosing connectivity between pfsense and webserver

    0 Votes
    9 Posts
    768 Views
    @Gertjan Both are LAN type interfaces ? Or one of them a WAN ? Suricata is not set for WAN igb0 however is set for LAN igb1, WLAN igb2 If so, and you do not have any NAT rules that you want to protect - or classic firewall rules that permit IPv6 to enter your network(s), you could remove that interface from the list used by Suricata. "There is no need to protect a closed door." @kiekar said in Loosing connectivity between pfsense and webserver: pfSense is consuming 56% That is : pfSense uses more like 6 % on your system - mine is - and your packages ( Suricata ?) is using that whopping 2 gigs. That can double on rule reload, so be careful what option you choose. You'll be close to using swap space with all the drastic consequences that come with it. Will look into it