@NogBadTheBad Thanks, for support

Well it is up to the ISP device to provide reasonable support for a customer-owned firewall device while still providing the necessary IPTV, etc functionality.

That blog post is wrong (at least partially ). You should add that to /boot/loader.conf.local to avoid it being overwritten. See our intructions for that here: https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html?highlight=kern%20vty#upgrading-from-versions-older-than-pfsense-2-4-4 Steve

Yes, if you create a single interface bridge and use that as the VLAN parent you can set a MAC address for the bridge. I've never tried more than one though. Steve

I confirm. All virtual NICs were connected to one switch, this switch was not connected to physical NIC of course. Now I have recreated the setup. Each virtual NIC is connected to separate virtual switch. Problem is gone. Thank you for your help!

@johnpoz ok, i didn't understand where to look. but now i have new problem. the sg-1100 seems to have failed. i t seems to be completely dead. the pwr light comes on but none of the ports do anything. i tried connecting to the console via putty, no response. also it doesn't get warm any more. i emailed support to see what to do.

It's not an nmap package problem, but a general problem that affects several packages the way they display output from certain utilities: https://redmine.pfsense.org/issues/8502

It's been a while but the Business Hub was BTs device they gave you if you ordered a subnet of static IPv4s as well as some other "business" features. But I think it used a numberless PPP connection or something similar to give you the entire subnet on the LAN which pfSense cannot replicate. That may have changed, it was a few years ago I hit that. Steve

I know I had some trouble with my DHCP address that if I made changes on the physical or hypervisor side, pfsense would not pick up the changes without a restart. Though I have since rebuilt the pfsense VM and am not having this issue on this install. I made the DHCP address as WAN1 instead of WAN2, not sure that it made a difference or not.

If you are using putty in Windows (or Linux) you can just enable logging there to get a file directly. Most terminal clients will have enough scroll back anyway to just copy and paste it out. You would need to just leave it connected and wait for it to reboot unless you are able to predict when it will happen. Steve

Here is a rule I setup (but it's currently disabled as you can see from the screenshot) to keep 1 single device from accessing anything off it's own subnet, thru the firewall. In my example, the host at 10.0.1.116 is blocked to any destination. [image: 1572463430021-screen-shot-2019-10-30-at-2.17.13-pm.png] Like @johnpoz says, you have to have this rule above the default allow any to any rule. Jeff

Maybe if it's sending enough queries to be limited.

@johnpoz said in Please drag your screenshots into the message if you want help: emailing a bunch of bots or spammers When signing up - spammer or real person, a mail validation is used. I wasn't proposing a new mail .... just an extra line in the already existing mail with "see here for some help about how to ask questions ...."

@johnpoz Noted sir, Thank you. I will post another topic regarding failover, again that one is with VLAN problem :) Thank you for early christmas gift. new Knowledge ehehe

I can't say I can ever remember seeing a 'bug' that resulted in a loss of interface configuration like you describe. Maybe the filesystem was so trashed that the configuration was lost, but in that case you'd have to do a lot more than just reassign interfaces. So I suspect that maybe it's not quite exactly as you describe. But since you don't have a monitor hooked up when it fails, you can't really tell what happened for sure. When it does fail, you need to look back in the boot log and see what it's really complaining about. (Press scroll lock on the hardware console keyboard and then use the page up key to go back in the buffer, then scroll lock again to get out) It wouldn't surprise me if it's related to that hardware, given its track record/reputation, but it's entirely possible it's a red herring and you're chasing the wrong end of the problem.

You can get it done in a short maintenance window without bothering with the insecure old version. Get the new hardware up on 2.4.4-p3 without any extra configuration Restore your current config to this box -- it will be your new primary Swap in the new box in place of the old If it all works, then you take the old hardware, install 2.4.4-p3 on it and now that's your new secondary. If it didn't work, then you still have your current 2.4.4-p2 box and can swap it back in place and then investigate why it failed. If you want an extra dose of safety, then swap out the disk in the current system so you have the running copy of 2.4.2-p1 preserved. If you can't get enough of a maintenance window to do it properly, it's a management issue, not a technical one. Trying to force you to work with zero downtime is insane and shouldn't be encouraged.