• 0 Votes
    4 Posts
    1k Views
    V
    That's nice! Thanks for the reply, that solves much of the issue. I simply did not find the Serial for next certificate since I had my mind wrapped around looking in the settings for the certificate creation, not editing the CA. My bad! How much help you give the user is always something that can be discussed, but sure I can agree with this as long as the serial can be changed. Thanks for the quick reply!
  • 0 Votes
    35 Posts
    4k Views
    JKnott
    @Derelict said in Gigabit installed but speed tests are sub 300 Mbits, Verizon says it's pfsense but can't prove it's not.: @kiokoman I don't understand the reluctance to pay a knowledgeable professional for something so important. I just don't. It's all about cutting costs, forgetting that also costs in what's delivered. I believe the term is "false economy". Also, I have worked as a tech for many years. One thing I've often noticed is many others only learn as much as they need to do the job and little else. As a result, they can generally do their job, but get stuck when something unusual comes along. I have always tried to learn more.
  • Automatically configure with default settings using command line

    0 Votes
    5 Posts
    511 Views
    B
    @kiokoman Thanks - that should work
  • No Internet on WAN Interface

    0 Votes
    10 Posts
    1k Views
    stephenw10
    Run a packet capture on WAN and see what's there. You should see some traffic even if it's only failing ARP messages. Steve
  • I am having a similar issue. @felwsaerius, did you get a work around?

    0 Votes
    2 Posts
    141 Views
    stephenw10
    From 2013?! Even if he did, whatever issues he may have been hitting have probably been fixed. Guessing I'd say that user's ISP was not routing those IPs to him. So either the ISP had not enabled it yet or he needed VIPs on WAN they can ARP for. Reading your other thread I would say your ISP is not routing that IP to you. Call them. Steve
  • FluentCloud Webphone - No audio in either direction

    0 Votes
    16 Posts
    2k Views
    stephenw10
    Urgh. I hate when that sort of solution works! At least it does work though. Steve
  • Change admin password using shell script

    0 Votes
    4 Posts
    245 Views
    B
    "sudo pfSsh.php playback changepassword admin" worked. Thank you very much. "sudo passwd admin" - goes through the motion but admin password doesn't change.
  • Package downloader not working

    0 Votes
    4 Posts
    431 Views
    stephenw10
    Nope. That is the current release version. We'd need to see the error to advise further. You might also try running at the command line: "pkg update". That may also throw errors but with more verbose output. Steve
  • Unable to route to IPSEC site-2-site from OpenVPN

    0 Votes
    3 Posts
    184 Views
    stephenw10
    What did you have in mind? You could open a feature request: https://redmine.pfsense.org Steve
  • BUG: auto backup jobs not available in restore menu

    0 Votes
    17 Posts
    1k Views
    stephenw10
    Yes, probably. The new system will be much better in that respect. https://redmine.pfsense.org/issues/9693 Steve
  • Forward to specific IP/port based on FQDN

    0 Votes
    2 Posts
    446 Views
    jimp
    The pfSense base system itself cannot do that, but a reverse proxy such as the HAProxy package can. It has to be a proxy and not at the firewall because the hostname being requested isn't visible in the packet headers when the connection is initiated, it's sent by the client when making the request after the connection is established. At that point it's too late for the firewall itself to do anything. But a proxy can accept the connection, read the request, and hand it off as needed.
  • Ping and Traceroute basics

    0 Votes
    17 Posts
    1k Views
    johnpoz
    The only way to validate rules on an interface is to check from client on that network, you can not test them from pfsense directly.
  • Problem with NTP; different clients give different results.

    ntpd
    0 Votes
    16 Posts
    5k Views
    johnpoz
    Well then you're not talking to pfsense is the only thing I can think of dude.. did you do my test of trying to sync a different client to that same IP you're using..
  • modem dmz to pfsense port forward issues

    0 Votes
    3 Posts
    355 Views
    M
    sorted.. the damn modem had port mappings in it, removing and rebooting to clear the state table fixed it. '....Shakes head'
  • Slower via PFsense than direct WIFI

    0 Votes
    18 Posts
    2k Views
    randombits
    Thanks Steve, Yes, It's quite difficult to nail it down to why I get these speed variations between WIFI and ethernet. The master socket is one side of a door frame and the other is a phone extension socket along with a twin power socket. Don't worry I won't get the PCI version. The whole idea is to have separate devices. It's a pity the V130 isn't POE that would make life easier. I did think about using an existing phone wire (4pairs) as a power cable(12V) for the V130 and power it from another location over that. That would put a V130 right next to the incoming master socket. Then I could use another pair in the same cable as a VOIP extension to the existing phone extension socket. I would only need to put CAT6 up the wall next to the phone cable into the loft.
  • How can I backup a production image?

    0 Votes
    10 Posts
    1k Views
    G
    @chpalmer, thanks for the response:
    @chpalmer said in How can I backup a production image?: @guardian said in How can I backup a production image?: Am I missing something? What I've done in the past is to keep a spare storage device.. Identical to the drive that is in my box.. loaded and ready to go for my site here.
    I might have to buy another drive and do a fresh install to that drive, but I would rather not have to open the box.
    And a spare box ready to go that I can back up to that is kept for several of my remote sites.
    Great idea, it's simply a matter of economics
    I would ask- what if during the action of re-imaging a drive you have problems? You could be fighting an unknown for a longer period and possibly not get there. Then how do you ask for help from a community that has not themselves attempted what you are trying to do? And on a production system that people are counting on..
    That is a possibility, but nothing is risk free. IIUC what I am trying to do should be as simple as:
    1. Boot an install USB into the single user rescue mode
    2. Mount the internal partition
    3. Mount the ZFS slice on the flash drive
    4. Doing a tar czvf.
    A restore would replace step 4 with:
    - rm -rf on the botched install
    - tar xzvf
    Is there any reason this should not work?
    My first question of my people would be- "why did you choose to take that course of action when the manufacturer recommends another?"
    The course of action that I am considering is a fallback only. My plan is to run the upgrade first, if it works, job done, If that fails run a new install, if that fails then use the backup.
    If your connection is indeed that important.. that you have no down time, then you should have a standby at the very least. And you should already know that the latest installer is going to work on the standby. IMHO
    I agree entirely, economics often rules, especially in a home installation.
    @stephenw10 said in How can I backup a production image?: Having a recovery plan is pretty much vital even for a home user if you have any sort of reliance on your connection.
    Agreed
    Your points about a newer version being incompatible with your hardware are valid. Though unlikely IMO. In a commercial setting I would suggest setting up a test install (preferably on identical hardware) and updating that before doing so on the production equipment. That's impractical for most home users. However the cost of small SSDs is relatively low these days. You could get a new SSD swap that out and install 2.5 on it. Restore your config and see what happens. Swapping back to the 2.4.4 SSD is trivial if it doesn't go smoothly.
    That's what I may be forced to do, but I can't see why what I have outlined above shouldn't work. I would certainly work with a linux system (If boot were a separate partition, I would have to make a second tar file for boot). I don't know enough about FreeBSD, but maybe I would need to run some other utility to preserve the boot code.
  • VPN+TOR Setup not working as intended

    0 Votes
    3 Posts
    629 Views
    KOM
    And that solution would be.......?
  • Dual WAN failover tolerances

    0 Votes
    2 Posts
    263 Views
    stephenw10
    Yes you can set the monitoring preferences for each gateway by editing it in System > Routing > Gateways. If you are using packet loss or latency rather than only member down on the group it will trigger the failover. The default settings for throwing an alarm of 20% packet loss and 500ms latency are usually good though unless you have an unusual WAN like a satellite link. Steve
  • 0 Votes
    1 Posts
    686 Views
    No one has replied
  • Adding a 5th VMXNET 3 interface makes my appliance stop working

    0 Votes
    4 Posts
    688 Views
    awebster
    This isn't anything specific to FreeBSD, but rather how VMware maps the NICs into the guest OS. The same issue occurs with Linux. While it isn't always possible to add all the interfaces you think you might need in advance, if you get stuck with this issue, you will need to go match up the MAC addresses VMware has assigned to the NICs to the MAC addresses seen by pfSense, and reconfigure the interfaces appropriately if they have changed.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.