@stephenw10 Understood. Yes, it seems like it was populated wrong. I'll check if the trick with /32 as @bingo600 mentioned will work. Thank you for your reply's.

@stephenw10 Great. Thank you!

@viragomann Awesome!

Set the GUI to authenticate against a RADIUS server, setup MFA on the RADIUS server. You can even do this with the FreeRADIUS package and OTP/Google Authenticator, but it's better when done on a dedicated RADIUS server.

discs.inc is a new file on 21.02 and 2.6.0 snapshots, it is not on 2.5.2. Sounds to me like your system pulled in some parts of snapshots, likely from selecting the snapshot update branch and then making a change to packages without upgrading the firmware first. There isn't likely a bug here, but something broken locally on your system.

The GUI uses 1.2 and 1.3 by default on the current version. Why is it you need to change or restrict this? There are no user options for it. /var/etc/nginx-webConfigurator.conf: ssl_protocols TLSv1.2 TLSv1.3; The captive portal web server config also allows 1.1 because it needs to accept connections from a wider range of clients, such as older clients. If you are using something like haproxy it has its own mechanisms for changing or limiting TLS versions.

Well, it will work. Try it and see. What hardware? What bandwidth? Steve

You can get alerts for gateway events so you only need tune your gateway monitoring to trigger at those levels. I would also set it to monitor something external, like 1.1.1.1. Yes, the usual solution here would be to apply a Limiter to all traffic from a guest subnet so they cannot saturate your WAN upload. Steve

@johnstonf See also here. @johnstonf said in Notification when outgoing rate exceeds limit for time specified: I'm finding that my upload is being loaded, and then slows my whole internet. Then stop doing so !! ;) Btw : You should know this effect exists.

Hmm, you shouldn't normally see any packet loss on the gateway but it may just be the gateway itself under load. Try changing the monitoring IP the gateway is using for something external like 8.8.8.8. Do that in Sys > Routing > Gateways > Edit Gateway. You might also disable the gateway monitoring action (not the actual monitoring) since you only have one gateway. Steve

You can see the state table is the gui in Diag > States but with that many states you would need to enable the state filter requirement in Sys > General setup. Otherwise it will try to display the entire table and at 4M that will hang the GUI. You can also do it from the CLI using: pfctl -ss | grep ??? where ??? is whatever you're looking for. Steve

@ehj-52n said in Mail-Notifications not working: Secure Connection: [X] In that case, it isn't (shouldn't) be port 587 - but port 465. If you have access to the mail server, you should have port 587 which start 'in clear', and after a STARTTLS is issued from the client, the connections switches over to TLS (SSL). Port 465 is like 587 (called submission), asks for authentication etc but everything from bit 0 will by TLS encrypted. This is a classic 'gmail' setup : [image: 1636382726081-24ce6ecf-a0c2-4bf9-ae37-8fe6f7b2712d-image.png] (but, be careful, it might be possible that gmail won't accept connection from an 'unknown' device - mail client like 'pfsense'. See your gmail / Google security settings) You could even consider abbandning port 587 usage, because you control your won devcies, right ? Make them use port 465 (SSL only) and stop having port 587 being used = open to the internet. It's just 'one risk less' to handle. Delivering mails from a client to a mail server is all 'port 465' these days. Nothings goes (shouldn't) out in the open any more. Very comparable to what happened to 'http' : it's game over. It's https now. : be careful with this one. The certificate the (your !) mail server is using should be recognized as valid, like a Letsenscrypt certificate. A self signed cert will fail. I'm using Letenscrypt certs for my Debian + postfix mail server, works great.

@stephenw10 I did not note it down, and compare thoroughly, but in general yes - Same IP / subnet, gateway, mtu / linkspeed. I havent had the opportunity to reconnect pfsense and check the difference, as i have a narrow window in the evening, defined by how tired I am that night :) I tried booting from an opnsense USB, and I had the exact same issue. I then broadened my search to include FreeBSD, and I found a few posts with similar issues for the first time. https://forum.opnsense.org/index.php?topic=11015.0 for instance.

Mmm, where exactly are these 'extra firewalls' ? Like a software firewall on the server(s)?

There would be nothing preventing it connecting out so I would look for it requiring incoming connections (which also seems unlikely). UPnP would definitely fail in a double NAT situation. Can you test it without the Google Nest NAT? Steve

@mrmogoboya said in PFSense Device Unreachable After Reboot: Please Help. It's a PC .... so you could look at the the screen to see what happens. We can't see that screen, so you have yo detail de problem. Billions reasons exist, I can't list them all here ;) A simple advice would be : re install, assign interfaces - and don't change anything else. pfSense will work out of the box, if the hardware is ok.

@viragomann I was not sure but .fortiddns.com domain was not not resolving, I mean it was in DNS lookup and ping but for some strange reason pfsens did not want to use it to let me in. I tested with mikrotik ddns it let me in straightaway, went back to fortigate and swap ddns from "fortiddns.com" to "float-zone.com" also one of the 3 the fortigate you can chose from and pfsense let me in straightway too. glad i tested with the other ddns, just a bizarre error thank you for your help

@rmoran the SG-1100 can not handle 1 Gbps. Take a look at the IMIX traffic speeds - https://www.netgate.com/appliances If you need gigabit down then you bought the wrong device, see this article Choosing the Right Netgate Appliance

I just want to confirm that this is absolutely same experience i had with two completely different machines. I saved the XML configuration from my Protectli box. Then i got brand new desktop machine for my friend which is going to be used as a pfSense firewall. This machine has onboard Realtek NIC and PCIx Realtek NIC. I did fresh install of pfSense on this machine and i was able to access web UI. From there, i restored XML configuration from my Protectli box. Machine rebooted, and interface configuration wizard popped up. Once configured, pfSense booted up and i was again able to access web interface again. Only this time, i was notified that the packages are downloading in the background and that i should not touch anything until its done. Keep in mind guys that Protectli box and this new desktop PC are completely different machines when it comes to hardware specs. The only thing they have in common is that they are x86 machines. Nothing else. And i was able to fully restore my Protectli configuration on it with zero issues. I just had to remove my oink ID in snort, and change web access UI access password and that was it. All packages were installed and configured exactly the same. Even interface assignment in Snort and Squid were correct. I was blown away. The way that pfSense is handling configuration files is absolutely flawless.

@converge The capability is built into pfSense. There are varying ways to set it up, routing certain traffic over one or the other, or prioritizing one over the other. Budget/estimate yourself a few hours to go through it and decide if that is worth setting it all up. :)