@viragomann OK many thanks to you and to Mr. SteveITS also you helped me so much.

@itpp21 Maybe if you have read up before posting you would understand why the suggestion. https://docs.netgate.com/pfsense/en/latest/recipes/example-basic-configuration.html

@townsenk64 Hi! Indeed stay away from the 2.5 line of releases. I would love to get back to 2.4.5 -p1 but unfortunately the latest version of pfblockerng is not available on that older version of pfsense. For now 2.5.0 is running fine after I manually upgraded unbound but honestly I am watching it like a hawk. I don’t trust it :(. The moment I can pinpoint some weird behavior in my network to pfsense I am going back to 2.4.5 -p1 with a separate Adguard Home server for adblocking. It is sad. I ran 2.5.1 but that was horrible and nat just kept on dying and the only solution was rebooting. What other solutions are you looking for? I can use some ideas ...

@cog008 Yes Netgate does now offer a certification program! https://www.netgate.com/blog/netgate-offers-self-paced-training-certificataion-for-pfsense-plus.html

I have reinstalled pfsense on zfs without swap encryption, dashboard shows AES is active. Consider this question as closed.

Yes it's quit stable right now, as long dev doesn't change anything, we should be ok.

It is possible that you enable "Block private network and loopback addresses" on your LAN. Just disable it. Go to Interfaces > Lan > Reserved Networks.

@gertjan said in upgrade to 2.5.1 no internet: The best log in this case is the DHCP server log. Disconnect any of the PC that isn't working. Look at the DHCP log. Connect the PC back in the network. Do you see a DHCP negotiation between your PC and pfSense in the log ? If yes : check with your PC the network settings : mask, network, IP, DNS and gateway. All these 4 settings are ok ? Concerning pfSense : You changed any DNS setting ? As an update, I have been so busy with work (I run my own business so that problem is a good problem to have) that I have not had time to get through all your (above) suggestions. It did dawn on me that I am running a Pi-hole to capture all the ad junk. To test if Pi-hole was the issue, I disabled it and restarted Pfsense and computer on LAN. No luck, still no internet for computers or tablets. Let me get through your above list and I'll be back here this weekend. Patience is needed for this, I know.

For Cyberghost settings, please look at this post. https://forum.netgate.com/topic/163029/cyberghost-openvpn-on-pfsense/

Yeah I get it while its still in use. And I agree laziness is top of list ;) What is sad is that your camera system is how old.. That they thought ftp was fine when it was designed is the real problem. While sure they could still have it as an "option" it doesn't support sftp? Or webdav or just plain https for moving files? So pretty much the rest of the net is all encrypted these days.. But ftp - yeah lets send username and password in the clear, and not encrypt any of the data being sent. But someone "reading" a website public data - yeah that needs to be secured via https ;) Not that long ago, many websites were just http, and only the login info was sent via https. Asking for a IP of a public website for via a couple of udp packets - yeah lets wrap that in encryption and overhead of tcp.. Think we have gotten a bit off topic ;)

@bhjitsense I did two upgrades to 2.5.1 and both failed. the one in my house the openvpn did not work. I had to re-install and restore. Also had to change the VPN configuration to NordVPN. The one in my office which is multiwan also failed in WAN1 (email and webserver). I had to reinstall 2.4.5 and restore. I do not know what is wrong on 2.5.1 but next time I will check the forums before I upgrade again

My concern here is not leaving the LB2120 LTE modem powered-on all the time. My concern is that to have the LB2120 handle fail-over it will sit powered-on between my cable modem/LTE connection and my SG-1100 with just the Netgear firmware to protect against attack. From what I can determine from the manual, it would need to be in router mode so it's IP address doesn't change when failing-over to LTE with the SG-1100 in the DMZ with only the LB2120 password to protect it. I'm not sure I trust Netgear that much. For pfSense to handle the fail-over, the LB2120 will be connected to OPT1 or another interface as another gateway. The issue is that the LB2120 provides no control over when to dial-out or disconnect. So it just sits there connected, and slowly using my monthly data allotment. Is there a LTE modem that will automatically dial-out and then disconnect the line when not used after some period of time? Frank

@remie2000 said in Logging still not working properly with v2.5: Due to compliance rules I need to log everything that hits the firewall. So your not from planet earth. Or you have to oblige to rules created by people that really don't know what they talk about. Really, 'they' asked you to store all incoming data in a file on a disk ? Throw this in Google : " can I record a DDOS attack ? " The TCO would be millions. If you want to be part of a public network you should accept that every member of that network can communicate with you when they want. Up to you to try to record to record every packet that's thrown at you. Start by buying a box with very good cigars. Edit : OVH, in France, co - developed an anti DOS system - called "VAC". The price tag is/was mind blowing. And they don't record, just keep traffic in memory, the time it takes to judge if it's part of a DOS or not.

There is a built in wizard already. With it you set up the basics of the virtual interface, create a certificate, automatically makes the firewall entries, generate certificates for users, I'm not quite sure where this request is going. There is in fact a large market for this request...If it were truly auto-configured out of the box, that would be what most people call a 'back door'. People pay good money for reliable back doors. One can't also assume every installation has a failover partner. Certificates are good, and generating them is simple. If you want something with a 8 character username password combination instead of a large cryptographic cypher...well that isn't a VPN at all...

@kiokoman said in Shutting down by Windows command?: "C:\Program files (x86)\puTTY\plink.exe" -ssh -root@pfsenseip -pw <password> poweroff That's great! I'll try and post later. Thanks, guys!