@ifixit not enought information but if i have to guess you need to set the vswitch to vlan10 or vlan4095 if you have configured vlans on pfsense

I would suggest as a first move installing some monitoring tools with historical data, for example telegraf (influxdb + grafana on separate machine) will show dropped packets, pf metrics, system ....

The interfaces themselves must be set as static. You would only set them to DHCP there if you want them to pull an IP from some other DHCP server, like you would for a WAN interface. You to enable a DHCP server instance on those interfaces in Services > DHCP Server. Doing that will allow a client connected to them to pull a lease in the correct subnet. Steve

EXTRA CONTENT: Configure the WebGUI to use HTTPS (port 443) using pfSense's terminal/console/shell. Using option 12 ("12) PHP shell + pfSense tools") perform the commands... $config['system']['webgui']['protocol'] = "https"; $config['system']['webgui']['port'] = "443"; write_config(); exec; ... and exit... exit Use option 11 ("11) Restart webConfigurator") to restart the WebGui. Test WebGUI access (HTTPS, port 443)... curl -k https://10.2.0.101 NOTE: Use "-k" flag to avoid "curl" give the "SSL certificate problem" error message. This will workaround it allowing insecure connections. [Ref(s).: https connection using CURL from command line ] NOTE: Requests on port 80 (HTTP) will automatically be redirected to port 443 (HTTPS). TIP: This file contains many of the ways that pfSense uses to consume its settings... vi /conf/config.xml ... based on these templates we can define ways to use option 12 ("12) PHP shell + pfSense tools") to perform configurations like this example... $config['system']['webgui']['port'] = "443"; write_config(); exec; . Thanks! =D

@sdok said in Install Plex Media Server along side?: I donno if it will come out 1:1 in the end. Yeah there for sure would be some config issues with interface names.. em vs vmx, igb, etc. depending on what the hardware is and vm naming, etc. How complicated is the config - rules, other packages, vlans, etc. etc. A vanilla sort of config can be up in minutes for sure.. Just clean without any restore, etc. You could spend way more time trying to figure out how to manipulate the xml to work as restore on different vm software vs just doing clean from scratch setup - depending on how far your away from just base install.. wan/lan = internet sort of thing.

@gabacho4 I thought i was alone on this issue but it seems there are few people having this issue https://redmine.pfsense.org/issues/11979

@viragomann, thanks a lot buddy!! that's totally fixed the GW off-line issue. That's the way it came from the ISP but never actually noticed the mask is 255.255.255.255. Good catch! hats -off!!! I can now carry one with rest of the config. -San

@stex there was bugs in privileges. Maybe this helps: docs.netgate.com/pfsense/en/latest/troubleshooting/authentication.html

Thank you for the link, however sadly it does not cover the questions that were asked and only covers a basic network setup and the most useful add-ons to install. I know putting the pfsense in front of the UDM Pro would be the easiest thing to do however would this not log all traffic shown as coming from the WAN interface IP address of the UDM Pro? This is not what I want to achieve as I want to monitor all traffic from all internal Vlans showing the original devices IP address. In and out? Sorry if I did not make it clear.

@viragomann Ah, okay got it. I thought I could do it with the admin user I setup through the GUI but I had to SSH into the machine using root@192... all good now, thanks!

Below is the complete process to enable access to the pfSense's server sshd (ssh, port 22) from a private network... Using option 8 ("8) Shell") turning off the firewall with the command... pfctl -d ... and access pfSense server through the ssh (port 22)... ssh root@<PFSENSE_SRV_IP> ... using the initial password "pfsense". TIP: We recommend changing the initial password. Using option 12 ("12) PHP shell + pfSense tools") perform the commands... unset($config['interfaces']['wan']['blockpriv']); write_config(); exec; ... and exit... exit Using option 8 ("8) Shell") again, add a rule to allow access through port 22 on the wan interface... easyrule pass wan tcp any any 22 TIP: The "any any" parameters allow you to restrict the source IP and destination IP respectively. NOTE: The above command will turn on the firewall (same as pfctl -e) and this will drop the ssh connection (port 22), but the ssh connection will be allowed. PLUS: For more explanations about why private networks and loopback addresses are blocked by default on WAN here Block private networks - What does that do, what is it used for ? and here Address Allocation for Private Internets.

If you're actually hitting the max processes limit something is amiss. If you are though you should see it in Status > Monitoring. Do you see a slow rise in the processes number or a spike just before it crashes? Steve

You don't really have a choice there if the CA changes. You don't need to adjust the clients if the server cert changes (even the key) so long as it uses the same CA, perhaps that's what you were thinking of. There may be some song-and-dance you can do with an intermediate cert but if the root expires, clients still need to know about the new root. Browsers solve this by stuffing the new root CAs in various updates as they go, VPN clients have to do the same. Users should be conditioned to be periodically updating their VPN client software anyhow. OpenVPN frequently has updates for security and other issues. There won't be a real "fire and forget" setup where you can get away with never updating the client, especially with OpenVPN.

I suspect it would have. That's what has happened in the past during similar situations when I've tried it. Granted the last time I tried any time-based shenanigans with RRD was many many years ago. I don't think it's changed that much in its core though.

Thanks Kiokoman

Hi @stephenw10, Thank you! You're correct regarding using bridges with HA configuration. As sample, below is the scenario that I have tested. [image: 1623309908498-screen-shot-2021-06-10-at-15.46.59.png] As shown the switches SW3 and SW4 aren't interconnected to avoid loops. For redundancy I use a combination of LACP in failover mode and VRRP IP as default gateway instead of use pfSense CARP configuration. The reason to enable HA is to have the pfSense Sessions, Alias and Rules synchronized. For the servers behind, as shown WB1, there's two connectivity ways; Master to SW3 (SW4 as Backup) WB1 Master to SW4 (SW3 as Backup) * WB2 Image It means, both pfSense can handle traffic simultaneously. Although being configured as HA Master / Backup they work as Active / Active. Did you had some experience like that before? Regarding the hight CPU interrupt time % issue. After change the parameters below, the performance looks better then before. I still monitoring it. System Tunables net.link.bridge.pfil_bridge = 0 to 1 net.link.bridge.pfil_member = 1 to 0 MY

@godhead83 pfSense WAN interface needs to be configured as PPPoE VLAN ID 101 is default and assigned by the Modem. BT uses VLAN101 by default. When you configure the WAN interface do you see a IP Address ? Contact Vodaphone and ask them for a Username and Password if you haven't already.