@kiokoman it's a production node so it's hard :( And to disable a VTI requires to unassign the interface, and so on, I cannot simply disable the P1. Meantime I've found a small workaround. I noticed in logs many events related to "change of dynamic IP address" related to my IPSEC tunnels (please note that I work only with static IPs). This triggered some kind of refresh of configuration, and php started to consume all CPU during that refresh. So I disable monitoring on all tunnels, and this mitigate the problem because it seems that pfSense does not reload configuration many times every day as before. Still the problem is on, so if I manually save changes and reload config it starts to eat CPU

@LakeWorthB I have since rebuild the pfsense box, so I can't confirmed what caused it.

I think this worked for me also. Is there a way to check? When I place the usb drive in a Windows box I can not see the file. Also how will I restore it after rebuilding the broken PfSense box? Thanks Joe

did you disable Hardware Checksum Offloading ? Wow, just straight to the point. This was it. Thank you so much!! btw, also interesting: This will take effect after a machine reboot or re-configure of each interface. the GUI says at this option, but it worked immediately when I hit save. Anyway, thanks for taking your time, I had already lost hope it would be so easy in the end

There are people here I have come to trust. I value their experience and their judgement. Taking their advice is sometimes not comforting or confirming. It's not like running off to your media bubble. The truth is they have, collectively, a few lifetimes of experience and the wisdom that comes from the scar tissue they have accumulated. Please also keep in mind you're getting this for free.

@sdh9 said in Can't get Thinkpad to connect: The only things I see blocked for this client's IP are: Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:60943 [ff02::c]:3702 UDP Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:64844 [fec0:0:0:ffff::1]:53 TCP:S Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:56567 [fec0:0:0:ffff::1]:53 UDP Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:59977 [ff02::c]:3702 UDP Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:56567 [fec0:0:0:ffff::2]:53 UDP Nov 14 14:48:30 LAN Default deny rule IPv6 (1000000105) [fe80::31d1:ca81:6370:f0e4]:56567 [fec0:0:0:ffff::3]:53 UDP My provider does not give me an IPv6 address, so I'm not sure what is happening here. The fe80 addresses are link local. Every IPv6 capable device has one of those. The fec0 addresses are the deprecated site local addresses. I have no idea where they are coming from. Perhaps the MAC addresses will tell you.

Yeah thats the PPPoE issue, I saw it in the fixed issues list for 2.5.0 and that its targeting that release so I assumed it wasnt in yet? Thats the exact same behavior im seeing on 2.4.5-RELEASE-p1, if I make a change to any interface PPPoE goes down and theres no way to recover (reliably) without a reboot. I am also doing PPPoE over vlan. The NAS is not configured to route traffic as far as I can tell, I didnt set that up or at least not intentionally. It used to use just the gigabit ethernet connection but I got a 10gig card for it a few months ago and set that up. Rather than remove the old networking config I just unplugged the cable. I agree its probably bridge as a switch issue. Even after 2 hours combing through every config and every log, I still cant make heads or tails of it. The only thing I can think is that because Port 1 is the "main" bridge interface, maybe it didnt like having so many different machines connecting on it? Because aside from being the main interface, thats absolutely no difference in configs between it and Port 4 that I can see. The only difference physically is that Port 1 has a single, non-switched connection, where as Port 4 has 10 different machines across 2 switches on it. At some point I will get a 10gbe sfp+ capable switch so I can have just one each WAN/LAN interface in pfsense and really simplify the config, but theyre just too expensive to justify right now when this config works, at least when im not breaking it by being dumb :)

@kpa said in User Password Maximum Length/accepted characters?: I wonder what are you trying to accomplish with such long passwords  ::) Password length is irrelevant as the hash length should remain the same. In fact, there could be an infinite number of passwords that return the same hash. Your mission, should you decide to accept it, is to find all those passwords.

Yup I initially assumed this was spam but doesn't appear to be. And, yes, there are many good options here that don't require installing nano. However it is in our repo so it can be installed using pkg install nano. Steve

Hello, I found out of this problem in the end. It seems like the EgdeSwitch X10 was the reason of the dropouts. Have not happend for over 10 days now. Thank you for all the help!

@AKEGEC do you have a content extension that works with 7.3.3 CE version? I have installed the Netgate pfSense DSM but I am experiencing problems while installing Polo's pfSense content extension.

@serbus said in SMTP: Failed to connect socket: stream_socket_client(): unable to connect to ssl://: Hello! https://redmine.pfsense.org/issues/10317 John That one was solved 2.4.5-p1 is good.

It's working! for the first time in over a month! I was on the phone with Centurylink and tried it again and it worked!

Clients may not need a certificate if it's an auth-only setup. The client GUI can't know what the server expects, the user has to configure it properly. There is only so much foot-shooting the GUI can prevent.

I assume that was not during a test since it shows 100% idle on all CPU cores. Can we see the loaded output during a test? Steve

As a hint: see here why do not use schedeule for block rules ! https://forum.netgate.com/topic/156963/scheduled-block-rule-does-not-seem-to-block-existing-established-connections/5?_=1600535854178 is there no other way round ? than to shut down the interface ? brNP

@edmond this is a sweet one ! thx gonna try this ;)

Thanks. I updated it to 4000000. Hopefully I will not see all those errors again as was reported by others in those threads

Yes you can keep the other settings in place. That way if you have clients that are not using pfSense, for DNS for whatever reason, they will still be able to hit the servers using the url. Steve