• Redirect NTP to pfSense not working for me

    19
    0 Votes
    19 Posts
    3k Views
    stephenw10S
    Yes, the ntpd daemon is not the same as the ntp client. Yes, the server listens on all interfaces by default but that's not a problem unless you are allowing ntp traffic into WAN with a firewall rule. Steve
  • Bitcoin Mining Detection

    Locked
    13
    0 Votes
    13 Posts
    2k Views
    stephenw10S
    Locking this. It's just attracting spam at a ridiculous rate.
  • No DHCP on one network port under bridge

    bridge dhcp
    3
    0 Votes
    3 Posts
    704 Views
    B
    @stephenw10 Thanks Steve for your reply. Switch 2 was connected to igb2 and was not communicating. DHCP works correctly for both vlan1 and vlan67 on Switch 1, which connects to igb1. I had added rules to both LAN (bridge0) and WiredLAN2 (igb2) to log any rejected events but there was nothing when Switch 2 was plugged in/out of igb2. Worse still, I started to observe about 0.5% errors out on the LAN interface even with igb2 open. Snort was not reporting anything on LAN under the bridge config. These 2 factors are enough for me to pull back from this bridged config. Thanks again for your advice anyway.
  • Tagged & Untagged traffic on a LAGG interface

    14
    0 Votes
    14 Posts
    1k Views
    JKnottJ
    @stephenw10 said in Tagged & Untagged traffic on a LAGG interface: There is a whole thread on here about a switch that does just that. I have one. That is a well-known defective switch. TP-Link had the same problem with an access point as well. I haven't heard of that happening with any other brand. Again though, if you're running VLANs on a LAN, you're still going to need untagged to talk to many devices that do not work with VLANs. BTW, you can do what I did with my TP-Link switch. I configured it as a data tap, where that tagged VLAN problem is not an issue.
  • Netgate shared root with ISP? ¯\_(❞⦈)_/¯

    Locked
    46
    0 Votes
    46 Posts
    8k Views
    jimpJ
    Locking this. If no solid evidence has turned up by now after they have been asked repeatedly for details, they are trolling or otherwise being deliberately disingenuous with their posts.
  • iperf bitrate differences... why?

    networking iperf
    6
    0 Votes
    6 Posts
    3k Views
    gnitingG
    Yes, it is official, I am stupid! I use limiters and I had them also acting on my LAN interface! I've now updated the relevant firewall rule to only apply when "destination NOT LAN net." With that change, iperf is now back to normal.
    Connecting to host 192.168.7.1, port 5201
    [ 5] local 192.168.7.2 port 58164 connected to 192.168.7.1 port 5201
    [ ID] Interval Transfer Bitrate Retr Cwnd
    [ 5] 0.00-1.00 sec 74.1 MBytes 622 Mbits/sec 0 840 KBytes
    [ 5] 1.00-2.00 sec 70.0 MBytes 587 Mbits/sec 0 1.53 MBytes
    [ 5] 2.00-3.00 sec 70.0 MBytes 587 Mbits/sec 0 1.70 MBytes
    [ 5] 3.00-4.00 sec 71.2 MBytes 598 Mbits/sec 1 1.24 MBytes
    [ 5] 4.00-5.00 sec 70.0 MBytes 587 Mbits/sec 0 1.37 MBytes
    [ 5] 5.00-6.00 sec 70.0 MBytes 587 Mbits/sec 0 1.47 MBytes
    [ 5] 6.00-7.00 sec 70.0 MBytes 587 Mbits/sec 0 1.55 MBytes
    [ 5] 7.00-8.00 sec 70.0 MBytes 587 Mbits/sec 0 1.61 MBytes
    [ 5] 8.00-9.00 sec 70.0 MBytes 587 Mbits/sec 1 1.18 MBytes
    [ 5] 9.00-10.00 sec 70.0 MBytes 587 Mbits/sec 0 1.26 MBytes
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval Transfer Bitrate Retr
    [ 5] 0.00-10.00 sec 705 MBytes 592 Mbits/sec 2 sender
    [ 5] 0.00-10.02 sec 703 MBytes 588 Mbits/sec receiver
    iperf Done.
    Thank you @johnpoz @stephenw10 for the hints and setting my mind on the right path.
  • System keeps crashing.

    4
    0 Votes
    4 Posts
    514 Views
    stephenw10S
    Then the safest and fastest thing to do is back up your config, install 2.4.5p1 clean and restore the config into it. Steve
  • Lost web access

    5
    0 Votes
    5 Posts
    593 Views
    L
    @chrcoluk I did try that. Nothing, unfortunately, another ticket that I didn't was a restart to factory defaults.
  • SSH admin password should be the same as web admin right?

    12
    0 Votes
    12 Posts
    2k Views
    GertjanG
    @nbctcp said in SSH admin password should be the same as web admin right?: Could pfSense use port knocking like Linux did? I mean telnet other port 3x then it will open port 22. Way back - like last century, I used such a method to gain access to private resources, while published on public networks. It worked well. These days we have (Open)VPN ;)
  • avahi mdns with pihole and pfsense

    3
    0 Votes
    3 Posts
    2k Views
    T
    Hi @ACNiC - I've got a similar setup as yours with Pi-hole as the first DNS server and pfSense upstream. Avahi works just fine and I've never had any trouble with mDNS even with the IoT devices (such as Google Chromecasts, etc.) located on a different network segment than other devices. Couple questions: What exactly do you mean by "casting is not working"? Is it that you can't see / connect to e.g. Chromecasts from a device in a different network segment? Are your firewall rules set up properly to allow the necessary traffic to flow between device and IoT network so that casting can work? What options do you have checked under "Advanced DNS Settings" in Pi-hole? Hope this helps.
  • CLI commands

    7
    0 Votes
    7 Posts
    4k Views
    N
    @serbus what command in php shell to reboot webconfigurator because I don't want to reboot system
    After testing various methods. Only viconfig and php shell work perfectly
    GOAL: Change Web GUI from http to https
    OPTION1
      open http://ipaddress
      go to System/Advanced/Admin Access
      STATUS OK
    OPTION2
      open gui console
      8) Shell
      viconfig
      change webgui part from http to https
      /etc/rc.restart_webgui
      STATUS OK
    OPTION3
      open gui console
      12) PHP shell + pfSense tools
      parse_config(true);
      $config['system']['webgui']['protocol'] = "https";
      write_config();
      exec
      exit
      open gui console
      11) Restart webConfigurator
      STATUS OK
    GOAL: Change Web GUI from https to http
    OPTION1
      open http://ipaddress
      go to System/Advanced/Admin Access
      go to gui console
      11) Restart webConfigurator
      STATUS GUI appeared, type username/password but can't login
      Shell shown "php-fpm[341]: /index.php: Successful login for user 'admin' from: 10.0.1.1"
    OPTION2
      open gui console
      8) Shell
      viconfig
      change webgui part from https to http
      /etc/rc.restart_webgui
      STATUS OK
    OPTION3
      open gui console
      12) PHP shell + pfSense tools
      parse_config(true);
      $config['system']['webgui']['protocol'] = "http";
      write_config();
      exec
      exit
      open gui console
      11) Restart webConfigurator
      STATUS OK
  • use old router as just a vpn server?

    3
    0 Votes
    3 Posts
    552 Views
    stephenw10S
    Yes I would just move the required elements to the new install and you still wouldn't have to change the clients. But, yes, you could just forward traffic through the new unit to the old device as a VPN server. It's very easy to end up with an asymmetric route if you do that though. Steve
  • pfSense kernel panic as soon as it completes startup

    5
    0 Votes
    5 Posts
    692 Views
    lifeboyL
    Doing fsck -y 4 times found more errors each time and after that, it all started up!! Thanks!
  • Issue with Comcast/xfinity

    7
    0 Votes
    7 Posts
    2k Views
    C
    Update. I have swapped out the cable modem and this has solved my issue. Old modem was an Arris TG1682G. Upthread I said technicolor, I was wrong. New one is an Arris SB6190. I don't know if it was swapping the hardware or if the provisioning at comcast reset something, but it has been working for the last hour.
  • Problem with File Sync softwares

    5
    0 Votes
    5 Posts
    460 Views
    F
    We are using Google's DNS servers, nslookups don't fail.
  • 0 Votes
    2 Posts
    423 Views
    dimnovotnyD
    This happens with any web browser, too. Non-https web browsing works mostly fine when switched over to that mode but the status "up/no carrier" images on the Interfaces widget, the Traffic Graphs, the circle refresh symbol, etc. do not load immediately or correctly.
  • diag_traceroute

    18
    0 Votes
    18 Posts
    2k Views
    RicoR
    The system in production I've seen this first is SG-5100 with WAN igb0 and WAN2 ix1. My lab testing is VMware. -Rico
  • PFSENSE Crash Report

    8
    0 Votes
    8 Posts
    1k Views
    X
    Hello, what problem is this?
    Crash report begins. Anonymous machine information:
    amd64
    11.2-RELEASE-p10
    FreeBSD 11.2-RELEASE-p10 #9 4a2bfdce133(RELENG_2_4_4): Wed May 15 18:54:42 EDT 2019 root@buildbot1-nyi.netgate.com:/build/ce-crossbuild-244/obj/amd64/ZfGpH5cd/build/ce-crossbuild-244/pfSense/tmp/FreeBSD-src/sys/pfSense
    Crash report details:
    No PHP errors found.
    Filename: /var/crash/info.0
    Dump header from device: /dev/label/swap0
    Architecture: amd64
    Architecture Version: 1
    Dump Length: 71680
    Blocksize: 512
    Dumptime: Thu Aug 20 22:23:13 2020
    Hostname: Pfsense5.mtz.jovenclub.cu
    Magic: FreeBSD Text Dump
    Version String: FreeBSD 11.2-RELEASE-p10 #9 4a2bfdce133(RELENG_2_4_4): Wed May 15 18:54:42 EDT 2019 root@buildbot1-nyi.netgate.com:/build/ce-crossbuild-244/obj/amd64/ZfGpH5cd/build/ce-crossbuild-244/pfS
    Panic String:
    Dump Parity: 692791847
    Bounds: 0
    Dump Status: good
    Filename: /var/crash/textdump.tar.0
    ddb.txt
    db:0:kdb.enter.default> run lockinfo
    db:1:lockinfo> show locks
    No such command; use "help" to list available commands
    db:1:lockinfo> show alllocks
    No such command; use "help" to list available commands
    db:1:lockinfo> show lockedvnods
    Locked vnodes
    db:0:kdb.enter.default> show pcpu
    cpuid = 0
    dynamic pcpu = 0x898380
    curthread = 0xfffff8000481d000: pid 12 "irq21: fxp0"
    curpcb = 0xfffffe004d975cc0
    fpcurthread = none
    idlethread = 0xfffff800042e7000: tid 100003 "idle: cpu0"
    curpmap = 0xffffffff82b85998
    tssp = 0xffffffff82bb6810
    commontssp = 0xffffffff82bb6810
    rsp0 = 0xfffffe004d975cc0
    gs32p = 0xffffffff82bbd068
    ldt = 0xffffffff82bbd0a8
    tss = 0xffffffff82bbd098
    db:0:kdb.enter.default> bt
    Tracing pid 12 tid 100066 td 0xfffff8000481d000
    __mtx_lock_sleep() at __mtx_lock_sleep+0xcd/frame 0xfffffe004d975620
    syncache_lookup() at syncache_lookup+0xc9/frame 0xfffffe004d975650
    syncache_add() at syncache_add+0x16e/frame 0xfffffe004d9757a0
    tcp_input() at tcp_input+0x1410/frame 0xfffffe004d9758e0
    ip_input() at ip_input+0x139/frame 0xfffffe004d975940
    netisr_dispatch_src() at netisr_dispatch_src+0xa8/frame 0xfffffe004d975990
    ether_demux() at ether_demux+0x173/frame 0xfffffe004d9759c0
    ether_nh_input() at ether_nh_input+0x32b/frame 0xfffffe004d975a20
    netisr_dispatch_src() at netisr_dispatch_src+0xa8/frame 0xfffffe004d975a70
    ether_input() at ether_input+0x26/frame 0xfffffe004d975a90
    if_input() at if_input+0xa/frame 0xfffffe004d975aa0
    fxp_intr() at fxp_intr+0x411/frame 0xfffffe004d975b20
    intr_event_execute_handlers() at intr_event_execute_handlers+0xe9/frame 0xfffffe004d975b60
    ithread_loop() at ithread_loop+0xe7/frame 0xfffffe004d975bb0
    fork_exit() at fork_exit+0x83/frame 0xfffffe004d975bf0
    fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe004d975bf0
    --- trap 0, rip = 0, rsp = 0, rbp = 0 ---
    db:0:kdb.enter.default> ps
  • Is this dumb? Probably, but still........

    5
    0 Votes
    5 Posts
    578 Views
    B
    That thread hit the nail right on the head as far as I can tell! Awesome! I knew I wasn't searching the right terms, but I couldn't figure out what to use. Thanks for the help!
  • fail NO_TRAFFIC:SINGLE

    1
    0 Votes
    1 Posts
    642 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.