• Auto config backup fails often

    10
    1 Votes
    10 Posts
    3k Views
    S
    I finally got to make the change and have been monitoring the last week with great success. We haven't had one error in the last 10 days which leads me to believe that changing the time has fixed the issue we were experiencing. Before we had it set to 00:00 CEST now it's set to 12.00 CEST.
  • libalias-bug in FreeBSD

    4
    0 Votes
    4 Posts
    648 Views
    dotdash
    The firewalling and NAT are done in pf, not ipfw. If you enable the captive portal, it uses ipfw for the CP blocking functions. Perhaps you were thinking of ipfwSense.
  • Increase swap size

    6
    0 Votes
    6 Posts
    8k Views
    Raffi_
    @JKnott said in Increase swap size:
    > @Raffi_ I also wonder why you'd need more swap on a router. However, in the Linux world, it's possible to create a swap file, which serves the same function as a swap partition. Perhaps the same is possible with FreeBSD.

    Thanks, that's a good point. I will not spend any time looking into ways to do it even if it is possible. It was just something I was curious about more than something I needed. If for example it was a single command I could have run and it was fool proof, I would have gone for that. But being that in the case of pfsense it would be a partition adjustment. There is no way I'm doing that. Especially, for something that really isn't necessary as you point out.
  • 0 Votes
    3 Posts
    399 Views
    CodeNinja
    @stephenw10 First of all, thanks for your answer. I tried with Outbound NAT in automatic mode and in manual mode with the rules: WAN1 10.128.10.0/24 * * * WAN1 address * this is not a rule to the WAN 2 where the 192.168.104.0 network exists. Should I make a NAT rule to WAN2? Something like: WAN2 192.168.104.0/24 * * * WAN2 address * ? I also tried to enable the Bypass firewall rules for traffic on the same interface setting. Unfortunately I am still not able to reach the 192.168.104.0 network from the 10.128.10.0 or vice versa. I thought adding a static route on each firewall and adding the correct firewall rule (to allow traffic from the other network on the concerning interface) should do the trick? But as I understand from you, I am missing something (NAT?)? Note that I can ping the Zyxel USG200 interface and devices of the 192.168.104.0 network from the pfSense diagnostics ping tool but not from my computer.
  • Help Me understand

    3
    0 Votes
    3 Posts
    277 Views
    O
    @stephenw10 , Thank You
  • Issue connecting to Cisco switch (long)

    3
    0 Votes
    3 Posts
    549 Views
    E
    Steve, thank you. I read through your post and went at it again after factory resetting the switch and basically putting the OPT interfaces back to how they were when I received the SG5100 from Netgate. OPT1 (ix0), OPT2 (ix1), OPT3 (ix2), OPT4 (ix3) = added but not enabled From there I went to Interfaces => VLANs Define VLAN tag 10 interface ix0 (opt1), VLAN tag 20 interface ix0 (opt1) Enabled VLAN 10 and VLAN 20. Assigned static IPv4. Defined DHCP for VLAN 10 set range but added a static IP address for the Cisco switch outside of the pool range. Defined DHCP for VLAN 20, set range. On another computer connected directly to the Cisco switch, I defined VLAN 10 and 20. Set port 1 as a trunk. Tagged VLAN 10 and 20. Set port 8 as access. Untagged for VLAN 20. Added an IPv4 interface for VLAN 10, DHCP. Usually this is where I get kicked off but this time after I connected port 1 from the switch to ix0, the switch was listed under DHCP and Online in pfSense. In addition, my other computer that is directly connected to the switch was still connected using the switches default IP address. I’m assuming it’s because VLAN 1 and VLAN 10 are both active on the switch and I have that computer plugged into a port that I didn’t mess around with. I plugged a device into port 8 and confirmed it got an IP address in the VLAN 20 range. One issue I found is that I cannot connect to the switch from my laptop that’s on the LAN connection. But I’m guessing that’s probably a firewall issue. I can still connect to the switch directly from my other computer so I can do switch configuration from there. I’m going to back up the settings on the switch and pfSense before I go any further. I guess for most people getting to where I am now seems trivial. 
    After all, I don’t even know if the device works on port 8 since I just did a simple connectivity test, but after spending the last several weekends setting up, resetting, plugging in, and unplugging, I’m happy that I can finally move onto the next steps. Thank you very much for your help!
  • OpenDNS DDNS

    9
    0 Votes
    9 Posts
    3k Views
    L
    Just want to add to this in case someone else runs into it. There is in fact some sort of issue with passwords that have special symbols which work just fine in OpenDNS (and special symbols are required), but in pfsense, the login doesn't work. For example, changing my password to not include an "&" but to instead use a "$" fixed my issue. I'm guessing there is some bug in how the password is being encoded from the html form field or something. As others have mentioned, checking the verbose logging flag is encouraged so you can go into the system logs after you force an update and see if it logged in successfully or not. Hope that helps someone!
  • New machine, Hardware question

    12
    0 Votes
    12 Posts
    1k Views
    DaddyGo
    @bereby said in New machine, Hardware question: XG-7100 you're right: look at its original configuration, which has an i7 CPU and a 200W power supply ..... who is already looking at the XG-7100, wants serious hardware... (many just like to experiment or want a significant reserve in their system) only this "ugly" hardware originally outlined, should be conjured up a bit of a network appliance type 35 -50W power consumption / rack case / all-in-one face / Intel NIC / etc. (and for sure 10 Gig SFP+ WAN or other interface...) jahhh and don't think I'm against Netgate hardware, (since I've already said that) it's also perfect, but you only have a choice if you know what you can do and choose (Intel vs. AMD in network appliance theme)
  • Possible bug or ?

    9
    0 Votes
    9 Posts
    1k Views
    stephenw10
    Not in pfSense. At least not without changing your network configuration. That traffic goes from 192.168.90.3 to 192.168.90.5 directly at layer 3. It probably goes through at least 1 switch at layer 2. It never goes to pfSense at all so there's nothing it can do to see that. What you could do, for example, is configure a mirror port on the switch and then analyse the traffic on that to get flow data. You could bridge two ports in pfSense and make sure those systems were connected to different sides of the bridge. Then traffic would go through pfSense so you could see it and filter it. That is generally considered a bad idea unless you absolutely need it though. Steve
  • How to set up a 4G modem on pfSense?

    4g failover
    15
    0 Votes
    15 Posts
    4k Views
    stephenw10
    Yup, those Ethernet connected Netgear LTE modems work well. You can use many USB LTE modems directly with pfSense though. What exactly is the device you have? Steve
  • Feel like giving up on pfsense

    22
    0 Votes
    22 Posts
    2k Views
    DaddyGo
    it’s not a problem, everyone starts somewhere. In which slot (on MOBO) do you put the new NIC, what version of HP device do you have? HP Technical Reference Guide according to Google [image] INTEL PRO PT 1000 Quad Port Network Adapter [image]
  • DNS domain forwarder stopped working

    6
    0 Votes
    6 Posts
    682 Views
    johnpoz
    @gyahoo said in DNS domain forwarder stopped working:
    > I am at a loss as to how to proceed.

    Get on a current version of pfsense - the 2.3 line is DEAD, has been for over a year, shoot Oct will be 2 years... There were like 2 years of warning that 2.3 was going to be DEAD! Once you get on current.. Come back if you're having issues. So 2.3.4 is from 2017... You honestly thought it was up to date, with zero updates in like 3 years - on security software? It's not a notepad app you downloaded from some guy that wrote something he needed and shared it. How did you not check on that? Simple 2 minute visit to the website would have told you if you're current or not, etc.
  • Purpose of tracker on pfsense config rules

    3
    0 Votes
    3 Posts
    3k Views
    J
    According to https://docs.netgate.com/pfsense/en/latest/monitoring/raw-filter-log-format.html#bnf-grammar the purpose of the tracker id is:

    <tracker> ::= <integer> -- Unique ID per rule, tracker ID is stored with the rule in config.xml for user added rules, or check /tmp/rules.debug

    I've written this script to fix my rules and make the tracker id numbers unique:

    ```python
    import xml.etree.ElementTree as ET

    ONE_SECOND = 1


    def main():
        start_epoch = 1585650686
        root_element = ET.fromstring(XML_DATA)
        rule_elements = root_element.findall('rule')
        for rule_index, rule_element in enumerate(rule_elements):
            # One-second steps from the start epoch give each rule a unique ID.
            rule_id = str(start_epoch + (rule_index * ONE_SECOND))
            # Set the tracker and both timestamps; skip any element a rule lacks
            # instead of failing on None.
            for path in ('tracker', 'created/time', 'updated/time'):
                element = rule_element.find(path)
                if element is not None:
                    element.text = rule_id
        fixed_xml = ET.tostring(root_element, encoding='unicode')
        with open('fixed-firewall-rules.xml', 'w+') as f:
            f.write(fixed_xml)


    XML_DATA = '''
    <filter>
        <!-- copy and paste the exported <rule> elements here -->
    </filter>
    '''

    if __name__ == '__main__':
        main()
    ```
  • 0 Votes
    14 Posts
    1k Views
    stephenw10
    You will continue to have problems as long as you're on 2.3. That was only current for about 1 month waaay back in April 2016: https://docs.netgate.com/pfsense/en/latest/releases/versions-of-pfsense-and-freebsd.html#id7 You could try creating the file /boot/loader.conf.local (if it doesn't already exist) and adding to it the line: kern.smp.disabled=1 Then rebooting. Otherwise you might have to disable all but one CPU core manually which we did as a workaround at the time for a few systems. It was fixed for 2.3.1. Steve
  • Everything is messed up after a power outage

    4
    0 Votes
    4 Posts
    703 Views
    C
    So I wasn't able to figure out exactly what the problem is because I reinstalled pfsense completely and it did the same thing, but I tried using a different old PC and switched my Intel network card over and now it's working again. I guess it has something to do with the other PC, no idea what though.
  • Single Subnet Traffic through VPN

    vpn
    2
    0 Votes
    2 Posts
    426 Views
    Z
    Use policy routing https://docs.netgate.com/pfsense/en/latest/routing/directing-traffic-with-policy-routing.html https://docs.netgate.com/pfsense/en/latest/book/multiwan/policy-routing-configuration.html
  • FreeRadius 3 authentication problem on pfsense 2.4.4

    3
    0 Votes
    3 Posts
    392 Views
    N
    Hi, I have upgraded to 2.4.5. Please find screenshots requested below. Still does not authenticate. [image] [image]
  • How does pfsense handle cloned mac address?

    5
    0 Votes
    5 Posts
    677 Views
    jimp
    There isn't any way for the firewall to tell two MACs apart. You'll need something more. If it's that bad, you need L2 auth (802.1x) in your APs, not firewall controls.
  • SNORT Enable Performance stats not working

    3
    0 Votes
    3 Posts
    229 Views
    bmeeks
    @markgca said in SNORT Enable Performance stats not working:
    > When i check the "enable performance stats' feature on Preproc page of services/snort/interface, the interface restarts but never quite gets there. Turn that feature off, and it works again i have several snort instances running on different vlans and they continue to work. Is this indicative that i need to allocate more space or change some option? i have 24gb of ram, and only about half of that is used. thanks for any thoughts

    Have you looked in the pfSense system log to see what, if anything, is being logged by Snort when attempting to start it? Are you running the performance stats on those other instances successfully? You will generally have better responses to IDS/IPS package questions when you post your inquiry in the IDS/IPS sub-forum under the PACKAGES section here on the board.
  • [Solved] PPPoE issue

    2
    0 Votes
    2 Posts
    316 Views
    D
    Hi all, Looks like the GPON gateway had locked on to the previous device's hardware address. After power-cycling it the latest version connected without issue. (Piece of junk unnamed cheap manufacturer). May be good to get some output added as to why the process is terminated, to assist others - if there is anything useful that can be logged - just an idea. Very happy now PPPoE is running as it should! :) Please mark as solved and close thanks.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.