• problem openvpn site to site

    9
    0 Votes
    9 Posts
    866 Views
    @stephenw10 Hi, thanks to your post you made me think to check an interface that I use for the Wi-Fi guests, and in fact I had used the same subnet for them. I changed that one and it is solved; now everything works perfectly. A thousand thanks.
  • have WAN IP, but can't ping out.

    Moved
    6
    0 Votes
    6 Posts
    529 Views
    @stephenw10 Good call. I may have to upgrade my NICs to get the most out of all of this. I'm not sure they are up to snuff.
  • Internet slow after updating

    4
    0 Votes
    4 Posts
    598 Views
    stephenw10
    Yeah, there is an issue with the RSC feature which is enabled in hn(4) in FreeBSD 12.3 and hence in 2.6. Depending on how you are hitting it you can work around it by disabling RSC on the vSwitches or in the VM interfaces. The vSwitch change is permanent, the VM interface change is not. Since you are seeing slowness to the WAN you may be able to resolve it using only the switches. Steve
  • NET::ERR_CERT_AUTHORITY_INVALID

    2
    0 Votes
    2 Posts
    408 Views
    stephenw10
    That's expected if it's using a self-signed cert. What cert is it presenting that's showing that error? What did you upgrade from? I assume it wasn't showing a cert error before upgrading? Steve
  • 2.60 new install /var/log not a zfs filesystem

    Moved
    2
    0 Votes
    2 Posts
    452 Views
    stephenw10
    That's not an error if it's actually not ZFS. Just an artifact produced by switching the ramdisks. I would not worry about it unless you're seeing issues with logging. Steve
  • 0 Votes
    12 Posts
    3k Views
    @steveits Oh really?? Thanks a lot. I have upgraded the RAM to 8GB so I can go 2 million. Thanks a lot.
  • Saved NAT disapers

    3
    0 Votes
    3 Posts
    474 Views
    SOLUTION @stephenw10 Jepp, changed from Chrome to Edge, now I see the info. Thanks
  • WAN and LAN Traffic Graph at Idle

    4
    0 Votes
    4 Posts
    690 Views
    johnpoz
    @packetpirate said in WAN and LAN Traffic Graph at Idle: "Looks like about 10 requests of length 46 per second" I get more than that ;) heheh Just checked and about 32 a second worth of arp.. It's horrible, the ISP should really limit that, it's not hard to do.. I hit my 100 packet limit of my capture in like 3 seconds.
  • 0 Votes
    11 Posts
    1k Views
    johnpoz
    @a1itto said in Unable to edit rules due to bogonsv6? (I've tried the Max Table Entries setting): "when my setup can support IPv6." Dude that could be 10-20 years before they start turning off IPv4.. Maybe even longer - do you really think say next week amazon.com is going to say you know what, only IPv6 now.. They don't even have it now ;) Neither does twitter ;).. Or ebay even.. While sure IPv6 is the future, that future is not any time soon that is for sure. Even like 4th biggest site really on the planet.. baidu.com doesn't have it.. Again - set the table limit up, mine is at 1.6 million, set it 3.2 million you're trying to load a lot of tables like you know china's IPv6 space in pfblocker..
  • Default LAN - is it possible to tag as x VLAN?

    7
    0 Votes
    7 Posts
    806 Views
    @johnpoz said in Default LAN - is it possible to tag as x VLAN?: "@d2freak82 create a vlan on pfsense, and then set your lan interface to use the vlan on parent interface that is your lan." Thank you! That's exactly what I was after
  • SSH + Plink + Pfsense 2.6.0 = Security Risk

    9
    0 Votes
    9 Posts
    1k Views
    @jimp said in SSH + Plink + Pfsense 2.6.0 = Security Risk: "I haven't seen a prompt like that before, it may be something in how plink is authenticating." I got it working again. The initial problem consists of 2 problems. By default, Plink could only work when the admin account was enabled, but this was resolved by installing Sudo. The second problem of asking to press return at the end of the Plink command, after getting access granted, was caused by Plink itself. When I first encountered the Plink malfunction problem after the pfSense update to version 2.6.0, my thought was that maybe my Plink was not compatible anymore, so I downloaded and installed the latest Plink version (0.76). But in fact it's Plink itself that caused the second problem. After some Googling with the "Access granted. press return to begin session" message, I discovered that this is caused since Plink version 0.71 and beyond. My old version of Plink was apparently before 0.71, I have now installed the latest version (0.70) that doesn't have this extra need for interaction and now everything works back fully automatic. I know that using an old version of Plink is also a security risk, but SSH access from the WAN side is blocked, and can only be used from my internal network. The admin user is also disabled for login, like it was before. Big thank you to Jimp and nogbadthebad for the help. Grtz DeLorean
  • Internal FTP Client to outside FTP Server?

    Moved ftp client openvpn pfsense
    5
    0 Votes
    5 Posts
    803 Views
    @stephenw10 I didn't realize that I was able to create an interface for VPN. I did that (and it booted the remote users, lol), and was able to configure the FTP Proxy Client plugin to work with it. Thank you for your help!
  • Restore pfSense Plus

    10
    0 Votes
    10 Posts
    1k Views
    @nollipfsense Also of note USB NICs will change the NDI, too. They're not the only thing that goes into the NDI but they're the most likely to cause a change.
  • page fault kernel panics after 2.5.2 upgrade

    crash kernel panic 2.5.2
    25
    0 Votes
    25 Posts
    5k Views
    stephenw10
    @mrpete said in page fault kernel panics after 2.5.2 upgrade: "the fact that it is a UFS panic proves fsck is needed?" Yes, that. You would not see that panic if ZFS was used. Steve
  • sshd trying to connect to ports 25/ 465/ 587

    3
    0 Votes
    3 Posts
    714 Views
    stephenw10
    @anetde said in sshd trying to connect to ports 25/ 465/ 587: "the default deny rule on the WAN interface logs lots of blocked connection attempts sourced from the gateway's WAN IP to public IPs in the wild on the mentioned dest-ports." That implies blocking outbound connections which would normally be allowed. Can we see these actual firewall logs? I would run ps -auxwwd and look for some script opening ssh sessions. But note this is sshd, the server, logging that. This looks more like someone using ssh as proxy/tunnel and trying to send mail across it. So just look for ssh connections inbound when that happens. Could be an admin connecting from a compromised machine without knowing. Steve
  • 0 Votes
    39 Posts
    6k Views
    stephenw10
    Indeed it's not ready yet. We had a basic patch that worked past the issue for most situations but was still broken for the allow MAC table. However further testing showed other issues with more complex setups. Now that we know the root cause though we should be able to patch the ruleset to allow for it. We are testing patches now. Steve
  • Serial Console config

    4
    0 Votes
    4 Posts
    546 Views
    JKnott
    @gwaitsi Yep. Since my Qotom mini PC has a serial port, I enabled it when I installed pfsense, but normally use a keyboard & monitor.
  • CRON task not running!

    13
    0 Votes
    13 Posts
    1k Views
    @gertjan Thanks for that. Thanks for your help!
  • No WAN IP after power outage

    26
    0 Votes
    26 Posts
    3k Views
    luddite
    @stephenw10 ok- I will investigate after work. Thanks for the info.
  • No ipv4 Internet on LAN

    12
    0 Votes
    12 Posts
    1k Views
    blista99
    For everyone having the same problem: DO NOT add something custom to the DHCP configuration of WAN via "Custom Override" before connecting once on WAN. It will fuck up your automatic rule generation in NAT and result in not getting any IPv4 connection on anything but WAN. If this rule generation has happened... then it is ok to add whatever you want. For my specific situation I only had to add the string of my conf-file into the "Send" options of the advanced DHCP settings (as @stephenw10 mentioned) and it works better than it ever has! Thank you netgate community!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.