@jjoaquina:
I do believe the time spent to have this working is beyond acceptable.
I think I'm just going to switch the display off, even though some policies I should follow indicate the other way.
Thank you all for your insights!
Run an old Windows machine and SSH in using PuTTY. Set the screensaver on that machine to work the way you want.
The BSD install is manicured to be a firewall and certain elements may or may not be there from release to release. You can never count on non-standard elements/add-ons to work post upgrade. ;)
@DennisT:
We already use OpenDNS but that isn't effective unless the attacker is using DNS (which many don't).
Thanks !!! Just fine like that.
This one goes to my ;D list …
Comes down to what method of sharing you're going to use. Just simple Windows sharing of the printer (SMB)? Or IPP, or 9100, which is the common JetDirect port.
But yes, you would need a firewall rule to allow whatever port/protocol you use to access the shared printer. From a security point of view this is normally not all that bad of a thing - you limit who has access to the printer, and it's just a printer.
Is your printer not able to just connect directly to the network via wire or wireless? USB printers are pretty old school if you ask me. Even your $70 throwaway inkjets normally come with Wi-Fi these days.
Just run a packet capture on tcp port 110 on WAN and run another shields up test.
If you do not see the traffic on the WAN port, shields up is seeing a response from something upstream.
AFAIK the only way of doing this is Diagnostics -> Backup & Restore -> Config History and do a diff between changes and create individual user ids.
Increase the Configuration Backup Cache Settings size too.
Yet something else to ponder:
Tried to uninstall a package and it failed.
>>> Removing pfSense-pkg-ntopng...
pkg-static: Warning: Major OS version upgrade detected. Running "pkg-static install -f pkg" recommended
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages (of 0 packages in the universe):
Installed packages to be REMOVED:
pfSense-pkg-ntopng-0.8.10
Number of packages to be removed: 1
[1/1] Deinstalling pfSense-pkg-ntopng-0.8.10...
Warning: Module 'session' already loaded in Unknown on line 0
Warning: Module 'bcmath' already loaded in Unknown on line 0
Warning: Module 'ctype' already loaded in Unknown on line 0
Warning: Module 'curl' already loaded in Unknown on line 0
Warning: Module 'dom' already loaded in Unknown on line 0
Warning: Module 'filter' already loaded in Unknown on line 0
Warning: Module 'gettext' already loaded in Unknown on line 0
Warning: Module 'hash' already loaded in Unknown on line 0
Warning: Module 'json' already loaded in Unknown on line 0
Warning: Module 'ldap' already loaded in Unknown on line 0
Warning: Module 'mbstring' already loaded in Unknown on line 0
Warning: Module 'mcrypt' already loaded in Unknown on line 0
Warning: Module 'openssl' already loaded in Unknown on line 0
Warning: Module 'pcntl' already loaded in Unknown on line 0
Warning: Module 'pfSense' already loaded in Unknown on line 0
Warning: Module 'posix' already loaded in Unknown on line 0
Warning: Module 'radius' already loaded in Unknown on line 0
Warning: Module 'readline' already loaded in Unknown on line 0
Warning: Module 'rrd' already loaded in Unknown on line 0
Warning: Module 'shmop' already loaded in Unknown on line 0
Warning: Module 'sqlite3' already loaded in Unknown on line 0
Warning: Module 'ssh2' already loaded in Unknown on line 0
Warning: Module 'xml' already loaded in Unknown on line 0
Warning: Module 'xmlwriter' already loaded in Unknown on line 0
Warning: Module 'zlib' already loaded in Unknown on line 0
Warning: Module 'zmq' already loaded in Unknown on line 0
Warning: Module 'suhosin' already loaded in Unknown on line 0
Warning: Module 'xmlreader' already loaded in Unknown on line 0
Removing ntopng components...
Menu items... done.
Services... done.
Loading package instructions...
Deinstall commands... done.
[1/1] Deleting files for pfSense-pkg-ntopng-0.8.10: ........ done
Warning: Module 'session' already loaded in Unknown on line 0
Warning: Module 'bcmath' already loaded in Unknown on line 0
Warning: Module 'ctype' already loaded in Unknown on line 0
Warning: Module 'curl' already loaded in Unknown on line 0
Warning: Module 'dom' already loaded in Unknown on line 0
Warning: Module 'filter' already loaded in Unknown on line 0
Warning: Module 'gettext' already loaded in Unknown on line 0
Warning: Module 'hash' already loaded in Unknown on line 0
Warning: Module 'json' already loaded in Unknown on line 0
Warning: Module 'ldap' already loaded in Unknown on line 0
Warning: Module 'mbstring' already loaded in Unknown on line 0
Warning: Module 'mcrypt' already loaded in Unknown on line 0
Warning: Module 'openssl' already loaded in Unknown on line 0
Warning: Module 'pcntl' already loaded in Unknown on line 0
Warning: Module 'pfSense' already loaded in Unknown on line 0
Warning: Module 'posix' already loaded in Unknown on line 0
Warning: Module 'radius' already loaded in Unknown on line 0
Warning: Module 'readline' already loaded in Unknown on line 0
Warning: Module 'rrd' already loaded in Unknown on line 0
Warning: Module 'shmop' already loaded in Unknown on line 0
Warning: Module 'sqlite3' already loaded in Unknown on line 0
Warning: Module 'ssh2' already loaded in Unknown on line 0
Warning: Module 'xml' already loaded in Unknown on line 0
Warning: Module 'xmlwriter' already loaded in Unknown on line 0
Warning: Module 'zlib' already loaded in Unknown on line 0
Warning: Module 'zmq' already loaded in Unknown on line 0
Warning: Module 'suhosin' already loaded in Unknown on line 0
Warning: Module 'xmlreader' already loaded in Unknown on line 0
Removing ntopng components...
Configuration... done.
>>> Removing stale packages..
Very close to just wiping it and reloading it.
In case anybody runs into this issue, it was caused by having the time sync services turned on in Hyper-V. We disabled the time sync services offered by Hyper-V (in the Hyper-V manager) and the issue went away.
Thanks for the reply, the issue re-appeared today.
Here is the log of the WAN in question:
Nov 27 14:35:08 dpinger: OPT4_WAN_DHCP_DHCP 8.8.8.8: Clear latency 497157us stddev 968654us loss 0%
Nov 27 14:34:14 dpinger: OPT4_WAN_DHCP_DHCP 8.8.8.8: Alarm latency 517317us stddev 803024us loss 0%
The mail messages stated that:
MONITOR: OPT4_WAN_DHCP_DHCP is down, omitting from routing group MainOut
8.8.8.8|10.11.1.2|OPT4_WAN_DHCP_DHCP|517.759ms|802.821ms|0.0%|down
MONITOR: OPT4_WAN_DHCP_DHCP is available now, adding to routing group MainOut
8.8.8.8|10.11.1.2|OPT4_WAN_DHCP_DHCP|499.966ms|814.632ms|0.0%|delay
I guess the WAN was omitted due to high latency, which occurs when a line is really busy.
Maybe change the latency thresholds (200/500)?
Best regards
Kostas
Now that I understand, at least I think, that a tagged port is expecting tagged packets, instead of tagging them.
No, a tagged port is an access port that accepts untagged frames and then tags them. A trunk port accepts all frames, tagged or not.
@NogBadTheBad:
Put your IOT equipment on its own subnet and do the following on the IOT interface:-
1st rule allow IOT net to this firewall DHCP, NTP, etc …
2nd rule block IOT net to LAN net
3rd rule allow IOT net to any
Thanks for your advice, but here that was already the case: all IoT devices are in a different subnet and are rejected when trying to access any other subnet. Only a few selected subnets can reach this IoT subnet through a NAT rule.