• Downgrade packages

    0 Votes
    12 Posts
    2k Views
    bmeeks
    @jlw52761 said in Downgrade packages: Unfortunately your comparison doesn't hold much weight because every software vendor I've ever dealt with, Microsoft, Apple, VMware, Cisco, Palo Alto, Ubuntu, etc all maintain support for multiple versions and don't force folks to the "bleeding edge" regardless of issues. In fact, look at what has happened to Microsoft and Apple over the last 2 years, they are having to move to the stance of allowing users to defer updates instead of forcing issues, like loss of data. By saying the majority of folks don't have issues and only those that have problems post is discouraging those folks from posting or pointing out problems due to fear of being singled out. Now I don't know about some folks, but 20+ years in the enterprise infrastructure has taught me one constant, bleeding edge in production is the quickest route to disaster, and the method that Netgate is taking flies in the face of stable production. Now, with that, I have upgraded both of my firewalls to the 2.4.5 release, and guess what, frr still will not start on one and not run reliably on the other, and there's no log entries or indications of why the situation is occurring. If I had this running in my business and I lost BGP in this fashion, I would no longer have this vendor in my environment. Plain and simple. I understand Netgate tries to test and validate as much as possible before releasing new software, but the reality is they cannot test for every possible use case and scenario, and I wouldn't expect them to be able to either, which is why I would rather have the option of testing a new release in my lab before being forced to place it in production, or have the option to hold off any new releases for several weeks. Personally, I do not want my production to be anyone's guinea pig environment, and I avoid testing in production at all costs, and the current way Netgate does the software push doesn't allow me to easily do this. 
What I said about who posts and who does not is generally true. It's not meant to single anyone out. Just to point out that it is not a reliable indicator of how "bad" some particular issue may be. No matter. My intent was not to pick a fight with you or argue. Just wanted to point out there are reasons for how some things are handled when it comes to free open-source software. However, in this instance Netgate/pfSense has taken a rather out-of-the-ordinary step of making the prior 2.4.4_p3 release available again, including packages compiled for 2.4.4_p3. Search the recent forum posts and you will see how to roll back.
  • pf 2.4.4-RELEASE Navigation Link Broken

    0 Votes
    8 Posts
    757 Views
    R
    @Gertjan said in pf 2.4.4-RELEASE Navigation Link Broken: Thanks for the confidence in the latest pfBlockerNG-devel. Still a bit hesitant to pull the trigger.
  • Loss of Display After Unplugging Monitor

    0 Votes
    4 Posts
    491 Views
    NollipfSense
    @BlankSpace No...your built-in graphic card may be going out but again that's not a pfSense issue.
  • First Crash after upgrading to 2.4.5

    0 Votes
    5 Posts
    627 Views
    K
    @stephenw10 said in First Crash after upgrading to 2.4.5: What were the two tunables required, for reference? e.g dev.igb.3.fc = 0, and dev.netmap.buf_size= 2048
  • how to access surveillance station from LAN using external IP ?

    0 Votes
    2 Posts
    410 Views
    Rico
    https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html -Rico
  • Identify and open ports required for client outgoing traffic?

    0 Votes
    4 Posts
    354 Views
    M
    I presume by sniff you mean diagnostics -> packet capture? I'll try that, and feed it into wireshark. I've only used wireshark really briefly before and I'm definitely no network whizz! Thanks!
  • Edit /usr/local/lib/php-fpm.conf

    0 Votes
    3 Posts
    433 Views
    S
    @Simbad said in Edit /usr/local/lib/php-fpm.conf: /usr/local/lib/php-fpm.conf I would like to change:
    pm.max_children = 8
    pm.start_servers = 2
    pm.max_requests = 5000
    pm.min_spare_servers=1
    pm.max_spare_servers= 7
    and process.max = 8
  • Installing speedtest-cli

    Moved
    0 Votes
    6 Posts
    1k Views
    stephenw10
    Yup, because Python was upgraded, that is effectively a different package. Steve
  • No downstream/inbound traffic coming in

    0 Votes
    2 Posts
    315 Views
    K
    I've added two new reject rules on interface vlan876. Still not working =( [image: 1585995854849-a7c72de6-08ff-4ad7-be15-ed2020d987f9-image.png]
  • Interface shows down in GUI but active in ifconfig.

    0 Votes
    1 Posts
    323 Views
    No one has replied
  • Loosing connectivity between pfsense and webserver

    0 Votes
    9 Posts
    771 Views
    K
    @Gertjan Both are LAN type interfaces ? Or one of them a WAN ? Suricata is not set for WAN igb0 however is set for LAN igb1, WLAN igb2 If so, and you do not have any NAT rules that you want to protect - or classic firewall rules that permit IPv6 to enter your network(s), you could remove that interface from the list used by Suricata. "There is no need to protect a closed door." @kiekar said in Loosing connectivity between pfsense and webserver: pfSense is consuming 56% That is : pfSense uses more like 6 % on your system - mine is - and your packages ( Suricata ?) is using that whopping 2 gigs. That can double on rule reload, so be careful what option you choose. You'll be close to using swap space with all the drastic consequences that come with it. Will look into it
  • pfSense crashes, how to troubleshoot?

    0 Votes
    2 Posts
    513 Views
    Gertjan
    Hi, Troubleshooting network problems : you shouldn't be using them to get needed info. Which means you have to use the most important interface : the console access. That one will stay functional when an interface goes down. You'll be able to check the logs and other system specs - the place where all the answers are. You'll see that the system isn't down at all, most probably only the NIC (driver). Also : is your WAN not a Realtek ? Then swap WAN and LAN interfaces. Realtek NICs are strange animals. I'm using several of them right now. Others, probably most, came in from Amazon, lasted a day, and are piling up in some box somewhere, being completely useless. You shouldn't be doing complicated things with them like "heavy load" and VLANs at the same time ... that's asking way too much. Btw : have a look in this forum. There are posts that mention an alternative Realtek driver with rather good results, better than the built-in stock driver.
  • Newbie file downloads issue

    0 Votes
    3 Posts
    367 Views
    J
    First thing I suggest you check is that the DNS is resolving from the firewall: diagnostics dns lookup enter 'system76.com' and press lookup and you should get a reply from all of them. [image: 1585876768453-b9bf19ae-2cd3-4919-b12b-20941884bf18-image.png]
  • CPU Usage

    0 Votes
    3 Posts
    550 Views
    R
    Here's what I'm seeing. Custom view from 12PM - 5PM today. Processes has been removed from the graph. What I'm seeing here is not just barely 5% CPU? [image: 1585868481330-monitoring.png]
  • Problem editing Backup xml files in Notepad++

    0 Votes
    14 Posts
    1k Views
    kiokoman
    yes of course, but when you want to restore that section you need to select the same section on the drop down menu
  • Renew DHCP Leases - Restart Service?

    0 Votes
    2 Posts
    552 Views
    JKnott
    @VirtuousMight I don't know that you can do anything to cause leases to renew. They'll renew when the clients are ready to renew. The server only responds to the requests. What you can do is disconnect/reconnect the Ethernet cable to a device. It will then do a renew.
  • pkg update -f and pkf upgrade -f

    0 Votes
    23 Posts
    2k Views
    bmeeks
    @kevindd992002 said in pkg update -f and pkf upgrade -f: apt-get does, but not apt. Anyway, will doing a pkg update -f do any potential damage compared to just letting its thing do without the switch? No, so long as you have not manually monkeyed with the repo.conf file and say pointed it at some other remote repository that might contain different versions of stuff. But with a stock pfSense installation there is no harm in using the -f switch other than just downloading and rewriting data that strictly does not require such.
  • Help trying to get a new repo on my 2.4.4 p1

    help 2.4.4p1 repository
    0 Votes
    4 Posts
    972 Views
    bmeeks
    @araujovitorpaulo said in Help trying to get a new repo on my 2.4.4 p1: @NollipfSense that was an alternative at the beginning, but when I search for updates, it says that the server is up to date (http://prntscr.com/rrnrc0). The only way to recover it is making a brand new server with the 2.4.4p3 installation? 2.4.5 is the new current version. Unless you have an existing copy of the 2.4.4_p3 install media, it is no longer available from official sources. You may find unofficial copies out there someplace on the web, but I would be wary of such things. You can do a fresh install using 2.4.5 media and import your existing configuration. There are instructions for doing that in the Netgate docs.
  • Airprint is not working

    0 Votes
    2 Posts
    687 Views
    Gertjan
    Hi, I'm not using VLANs (on pfSense) nor VLAN capable switches. But I have a private enterprise LAN 192.168.1.0/24 which contains several AirPrint printers. I also have a second LAN, a public network 192.168.2.0/24 that can't access my LAN at all - just the gateway to the Internet. It's a pfSense Captive portal, available for the company's visitors and clients (a hotel). I created this rule on the captive portal's interface : [image: 1585813144489-d563e8e8-4ca9-4f37-9e9f-c7734afb1ffc-image.png] You - as a network admin should also ask yourself : how does AirPrint work ? This question isn't optional any more as soon as you have multiple LANs, and you want devices on one LAN network to use devices on the other network. You discover that the question is already known ^^ and you install the pfSense package Avahi. Test on your device with a software tool like Discovery on an iPhone or iPad and you'll see that Avahi works : devices that expose AirPrint - and many other - services are listed, and you can print ... Btw : again : I'm not using VLAN (yet). Note : if your printer and devices that want to print are on the same (V)LAN, then your issue isn't a pfSense issue. Redo your VLAN settings which might include your printer. Remember : VLANs are like LANs, they just need more hardware and hassle.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.