• NanoBSD disable serial console redirection / 2.3.1

    0 Votes
    3 Posts
    786 Views
    +1 for this. I want to use the single serial port on my device using NanoBSD as a GPS-timed NTP server, and NTP keeps complaining that /dev/cuau0 is busy. How to free up the serial port?
  • PfSense dropping WAN until box is restarted

    0 Votes
    5 Posts
    5k Views
    I am now running on 2.3.2-RELEASE-p1. The drop-outs have been continuing - about every 2-3 days now, sometimes multiple times per day. I'll have further logs to upload later - can't do right now as I'm in work away from the router at home. What I have discovered, while trying to migrate the PPPoE connection from re0 to re1, is that physically removing and then reconnecting the ethernet cable on re0 will fairly reliably cause the crash - PPPoE starts failing to dial out and the pfctl process goes crazy on CPU usage. What's the best way of determining if this is a software/driver issue, or a hardware issue?
  • Info on the download/upload nominal speed of Internet connection

    0 Votes
    4 Posts
    830 Views
    @balubeto: @KOM: I have no idea what nominal means in this context, but if you want to see a realtime view of your traffic, try Status - Traffic Graph.  If you need more detail, there are packages like ntopng that can help. Using pfSense, how do I display the maximum speed of download/upload on my Internet connection set by my provider? Thanks Bye There's nothing pfSense itself can do to detect the speed limits set by your ISP, for example your WAN connection might say a 100Mbit/sec connection on the pfSense dashboard because it's connected to a modem with a 100Mbit/sec port but the real speed can be anything between the practical maximum of a 100Mbit/sec connection to something like 256Kbit/sec if your ISP has set the limit that low. Your ISP can tell you the nominal speed limits and in some cases you can see them from the management page of your cable/dsl modem.
  • Load Balancer - send particular "path" to one server

    0 Votes
    2 Posts
    601 Views
    (No replies as yet, so I guess I will wait for the technical folks to see the OP, but in the meantime…) Following on from my "bigger question" in the last paragraph above, I can think of three ways around the problem:- 1. As above, turn off relayd on the firewall, spin up a small(ish) VM running Nginx as a load balancer and have that deal with all the certificates for all LBed sites. 2. Leave relayd running and temporarily make the pool 1 server deep when creating/renewing certs. 3. Make /.well-known an NFS share from a "master" within the pool, and mount it on all the pool members. I see 2. as being a stupid solution and I'm going to discount it immediately (it's an obvious answer, but manually managing a pool like that scares the bejesus outta me, and doing it automatically brings me out in a cold sweat). Technically, 3. intrigues me, but I really don't know NFS at all. Is this feasible from a "lag" standpoint - will it operate fast enough for letsencrypt to be happy? All the VMs are on the same host, the "network" between them is 4 x 1Gb. By the same token, it could be a gluster brick (but again, I have no direct knowledge of gluster - just repeating something I've just read in the Safari copy of the High Performance Drupal book)... EDIT I'm throwing a little glusterfs lab setup together and will have a play. Finally 1. is the first thing that came to mind, and would answer the problem by moving the target to the LB (which is the most sensible place for it to reside in this situation, from what I've read), but again, this feels "klunky" to me; it's reinventing the wheel (not that we all likely haven't done that before now). Any and all opinions welcomed at this juncture.
  • System: pfSense serial

    0 Votes
    5 Posts
    2k Views
    ivor
    @KOM: This has been asked & answered a few times now.  It's a serial for the Netgate hardware to identify the unit for support purposes.  If you have genuine hardware, your serial number will be shown.  If you have a generic box, the system UUID will be shown.  That's it. Not just Netgate hardware. We have many customers running pfSense on their own hardware. Anyone can buy support.
  • Client dhcp leases

    0 Votes
    3 Posts
    824 Views
    If they are getting the lease from isp, they are not behind the firewall. I'm suspecting your setup to be wrong. Think (and do): isp <-> modem <-> pfSense <-> switch <-> clients Read this a couple of times: http://www.cisco.com/networkers/nw04/presos/docs/SEC-1N20.pdf for the first 20 slides or so, it's a bit dated but hopefully explains a bit where a Firewall should be positioned etc. and practice on your google-foo  ;) , lookup all things you don't fully understand….
  • HA configuration and making use of /24 IP range

    0 Votes
    6 Posts
    4k Views
    Derelict
    LACP to each HA node (4 ports) 4 ports total two from each HA node, one each to each switch. You will chew up switch ports quickly. Then you need to decide how to configure the LAN side. You need at least two switches, stacked, or using some other technology that allows them to make LACP groups with ports on each switch (Multi-Chassis trunking, or whatever your vendor calls it. At this scale, stacking is likely your best bet). You can also use Spanning Tree and something like this without going to LACP: https://portal.pfsense.org/docs/book/highavailability/layer-2-redundancy.html
  • 2.3.2 and SSLv3

    0 Votes
    5 Posts
    735 Views
    I completely agree and understand.  Will be posting a new question on that board Thanks again for your assistance.
  • VLAN - Member - Just L2

    0 Votes
    3 Posts
    3k Views
    reason being is it is possible at that edge - Using a PFSense with multiple GBit Ports Trunk Not necessary just was wondering if possible.. would have preferred for it to handle DHCP but see that isn't possible if it is not handling the Routing for the VLANs correct? Just have it on the transit Network - agreed - just need to make sure add the routes for the other vlans so it knows where to send the traffic…  or yes use /16 if networks are within the B ranges - just prefer the routed method sometimes.
  • Monitoring Gateway with Reports

    0 Votes
    7 Posts
    1k Views
    dennypage
    @floydque: Can you help me do a CSV reporting that it lists latency loss. Example: Oct 13 16:29:57 dpinger WAN_DHCP 222...*: Alarm latency 82880us stddev 46313us loss 21% That's what you are getting in the CSV. The header you will see is: ,packet loss,delay average,delay std. dev., The first field (with the missing header description) is a timestamp. The timestamp is a standard Unix timestamp with 3 digits of milliseconds appended. You will have to convert this field to the date/time format you want. The packet field is in percent, and the delay fields are in milliseconds. The timestamp is pretty easy to convert in Python or Perl. However, if your target is a spreadsheet, you can convert the timestamp with a formula: =((A1/1000)/86400)+25569 Hope this helps.
  • Run shell command at pfsense reboot

    0 Votes
    13 Posts
    6k Views
    Thanks; we're not running Unify; we're using java for a very secure internal program. pfSense can't finish booting
  • [SOLVED] Getting half TWC download bandwidth

    0 Votes
    6 Posts
    5k Views
    Thanks for the suggestion, Harvy66. I have not enabled any proxy… However, I just found the problem. For whatever reason, the LAN NIC associated with the ESXi vSwitch was not auto negotiating to gigabit ethernet, but showing the speed as 100MB Full Duplex. I forced it to 1000MB Full Duplex, reran the speed test and am now getting in excess of 233 Mbps on the download, as it should be. All is once again good with the world.  :-) Thanks again.
  • OMG PLEASE HELP ME T.T

    0 Votes
    5 Posts
    1k Views
    Any lease requested from pfSense's dhcpd, will show in the corresponding status page I suggest you spend some time here: https://doc.pfsense.org/index.php/Main_Page Enjoy the reading!
  • PfSense 2.3.2 - PPPoE falls regularly

    0 Votes
    1 Posts
    364 Views
    No one has replied
  • Temperature info source

    0 Votes
    1 Posts
    446 Views
    No one has replied
  • VLAN Issues

    0 Votes
    2 Posts
    737 Views
    What Port is PFSense plugged into on the 3Com what is the port Set as? Trunked? or not trunked. if you set to full trunk and all tagged no - untagged what happens - lose all traffic? did you disable the port then re-enable on the switch? Cisco sometimes helps me on older switches to cycle the interface to get a trunk to line up. PFSense - did you set up your vlans on PFSense matching the VLAN Tags? Shouldn't need to set up IP address for the VLANS… thinking through it.... technically if the 3Com is doing the routing - then all you need is simple uplink to PFSense and add Routes manually to PFSense not even vlans or deal with trunking... think that is how I've done it on my old firewalls - works but is probably wrong to the PFSense guys... basically why trunk if you're not needing to tag out of other ports on your PFsense box? think that logic is right... then the routes can determine / manage traffic... basically VLAN1 in your case is 10.1.1.0/24 VLAN2 10.1.2.0/24 and PFSense is ignoring 10.1.2.0 because it has no idea what to do with it.... A: Dirty Method - set up your PFSense IP in a /16 CDR (255.255.0.0) and bam it should work. B: Add route for 10.1.2.0 via 10.1.1.X (3Com Switch VLAN1 IP) This should also work... - if I'm thinking of it logically. C: add the VLANS which should create the 802.1q trunks (not sure if you have to set an IP for each vlan - which in my book enables VLAN Routing in PFSense and you don't want/need that) Hopefully one of the Experts will clear me up!
  • COMPREHENSIVE TUTORIAL TO A NEWBIE PLEASE

    0 Votes
    5 Posts
    920 Views
    Derelict
    Ahoy. CAPTAINS must be some sort of translation to EXPERTS, which is also common. Create an alias using the FQDN you want to block, create a pass rule source the address you want to control destination that alias with a schedule for when you want to allow access followed by a reject rule with the same source/dest without a schedule. Based on the information given that's the best I can do.
  • Production Support At Netgate! Position Now Open!

    Locked
    0 Votes
    1 Posts
    6k Views
    No one has replied
  • Simple port forwarding

    0 Votes
    19 Posts
    6k Views
    @KOM: If anyone knows about port 80 what's wrong please update. Are you running WebGUI in HTTP mode?… yes sir running pfsense web gui on http port 80 but trying to forward port 80 no success :( **Why is the destination address on your 8008 port forward not WAN address? @Derelict ok sir i changed it to WAN Address**
  • Outage without any error?

    0 Votes
    4 Posts
    721 Views
    jimp
    In all likelihood there is no problem. It's the graph glitching when a counter wraps around.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.