@neiltiffin See this is precisely the issue, it's important to actually read into the vulnerabilities before just saying CVSS 9.8 it's the end of the world. If you knew what the actual issue was, it's basically a non issue. No one should be exposing their firewall webGUI to the public internet anyway, or any untrusted network for that matter, it should be accessed over a VPN. The whole purpose of that general best practice advise is to avoid issues like this being a problem (which BTW basically every other firewall has had similar login related CVEs that were super bad, many worse than just brute force allowance) when they do pop up. While it's important for things like this to be fixed (and it is fixed) regardless, admins still need to practice best security advise. Additionally, all this vuln lets you do is brute force without any restrictions, but if you're following another best practice and using good strong login credentials, it shouldn't matter anyway. I also don't understand this: "at least one major vulnerability that went un-resolved in pfsense 2.6", so what you are saying is that something got fixed but since it wasn't fixed in the version you wanted it to be fixed in it's not ok? IDK what to tell you at that point. IDK this is all seeming like a common internet post where someone wants attention so they just complain about stuff without really knowing what they're talking about.

Thanks to all for the support. Issue is resolved successfully with the following steps. Created a new network ( different from LAN subnet ) in one of the unused port of the backup pfsense box. Connected the laptop to this new port. Laptop gets an IP. The backup pfsense WAN port is connected to the LAN of main pfsense box Disabled LAN network on the backup pfsense box ( temporary ) Now the backup pfsense box can connect to internet. Did the upgrade. Disconnect WAN. Enable the LAN network on the backup pfsense box ( We can leave the new network as is or disable it ). Works well for my use case. Thanks again for the support!

@johnpoz Hello, that's works, to resume, i have to add a nat port and fixed the port on the Plex serveur and now works realy thanks to help me to found this thanks all !!!

@stephenw10 Yes, that was the first time. I did not try using Google LDAP until after I upgraded to 23.05.1.

@stephenw10 I work with RTSP streams with various brands all over US. If he port forwarded everything correctly it should work without any problems.

I'm assuming that was a typo.

Seeing fragmented packets like that implies some type of MTU mismatch so I'd look for that. Perhaps something changed on your WAN. Or maybe you added a VLAN the traffic is using.

@buzzhussman but where does that say that traffic on host A would be seen by some box on host B. I could guess its possible that traffic coming in from the real network on host A from some vm on host B might be seen by all devices on the vswitch on host A.. But then again that only might happen for traffic that is local to the vswitch on host A.. If you want to see traffic from some VM on host B talking to pfsense on host A - why do you not just sniff on pfsense itself?

@stephenw10 Just an update only one of the firewalls went down still trying to get into the console for that but the other firewall just had an issue with OpenVPN configuration.

Nothing in the logs that stands out. I ended up rebooting things and everything is running fine so far.

What interfaces do you have configured? Something obscure? The reason it stops there is that one of the configured interfaces is not present at that point. Most virtual interface types are ignored to allow that. Since it then allows you to configure them it must be present when you do that.

@johnpoz All right, fair enough. Thank you.

@NicS ?! I mentioned above that I saw the branch had been pushed?!

@stephenw10 Thank you, its resolved and I have failed to update here. Exactly as you said one of mate from pfsense official fb group suggested to remove gateways, once I removed all back to normal. Thanks & Regards, Babin

@stephenw10 I've backup all of the pkgs :)

It's not an official mirror. You can check the file checksums here though: https://files.netgate.com/hashes/ 2.3.4p1 was never available as an image though only as an update to 2.3.4. Steve

@yoyoSE156d I mean if the NAS is not accessible externally (from the internet), and you filter traffic from the other devices to the NAS you are off to a good start. Other than that make sure to keep things up to date, and use good passwords. Unless you have some reason to think that you would be directly targeted I think that would pretty much be enough.