Let me try to replicate it with the values I have first.

@johnpoz said in How to avoid bridge?: You have this? What sfps do you have in it? I have a few SFP+ WDM12-R20/WDM13-R20 for fiber and S-RJ01 for RJ45 (pic above). My main problem is that one of my pfSense interfaces comes from my IPTV router and goes to my TV boxes. I get IPTV signal on all devices. On pfSense with option "Allow packets with IP options to pass." it goes perfectly fine but if I use my CRS317 instead I get no signal flowing from one SFP to another.... that's why I gave up on CRS switching... [image: 1630001319342-img-6163.jpg]

@gertjan Thank you for your reply. Sorry for taking so long to get back to you. I've just renamed the file to .old, re-enabled graphing and everything is back and working. Thanks for your help. Chris.

@jknott Yep. I had tried, but that didn't work. No connection. No ping, no nothing. Reported elsewhere. ARP or what, no clue yet. Had to (1) re-allocate interfaces (in this case, swapping). Trouble is also physical access, after a reboot. Crawling into some dungeons. The box has neither monitor nor keyboard. No, it must be pre-set. (Don't want to whine about 'good old days', and yet, my former Soekris/m0n0wall was just running along. Power off - power on and I had access through the web interface for everything else. Have tried hard, but not found anything on the same level of ease and reliability. Well, updates and performance made it a no-go.)

The config file is in /cf/conf/config.xml. If you edit it live you often have to remove the cached copy: https://docs.netgate.com/pfsense/en/latest/config/xml-configuration-file.html#edit-in-place But I would recommend exporting it from Diag > Backup, editing it and then restoring it again. The system will reboot into the modified config. Steve

@bygiuse said in Transfer sw configuration to an hw appliance: do you think it's possible to transfer the xml backup file from the Server installation to a dedicated netgate hardware appliance? Yes. Depending on the appliance you may need some modification but we can help with that. Most config imports only require re-assigning the interfaces though. Steve

Yes, that sounds like what's happening. Of course with the switch routing between the VLANs pfSense never sees it and cannot filter it. It's significantly different to the previous network setup. That Lanner is Atom D410 or D510. Not the fastest but either can run pfSense 2.5.2. Steve

@worldhopp said in SG-2100 suricata - good performance?: the 2100 is not good enough for Suricata and that it will throttle the system Any system will have it's throughput reduced by Suricata or Snort. What matters is if that reduced level is still higher than your available WAN bandwidth. It's also very hard to put any definitive numbers on it because performance can vary wildly depending on what signatures you have loaded and the detection engine settings. Steve

Thanks for the replies. I installed ChronyControl on both my Macs and disabled the inbuilt NTP client and it seems to be working. Unfortunately I don't have enough time to investigate it all much further now, and in any case I like the functionality that ChronyControl brings so will stick with that for now.

@knight said in Trying to add serial card, does not get recognized...: (in reference to your latest avatar... ) Yah, thought I'd update it a bit... how shitty the internet is here (Hungary) I forgot this is DOCSIS (50/300)... - instead of GPON I already miss my chair and the rush... / RTOS

Yeah, for some reason, you can disable it globally with the loader variable and then enable it again per interface with a sysctl but not the other way around. For ix at least. Steve

@bingo600 said in is it possible to run multi DNS Resolver via IP Range?: I don't think you can solve this issue with just one lancache That. pfSense, or the DNS service in it, cannot see the client IP queries come from, it sees only LANcache IP. That means it will do the same thing for all queries. If you have twp LANcache servers you can setup pfSense to send queries via different upstream DNS servers. Or just configure that on the LANcache boxes directly. You could also do this if one group of hosts doesn't go via the LANcache but there is no way to separate them if both do. Steve

I doubt this is going to be a problem but i will list the packages that the py38-openssl needs to have. pkg install py38-openssl Updating FreeBSD repository catalogue... FreeBSD repository is up to date. Updating pfSense-core repository catalogue... pkg: https://files00.netgate.com/pfSense_v2_5_2_amd64-core/packagesite.pkg: Not Found pfSense-core repository is up to date. Updating pfSense repository catalogue... pfSense repository is up to date. All repositories are up to date. The following 20 package(s) will be affected (of 0 checked): New packages to be INSTALLED: cyrus-sasl: 2.1.27_2 [FreeBSD] fontconfig: 2.13.94,1 [FreeBSD] freetype2: 2.10.4 [FreeBSD] gmp: 6.2.1 [FreeBSD] jbigkit: 2.1_1 [FreeBSD] jpeg-turbo: 2.0.6 [FreeBSD] libfontenc: 1.1.4 [FreeBSD] libssh2: 1.9.0_3,3 [FreeBSD] libunwind: 20201110 [FreeBSD] lua53: 5.3.6 [FreeBSD] nettle: 3.7.3 [FreeBSD] pixman: 0.40.0_1 [FreeBSD] png: 1.6.37_1 [FreeBSD] py38-cffi: 1.14.6 [FreeBSD] py38-cryptography: 3.3.2 [FreeBSD] py38-openssl: 20.0.1 [FreeBSD] py38-pycparser: 2.20 [FreeBSD] py38-six: 1.16.0 [FreeBSD] tcl86: 8.6.11_1 [FreeBSD] zstd: 1.5.0 [FreeBSD] Number of packages to be installed: 20 i don't believe that any of the packages listed here are already part of the standard pfsense repo and should be fine to have loaded in.

I also figured out why the 1:1 NAT (the (3) from above) wasn't working. It looks like you not only have to setup the 1:1 NAT and firewall rules, but you also have to define the outside IP under Firewall / Virtual IPs, otherwise the firewall will not respond. (Found this here: PFSense: 1:1 NAT Configuration) With that, all problems are resolved. Thanks everyone.

That's almost certainly nothing to do with pfSense. Most APs continue broadcasting an SSID whatever is happening upstream of them. Some do not but if you're still able to login into it to reboot it that's not the issue. Steve

@tyler-montney-0 said in AutoConfig Backup Location: I mean from the GUI. The file you download is a backup, meant to be stored on a device that you trust ^^ ( as any backup ...) @tyler-montney-0 said in AutoConfig Backup Location: Opened #12296 on redmine. You have a point. "We all know" what ABC is, where it's stored, and under what conditions you can retrieve it. ABC uses a server @Netgate where our copies are saved. They are encrypted, and can only be read back if you have kept that key (and ID etc) on a safe (local !) place. ABC was, in the past, on option that was not free. It was a package that you had to add, and set up. The doc doesn't really state clearly that is actually a 'cloud' thing. That it isn't a perfect solution. That it needs a working connection to the Internet. That you should backup the access credentials. Etc etc. @tyler-montney-0 said in AutoConfig Backup Location: I've opted to go the scp route, using the cron package (to set a cron job from the web interface). If you created a small shell script, you could add your own encryption. Take a copy of the config file, encrypt it before sending it away to some local device.

I do not disable the firewall function in PFsence. Disable the function will lose the basic protection for my firewall.

@cfrudolphy thanks for the reply. We ended up calling and requesting a level 2 they said they had enough calls on level 1 which is a lot of calls to go to level 2. He fixed it on the first try. It's been working great hooked up to Calix ONT > pfsense. Level 1 was blaming our equipment but this guy did not & actually listened to our problem which was on their end. We worked on this for 3 weeks and calling in constantly. This was some kind of DDoS attack coming through on that VLAN maybe? But the level 3s are going to have to look at it on their end. Solution: Switched to a static IP and to a different VLAN on their network. I would try to call in and ask for a level 2.