Yes, export the CA cert, not the key, as x.509 if you want to import it into pfSense.

Yes, it's something we would like to see. A new front-end for accessing and managing backups outside the pfSense interface is something we are working towards. Steve

Yeah, it depends on the order it was applied and what version that change was made in since I believe there is now code to prevent it. I looks like you hit that new code by switching to a Eth interface and back. Good to know. Steve

Ah, yup that will do it. And it sure makes for a crappy experience at the client end! Disabling v6 on the LAN in pfSense will prevent it. Or setting it up correctly if your ISP gives you a PD you can use. Steve

Thanks for your help everyone. I had only two interfaces configured (wan1 and lan1) even though the sophos device had 4 physical lans only one was needed. I backed up the Community Edition that was originally installed & configured onto the sophos. I then booted up the Netgate SG-2100 and did a restore through the menu options in the web config. Everything worked for me. I think I might have had to name and/or assign the eth ports. For not being familiar with the product and concerned if help would be available when I needed it this went well for me. I hope it helps anyone in the future who is contemplating a change from the Community edition to the netgate hardware. Thanks again everyone

@jimp Thank you for the clarification.

If you have build tools on the firewall you have to ensure only the right users can run them or the result, which is an attack surface in itself. Yeah, there are a number of threads here on the forum from people trying to use this card and I don't see anyone who managed to build a driver for it. Steve

@areckethennu said in Memory Usage High in 22.01?: I also switched to ZFS. That alone will cause the system to use more RAM than it would with UFS.

Mmm, it could always be some coincidental fault and nothing to do with the update.

None of that stuff has been necessary for some versions now. But likely won't hurt. If you need custom loader variables though you should put them in /boot/loader.conf.local (create that file). The loader.conf will be overwritten with pfSense changes/upgrades. You see any errors on the interfaces? Anything in the system logs? Clearly not a loading issue. Steve

@bbcan177 said in updated to 22.01 - SG1100 high CPU usage '/sbin/pfctl -vvsr': https://www.reddit.com/r/pfBlockerNG/comments/sk9txi/ip_block_logging_not_working_pfsense_260rc/hvv99s1/?utm_source=reddit&utm_medium=web2x&context=3 Installed the patch and it solved it! Thanks!

You can policy route specific destinations to use the VPN gateway but you need to define them. That means it's easy for small sites with static IPs but more difficult for anything with a lot of IPs and almost impossible to match 100% for something like facebook.com. It is possible to define an alias using an ASNumber which can be used. pfBlocker can update that automatically. Steve

@chpalmer WOW! At least I have worked in an cable head end. I find I tend to know more about some of the things than the "support" people do. Then again, half a century of experience in telecom, computers and networks may contribute to that. When I had a problem with IPv6 about 3 years ago, I found I had to teach even 2nd level support and a senior tech the finer points about it. BTW, I used to do 3rd level support at IBM.

How are those interfaces physically connected? You have log entries there showing the NICs losing link, like the cable was disconnected or whatever they are attached to rebooted. Now I would normally call into question the Realtek NICs have but there are also logs for em0 losing link. Steve

Hmm, odd. I wouldn't expect anything to change there unless the NICs themselves were changed. Sometimes editing the config file directly is the easiest way. You just have to be careful. It's all too easy to make a typo and end up with something that won't load. Re-assigning interfaces like that is a typical scenario where editing the file is often the simplest solution. You shouldn't need to change anything in the rules, the only definitions using the physical NICs would be the Interafaces and LAGG. Even the VLAN should noy be in your case because they are on lagg0. Steve

OK thanks. There's definitely some issue there. We are trying to pin it down.

Nice. I would recommend moving to a symmetric routing design though. At some point that will come back to bite you otherwise. Steve

@mer I did have to do some hardware config with my proxmox server that also have pfsense so I did have to shutdown a few minutes. When I did power up everything I notice now the firewall show right time so now everything works :) Feel strange that I have to do a restart of pfsense :) Thanks alot for all the help and support.

Yes, if you hit that issue the install/uninstall script hangs when it's finished. That stalls the package reinstall process so any other packages that haven't yet been installed will not be until you kill the script. It should then install the others though. Steve

@jknott I know the difference between UDP and TCP. I have started to isolate traffic. You gave me an idea. I will get a raspberry pi, and will connect it to ISP router, and will record any interruptions, to see if it occurs at the same time of my netgate. I've being using pfsense for the pass 5 years (VMs and netgate boxs from small to medium sizes like 7100 series) and never encounter any issue like this, but you know, sometimes after a while we start questioning all the parts.