• user bypass account for filtering - or similar

    filtering dns users contentfilter
    0 Votes
    2 Posts
    642 Views
    stephenw10
    Not easily. That is usually accomplished by having staff and student VLANs where you can apply different firewall rules to the traffic. So if it's Wi-Fi, for example, you can have a separate SSID with 802.1X authentication that only staff can connect to. Steve
  • Solved: Can't update bogons on a 2.4.5-p1 (cert expired)

    1 Votes
    14 Posts
    5k Views
    bingo600
    @jegr said in Solved: Can't update bogons on a 2.4.5-p1 (cert expired): @bingo600 said in Solved: Can't update bogons on a 2.4.5-p1 (cert expired): And a ... I'm not giving up kinda moment. I haven't even bothered implementing that "trick" on the Job ones .... I appreciate it! I have some 2.4.5 systems in the wild myself that customers aren't able to update right now and those had rising numbers of dead/zombie processes (dying bogon procs) that we were able to fix that way - so thumbs up from me for the fact-finding mission. Glad to be able to give a little back. And ... Now I know that to tomorrow on the job for 7 firewalls. Done .... And home fwall: fresh install w. ZFS, and config restore, only one minor "quirk": iftop didn't install, but the pkgmgr. was informing about that. /Bingo
  • Anyone for hire here? Looking to convert from one device to another

    Moved
    0 Votes
    9 Posts
    956 Views
    S
    @dialsoft Did you get this figured out?
  • Wake On Lan - Can i remove the "Wake All Devices" ?

    0 Votes
    11 Posts
    895 Views
    Z
    @johnpoz https://redmine.pfsense.org/issues/12480 thank you ;)
  • Dual Port WAN (6100 is not available) HELP!

    Moved
    0 Votes
    2 Posts
    441 Views
    keyser
    @macwarrior said in Dual Port WAN (6100 is not available) HELP!: Hello all, I built an ASUS ProArt B550-Creator with 2x2.5G ethernet ports to use for pfSense (I know, probably overkill but Netgate 6100 is not available right now) and I added a Solarflare 4-port SFP card. Can I turn 1-port of the Solarflare SFP card into 1 WAN and a 2.5G ethernet port into a WAN (to = 2 WAN's) and the other 3 Solarflare SFP ports into LAN's? Thank you in advance, MacWarrior Yes, you can turn all but one port into WAN if you wish. pfSense allows you to use/define ports as you see fit. The only requirement is that the NICs are supported and have a driver in the pfSense distribution (which may be an issue with that SFP card).
  • 0 Votes
    14 Posts
    10k Views
    K
    @stephenw10 Re-saving the ACB settings fixed the inconsistent schedule on both boxes.
  • Driver Update

    0 Votes
    6 Posts
    940 Views
    bmeeks
    @jc1976 said in Driver Update: I've gone through all the documentation and whatnot, and it's all just very odd to me. My NIC is a genuine Intel.. it's not an Intel by HP or Dell.. straight Intel.. and I would've thought by now the drivers would've been updated. The I340 is a fairly old card, and considering that Intel has cards that are running at 10Gb+, what happens to those who are running pfSense on connections such as that at the enterprise level? What about the latest 800 series cards? Will the iflib work with them? Agree that it can be very confusing, especially with Intel, because for a while (and it may still be true) the version numbering scheme used by Intel on their web site for various NIC drivers differed from the scheme used for the same Intel drivers in FreeBSD. That makes it hard to determine which is actually the most "current" version. But for the most part, FreeBSD depends on Intel contributors to provide updates for Intel NIC drivers in FreeBSD.
  • when pfSense Plus 21.09 release will be available?

    0 Votes
    15 Posts
    2k Views
    dennis_s
    The 21.09 release has been postponed. There are a few reasons for this such as some issues found in late-stage testing. We want to make sure the next release will be a quality release. There is a high focus on 22.01. We are confident it will be worth the wait.
  • [Solved] Firewall Log entries flooded for IPv6/:5353

    0 Votes
    21 Posts
    11k Views
    johnpoz
    @patch You can create whatever rule you want be it allow or block or reject - and set it not to log.. But unless you were using something like Avahi to pass on the mDNS query - pfSense really has no use for such traffic, and wouldn't be doing anything with it. If you allowed it. pfSense is clearly blocking it already, what interface you're seeing the traffic on would be the interface you create the rule on to block it and "not" log it.
  • Is there a power off /on button on SG 2100 ?

    0 Votes
    9 Posts
    1k Views
    T
    @stephenw10 Thanks
  • Unable to Reach CloudFlare IP address via DNS/IP

    0 Votes
    4 Posts
    1k Views
    johnpoz
    @zatco said in Unable to Reach CloudFlare IP address via DNS/IP: Is it possible ISP could be blocking the IP? Anything is possible - but that shouldn't create a ping permission denied.. Do a sniff on your WAN - do you see the ping go out? I would assume no if you're getting permission denied on the send to.. But if you see it go out - maybe you're getting a specific reject back? Or maybe that IP specifically is blocking your IP.. But again that really shouldn't create that error, unless there is a specific reject that comes back.. Sniff on your WAN will show for sure be it you're sending it out the wire.. Traceroute via Linux normally defaults to UDP, and is not an ICMP message other than TTL expired that comes back.
  • Cron for WOL

    0 Votes
    24 Posts
    6k Views
    Bob.Dig
    @gertjan So this time I tried in putty: /usr/local/bin/wol -v -i 192.168.1.255 d0:50:99:92:11:e7 And it did work. Then I tried cron, also does work! So the key is to use .255 at the end. I still wonder why the web-GUI-thingy works with the MAC only, but on the other hand, when I first added the host to the Wake-on-LAN Devices list, it had an IP-address, so it might have saved it there. Thank you @Gertjan !!
  • high CPU usage bzip

    0 Votes
    5 Posts
    806 Views
    viktor_g
    @albgen said in high CPU usage bzip: @viktor_g thanks. Can I disable PC/SC at all and if yes how? I have experienced another bug on this feature which I'm not using.. It will be disabled after the patch is applied.
  • looking for advice on implementing site to site VPN

    0 Votes
    13 Posts
    1k Views
    bmeeks
    @pzanga said in looking for advice on implementing site to site VPN: @stephenw10 Thanks again. The test worked. So now I'll update the individual PCs as needed. And thanks for the reading material. I really appreciate it. If your Windows devices are part of an Active Directory Domain, you can easily manage the Windows Firewall policies via Group Policy. Here's a link to some Microsoft documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security. What you will want to do is add "allow" rules for traffic inbound from your remote site networks.
  • Reverting Config Changes

    0 Votes
    4 Posts
    7k Views
    M
    @atreides I wholeheartedly agree, there should be a 'discard changes' option. Thanks for your suggestion. Pity it has not been implemented to date!
  • 0 Votes
    14 Posts
    2k Views
    noplan
    @bingo600 Cool thing! Adding aliases is not that big a deal even if there are >100. Adding and merging FW rules is a whole other ball game, at least for me.... Burned my fingers a couple of times...
  • Double NAT: cannot ping Comcast LAN interface from Pfsense WAN interface

    0 Votes
    10 Posts
    924 Views
    Y
    @stephenw10 @johnpoz So, that rule I sent was the only rule I had set up on the OPT1 interface. I also failed to mention that I modeled the OPT1 interface after what I had the WAN interface configured to, which was to NOT block private or bogon networks. But I just found out with more testing that my Comcast router cannot actually ping any of my devices... So, not worried about that. My devices (including pfSense) can ping the CC router and that's fine. My only worry now is why the WAN interface didn't work with all the same settings configured as OPT1. Everything is the same between the two, but I'll take that up with Protectli if my own troubleshooting doesn't do anything. Thank you both for the help! I'm hoping to become more proficient with pfSense and incorporate it into my career, so it's been great to have good support just starting out. Appreciate y'all
  • Windstream gig fiber and pfsense

    0 Votes
    14 Posts
    2k Views
    M
    Overriding: all depends on how you do it. If you force a speed/duplex on one end, leave the other end at autoneg, it typically gets the speed correct, but mucks up duplex. If instead of forcing you leave autoneg but specifically advertise a speed and duplex, if the other side is autoneg it works correctly. So a 1G NIC can do 10/100/1000 for speed, and full/half for duplex. If you force "1000/full" leaving other side autoneg, you'll wind up with 1000/half. If you advertise "I only do 1000/full" the autoneg works.
  • Coming out of hibernation to share my recent pfSense story

    0 Votes
    7 Posts
    1k Views
    stephenw10
    Indeed, it won't hurt anything.
  • Changing firewall HW

    Moved newbuild restore
    0 Votes
    6 Posts
    1k Views
    AndyRH
    In my case I imported the OpenVPN configuration which defined an interface. I had previously defined and deleted a physical interface which I had configured DHCP. The 2 aligned to the same name, OPT3. This may be an uncommon result.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.