Thanks. I believe the issues you are seeing are largely due to pfBlocker which updates the pfSense configuration system (and hence triggers a backup) on a very frequent basis. I have increased the capacity of the server to the highest reasonable value which may help a little. A couple of years ago a mechanism was introduced to allow pfBlocker to bypass the backup system, but so far it has not found much employment. I plan to contact the developer as well as a member of our own development team to see if we can can some movement there. In addition, some filtering has been added to pfSense to help alleviate the situation. You should see that in the next release.

@steveits good tips, thank you!

Just a quick note that I'm using 2.5.2-RELEASE which is FreeBSD 12.2 In order too get tux and mosh to work I had to copy both en_US.UTF-8 and C.UTF-8 from the 12.2 base into /usr/share/locale since LC_CTYPE is a link.

Nice. If you need to use the 2nd WAN change the subnet the upstream router is using. Steve

@johnpoz said in advice on physical layout plans for new PFSsense router setup: stephenw10 dude - bet you beer that is spammer.. Look at his other posts. Just his question made me wonder if he's serious. Physical layout? Really?

If you add the Nmap package it will show the MAC vendor ID if thats of any help. As per the above screenshot.

@stephenw10 Thank you, I did not know of this. It is back to reading on how to configure unbound (many things I do not know). Thank you for your thoughts. pfsense has many things that are not in the books, at least not that I understand what they do. elmo

@jimp thank you, I've reloaded the manually edited xml, now the errors are gone! BR

ok, bad new so... Thank you for your reply.

@mk873425 said in Adding a second drive to pfSense 2.5.2: but once I reboot the machine it refuses to boot, and goes into a read-only state. Any ideas? When rebooted, the drive is 'umount' properly ?

Thanks. Just ended up moding it a bit. Access all rule with no restrictions on the bottom. Above it is a rule to block WAN at the scheduled times. I can now go in and disable that rule for holidays and non school day week nights.

It can sometimes fail if the initial restore sets an invalid pkg repo or if the installed version needs to pull a repo update before it can access them. However if that does happen you should just be able to restore the same config again and it will work the second time. Steve

@testcb00 said in Virtualize pfSense, two WAN, one switch, possible?: I am not familiar with VLAN Here's your chance to get familiar! Traffic from the modems is almost certainly untagged. Which is very much not the same thing as VLAN1 but is a surprising common misconception. https://docs.netgate.com/pfsense/en/latest/vlan/security.html#using-the-default-vlan1 Port based VLANs is probably not what you want here. That is typically used for separating switch ports into groups but not for trunking tagged traffic which is what you need to do here. You need to use 802.1Q based VLANs to tag the traffic and trunk it to pfSense. So, yes, set the PVID / Default VLAN ID (whatever it's named on that switch) on the WAN ports to 50 and 51. Then set the port connected to pfSense to trunk those VLANs. The traffic from each will arrive tagged to the pfSense NIC. In pfSense setup VLAN interfaces for 50 and 51 on the parent Mellanox NIC. Assign those interfaces as WAN1 and WAN2. Done! You can the same with other VLANs. You only actually need one NIC there, all the interfaces could be VLANs on it. Steve

@norsak-0 said in Strategy for site to site VPN, when one site is a cloud provider without a pre-built pfsense image?: What is the strategy for site-to-site VPN when you 'only' have a linux box at the remote site? If you really only have a Linux box at one end then you could only run pfSense virtualised there as has been said. But you can run whatever VPN client/server you need there and connect to it with pfSense. Any of the supported VPN types would work. Steve

@stephenw10 Yes resolved.

Be aware that disabling CARP either there or in the GUI is also temporary. As soon as anything makes a change to the interface config section, or just reloads it, it will be re-enabled. Steve

@stephenw10 ... it finally worked. Created new CA/Certificates for Freeradius. Created new CA/certificates for Captive Portal. Finally what actually worked : User Manage : Authentication Server : Selected Radius Server and saved it again. And every thing started working. Kept it under testing (finger crossed)