• Bandwidth consumption not adding up

    1
    0 Votes
    1 Posts
    385 Views
    No one has replied
  • New Error Making Changes to Radius

    1
    0 Votes
    1 Posts
    472 Views
    No one has replied
  • Change default LAN interface

    1
    0 Votes
    1 Posts
    645 Views
    No one has replied
  • Am I missing how to get to 'next page' of system firewall logs?

    2
    0 Votes
    2 Posts
    429 Views
    C
    There is currently no pagination in the logs.
  • Configure pfsense for a simple wan/lan via vmware workstation

    2
    0 Votes
    2 Posts
    934 Views
    B
    btw i can ping the hostvm but not the ip of the set 192.168.1.1 at lan
  • 0 Votes
    3 Posts
    856 Views
    F
    Same problem here.  Doesn't happen particularly often, but usually it is terminal (i.e. it doesn't recover).  The firewall still does all it is supposed to do, but web console just doesn't respond.  Our firewall box has several IPSec and OpenVPN VPNs set up on it, but there doesn't seem to be a specific action that causes it.
  • Email alerts when connection on certain ports made

    3
    0 Votes
    3 Posts
    649 Views
    jahonix
    Isn't that related to port security of your switch? I'm pretty sure that can be handled by SNMP and the various tools available. Wait, with ports you refer to IP ports, not switch ports, right? Something in the SNMP MIBs for pfSense maybe?
  • How can I block these from my logs?

    4
    0 Votes
    4 Posts
    1k Views
    jimp
    If you disabled IPv6 in the GUI then it's doing what you asked. It's blocking and logging IPv6 since that's what the option does. You could instead make a floating tab rule to block – and not log -- IPv6 from any/to any, and make sure all of your interfaces have IPv6 set to "None" as well. You could also use a block (and not log) rule on each of the interface tabs.
  • HOW TO BLOCK THE USER USING MAC ADDRESS

    6
    0 Votes
    6 Posts
    3k Views
    johnpoz
    Does he want to use static arp?  I can not tell what the OP wants to be honest.. But I like the use your switch post from Derelict ;)
  • Can't connect from Wifi to Lan net

    1
    0 Votes
    1 Posts
    440 Views
    No one has replied
  • Where is the best place to store custom scripts for ease of maintenance?

    10
    1 Votes
    10 Posts
    5k Views
    G
    Thanks everyone for the input everyone… You've helped me think this over... and given: I want/need ease of maintenance-simple backup/restore. Custom scripts with least privilege possible-under a user with minimal rights. It's only a couple of scripts and a few kb of disk space. (A partition is not warranted.) /root is not completely under user control… file backup plugin uses it. I'm thinking that it would be hard to do better than: creating a user: custom (with minimal rights). Stick everything in /home/custom Write a quick script to tar.gz /home/custom and scp to my FreeNAS box for backup (or maybe use the file backup plugin, but given that it doesn't do time versions automatically or allow granular restore or multiple backup profiles.) A normal configuration restore will recreate everything except the actual scripts in /home/custom If I'm missing something or anyone has any other suggestions, be glad to hear them.
  • Unbound fatal error: could not open ports, then unbound is down.

    5
    0 Votes
    5 Posts
    4k Views
    P
    @pfcode: Hi, I found this in the system log, Unbound fatal error: could not open ports, then unbound stopped working. Only occurred under the combination of IPv6 and pfBlockerNG DNSBL.  What happened: when the IP changes, it tries to stop/start Unbound… But unbound takes a little more time to do that with DNSBL enabled... So it fails to start .... I was told that it's not a package issue, but something in pfSense code. I experienced a similar issue last night with my HE.NET IPv6 Tunnel. I am running on the latest dev (2.3.2-DEVELOPMENT (amd64) built on Mon Jul 18 23:27:23 CDT 2016 FreeBSD 10.3-RELEASE-p5)
  • No Internet to Wireless Router

    3
    0 Votes
    3 Posts
    683 Views
    johnpoz
    Why are you running statics on your lan? Well if you don't have dhcp on your wired lan, then no wireless isn't going to have it either..  To turn ANY wifi router into an AP 3 things: 1. Set its lan IP to be on the network you're going to connect it to. 2. Turn off its dhcp server. 3. Connect it to your network via one of its LAN ports, not its wan…
  • Just started using PFsense and Plex server can't see through

    6
    0 Votes
    6 Posts
    6k Views
    MikeV7896
    Well, with Plex adding more and more capability (like Sonos access), and the ability to share servers among family members and/or friends, VPN may not be an option for some. BTW, with their Sonos integration that appeared yesterday, I found the need to enable NAT Reflection for my Plex port forward. The NAT+Proxy mode needed to be selected; pure NAT did not work. This allowed my Sonos system within my network to be able to access my Plex server (also within my network), and also allowed the external web-based Plex client to function as well (which I don't really need to use while I'm on my home network, but it did make things work a lot smoother). I'm guessing that Plex's "directory" system tracks servers using the external IP address, which would make sense for mobile devices while on the go… but I'm surprised that they don't also note the internal IP address for when you're on-network. So if the OP hasn't tried enabling NAT Reflection (NAT + Proxy) on the NAT rule for Plex, that might make things a whole lot better for using Plex while at home. :)
  • Dsl connection

    2
    0 Votes
    2 Posts
    733 Views
    D
    PFSense works with almost any kind of ISP connection, myself, I have two DSL modems in bridge mode.  Both use PPPoE and have never had a problem. As for the server, some use laptops, but you will need two interfaces, one for the modem and another for your network.  You could leave your modem (no-bridge) and put everything into a switch, but that really defeats the purpose of using PFSense. If you have not read the documentation on PFSense, of which I presume you have not, when you install PFSense, it will wipe out your drive and load onto it FREEBSD a Linux flavor operating system.  So if you have anything you want to keep on either machine, back it up.
  • ERR_SSL_PROTOCOL_ERROR on a hosted website behind pfsense

    8
    0 Votes
    8 Posts
    5k Views
    S
    Well, did you see user manual for consumer devices, like TVs or microwave, where you have "Device doesn't work - Plug power cord to wall outlet" in Troubleshooting section? :D
  • Complete backup of pfSense install??

    7
    0 Votes
    7 Posts
    2k Views
    H
    @SnowGhost: If it was ME I'd do this 1. Take a full backup of the current working config. 2. Pull the HDD and mark it, then put it somewhere safe 3. Insert a different HDD 4. Install new 2.3 version and restore the backup taken in step 1 If it all goes to shit, reinstall the HDD and just carry on as if nothing ever happened.  Figure out what went to shit and start the entire process again (including step 1).  This way if something terrible happens (or you just misread the release notes) you have a simple revert process with no changes.  And the back up is just in case the HDD dies on you just when you really don't want it to. I have already done something similar. That's what I did for my 2.2.6 build and it's working great. but I'm still wanting more…. Please read below... @Derelict: Yes it will generally be faster to just reinstall and restore the config than it would be to do a "traditional" restore (like sector-by-sector, or a dump/restore, etc) in almost every circumstance. Why not just build the VM offline and restore a backup config to it and see how it goes? Existing firewall can just run the whole time. I'm not wanting a config backup, but an image. When restoring from backup config, how well does it handle installing of packages and the setup of pfSense being 100% exactly like the one that the config was taken from? I know that the config backup only does config settings and RRD data if selected. If I have other data on the drive…. Pcaps... or w/e I will not get that as part of the config backup. That is why I was wanting a full image backup of my install. Anyone have experience with an image backup of a FreeBSD box?
  • Free drive space very different between MASTER and Backup

    5
    0 Votes
    5 Posts
    1k Views
    D
    That was it!  Well, kind of. At one time I switched over to the backup and shortly thereafter I ran that ntopng.  Went into the settings and Deleted the historic data.  Spun for a long time eventually I grew impatient and went back to the dashboard and now it's dropped from 88% -> 41%. Curious thing is that I didn't enable the historical data to be kept.  Not sure why pressing the Delete (historical) data would have worked… Oh well.  It solved my problem. Thanks for your help!!
  • VLAN traffic also on LAN in traffic graph?

    10
    0 Votes
    10 Posts
    2k Views
    johnpoz
    "General best practice is to leave the native VLAN on a trunk port unused" It is best design practice not to leave native vlan 1 on your trunk ports, even when you have changed all other ports to other than vlan 1, and sure not to use vlan 1 as your management vlan. But I have never heard anything wrong with use of a different native vlan. Where is that stated as best practice not to use native vlans?  That sure is not cisco gospel.. Maybe that is the gospel according to cmb ;) hehehe As a way of graphing traffic so all your traffic is in a specific tagged vlan vs the native vlan that would show all traffic going over that interface even tagged ok very clever solution to the graphing oddity, but I wouldn't agree that it's best practice to only use tags.. I can think of one example where it's going to cause you a problem not using native, the unifi access points do not allow you to set vlan tag on their management IP.  They have to be untagged, ie native.  Sure doesn't have to be vlan 1, but they do not allow you set tag for the IP of the AP.. This might be considered a design flaw, and it should be an option to set tag on this - maybe in the future but currently if you're not using native vlan here you would have issues.  Quite sure there are other such devices, but off the top of my head that was the first one that came to mind.  That would require trunk and tagged traffic to the device, but also untagged traffic.
  • How to Question - Restrict DHCP Leases to Internet time based setting ?

    1
    0 Votes
    1 Posts
    299 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.