It's a known issue but it's only cosmetic. The duplicate entries don't hurt anything. Steve

@stewart glad you got it sorted.. I don't really do sudo much on pfsense. But I do it it on other linux boxes and my nas.. I hate having to type my user password all the time on my nas when I want to su up to root.. Its lazy sure - but there are no hostiles on my network, its on an isolated vlan, etc. So I just let that account su up without having to reauth.

Ok, that should work. What sort of bandwidth do you need to pass?

@johnpoz said in Problems with Certificate Generation: @guardian said in Problems with Certificate Generation: Is it normal practice to install the intermediate CA along with the server certificate on the server? Its normal practice to install the full chain.. But if the CA is public trusted then you don't - the server will hand out the intermediate CA to the client, who since he trusts that signing CA of that intermediate will trust it. OK, so that is clearly what I have been missing. I need to find out how to install the chain in TrueNAS. There appears to be a Certificate Authority Section which is similar to the one in pfSense. Maybe if I just import them there things might work. @johnpoz said in Problems with Certificate Generation: There is nothing wrong with the CA manager in pfsense. @guardian said in Problems with Certificate Generation: I was expecting to see the entire chain of trust when displaying the certificate. You did - see the cert info I show for the cert in my browser - shows the full chain. Yes, I saw that.... it's how that chain got generated that I didn't understand. IIUC the server is assembling the trust bundle on demand from the component parts, not from a prebuilt certificate bundle.

When you say it's 'super slow' what are you actually seeing? If you ping the server across the tunnel what are the ping times? Steve

@stephenw10 Thanks Stephen! That fixed it. I put my WAN Upstream Gateway to 192.168.1.1 and WAN subnet to /24. I am able to connect to the internet now. I did have to perform an ipconfig /release and ipconfig /renew towards the ends before it started working for me.

@rcoleman-netgate said in Edited console on video, full console on serial on 22.05: @vollans What hardware is this on? It's a little 4-port no-name Intel N5105 special from Aliexpress.

You could setup a ramdisk and mount it at the console for some other purpose. You can't set /tmp and/or /var to be ramdisks without rebooting. Steve

Why do you have a static route there at all? The routing should be dynamic from BGP. Does BGP show both neighbours as up and valid? At both ends? Steve

@lohphat your more then welcome to implement a package ;) if you feel something like this should run on your firewall.. If there was such driving want for such a thing on pfsense, and it was so easy to implement - curious why it already hasn't been done.. Maybe because its normally not worth it to open up a burger joint next to a wendys and burger king and McDonald. Like I said this cat has already been skinned long time ago.. I don't see how adding such a feature would bring all the boys to the pfsense yard - but hey if you can make the best milkshake ;)

@stephenw10 correct i dont need any of these and my internet works. i just wanted to learn from you in case something like that happens here in Hawaii. Thank you again for everything and for the knowledge you taught me in this case.

Thx, that worked. [image: 1660552748922-09ce9608-39b9-4d67-a970-078bb743482f-image.png]

@stephenw10 hello, we once again checked the BGP settings on cisco, noticed a couple of parameters related to the announcing the default route, transferred these parameters to pfsense and everything worked, thanks for trying to help me.

@rcoleman-netgate I just finished the reinstall a few minutes ago but still having the same issues. The HA sync is not working and it's required to restart the php-fpm in the backup node every 20-25 minutes I found information in the following link https://redmine.pfsense.org/issues/11583 I'm going to check and let you know how it goes

Sure just go to Interfaces > Assignments and set the WAN to mvneta0. By default it's configured as mvneta2. https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/io-ports.html#routed-ethernet You will have to unassign OPT1 or use mvneta2 for that instead. Steve

Yes, that's what it shows. I don't use Darkstat personally beyond testing it's functionality.

@stephenw10 I put the swap there for emergencies, but it's really never used. I can increase the memory. I wonder, is there a way to delay the starting of snort? Because it all works eventually without any intervention. (Obviously the crash didn't think so) It seems to be too much going on at startup. EDIT: Although, now that I think of it, I'm not sure I want Snort off at all. Thanks for your help! I will bump the memory.

Thanks to everyone for the suggestions, it eventually turned out this was just cable internet provider doing what it does. Customer complains, they turn the speed up for a few days, and it shows a bit over 200Mbps , then over the course of another 2 weeks or so it drops back to under 100Mbps. Customer makes another call, tech shows up, they turn the speed up again for a while and say everything's OK, rinse & repeat. I went ahead and did the upgrade to pfSense 2.6.0-Release to stay current, but both pfSense and the hardware it's on are working perfectly, everything else was typical ISP shenanigans.

It would be much better if the ISP did route the /29 to you via the WAN IP. A much more flexible setup. You might want to contact them and ask if they can do that. Steve