• Is it normal to log this traffic?

    0 Votes
    15 Posts
    309 Views

    @marchand-guy I would say most firewalls have a deny by default setup. However most/many software firewalls have a rule to allow their own subnet. Windows for instance accounts for that by defining different rules for public or private marked networks.

  • Use mail.php send mail but no subject.

    0 Votes
    3 Posts
    95 Views

    @patient0
    Ohh.
    I got it. Thanks a lot.

  • VLANS and Unmanaged Switches

    0 Votes
    6 Posts
    218 Views

    @joseb as @marcg pointed out, it depends.

    If the unmanaged switch is connected to a managed switch access port configured to pass only traffic for one specific vlan the unmanaged switch should continue to pass that traffic down to its connected nodes and any traffic coming back from those nodes via the unmanaged switch will get tagged by the managed switch on the way to wherever they’re going.

    This should be true whether or not the unmanaged switch strips tags or not. But you’ll only get traffic to and from the one vlan you configured at the managed switch port for all of your unmanaged switch. No different than plugging your computer into the managed switch port.

    @marcg has a point: managed switches can be had brand new, cheaply. I use Netgear gs308ep managed switches and they work well. And I don’t have to worry about the distinction. I send a trunk line down to my access switches and then set the ports up as access ports for the specific vlans I want for each endpoint or a trunk for a Wi-Fi access point.

  • Web Traffic Reporting Question

    0 Votes
    6 Posts
    123 Views

    @ngr2001 said in Web Traffic Reporting Question:

    Perhaps this could be a feature request for PFSense ?

    You could install it their way with an appropriate license key that will give you the features you want.

    https://www.ntop.org/guides/ntopng/third_party_integrations/pfsense.html

  • Restore config - problem interface assignment

    0 Votes
    9 Posts
    170 Views

    @Gertjan

    It works!

    You need to turn on the new machine and check in which order the network cards are recognized.
    You edit the backup file of the old machine with the names of the interfaces in the right order you want and then perform the restore.

  • No IP in WAN with bridge

    0 Votes
    5 Posts
    166 Views

    Issue was the ISP router/modem combo; bridge mode was trying to give a private IP after initially assigning a public IP. It would drop the public and then assign a private IP. I reset the modem to factory and reapplied bridge mode after, and it seems to be working fine now.

  • pfSense and OpenVPN speeds

    0 Votes
    25 Posts
    2k Views

    @stephenw10 I agree. I think I did iperf-tests some months ago that looked much better than the scp/sftp-stuff. Sure, it has to be faster, but it was way better.

    I will repeat that asap.

  • IPSECD VPN Phase-2 configuration disappearing

    Moved
    0 Votes
    30 Posts
    1k Views

    We are having this same issue on 2.7.2 on a Hyper-V VM. Seems this is a new issue after upgrading from 2.7, but can't be 100% sure of that. However I can report that as we've been moving some policy based VPNs to VTIs (and in that process deleting certain P2s under a given P1, or deleting all the P2s and P1s related to the site we're moving to VTIs), other P2s, for separate P1s that we've left untouched as policy based VPNs, will disappear. This has happened repeatably, each time we delete another set of P2s. So late night I moved five VPNs from policy based to VTI, and I had to rebuild 16 P2s (most of our policy based tunnels have four P2s each).

    Anyway, just adding to the discussion.

  • Cron "Day of the Week" doesn't seem to follow UNIX standard

    0 Votes
    1 Posts
    73 Views
    No one has replied
  • installing pfsense 2.7.2

    0 Votes
    10 Posts
    447 Views
    patient0

    @stephenw10 said in installing pfsense 2.7.2:

    Hmm, well that's interesting. I wouldn't have expected that to work at all. 🤔

    Me neither but maybe to do with a quirk of coreboot, if that device is flashed with it.

  • RAM Disks not sizing properly

    0 Votes
    6 Posts
    175 Views
    stephenw10

    The resizing or /var filling?

    If you see /var filling try restarting the syslogd service. That will be fixed in the next beta.

  • Dynamic DNS keeps using the old WAN IP

    0 Votes
    5 Posts
    172 Views

    @Gblenn said in Dynamic DNS keeps using the old WAN IP:

    @tomasenskede Log in to your Bahnhof account and request a public IP, or call their customer service. It will only take a few minutes...
    They need your MAC address.
    I assume you have the router they sent out, so you could clone the MAC from that and then restart the WAN interface on pfsense. Perhaps you already have a public IP, but it is locked to that MAC.

    Otherwise fill out this: https://bahnhof.se/privat/kundservice/bestall-publik-ip/

    Thanks! I didn't realize the issue with the private IP at first. In fact, I had asked Bahnhof earlier about updating the MAC address and was told it wasn’t necessary. However, it turns out it still needed to be updated.

    Now it's fixed and running smoothly.

    Appreciate the quick and great support, guys!

  • System defined alias - see all listed

    0 Votes
    13 Posts
    246 Views

    @stephenw10
    what? surely this is of the highest importance! 🤣

  • Amazon Prime Video issue -- resolved by restarting pfsense every few days.

    0 Votes
    8 Posts
    311 Views
    Gertjan

    @1octet said in Amazon Prime Video issue -- resolved by restarting pfsense every few days.:

    I get the following error "prime video error code 7131".
    Is anybody else experiencing similar issue

    prime video error code 7131 is 'very' known.

    On the amazon support forum .... the question exists, and is never (?!) answered - have a look for yourself, I spent only 5 minutes over there.
    Someone said : It's an amazon error ! ..... and they don't know about it ? ( 😊 ) ?!!

    So, imho, knowing that pfSense 'out of the box', which means : no (like none !) settings changed, exception : the password, the error probably won't show up anymore.
    You've changed DNS settings ? That's a very known reason why people post here : stuff stops working well ^^ (It's always the DNS !)
    Adding pfBlockerng in the mix (and a load of DNSBL feeds) : yeah : 'errors' will show up all the time. That's normal. Check the Alert logs, and see if you need to white list some DNSBL (amazon) host name.

  • pfSense/ESXi route all VM via GRE TUNNEL

    0 Votes
    19 Posts
    414 Views

    @stephenw10

    Oh my man, these silly mistakes are wasting my time.
    The gateway was being considered as offline, so I had to disable gateway monitoring, and it solved the problem.

    Thank you so much

  • PF Sense / TP Link Router / Parental Control Issue

    0 Votes
    2 Posts
    104 Views

    @Justin7
    Yes well that will not work since you have your TPLink connected on the LAN port (as an AP only). The parental control function requires traffic to go out on Internet via its firewall. This you can do whilst maintaining pfsense as the main firewall but it means double NATing...

    What type of control are you trying to enforce? If it's access to specific sites or applications you could take a look at AdGuard Home. Then you go back to using pfsense as the DHCP server and hand out the IP of AdGuard as your DNS. And change the TPLink into a simple AP... I'm sure you can use some of the access control functions still. Perhaps schedule wifi access??

    But in AdGuard you can set and block not just ads, malicious sites etc, but a whole range of applications as well. The App blocking is very simple to use with a nice UI and then the ability to set a schedule for the blocking.

    Then there is pfBlockerNG as a plugin for pfsense.

  • Update/backup doesn't work

    0 Votes
    14 Posts
    464 Views

    @Gertjan

    The "old" pfSense-CE-memstick-2.7.2-RELEASE-amd64.img.gz worked! I'm now up and running on my new hardware with a 10Gbps WAN connection... swoosh! 🚀

    Thanks for the quick and great support!

    Lesson learned: Always perform a clean barebone install using the legacy USB installer, then restore the backup, reconfigure the WAN/LAN NICs, reinstall packages, and restart.

  • Block VPN Connection

    1 Votes
    13 Posts
    6k Views

    @jonatremoteeyes

    Have you simply tried reaching out to xvpn support and asking them for either a list of IPs they use or a CIDR block they own?

    https://xvpn.io/help-center/how-to-choose-the-right-vpn-server-location

    If you have more specific needs, such as a server that is better suited for downloading content, please contact us or write to support@xvpn.io and we will provide you with a recommendation for a targeted solution.

  • Wireguard tunnel monitoring emails

    0 Votes
    4 Posts
    177 Views
    stephenw10

    I would look in notices.inc and gateways.inc for where the emails are triggered.

    That won't help with log errors from dpinger though

  • How to modify large firewall rule sets

    0 Votes
    14 Posts
    288 Views
    stephenw10

    If you have the ID you can just search the ruleset for it:

    [25.03-BETA][root@fw1.stevew.lan]/root: pfctl -vsr | grep 1736810441
    pass in log quick on mvneta0 inet proto tcp from <LAN__NETWORK> to 208.123.73.69 flags S/SA keep state (if-bound) label "USER_RULE: Connections to ews" label "id:1736810441" ridentifier 1736810441

    Or if you have the ID you likely have the rule number like:
    Screenshot from 2025-03-31 22-45-14.png

    In which case you can use the rules view in Diag > pftop

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.