• What rule blocks this ?!?

    19
    1
    0 Votes
    19 Posts
    835 Views
    stephenw10S
    @johnpoz said in What rule blocks this ?!?: short block You mean an invalid short packet? Edit: Oh the log reason is 'short'. Hmm I don't think I've ever seen that before. Yeah it doesn't have to match a rule so no id etc.
  • SMART not checking drives.

    smart monitor freebsd
    4
    1
    0 Votes
    4 Posts
    364 Views
    A
    Thanks Guys... that explains everything. The other drive is a M.2 Samsung 250GB, worked OK on that.
  • Keyboard stops responding after booting

    4
    0 Votes
    4 Posts
    272 Views
    K
    So you're seeing the boot process on a screen attached to the device with a CVGA/HDLI cable ? The kernel boot probably switched over to the serial USB console from that point on, so nothing shows up on the screen anymore. This might help you : Troubleshooting Boot Issues. @basketball superstars said in Keyboard stops responding after booting: is due to needing to disable DHCP You disabled the DHCP server on LAN ? Thanks for your answer. I got it.
  • pfsense 2.8 CE Crash Report

    4
    0 Votes
    4 Posts
    225 Views
    stephenw10S
    Hmm, so is that shown in the main system log? It may just not be in the console log.
  • Error "loading the rules" after reboot

    8
    1
    0 Votes
    8 Posts
    406 Views
    stephenw10S
    Hmm, I'm not sure why you would need NAT there if each site is advertising the correct subnets. But yes that would be a problem if you needed to do it. In pfSense you need to assign an interface to apply NAT on it.
  • Torrents Resulting in WAN Packet Loss

    17
    0 Votes
    17 Posts
    660 Views
    planedropP
    @stephenw10 Yeah that's what I'm thinking, maybe the ONT itself can't handle it or something along those lines. I know many ISPs do throttle torrents, but you'd usually see that as the torrent traffic itself having higher latency and stuff, not just dropped packets on the entire connection, though it doesn't appear the latter is unheard of. Pretty confident at this point it isn't pfSense, so at least that's good. May also see if my ISP can get a tech out, after I test both VPNs and possibly direct fiber connectivity instead of the ONT.
  • SSH with public key and new macbook pro

    10
    0 Votes
    10 Posts
    395 Views
    patient0P
    @ahole4sure said in SSH with public key and new macbook pro: could you possibly send a screenshot of what all is in your config file? :) ... no, I can't do that. It is full of information not to be shown in public. But I can paste an example and you'll find a lot on the internet.

        Include ~/.orbstack/ssh/config

        # my firewall, e.g. pfSense, non-standard port
        # and specify which ssh private key to use
        Host firewall-at-home 192.168.1.1
          User root
          Port 20022
          IdentityFile ~/.ssh/id_rsa
          HostName 192.168.1.1

        # my Synology DS920+
        Host ds920plus
          User admin

        # default settings for hosts not matched
        # in above rules
        Host *
          User jane
  • XMLRPC Error after Upgrading to 25.07

    3
    0 Votes
    3 Posts
    212 Views
    stephenw10S
    Do you see blocked traffic on secondary? It sure looks like it's failing to authenticate there. Are you using a complex password? Are you using the admin user for the xml sync?
  • 0 Votes
    3 Posts
    232 Views
    C
    @stephenw10 Thanks. I monitored the WireGuard traffic on the underlying interface at the same time and sure enough every 15 seconds the remote peer sends a 32 byte UDP packet. This ties up with the client's setting 'PersistentKeepalive = 15' so it is just the keep alive traffic. Mystery solved.
  • 24.11 -> 25.07

    19
    1 Votes
    19 Posts
    1k Views
    Z
    @stephenw10 No it doesn't install a 3rd party repo. However... it could possibly:
      - Mess with shared libraries (libmd.so, libssl.so, etc.) getting replaced or misaligned.
      - Create conflicts in /etc/rc.conf, init scripts, or pkg metadata.
      - OS version expectations (pkg or pfSense-upgrade behaving strangely).
  • 25.07 ran for 24 hours and then ????

    4
    0 Votes
    4 Posts
    336 Views
    stephenw10S
    Hmm, well hard to be sure. I'd guess that Unbound was restarted when pfBlocker updated and then failed to restart for some reason. However that wouldn't prevent pinging 8.8.8.8. So another possibility is that one of the pfBlocker feeds had some rogue entry blocking far too much when it updated.
  • OpenVPN bad encapsulated packet length question

    31
    2
    0 Votes
    31 Posts
    2k Views
    A
    @stephenw10 Thank you. I will do some research on this option
  • 0 Votes
    2 Posts
    304 Views
    stephenw10S
    Skipping the untrusted certs there is expected in any install. CE is not supported in Azure.
  • pfSense 2.8 CE Azure

    5
    0 Votes
    5 Posts
    482 Views
    stephenw10S
    Yes upgrading CE in Azure is not supported. And that includes to Plus. The only supported deployment in Azure is from the tested Netgate image.
  • Unable to update from 23.09

    5
    0 Votes
    5 Posts
    302 Views
    stephenw10S
    Yes, in the dynamic repo system upgrades are supported from the previous two versions. So you can skip one version. For 25.07 that's 24.03 and 24.11 so you would have needed to upgrade to one of those first from 23.09.
  • PHP Fatal error after adding port forward

    8
    0 Votes
    8 Posts
    440 Views
    stephenw10S
    Technically it was but as long as we can still build for it without too much difficulty we will try. There are some packages that no longer build for arm32 and are not available there. At some point the work required to make it build will become impractical and it will no longer be upgradable.
  • WAN out errors since 2.8 upgrade

    Moved
    18
    0 Votes
    18 Posts
    2k Views
    stephenw10S
    Yup mpd5/netgraph ignores those errors. It should be fixed by this: https://github.com/pfsense/FreeBSD-src/commit/7a623f854217be1dc7a04ce0b3f47303ea2ce7a9 That's in main so it should land in 25.11/2.9.0.
  • netisr running close to 100% on a single core

    7
    0 Votes
    7 Posts
    380 Views
    G
    @dennypage said in netisr running close to 100% on a single core: @Gustas said in netisr running close to 100% on a single core: Do you have both WAN and LAN enabled as Monitored Interfaces in ntopng by chance? Yes, we do. Can that be the issue? Certainly a contributor. There is a caution in the pfSense ntopng package when selecting interfaces to monitor that says "It is generally not recommended to monitor WAN interfaces." At a minimum, it will double your load. You should remove any WAN interfaces from the list of Monitored Interfaces. Also, if you have any form of active discovery enabled inside ntopng itself, be sure to turn that off as well. Sorry, I just checked and monitoring in ntop is configured only for internal interfaces, WAN is not being monitored. Sorry for misleading you.
  • LAN not in ARP table

    10
    0 Votes
    10 Posts
    403 Views
    stephenw10S
    The VLAN you would need would be on the switch in order to separate the WAN and LAN network segments. Or connect the pfSense WAN to whatever upstream router you have directly so the switch is only the LAN.
  • Is there a 'correct' way to report a bug for CE?

    Locked
    8
    0 Votes
    8 Posts
    655 Views
    jimpJ
    Adding to what has already been said: Usually if someone thinks the bug has a factor making it unclear, invalid, or questionable in some way, a developer or TAC staff member will comment and ask for more info, close/reject it, etc. We're not usually shy about asking for more detail, method of reproducing the bug, and so on. The fact that it was left as-is can sometimes (though not always) be taken to mean it was potentially valid or at least sufficiently clearly described and it needs someone to look at it, investigate, get further confirmation, that sort of thing.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.