@bongo-nations
You don’t need a console using only Unifi APs. I setup two U6-Lites in 5 minutes using the Unify Network app from the Apple store on iPhone and iPad. You only need a console to do more than basic setup , which is all I needed. Last week, I upgraded the U6-Lites I used for a year to two U6-Pros since they became available in my area. It took 5 minutes each to setup on the IOS app and they work perfect.

They all work flawlessly with Pfsense 2.6 with no changes once setup using the app. However, if you need more than what’s available in the app, such as VLANs, you need a console. I tested the console on a Mac out of curiosity and setup an AP. After playing around I reset the AP and went back to the app. It’s all surprisingly easy.

A tip which has nothing to do with getting them to work but may help: I recently got 1.2Gig from Comcast and upgraded the modem to S33 and U6-Lites to U6-Pros (I will upgrade my Protecli FW6A and HP 2520-24 switch eventually). But wifi topped about 475-500, the trick was to bump the 5Gz channel width from 40Mhz to 80Mhz in the IOS app and bingo, I got 899 on my iPad Pro 11 connected to one of the U6 Pros. Not bad considering my best wired speed is 937.

@jknott I agree, this opens a can of worms for cyber security, just one website and one wrong web cookie could direct DoH DNS requests to a another server, I just noticed you can disable it in Chrome and on the OS side. I use Squidguard and block a list of DoH domains, many servers are in different countries. I just started looking into this with one.one.one.one and other cloudflare DoH servers.

https://forum.netgate.com/topic/176693/dns-over-443?_=1672162126374

Another post with lists of DoH servers.
Combined DoH servers list if you want to create a block list.

Positive when it is turned off in the OS I do not see any requests on the proxy anymore. So you can block it that way.

1672081401354-combineddohlist.txt

The example on TrueNAS is auto-decrypting the data drives but not the boot drive as see it. So it's probably not directly applicable here.
To do the same with an encrypted boot drive it pretty much has to be in the bootloader I would think.

Maybe moving the config file onto USB would suffice? pfSense would still boot but would be useless without the config. Many years ago m0n0wall had that option. It would require some work in current pfSense.

Steve

@lexxai
Answer by himself.
I do test

dd if=/dev/zero of=/var/db/testets.db bs=1M count=100 dd if=/dev/zero of=/var/log/testets.db bs=1M count=100

Used space only on RAM disk, so ZFS not used.
Question closed.

Screenshot_20221227_015132.png

@johnpoz Thanks again. I realized I also have some cloud servers available to me too, so I ran nmap from there. Confirmed that nothing is open.

Disregard, a shotgun reboot seem to resolved this. "have you tried turning it off and on again?"

That did it. Outlook emails now fly out of the outbox and send numbers are back to normal. Thank you so much @SteveITS for all the assistance, greatly appreciate it.

Just to follow up on this, I found this post from Feb '22 on the FreeBSD forum:

"The extension for FreeBSD packages changed from .txz to .pkg recently. The static pkg tool in base still expects the old name.t"

@louis2 personal advice / opinion:
It is always a good idea to not allow your iot vlan to access any other vlan you have running.
Then: get rid of that tuya bridge and look for alternatives such as home assistant which can integrate many different providers in smart home equipment and is run in your own personal cloud, no internet needed (except updates).
So you have your smart home stuff in a seperated, isolated vlan, can access with mobile and lan devices, can restrict traffic outbound for iot...and no provider cloud somewhere else...

Ok, if you can ping out clearly WAN is working. And the OS is still running.

Do all the internal interfaces stop responding?

I would try to find out exactly what's failed at that point. Run ifconfig and check the NIC status. Run netstat -rn and make sure the routing is good.

@stephenw10: I have not ever used the captive portal. However, when I get home, I will check to see, whether I had ever initiated setting it up, but not finalized the configuration.

Otherwise, I will see, whether a reboot will stop it.

@SteveITS: My SG-1100 is less than two years old. I doubt that there is anything wrong with the SSD.

Ah, nice. Yes I would have those set to autoselect or default unless you have a very good reason not to.

Steve

I found it somehow under "Status/Monitoring" ;-)

Support for QAT in general was added in Plus 21.02 and is only in Plus.

Over time as the underlying OS and drivers get updated, more cards/chips are supported. The card you have was probably not supported by the driver until 22.05.

The QAT drivers in the upcoming 23.01 release support even more. Such is the nature of progress.

We don't backport drivers like that to older/prior releases, and there is little reason to not be on 22.05 at this point.

What are you actually seeing? The backtraces above are different.

Steve

@stephenw10. It has resumed working, attached directly to the UPS. !!
Nothing was forever damaged.
The way the SG-1000 was attached to its DIN rail, I had not noticed that there were two micro-usb connectors on the SG-1000 bottom. Further, I had not seen on the notice the mention that one of these ports (the one I was attempting to use, in error) is reserved for console access. Further, some cables simply do not work.
After having tested, some of my cables demonstrated they worked, but only in the proper hole on the SG-1000.

Thanks, Steve, for the help. My tiny SG-1000 still works with all its glory. As long as I do not need the fiber speed, I will get him to do the required work for my home.

@viragomann Sorry the pictures above where outdated, heres my updated frontend information

Screenshot_99.png Screenshot_98.png