Did Protectli ever get back to you? Is it resolved? Im curious because I have a similar issue with my hardware. I have it sitting at the BIOS screen to see if it may be hardware rather than software based.

Thanks!

2.7.2 does include that functionality yes. It's the ability to check the current or any available repo for updates:

[2.7.2-RELEASE][admin@t70.stevew.lan]/root: pfSense-upgrade -h Usage: pfSense-upgrade [-46bdfhnRUy] [-l logfile] [-p socket] [-c|-u|[-i|-d] pkg_name] -4 - Force IPv4 -6 - Force IPv6 -b - Platform is booting -d - Turn on debug -f - Force package installation -h - Show this usage help -l logfile - Logfile path (defaults to /cf/conf/upgrade_log.txt) -n - Dry run -p socket - Write pkg progress to socket -R - Do not reboot (this can be dangerous) -U - Do not update repository information -y - Assume yes as the answer to any possible interaction The following parameters are mutually exclusive: -c - Check if update is available in the current repo -C - Check if upgrade is available in any of the available repos -i pkg_name - Install package PKG_NAME -r pkg_name - Remove package PKG_NAME -u - Update repository information

But 2.7.2 is latest version anyway so safe to upgrade rsync there.

@MacUsers
By default pfSense blocks all private address ranges on WAN. To disable this, go into the WAN interface setting and remove the check at "block private networks".

Also you need to add a rule to the WAN to allow access to the web GUI.

Yup so that's only the grep command you're running. Kea is not running.

If states have already been opened they will continue to pass traffic even if new rules would prevent those states.

Hmm, I not aware of any blacklisting there. Could be co-incidental I guess.

@stephenw10 Done! Thanks for reviewing; let me know if you need anything else from me.

SG

Well you test there seems to show it's possible with the right NICs. There have been a few other similar posts. Most systems will not though.

I haven't tried it personally, I can only dream of 1G where I am! 🙄

If you have a paid Plus subscription then open a ticket with TAC to discuss. Usually it can be migrated if you had to replace failed hardware for example.

@stephenw10 I did shut it down twice while troubleshooting, to make it restart. This was while the network was down, and I was trying to figure out why, before I connected a monitor directly to it.
I'll go through the logs again, and see if I can find any clues to why it went down in the first place ( and what caused the config file to be left empty ).

@allsome Yup I was about to respond that unchecking it should do what you need, at least as far as I can tell. I am still using it with this firewall and Proton's SMTP service and it's working fine.

@Gertjan

thank you very much
i have removed the VLAN ID from the network card settings directly
and i try the config on the unifi control and now work on allow device.

The option is moved to the DHCP server setup page when Kea is running in 24.11. You can now choose to register leases from each interface separately if required.

@Gertjan as a last resort i will enable that ;). If i would be owner of hotel i also would not enable that ;)

@snunez Configure pfSense to send logs to a remote log server (Status / System Logs / Settings / Remote Logging Options) and use syslog-ng on the remote system to provide the integration.

That said, have you considered a log system like Graylog instead of a messaging system?

@Gertjan said in pfSense behind pfSense - Not getting WAN IP from PFS1:

edit : and if this doesn't work, then you have to place a smart switch between PS1 and PS2. Split out the VLAN ID from PS1 out on this switch, and connect the assigned port to the pfSense 2 WAN.

I have several managed switchs and PFS2 was connected to one of the ports on one of the switches, which was configured with that VLAN-id. When I said I could ping the PFS1 IP address but nothing beyond, I assumed that it will be understood that internal networking was setup okay.

BTW, in the 7th post, I posted the reason for not working in the first place and then it started working as expected after the reboot, then it becomes very obvious that VLAN, tagging, managed switch etc. weren't the issue at all. 😃

The question was why PFS1 couldn't provide an IP to PFS2 in the first place, via DHCP.

@Gertjan i know htop exist but it lacks some features. I understand security reasons and i appreciate them, but having btop would be nice :)

@bdeprez said in pfsense dns lookup (netgate.com) every 30 seconds:

Is there a reason for this?

As said above : a TTL for a domain zone (whatever zone), I still don't know why that would be needed (exception : mega zones like Microsoft.com google.com facebook.com etc - and, afaik, netgate.com isn't that big as a company - or, for example, load scheduling over en entire server park)
But as we all learn on this forum, people do things with DNS that can't be explained by reasoning.

It gets even better : while posting here on the forum, I used - that is, my browser is, polling forum.netgate.com constantly. Exactly what you found. Guess what, "forum.netgate.com" also has a 60 sec TTL : so

1b3794a9-ed4e-43eb-bd57-d3d30edbb93f-image.png

All request are received, and answered out of the (local !) unbound cache.
Not sure why it asks for a IPv4. I used IPv6, and IPv4 exists as a fallback 😊

But ... I have this option checked :

7bc6aab6-136b-402d-bb90-1a77ea3c1998-image.png

which does what it says that it does (or, probably better : what I make of it ^^ )
If an already resolved domain name, now in the resolver cache, starts to reach a zero TTL unbound will re-resolve automatically so it can answer a requesting client always right away, without going out and do the entire resolve process 'while I'm waiting (the give to take 100 ( ? ? msec this will take).

So, I, the admin, was asking for it.
As always, to see stupid things you need to be two : the one who creates them, and the other, who sees them.

So, ones a "forum.netgate.com" resolved host name exists in my local unbound resolver cache, it will stay there, and get refreshed every TTL-10% = 54 seconds.
Let's contact "netgate.com", and ask if they can lower that 60 to 1 seconds, because "why not ?!".
Their domain name servers will get smacked with requests ...

Btw : No, pfSEnse isn't polling netgate.com for "telemetry" reasons.
pfSenses wants to resolves "netgate.com" a couple of time per day ( ? ) while checking for possible updates and some more reasons.

@stephenw10 said in Netgate 8200 connection questions:

Nice! Yes I think we have seen reports of those WD 520 series working but not available new any longer AFAIK.

yeah, that's the only issue; I wish I could buy new 😑
I think, I'll buy another pair, to keep as the spare.

Did you move the support screw or use adapters for those?

Just moved the support screws.
d6e918e8-a1b7-40cb-9eda-c79290216ddc-image.png

Was pleased to see that mainboard has the native support of diffrent-length M.2 and Netgate was kind enough to supply the extra screws. 😇