• Remote Code Execution in pfSense <= 2.5.2

    15
    1 Votes
    15 Posts
    1k Views
    B
    ...tl;dr don't browse the web from the same session you admin your firewall. And also: run the browser for administering pfSense under a different OS account than the one you use for browsing, and add an OS firewall rule to prevent inadvertent general browsing from the pfSense browser.
  • SSHD failed to start

    26
    0 Votes
    26 Posts
    3k Views
    L
    @stephenw10 I only tried from 22.01 to 2.6.0; there, the same issue appears.
  • Will pfSense+ support UFS?

    Moved
    7
    0 Votes
    7 Posts
    1k Views
    JKnott
    @linkp FWIW, I just came across this video, though I haven't watched it yet. Why The ZFS Copy On Write File System Is Better Than A Journaling One
  • PFsense Certificates

    3
    0 Votes
    3 Posts
    489 Views
    Gertjan
    @stiu81 For the CA: Export a Certificate Authority. You will also find Export a Certificate. Btw: you have to go here, Diagnostics > Backup & Restore > Backup & Restore, very regularly. The backup file that you export will include all the certificates.
  • Source address not NATed during OpenVPN startup?

    25
    0 Votes
    25 Posts
    3k Views
    B
    @stephenw10 said in Source address not NATed during OpenVPN startup?: Mmm, indeed. Can you see what rule 122 is or was when the OpenVPN is up? That rule is from after OpenVPN came up. I don't know what the numbering was before it came up; it would be tricky to get; I'd probably need to write a script. This starts to look like a stale state somehow. Well, I did find that setting Reset All States in System/Advanced/Networking reduces (but does not zero) the number of bad packets.
  • Passing traffic across different subnets pfsense not working correctly

    14
    0 Votes
    14 Posts
    1k Views
    P
    @hellegaard1 a vlan is a vlan is a vlan... it is supposed to divide networks. As johnpoz said, you can't discover across vlans without some special configurations. But just use a UNC path to access your devices, if you would like to stay with different vlans for your devices. But all this is outside Pfsense stuff. If you have an AD Server you can go with Group policies ... but this is beyond the scope of your question.
  • Microsoft Teams bad Network quality / drops out of meeting

    teams
    32
    0 Votes
    32 Posts
    6k Views
    K
    First of all I want to thank everybody for their help and suggestions. After more than a week of testing and changing settings, the issue is discovered. In my setup I was using a switch that does not support VLAN. I immediately bought one that supports it and now there are no more drops. Totally forgot to check that part of my setup, but I'm glad it all has been solved. Again, thanks for the support of this community!
  • Slow upload speed with 2 wan

    4
    0 Votes
    4 Posts
    468 Views
    stephenw10
    Ok, well if you are outbound NATing that traffic from pfSense to WAN2 you might be OK. I could still imagine it receiving an ICMP redirect though. If you're not outbound NATing in pfSense it's definitely asymmetric. https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html You should remove the asymmetry anyway, it will bite you at some point. Put the WAN2 gateway device in a separate transport subnet so all traffic passes pfSense. Steve
  • site to site tunnel using wireguard

    2
    0 Votes
    2 Posts
    326 Views
    stephenw10
    When you ping from pfSense and leave the source set to auto it will use the closest logical IP. In this case that's probably the Wireguard tunnel address. Try setting that as the source. Then try setting the LAN as source. It looks like you have either a missing route or firewall rule. Probably at the node2 end. Steve
  • Import CA from my UCS-Server

    3
    0 Votes
    3 Posts
    851 Views
    stephenw10
    Yes, export the CA cert, not the key, as x.509 if you want to import it into pfSense.
  • Question on ACB

    5
    0 Votes
    5 Posts
    736 Views
    stephenw10
    Yes, it's something we would like to see. A new front-end for accessing and managing backups outside the pfSense interface is something we are working towards. Steve
  • WAN shows as down, even when functional

    8
    0 Votes
    8 Posts
    865 Views
    stephenw10
    Yeah, it depends on the order it was applied and what version that change was made in since I believe there is now code to prevent it. It looks like you hit that new code by switching to an Eth interface and back. Good to know. Steve
  • Restoring from Auto Cloud Backup does not reinstall packages

    9
    0 Votes
    9 Posts
    1k Views
    stephenw10
    Ah, yup that will do it. And it sure makes for a crappy experience at the client end! Disabling v6 on the LAN in pfSense will prevent it. Or setting it up correctly if your ISP gives you a PD you can use. Steve
  • Restore config to SG-2100 from dissimilar hw

    Moved
    9
    0 Votes
    9 Posts
    1k Views
    M
    Thanks for your help everyone. I had only two interfaces configured (wan1 and lan1) even though the sophos device had 4 physical lans only one was needed. I backed up the Community Edition that was originally installed & configured onto the sophos. I then booted up the Netgate SG-2100 and did a restore through the menu options in the web config. Everything worked for me. I think I might have had to name and/or assign the eth ports. For not being familiar with the product and concerned if help would be available when I needed it this went well for me. I hope it helps anyone in the future who is contemplating a change from the Community edition to the netgate hardware. Thanks again everyone
  • 1 Votes
    3 Posts
    579 Views
    P
    @jimp Thank you for the clarification.
  • Help with ATLS21QGE 7055021

    4
    0 Votes
    4 Posts
    728 Views
    stephenw10
    If you have build tools on the firewall you have to ensure only the right users can run them or the result, which is an attack surface in itself. Yeah, there are a number of threads here on the forum from people trying to use this card and I don't see anyone who managed to build a driver for it. Steve
  • Memory Usage High in 22.01?

    6
    0 Votes
    6 Posts
    1k Views
    jimp
    @areckethennu said in Memory Usage High in 22.01?: I also switched to ZFS. That alone will cause the system to use more RAM than it would with UFS.
  • Since upgrading to 2.6 WAN cuts out every few hours

    12
    0 Votes
    12 Posts
    1k Views
    stephenw10
    Mmm, it could always be some coincidental fault and nothing to do with the update.
  • Speedtest turns to crap

    6
    0 Votes
    6 Posts
    884 Views
    stephenw10
    None of that stuff has been necessary for some versions now. But likely won't hurt. If you need custom loader variables though you should put them in /boot/loader.conf.local (create that file). The loader.conf will be overwritten with pfSense changes/upgrades. You see any errors on the interfaces? Anything in the system logs? Clearly not a loading issue. Steve
  • updated to 22.01 - SG1100 high CPU usage '/sbin/pfctl -vvsr'

    16
    0 Votes
    16 Posts
    2k Views
    P
    @bbcan177 said in updated to 22.01 - SG1100 high CPU usage '/sbin/pfctl -vvsr': https://www.reddit.com/r/pfBlockerNG/comments/sk9txi/ip_block_logging_not_working_pfsense_260rc/hvv99s1/?utm_source=reddit&utm_medium=web2x&context=3 Installed the patch and it solved it! Thanks!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.