• high CPU usage bzip

    0 Votes
    5 Posts
    805 Views
    viktor_g
    @albgen said in high CPU usage bzip: "@viktor_g thanks. Can I disable PC/SC at all, and if yes, how? I have experienced another bug on this feature, which I'm not using." It will be disabled after the patch is applied.
  • looking for advice on implementing site to site VPN

    0 Votes
    13 Posts
    1k Views
    bmeeks
    @pzanga said in looking for advice on implementing site to site VPN: "@stephenw10 Thanks again. The test worked. So now I'll update the individual PCs as needed. And thanks for the reading material. I really appreciate it." If your Windows devices are part of an Active Directory Domain, you can easily manage the Windows Firewall policies via Group Policy. Here's a link to some Microsoft documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security. What you will want to do is add "allow" rules for traffic inbound from your remote site networks.
  • Reverting Config Changes

    0 Votes
    4 Posts
    7k Views
    M
    @atreides I wholeheartedly agree, there should be a 'discard changes' option. Thanks for your suggestion. Pity it has not been implemented to date!
  • 0 Votes
    14 Posts
    2k Views
    noplan
    @bingo600 Cool thing! Adding aliases is not that big a deal even if there are >100. Adding and merging FW rules is a whole other ball game, at least for me... Burned my fingers a couple of times...
  • Double NAT: cannot ping Comcast LAN interface from Pfsense WAN interface

    0 Votes
    10 Posts
    924 Views
    Y
    @stephenw10 @johnpoz So, that rule I sent was the only rule I had set up on the OPT1 interface. I also failed to mention that I modeled the OPT1 interface after what I had the WAN interface configured to, which was to NOT block private or bogon networks. But I just found out with more testing that my Comcast router cannot actually ping any of my devices... So, not worried about that. My devices (including pfSense) can ping the CC router and that's fine. My only worry now is why the WAN interface didn't work with all the same settings configured as OPT1. Everything is the same between the two, but I'll take that up with Protectli if my own troubleshooting doesn't do anything. Thank you both for the help! I'm hoping to become more proficient with pfSense and incorporate it into my career, so it's been great to have good support just starting out. Appreciate y'all
  • Windstream gig fiber and pfsense

    0 Votes
    14 Posts
    2k Views
    M
    Overriding: all depends on how you do it. If you force a speed/duplex on one end, leave the other end at autoneg, it typically gets the speed correct, but mucks up duplex. If instead of forcing you leave autoneg but specifically advertise a speed and duplex, if the other side is autoneg it works correctly. So a 1G NIC can do 10/100/1000 for speed, and full/half for duplex. If you force "1000/full" leaving other side autoneg, you'll wind up with 1000/half. If you advertise "I only do 1000/full" the autoneg works.
  • Coming out of hibernation to share my recent pfSense story

    0 Votes
    7 Posts
    1k Views
    stephenw10
    Indeed, it won't hurt anything.
  • Changing firewall HW

    Moved newbuild restore
    0 Votes
    6 Posts
    1k Views
    AndyRH
    In my case I imported the OpenVPN configuration which defined an interface. I had previously defined and deleted a physical interface which I had configured DHCP. The 2 aligned to the same name, OPT3. This may be an uncommon result.
  • Strange ISP Switch behavior.

    0 Votes
    7 Posts
    727 Views
    stephenw10
    Does it link if you connect it to the LAN port? Try spoofing the MAC address on the WAN.
  • [SOLVED] How to access cable modem login [Rogers Hitron 192.168.100.1]

    0 Votes
    21 Posts
    8k Views
    johnpoz
    @guardian said in [SOLVED] How to access cable modem login [Rogers Hitron 192.168.100.1]: "I do agree with you that 80/443 is the most likely and more or less impossible to close from a practical point of view." It's impossible to really block those ports at the firewall, if you want the internet to work ;) Stopping C&C would be a list of bad IPs/networks - there are many of these lists available. To those you can block all ports, not just 80/443.
  • Port forwarding to Docker server

    0 Votes
    20 Posts
    3k Views
    D
    @johnpoz So, after a hiccup, somehow I forgot to assign a static DHCP address to the server and the access to the Docker server stopped working. Once the DHCP static IP was set, everything went back to normal.
  • Pfsense 3100 with AT&T BGW-700 - Access Issues

    0 Votes
    3 Posts
    391 Views
    V
    @stephenw10 Thank you. I was able to get in. I needed to set the local LAN to a different subnet.
  • Certificate expiring for web configurator - do I need to do anything?

    0 Votes
    6 Posts
    691 Views
    jimp
    If you renew the certificate in the GUI it keeps most of the attributes the same (DN info, key, etc) but updates the certificate. If you use the CLI command mentioned above it creates and activates a completely new certificate for the GUI. The renewal method is usually less of a pain in the long run, but the other method works as well if the GUI method isn't viable.
  • Expired Let's Encrypt CA when using it as a client

    Moved
    0 Votes
    16 Posts
    1k Views
    bingo600
    I couldn't update bogons on my 2.4.5-p1, due to fetch using the expired certificate. I spent quite some time solving it here, due to my FreeBSD inexperience. https://forum.netgate.com/topic/167276/solved-can-t-update-bogons-on-a-2-4-5-p1-cert-expired Success in the end. /Bingo
  • Enabling Virtual LAN (VLAN) on Pfsense Router's WAN connection

    0 Votes
    9 Posts
    2k Views
    tShaper
    @stephenw10 Thank you, Steve, for your answer.
  • Cannot ping WAN gateway

    0 Votes
    3 Posts
    462 Views
    johnpoz
    @xavier8854 said in Cannot ping WAN gateway: "? (192.168.1.254) at (incomplete) on mvneta0.4090 expired [vlan]" As already mentioned, if you can not arp it, you can not ping it - and no, nothing is going to work if that is your gateway to the internet. You need to figure out why you can not arp for that. Even if dupe, you should see an answer to arp.
  • CRL Errors using externally signed CA

    0 Votes
    2 Posts
    363 Views
    stephenw10
    You should test in 2.5.2. However it looks like this known issue: https://redmine.pfsense.org/issues/9889 Also see: https://redmine.pfsense.org/issues/12327 Steve
  • Remote Syslog - Radius Auth sent as Emergency Event

    0 Votes
    9 Posts
    900 Views
    stephenw10
    OK, using syslog-ng is fun and opens up a lot of options but.... it shouldn't be necessary! I opened a bug for this and created a patch to log as Level NOTICE: https://redmine.pfsense.org/issues/12464 You can apply that diff against 2.5.2 using the System Patches package. Steve
  • Trafic Graphs

    0 Votes
    2 Posts
    401 Views
    provels
    @pontiac In either Dashboard widget or Status/Traffic Graph, select the wrench icon and change the setting, and save.
  • Port Forward with Double NAT

    0 Votes
    4 Posts
    697 Views
    S
    @stephenw10 I was going to get the port forwarding working through a double NAT, but worried about leaving open ports to hackers. I decided to go with adding to my Unraid server a Docker container for Nginx, Cloudflare with free Argo Tunnel, bought a domain .com from Go Daddy for $20, and used three YouTube videos from IBRACORP for setting up nginx with Cloudflare and free Argo Tunnel: Cloudflare CDN: How to Setup + Purchase Domain + NGINX Proxy Manager on Unraid (2021) (sets up SSL full encrypt); Cloudflare: How to Set up Cloudflare Argo Tunnel FREE on Unraid - Bypass CGNAT (sets up Argo Tunnel (IP obfuscation)); NGINX Proxy Manager: How to Install and Setup Reverse Proxy on Unraid (2021) (sets up nginx)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.