• Dynamic WAN Gateway down

    3
    0 Votes
    3 Posts
    464 Views
    M
    @viragomann, thanks a lot buddy!! That's totally fixed the GW off-line issue. That's the way it came from the ISP but never actually noticed the mask is 255.255.255.255. Good catch! Hats off!!! I can now carry on with the rest of the config. -San
  • Ldaps connection bind fail

    2
    0 Votes
    2 Posts
    360 Views
    AKEGECA
    @stex there were bugs in privileges. Maybe this helps: docs.netgate.com/pfsense/en/latest/troubleshooting/authentication.html
  • Pfsense to monitor all traffic when connected to unifi dream machine pro

    5
    0 Votes
    5 Posts
    1k Views
    R
    Thank you for the link, however sadly it does not cover the questions that were asked and only covers a basic network setup and the most useful add-ons to install. I know putting the pfsense in front of the UDM Pro would be the easiest thing to do, however would this not log all traffic shown as coming from the WAN interface IP address of the UDM Pro? This is not what I want to achieve as I want to monitor all traffic from all internal VLANs showing the original device's IP address. In and out? Sorry if I did not make it clear.
  • How do I export logs from CLI?

    3
    0 Votes
    3 Posts
    541 Views
    S
    @viragomann Ah, okay got it. I thought I could do it with the admin user I set up through the GUI but I had to SSH into the machine using root@192... all good now, thanks!
  • 0 Votes
    17 Posts
    5k Views
    E
    Below is the complete process to enable access to the pfSense's server sshd (ssh, port 22) from a private network... Using option 8 ("8) Shell") turning off the firewall with the command... pfctl -d ... and access pfSense server through the ssh (port 22)... ssh root@<PFSENSE_SRV_IP> ... using the initial password "pfsense". TIP: We recommend changing the initial password. Using option 12 ("12) PHP shell + pfSense tools") perform the commands... unset($config['interfaces']['wan']['blockpriv']); write_config(); exec; ... and exit... exit Using option 8 ("8) Shell") again, add a rule to allow access through port 22 on the wan interface... easyrule pass wan tcp any any 22 TIP: The "any any" parameters allow you to restrict the source IP and destination IP respectively. NOTE: The above command will turn on the firewall (same as pfctl -e) and this will drop the ssh connection (port 22), but the ssh connection will be allowed. PLUS: For more explanations about why private networks and loopback addresses are blocked by default on WAN here Block private networks - What does that do, what is it used for ? and here Address Allocation for Private Internets.
  • 0 Votes
    33 Posts
    3k Views
    jimpJ
    Agreed. Locking it down. Can start a new thread if other ideas come up.
  • pfSense webConfigurator and Console crash after login

    6
    0 Votes
    6 Posts
    541 Views
    stephenw10S
    If you're actually hitting the max processes limit something is amiss. If you are though you should see it in Status > Monitoring. Do you see a slow rise in the processes number or a spike just before it crashes? Steve
  • reissue of CA unexpectedly changes private key

    6
    0 Votes
    6 Posts
    988 Views
    jimpJ
    You don't really have a choice there if the CA changes. You don't need to adjust the clients if the server cert changes (even the key) so long as it uses the same CA, perhaps that's what you were thinking of. There may be some song-and-dance you can do with an intermediate cert but if the root expires, clients still need to know about the new root. Browsers solve this by stuffing the new root CAs in various updates as they go, VPN clients have to do the same. Users should be conditioned to be periodically updating their VPN client software anyhow. OpenVPN frequently has updates for security and other issues. There won't be a real "fire and forget" setup where you can get away with never updating the client, especially with OpenVPN.
  • Aberrant time display in Monitoring graph

    18
    0 Votes
    18 Posts
    1k Views
    jimpJ
    I suspect it would have. That's what has happened in the past during similar situations when I've tried it. Granted the last time I tried any time-based shenanigans with RRD was many many years ago. I don't think it's changed that much in its core though.
  • Syslog server for pfsense that stores formatted data into MS SQL or MySQL

    9
    0 Votes
    9 Posts
    1k Views
    S
    Thanks Kiokoman
  • CPU and NIC w/ Multi-Queue Process

    5
    0 Votes
    5 Posts
    1k Views
    mytsuuM
    Hi @stephenw10, Thank you! You're correct regarding using bridges with HA configuration. As a sample, below is the scenario that I have tested. [image: 1623309908498-screen-shot-2021-06-10-at-15.46.59.png] As shown, the switches SW3 and SW4 aren't interconnected to avoid loops. For redundancy I use a combination of LACP in failover mode and VRRP IP as default gateway instead of using pfSense CARP configuration. The reason to enable HA is to have the pfSense Sessions, Alias and Rules synchronized. For the servers behind, as shown WB1, there are two connectivity ways; Master to SW3 (SW4 as Backup) WB1 Master to SW4 (SW3 as Backup) * WB2 It means both pfSense can handle traffic simultaneously. Although being configured as HA Master / Backup they work as Active / Active. Did you have some experience like that before? Regarding the high CPU interrupt time % issue. After changing the parameters below, the performance looks better than before. I'm still monitoring it. System Tunables net.link.bridge.pfil_bridge = 0 to 1 net.link.bridge.pfil_member = 1 to 0 MY
  • vodafone uk with bt openreach modem

    7
    0 Votes
    7 Posts
    1k Views
    VioletDragonV
    @godhead83 pfSense WAN interface needs to be configured as PPPoE. VLAN ID 101 is default and assigned by the Modem. BT uses VLAN101 by default. When you configure the WAN interface do you see an IP Address? Contact Vodafone and ask them for a Username and Password if you haven't already.
  • Comcast EDI Setup with Dual Firewalls and CARP

    1
    0 Votes
    1 Posts
    384 Views
    No one has replied
  • 0 Votes
    8 Posts
    1k Views
    noplanN
    @andyrh said in How to set PfSense to do auto re-reboot in 5 minutes or [any min] after power was auto restored.: That is a reboot loop. yes true ! thanks for the reminder ;) quick n dirty not always gonna work like a charm brNP
  • Setting up Pfsense

    Moved
    5
    0 Votes
    5 Posts
    825 Views
    P
    @steveits got ya. I’ll give it a shot later today. Thanks again
  • Reuse of Static Lease not responding

    6
    0 Votes
    6 Posts
    770 Views
    stephenw10S
    But did the device with MAC XYZ actually pull that IP? And do either of those MACs appear in the ARP table?
  • how to enable interface from cli (Lan disabled)

    Moved
    5
    0 Votes
    5 Posts
    529 Views
    N
    @kom Nope, that doesn't work either I'm afraid. What DOES work is selecting option 2 from menu, then re-entering ip address for LAN, and hey presto it's enabled again :) Thanks for your help in this, much appreciated. Regards
  • Internet speeds throttled

    10
    0 Votes
    10 Posts
    1k Views
    JKnottJ
    @habitat said in Internet speeds throttled: which was originally for a very specialized immersive art installation Yeah, I guess you'd need CAT 6 for that.
  • Errors err_timed_out

    3
    0 Votes
    3 Posts
    421 Views
    C
    @stephenw10 Yes, I saw that at all websites. I unchecked the following options in DNS Resolver configuration: Register DHCP leases in the DNS Resolver, Register DHCP static mappings in the DNS Resolver, and it's working normally now. THANKS for your suggestions
  • Gateway - Send to Error 65

    28
    0 Votes
    28 Posts
    53k Views
    O
    @thatguy Hello there, thanks for your help, although I do not understand where the code to be copy-pasted is, could you guide me please since I am still a noob at programming.