I have reinstalled pfsense on zfs without swap encryption, dashboard shows AES is active. Consider this question as closed.

Yes it's quit stable right now, as long dev doesn't change anything, we should be ok.

It is possible that you enable "Block private network and loopback addresses" on your LAN. Just disable it. Go to Interfaces > Lan > Reserved Networks.

@gertjan said in upgrade to 2.5.1 no internet: The best log in this case is the DHCP server log. Disconnect any of the PC that isn't working. Look at the DHCP log. Connect the PC back in the network. Do you see a DHCP negotiation between your PC and pfSense in the log ? If yes : check with your PC the network settings : mask, network, IP, DNS and gateway. All these 4 settings are ok ? Concerning pfSense : You changed any DNS setting ? As an update, I have been so busy with work (I run my own business so that problem is a good problem to have) that I have not had time to get through all your (above) suggestions. It did dawn on me that I am running a Pi-hole to capture all the ad junk. To test if Pi-hole was the issue, I disabled it and restarted Pfsense and computer on LAN. No luck, still no internet for computers or tablets. Let me get through your above list and I'll be back here this weekend. Patience is needed for this, I know.

For Cyberghost settings, please look at this post. https://forum.netgate.com/topic/163029/cyberghost-openvpn-on-pfsense/

Yeah I get it while its still in use. And I agree laziness is top of list ;) What is sad is that your camera system is how old.. That they thought ftp was fine when it was designed is the real problem. While sure they could still have it as an "option" it doesn't support sftp? Or webdav or just plain https for moving files? So pretty much the rest of the net is all encrypted these days.. But ftp - yeah lets send username and password in the clear, and not encrypt any of the data being sent. But someone "reading" a website public data - yeah that needs to be secured via https ;) Not that long ago, many websites were just http, and only the login info was sent via https. Asking for a IP of a public website for via a couple of udp packets - yeah lets wrap that in encryption and overhead of tcp.. Think we have gotten a bit off topic ;)

@bhjitsense I did two upgrades to 2.5.1 and both failed. the one in my house the openvpn did not work. I had to re-install and restore. Also had to change the VPN configuration to NordVPN. The one in my office which is multiwan also failed in WAN1 (email and webserver). I had to reinstall 2.4.5 and restore. I do not know what is wrong on 2.5.1 but next time I will check the forums before I upgrade again

My concern here is not leaving the LB2120 LTE modem powered-on all the time. My concern is that to have the LB2120 handle fail-over it will sit powered-on between my cable modem/LTE connection and my SG-1100 with just the Netgear firmware to protect against attack. From what I can determine from the manual, it would need to be in router mode so it's IP address doesn't change when failing-over to LTE with the SG-1100 in the DMZ with only the LB2120 password to protect it. I'm not sure I trust Netgear that much. For pfSense to handle the fail-over, the LB2120 will be connected to OPT1 or another interface as another gateway. The issue is that the LB2120 provides no control over when to dial-out or disconnect. So it just sits there connected, and slowly using my monthly data allotment. Is there a LTE modem that will automatically dial-out and then disconnect the line when not used after some period of time? Frank

@remie2000 said in Logging still not working properly with v2.5: Due to compliance rules I need to log everything that hits the firewall. So your not from planet earth. Or you have to oblige to rules created by people that really don't know what they talk about. Really, 'they' asked you to store all incoming data in a file on a disk ? Throw this in Google : " can I record a DDOS attack ? " The TCO would be millions. If you want to be part of a public network you should accept that every member of that network can communicate with you when they want. Up to you to try to record to record every packet that's thrown at you. Start by buying a box with very good cigars. Edit : OVH, in France, co - developed an anti DOS system - called "VAC". The price tag is/was mind blowing. And they don't record, just keep traffic in memory, the time it takes to judge if it's part of a DOS or not.

There is a built in wizard already. With it you set up the basics of the virtual interface, create a certificate, automatically makes the firewall entries, generate certificates for users, I'm not quite sure where this request is going. There is in fact a large market for this request...If it were truly auto-configured out of the box, that would be what most people call a 'back door'. People pay good money for reliable back doors. One can't also assume every installation has a failover partner. Certificates are good, and generating them is simple. If you want something with a 8 character username password combination instead of a large cryptographic cypher...well that isn't a VPN at all...

@kiokoman said in Shutting down by Windows command?: "C:\Program files (x86)\puTTY\plink.exe" -ssh -root@pfsenseip -pw <password> poweroff That's great! I'll try and post later. Thanks, guys!

@gertjan said in Pfsense with Microsof Teams: @yacud : By any chance, you're not running a cloud based bitcoin cracker in the background ? More serious : pfSense could be used on a POTS modem based 33.6 kbits land line. Video wouldn't work then - sound would be bad. The very same pfSense can be used to connect an entire "1000 employees" company over a 10 Gig line. Some factors : The hardware you use. This includes your own device, and wifi AP if you use them. The settings you use (the default settings doesn't limit you at all). The interconnections you use - your LAN's and WAN's. So, make up the complete list - and you won't be needing us to find your answer. Hi. I was just wondering if you were able to implement your idea? A very interesting version of implementing an ordinary project.

@thetevfik said in Random Reboot with Exiting on signal 15: What can I check? Stop using snort (and any other 'big' packages) and recheck. syslog received a sigterm 15, that's probably part of a process restart, which can happen and is not extraordinary. The system goes down without any special log lines6 minutes later. Check other log files for events during the couple of minutes before Apr 25 07:24:16.

@mtarbox said in sshguard and oddities in the daily system log email: Nothing is hammering on the logs Most probably because it isn't the 'ssh' server that hammers itself. Some other process still keeps on going on port 22, but doesn't know that the ones living there has moved. So sshguard won't see the warning messages from the ssh server in the logs and doesn't add its own. Nothing in the logs doesn't mean nothing is happening. If there is a rogue ssh client running somewhere, it should be detected and be accounted for. wireshark on interface LAN host adresses "192.168.2.1" TCP port 22" and see what pops up. Try all the interfaces.

SOLVED I since upgraded to 2.6.0-DEVELOPMENT and the GUI as well as environment has been stable for about 6 hours now with no packet loss.

@fireix Possibly a sort of state timeout. Basically, connections which are in use (while transmitting packets) don't timeout. The timeout counter starts after the last packet is transmitted. However, I'm not familiar with your tool. Maybe it opens multiple connections to the other host which are partly idle while syncing. You may look up the docs for details on state timeouts in pfSense: https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html. For troubleshooting you can add a pass rule to the top of the rule set allowing the access to the remote host and set a high timeout in the advanced options.

Anyone who can help or familiar with this?