@johnpoz Awesome! Thanks soooooooooo much!

If it's a supernet to include a number of subnets that's fine. As long as there is a reason for using it. You'd be surprised how many people believe there are only 3 private subnets available. Steve

Ah, never mind. Figured it out. Wasn't exactly my fault. One of the lists I had added had suddenly included a block for github which is the location for many of my other lists... so many that I thought all or almost all were suddenly failing. The whole SSL thing was a red herring. DNSBL was blocking DNSBL list updates. Once I figured out the offending list, I disabled it and redid the downloads and everything is happy again now.

In the shaping wizard there was an option for VoIP and has one enter the remote IPs. Otherwise there's not a great way for pfSense to know what is VoIP traffic. And since you don't know what IPs all of those use it becomes difficult to maintain. One option might be to prioritize all UDP traffic from your device using those services, but there is a caveat noted in the docs, that the shaper works on outgoing traffic and on the WAN (upload) that happens after NAT. So you can't use your private IPs in the rule that applies the outgoing shaping. What you can do is tag the packets from those IPs, and use that tag. https://docs.netgate.com/pfsense/en/latest/trafficshaper/advanced.html#shaper-rule-matching-tips rule with source of your PC IP: [image: 1605803792376-e59b8ab6-0347-4380-9573-63ff7acd758e-image.png] rule with source and dest of Any that only applies to the tag, and assigns the queue: [image: 1605803840620-08a4ee1e-f89e-4dc1-9782-b3858f424b2f-image.png]

Playback restartallwan from developers shell might do what ya want

I'll leave it at it is. Thanks for the insights!

Yeah, I'm seeing it in all 2.5 snaps now. No idea what I was looking at earlier. Too many test boxes!

@Gertjan said in Cert expired on snapshots.pfsense.org: Anyway. Case closed. Mmm, not really since it should have been swapped out when it was created. We continue to investigate... Anyway thanks for reporting. Steve

@david-williams It has 256MB of RAM so even in late 2020 I would encourage you to try out OpenBSD, FreeBSD or NetBSD on it. A minimal install of Debian Linux would work also. I'm of course suggesting you build a router/firewall completely from scratch. Note this would only work if you can replace the 64MB flash card with something larger. At least 1GB but that's only if you perform a very minimal install. I would suggest installing the system in virtualbox first then convert the vdi to an img in order to copy it onto the asa's flash card. https://www.router-switch.com/pdf/asa5510-bun-k9-datasheet.pdf

You mean in the 'Alternate Hostnames' field in Sys > Adv > Admin Access? It has to be a hostname. So: firewall.mydomain.com for example. Steve

@EddyT Hi - I am trying to create graphs with ntopng and pfsense like yours - do you mind to share your json

Replacing the existing router with pfSense would be a much better plan unless there is a very good reason not to. Bridging can work OK but it's also easy to get wrong. Bridging VLAN interfaces even more so. Steve

Testing or recovering a device temporarily like this is about the only time I would use two subnets on one interface. I have done that numerous times in the past. (but it does always feel dirty! ) Steve

Hi all, Ok solved by myself. Strange was those "Permission denied" errors, so I've ended first trying a factory reset and restoring a backup, then, 'cause this didn't help, I've reinstalled the whole box and restored the configuration. After that, all went back to work. Hope that helps someone. Cheers, Simon

@kiokoman it's a production node so it's hard :( And to disable a VTI requires to unassign the interface, and so on, I cannot simply disable the P1. Meantime I've found a small workaround. I noticed in logs many events related to "change of dynamic IP address" related to my IPSEC tunnels (please note that I work only with static IPs). This triggered some kind of refresh of configuration, and php started to consume all CPU during that refresh. So I disable monitoring on all tunnels, and this mitigate the problem because it seems that pfSense does not reload configuration many times every day as before. Still the problem is on, so if I manually save changes and reload config it starts to eat CPU

@LakeWorthB I have since rebuild the pfsense box, so I can't confirmed what caused it.

I think this worked for me also. Is there a way to check? When I place the usb drive in a Windows box I can not see the file. Also how will I restore it after rebuilding the broken PfSense box? Thanks Joe

did you disable Hardware Checksum Offloading ? Wow, just straight to the point. This was it. Thank you so much!! btw, also interesting: This will take effect after a machine reboot or re-configure of each interface. the GUI says at this option, but it worked immediately when I hit save. Anyway, thanks for taking your time, I had already lost hope it would be so easy in the end

There are people here I have come to trust. I value their experience and their judgement. Taking their advice is sometimes not comforting or confirming. It's not like running off to your media bubble. The truth is they have, collectively, a few lifetimes of experience and the wisdom that comes from the scar tissue they have accumulated. Please also keep in mind you're getting this for free.