So, for anybody keeping score, I finally got this deployed to production last weekend. So far this couldn't have gone smoother. Aside from a few users messing up OTP with VPN logins everything seems to have worked fine on PFSense's new home. HA works, FW rules work, NAT all seems to work. PFBlocker is doing its thing, OpenVPN seems as good if not better than our old AnyConnect setup from Cisco. Very impressed with the solution I have here after a week. Servers are not even breathing hard and handling our traffic fine. Really happy to get this behind me and to see PFSense work so well for us. As for any crashes, so far there have been none. I'm worried this is something to do with the environment I was building this in. Everything is set to capture another crash if it happens but for now, I am just in wait and see mode. Thanks everyone for their input. Really appreciate all the guidance. Hopefully all this still yields something useful. Will let you know.

Nice! Thanks for testing.

Hmm, using syslog-ng as a proxy of sorts is what I've done in the past to make this work. Otherwise you could try the STunnel package: https://docs.netgate.com/pfsense/en/latest/packages/stunnel.html But using a VPN is probably more stable long term. Nothing custom required for that.

Hmm, that's interesting. I wouldn't expect larger packets to make any difference there.

Hmm, now I'm confused. Your screenshot above shows two igb NICs. That's a 1G Intel NIC. It can't link at 10G. Are you using different NICs there now? I expect the idrac to show the real hardware MAC for each port. The internals only vtnet ports should show a MAC generated by Proxmox.

@stephenw10 bingo...its a 10 for you sir

Failed to reproduce it here so far. So, yes, I think trying ctl+t there would be the next step.

Almost certainly this: https://redmine.pfsense.org/issues/16362

OK continuing there instead.

@jay_k indeed :) , glad you were able to resolve your problem

Yeah you cannot have two DHCP servers. You must choose one and I would use the DC for that. Configure it o use the same subnet as pfSense and pass the pfSense LAN address as a default gateway to clients.

@patient0 said in Where to report a security vulnerability in Pfsense Admin GUI: https://www.netgate.com/security Thanks mate

@joelwhrs I will bump this a bit. Not sure if you figured a way to create custom SMTP triggers, for instance: link goes down, link comes up, no internet, ACL event, etc. I'm also looking for a way to create simple event trigger. From what I understand, all notifications are "fixed", I get one when device is booting or when it finish booting, or cert about to expire. On that note, where to find list of notifications? I just upgraded to 25.07.01.

You might be hitting this bug: https://redmine.pfsense.org/issues/16362 Do you see the syslogd service stop in Status > Services? If so check for a connection refused message in the main system log against the remote server.

Yes geoip blocking is never 100% accurate. Check the alias table in Diag > Tables. Make sure it actually contains the subnets you're trying to block. It's often better to pass traffic based on an alias rather than trying to block alias. But that really depends on what traffic you need to serve there.

You may edit the PCI ordering of the devices in the vmx config file of the VM to ensure the nics stays like before and the newly created Nic will be the next available vmx<N> adapter. ethernet4.pciSlotNumber = "40" ethernet3.pciSlotNumber = "39" ethernet2.pciSlotNumber = "38" pciBridge0.pciSlotNumber = "17" pciBridge4.pciSlotNumber = "21" pciBridge5.pciSlotNumber = "22" pciBridge6.pciSlotNumber = "23" pciBridge7.pciSlotNumber = "24" scsi0.pciSlotNumber = "16" usb.pciSlotNumber = "32" ethernet0.pciSlotNumber = "33" ethernet1.pciSlotNumber = "34" ehci.pciSlotNumber = "35" vmci0.pciSlotNumber = "36" sata0.pciSlotNumber = "37" This is an example of a VM in HW Version 21. It may look different on previous versions. Key is to have the pciSlotNumber of ethernet<N> adapter in order and no conflicts with other devices.

@stephenw10 said in Reboot via ssh does not work?: Hmm, weird. Well definitely check the logs after trying and failing to reboot via SSH. So far I could not reproduce it. So will keep my eye on it.