Ok I am calling this fixed. I've got an uptime of 14 days after disabling AES/NI on this machine. Previously I couldn't make it past 4-5 days.

@slimaxpower Me?

@strike101 With that user count and speed the Netgate SG-1000 might be tempting.

Product page
https://www.netgate.com/solutions/pfsense/sg-1000.html

Speed
https://www.netgate.com/docs/pfsense/solutions/sg-1000/faq.html#what-should-my-speed-test-results-be

Price @ $150
https://store.netgate.com/SG-1000.aspx

What do you have net.link.bridge.pfil_member set to?

That needs to be set to 1 to filter traffic on the bridge member interfaces which it sounds like you're trying to do. And setting both to 1 is probably not required. Do have the bridge interface assigned even?

Do you actually need a bridged setup? You can disable NAT without bridging but you still route.

Steve

there is not enough info to go on....

Start by removing all VPN related configuration .... then reboot to be sure all routes are cleared.

a)do you get an ip from pfsenses dhcp server ?
b)can you ping from the client to pfsense?
c)can you ping from the client to 8.8.8.8?
d)can you ping from the client to google.com?

If you manage to get 'd' working, start adding the VPN stuff back in

Solved by a clean install. Something must have gotten messed up over numerous upgrades.

@ivor said in Change date format:

I'll see what can be done. Keep reporting things like these, thank you!

Just to clarify, are you talking about forum? Or about pfSense?

Pfsense you can change the format on here fine.
His post was 7 days ago forum wasn't here than =D

You're welcome

glad you get it working

No worries. It's an interesting script but it's old and clearly needs some tweaks for a current pfSense version.

All of your CPU time to create random PIDs seems extreme!  ;)

Steve

Your rules are kind of a mess.

Is this problem only happening for users on VLAN13, or is it everyone?

Hi.

Did you enable enable Transparent proxy and SSL filtering? Just in case follow the instructions in the following link.

https://www.howtoforge.com/pfsense-squid-squidguard-traffic-shaping-tutorial

I don't see how this is a bug when it clearly says

The last SAVED values will be used, not necessarily the values entered here.

Directly below the TEST button.

https://forum.pfsense.org/index.php?board=62.0

"only licensed…"  is an outdated view.  Plenty of corporations these use Linux in its many flavors to run their stuff, AS LONG AS there is a competent in-house IT staff.    "only licensed..." tells me, "if something goes wrong, there is somebody we can blame."

A wan is going to be any interface that can be used to get to other networks.  You can nat or not nat to this wan connection.  As mentioned already you have an asymmetrical problem putting this "wan" network of pfsense where there are devices..

If you want networks behind pfsense, and you want a "wan" network that will be used to get to networks not behind and directly attached to pfsense then this network should be a transit network..

Thats fine if all of these networks all connected physically on the same switch, you just need to make sure you break that switch up correctly at layer 2 to provide isolation.

Your going to run into asymmetrical problems as well if you just put all your networks behind pfsense on "lan" networks directly attached that use different gateway to get off their network other than pfsense.  You would have to do host routing on every single host, etc.

Connect this pfsense to either your layer 3 or your edge with a transit network and correctly route..  Any network your going to put behind pfsense like this 192.168.100 should be isolated on their own layer 2 and use pfsense 192.168.100.x as their default gateway.

There is no mechanism to do that automatically. You'd have to create a script to do it from scratch, using the certificate functions from /etc/inc/certs.inc and probably copying some code from the certificate management page.