• Adding RAID long after original install

    8
    0 Votes
    8 Posts
    632 Views
    T

    @stephenw10 Well I got through the login page to the checkout page by moving to another desktop..... but it wants me to agree to the terms and conditions - and I finally realized I had to click on the whole legalese paragraph to agree and finish the transaction.

    I guess I better order some hard drives.

    Again thank you for your expertise and answers.

  • Is 24.03 -> 25.03 upgrade path supported?

    5
    0 Votes
    5 Posts
    445 Views
    chudakC

    @stephenw10 said in Is 24.03 -> 25.03 upgrade path supported?:

    It's tested internally. We may enable it for RC.

    That'd be great!

  • HTTPS Handshake Failing?

    10
    0 Votes
    10 Posts
    405 Views
    stephenw10S

    When you connect out from the interface address directly there is no outbound NAT required. You should be able to ping out from it.

    However you are seeing some traffic from it so perhaps you're not selecting the source correctly?

    The gateway monitoring would be the same, is that showing as up for WG?

  • RAM Disk

    3
    0 Votes
    3 Posts
    269 Views
    J

    @stephenw10 @Darkk

    umm...


    there are two tmpfs - one for tmp, one for var

    /var is on a tmpfs. (That 89M shown here is mostly log files, and yes, they rotate.) I can force that number to near zero just by removing log files, or just watch it over time go between about 87 and 92 as log files build out, compress and rotate. (Not all of var is on the tmpfs either.)

    /tmp is on a tmpfs (the smaller one in my case)

    to which tmp do you refer and 8GB does seem excessive

  • Block All WEB SITES Except https://web.whatsapp.com

    8
    0 Votes
    8 Posts
    4k Views
    GertjanG

    @am-steen said in Block All WEB SITES Except https://web.whatsapp.com:

    note: I do not know how to open logs

    Go to Status > System Logs

    pfBlocker, a nice shortcut is hiding in plain sight:

    Or Firewall > pfBlockerNG > Log Browser and pick your file in the second pull-down box.

    For the no-mouse solution : console or SSH, menu option 8 and then

    cd /var/log
  • Reverse Path Forwarding problem using pfSense

    10
    0 Votes
    10 Posts
    525 Views
    stephenw10S

    Looks like those states are created outbound. I assume bxe0 is an internal NIC? The 'route-to' tag there implies policy routing in a firewall rule for that.

    Only inbound states on a WAN will get tagged reply-to.

  • certificate error while running pkg update 2024

    17
    0 Votes
    17 Posts
    3k Views
    T

    My hardware wasn't actually shutting down by holding the button. I pulled the plug and restarted and then it booted to a screen with a yellow "SHELL>" prompt.

    So I downloaded the 2.7.2 installer and put it on a stick and reinstalled from scratch.
    Then logged in and uploaded my latest backup.
    After a restart it got stuck on this screen twice.

    I then pulled the plug again expecting to have to start from scratch, but when it powered on the 3rd time I had my config back.

    So I'm up and running again with the latest version installed.

    Let that be a lesson to everyone. DO BACKUPS. It saved me hours of time, plus I'm sure I've forgotten all the tricks I learned while setting up the first time.


  • 0 Votes
    8 Posts
    2k Views
    GertjanG

    @madbrain said in Automate full config backups from a pfSense to a Synology NAS on the same network:

    The command I posted yesterday did not work. It produced 0 byte files. Turns out logging in to pfSense+ 24.11 via ssh presents the user with a menu. One needs to select option 8 before executing any command. Is there any cleaner way than forcing the input of 8 + LF before the command ?

    Aha .... Let "AI" the thing ... 😊
    What about these 4 keywords ? :
    pfsense ssh backup config

    Use the very first Alternate Remote Backup Techniques | pfSense ... solution proposed.
    Over there, 3 solutions. The last one, Basic SSH backup, will interest you.
    edit : ok ... stupid me, this link was already given above. But take note : no "menu" issues for me.

    Still, this doesn't work for me, as I'm using this :


    so no root (admin) password is asked, but a key passphrase is needed.

    After placing my pfsense private key in some '.ssh' directory (name : pfsense.key) I could use

    Christian@DiskStation2:~/.ssh$ ssh -i /var/services/homes/Christian/.ssh/pfsense.key root@192.168.1.1 cat /cf/conf/config.xml > backup.xml
    Enter passphrase for key '/var/services/homes/Christian/.ssh/pfsense.key': ############

    Now I have the config file "backup.xml" on my NAS :

    Christian@DiskStation2:~/.ssh$ ll backup.xml
    -rw------- 1 Christian users 639484 Feb 20 08:41 backup.xml

    Look at this if you want to automate it 100 % (somewhat not secure)

  • Packet Capture: received vs. sent

    9
    0 Votes
    9 Posts
    436 Views
    stephenw10S

    A bridge interface is tricky because there is no sent/received really. Every packet crosses it. Unless the interface is assigned, in which case pfSense can send/receive from it and will use the generated bridge MAC.

  • User called “internet”

    15
    0 Votes
    15 Posts
    998 Views
    dennypageD

    @Phonix66 said in User called “internet”:

    I suspect the ntopng package, I didn't login for a while and tried now to login with the "internet" user, but couldn't, neither with my Administrator account.

    The ntopng package does not create such a user. What made you suspect it?

    [Edit: You can ignore this -- I just saw that you subsequently determined that it wasn't ntopng]

  • PFSense Web UI not displaying certain characters

    4
    0 Votes
    4 Posts
    203 Views
    Z

    @stephenw10

    That worked @stephenw10. I rebooted the computer and all is well.

    Thanks for the assistance.

  • 0 Votes
    9 Posts
    510 Views
    M

    @stephenw10 said in Connecting to server on a seperate LAN from camera connected to NVR wifi LAN:

    Is your NVR device there routing that traffic or NATing it?

    If it's routing (a much better setup) then you need to have a static route and gateway in pfSense so it knows how to reach the 22.1.1.X subnet.

    If it's NATing then you would need to setup some port forwards in the NVR and send traffic to that.

    Are you really using 22.1.1.X there? That's a public subnet which may conflict with something you might want to access externally someday. Though it appears to belong to the DoD so.... 😉

    Steve

    A static route did the trick.
    Thank you.

  • tcpdump v4.99.4 from pfSense 2.7.2 does not honour local timezone

    12
    0 Votes
    12 Posts
    757 Views
    P

    @stephenw10

    Now I'm really calmed down, thank you!

  • Help Pfsense question

    9
    0 Votes
    9 Posts
    740 Views
    stephenw10S

    Hmm, well those P2s don't match so if one side tries to open a P2 with a /16 defined the other side will reject it.

    You should see a bunch of errors in the logs for that though. And I wouldn't expect to see the P2s come up in the status.

  • SG1100 with external USB ZFS disk?

    11
    0 Votes
    11 Posts
    522 Views
    JonathanLeeJ

    Cron job @reboot the mount commands

  • 0 Votes
    17 Posts
    950 Views
    S

    Yes I was offered 24.11-RELEASE (arm64) after a short delay

    All done - thanks again!

  • This topic is deleted!

    1
    0 Votes
    1 Posts
    16 Views
    No one has replied
  • NTP Update Interval

    4
    0 Votes
    4 Posts
    250 Views
    johnpozJ

    @alhaunts The way to sync time in pfsense is ntp.. You don't have to provide time services to anyone else. Ntp is both a client and a server..

    There is no setting for like sntp that I am aware.. If you want pfsense time to be correct, you would setup ntp.. By default it just points to pool out on the internet provided by ntp.org

    If you want to make sure none of your clients sync to it - then just set the listen interface to localhost only.

  • 0 Votes
    5 Posts
    256 Views
    M

    @jimp Thanks for responding. StephenW10 sorted me out and Jan 31st backup restored today!

  • correct installation and configuration

    15
    0 Votes
    15 Posts
    900 Views
    G

    @andreanet said in correct installation and configuration:

    the source 10.10.10.9 is the IP address of the Lansonia router

    Do you have another "router" connected or perhaps you mean wifi Access Point?
    If it's an AP, and 10.10.10.9 is just the management interface for that AP, try disabling that rule. Then you will still see that all wifi clients will be able to access internet. Any traffic not targeting rule number two (destination 10.10.10.1 I suppose) will simply hit the last rule allowing internet access.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.