@stephenw10

Yes, that appeared to have fixed it.

Thanks again for your prompt help.

Mmm, that's not an issue I'm aware of. Hard to see what might cause that. I assume you can make other changes to the config successfully still?

You would still see version updates available if a vulnerability was discovered that warranted a pfSense Plus release. Same as an other pfSense Plus install.

It will automatically be set to 1492. If you run ifconfig you can see what the ppp interface and it's parent are using for MTU.

If your WAN/ISP supports it you may be able to set the parent NIC to 1508 in order to get the full 1500B across PPPoE.

Steve

What's the existing load on the 1Gig connection at peak times ? If it's below 100%, then there's your required bandwidth. If it's often maxed out, then you need the 10G link before confirming PfSense hardware.

@stephenw10

Yes, I see the BGP session opening sates via IPv4 but not IPv6.

@SteveITS I ended up with another TAC license - but thanks anyway 👍

@stephenw10
excellent. Solved my issue with missing packages.
Up to this point I was getting:

DBG(1)[97341]> pkg initialized Updating pfSense-core repository catalogue... DBG(1)[97341]> PkgRepo: verifying update for pfSense-core DBG(1)[97341]> PkgRepo: need forced update of pfSense-core DBG(1)[97341]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite' DBG(1)[97341]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_2_amd64-core/meta.conf DBG(1)[97341]> curl_open DBG(1)[97341]> Fetch: fetcher used: pkg+https DBG(1)[97341]> curl> fetching https://pkg.pfsense.org/pfSense_v2_7_2_amd64-core/meta.conf DBG(1)[97341]> CURL> attempting to fetch from , left retry 3 * Couldn't find host pkg00-atx.netgate.com in the .netrc file; using defaults * Trying 208.123.73.207:443... * Connected to pkg00-atx.netgate.com (208.123.73.207) port 443 * ALPN: curl offers http/1.1 * CAfile: none * CApath: /etc/ssl/certs/ * SSL certificate problem: self-signed certificate in certificate chain * Closing connection DBG(1)[97341]> CURL> attempting to fetch from , left retry 2

After the rehash, this was fixed and the packages re-appeared in the GUI.
Many thanks.

it seems to be stable on OpenVPN... no reboots/crash at the moment.

The only setup difference with the IPSec configuration is that on IPSec I had to manually enter the default route (route -6 add default <tunnel endpoint>) because for some strange reason it was not set automatically (even if I selected the gateway as default in the routing menu).

I'll write if it happens again, but I would say that the problem only seems to be present on IPSec.

Yup VLANs are treated like any other interface in pfSense. The firewall rules on the interfaces apply to all traffic entering them and are stateful by default.

It's possible to create stateless rules there if you need to for some obscure reason but you have to try hard. 😉

@Limrick08 not stupid by any means.

Seeing root logins would peak my interest as well to understand what they are ;)

The internal NIC, mvneta1, sees traffic from the switch on port 5 exactly as if it was an external switch.

So an interface assigned as mvneta1 directly (as LAN is by default) will see untagged traffic.

You would create VLAN interfaces on mvneta1 and assign them to see the tagged traffic arriving on each VLAN.
Since it's working I assume that's what you have done.

Steve

@davidylau Sometimes the anti spam triggers, especially for accounts without upvotes.

@stephenw10

Thanks for testing and the support. I found the problem in the "unofficial" script. Somehow only using the ip-adress wasn't working anymore. Adding https to it fixed it.
Sometimes the solution is simple but the error was misleading.
This case is closed.
Thanks again.

What exactly was it you tried to import and how?

Yup, test it first is good advice.

https://docs.netgate.com/pfsense/en/latest/recipes/freebsd-pkg-repo.html#concerns-warnings

@stephenw10

Sorry about that, had /32 instead of /24 under aliases. My fault! Thanks for your help. All good now!

Yup you need to manually check each replacement because there's a significant chance you might find the string em0 for example in the certs fields.

If you had to copy it to opt7 then you had not yet re-assigned lan as the bridge0 interface. Once you do that everythign that was applied to the original LAN interface would apply to the bridge and hence all the bridged interfaces.

I just wanted to follow up on this and let everyone know I could never get anywhere. While I did backup/restore last month I kept this box around to try to troubleshoot. No pkg command would yield any results, even trying to install from local.

If anyone winds up in the same boat, I'm afraid this post likely won't help.