• Any way to share IP range on two separate LANs?

    5
    0 Votes
    5 Posts
    416 Views
    M

    @johnpoz said in Any way to share IP range on two separate LANs?:

    Why exactly would you want to connect these 2 switches into 2 ports on pfsense if you want them to be on the same network anyway? Are you wanting to firewall between them? But have broadcast and multicast on both?

    Just as an answer, I have this setup - three sets of switches are connected to the three ports on pfSense; one serving WiFi, one HomeLan and the third one for Storage but of course, I didn't wanna have 'em all in the same physical network.

    In that way, I can manage these three services separately and the family doesn't start yelling at me when I'm doing something on the Lan side, or the files are still available from my Storage over the WiFi, or my daughter can go back to her iMac when I'm updating the WiFi system (as long as pfSense is up and running) :)

  • New to pfSense. Googleads results are blocked. Advice on fixing or accepting?

    0 Votes
    6 Posts
    668 Views
    GertjanG

    @tbeaulieu said in New to pfSense. Googleads results are blocked. Advice on fixing or accepting?:

    because googleads' certificate was bad

    Call Google and tell them ?
    You'll do them a huge favor (Google's ad revenue is several millions a day), they will raise your AdWords account to the sky.
    Seriously ?

    Their certificate is fine.
    What happened is this :
    You installed pfBlockerng because you were totally fed up to see these ads everywhere.
    pfBlockerng by itself is empty, does nothing.
    You added a DNSBL 'ad block' feed.
    Just for the fun : open it up in a text editor :

    I'll show you :

    Here are my DNSBL :

    [screenshot]

    I'll edit the second one :

    [screenshot]

    and there you have the actual file :

    https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

    and in this file, you'll find :

    [screenshot]

    and now you've found out what pfBlockerng actually does :
    If a DNS request for "googleadservices.com" comes in, it will be replaced with 0.0.0.0. Even better, it isn't even pfBlockerng that does the heavy lifting. It's the resolver (unbound).

    So, if you, with the browser address bar, or as an URL on some web page that wants to show you an ad, a DNS call is needed, and 0.0.0.0 will come back. The browser will not try to contact 0.0.0.0 as that is the 'address does not exist' indicator.

    I've explained the Null (or 0.0.0.0) blocking :

    [screenshot]

    The (totally useless) Webserver/VIP blocking : the IP won't be 0.0.0.0 but 10.10.10.1.
    And guess who will serve pages at that address ? The pfBlockerng web server that will tell you you wanted to visit a page that was blocked by pfSense.
    Sure enough, this web server cannot have the web server certificate that Google uses for its ad server services page ( 😊 ) so it will use its own certificate.
    Your browser detects that 10.10.10.1 is not Google as it will use the certificate and check if the site it wanted to connect to is really googleadservices.com.
    And guess what ?? It wasn't.
    The browser barks.
    The ad was blocked.

    You said :

    googleads' certificate was bad

    I say :

    Your browser was at that moment connected to 10.10.10.1 (pfBlockerng web server) and of course that server doesn't have the certificate that says "googleadservices.com".
    Because that's impossible.

    But now, let me thank you first, as you really made my day - it's always good to laugh once in a while.
    You said :

    New to pfSense. Googleads results are blocked. Advice on fixing or accepting?

    And then you said

    Yes I have the pfBlockerng

    and I presume you installed some DNSBL feeds, like the one I've shown above.

    Here it comes : pfBlockerng is also known as an "ad blocker".
    googleadservices.com is probably the biggest ad server in the world, and present on all those DNSBL lists.

    Or : what was your reason why you installed pfBlockerng ?

    As said above : you can white list host names like "googleadservices.com".
    Go here :

    [screenshot]

    and click on the green "+" and you'll be guided.

    From now on, "googleadservices.com" won't be blocked anymore.

    And yes, don't worry, it took most of us a lot of time to learn how to work with pfBlockerng. We all went through it. There are no shortcuts, not that I know of.

  • Frequent Crashes and Errors after upgrading to 24.11 pfSense Plus Version

    Moved
    9
    0 Votes
    9 Posts
    808 Views
    GertjanG

    @Aadrem said in Frequent Crashes and Errors after upgrading to 24.11 pfSense Plus Version:

    Unfortunately, accessing files, even through the shell, was not possible due to the frequent reboots.

    Don't fact check me with your own PC type devices, so, if you're willing, imagine this situation :
    Boot your PC.
    Open all kind of files ....
    Stand up, and walk to the power socket and rip it out.

    Wait 10 seconds, put it back, and start over.

    If your PC is modern enough, so it starts fast, you can do this 10-times test in less than 10 minutes.
    If your PC is a portable : it will go even faster but please, these devices can have their disks soldered in so you will break your portable beyond repair by just removing the battery while it is running, 10 times max.

    But again, don't actually do it. Just imagine. (Go to YouTube to see them doing it - and, way better, ripping out the power while doing a BIOS upgrade - this one gives you the full jackpot the very first time you play)

    Your PC probably uses NTFS as a file system, and pfSense uses the somewhat even better 'ZFS', but still, chances are great that 'nothing' happened. Just some current data loss.
    But do this several times, and you will 'break' the filesystem.
    Like in the good old days : do your CHKDSK /f and while doing so, you pray.
    And then, again, you reinstalled Windows from those 46 floppies.*

    Check this : How to Run a pfSense Software File System Check (5/2020) - some will say : not needed anymore.
    Ok, maybe I lose some time while doing so, but at least, for me "data loss" or "OS broken" is something that happened in the century before this one.
    (And if it happens, I've a daily dual copy)

    Btw : a bad file system can be a symptom, not the original reason why your system went down.
    Just install pfSense on some other hardware and suddenly all issues are gone ..... Doesn't that make you think ? ;)
    (Yeap, motherboards, disks and our coffee machines still die on us)

    @Aadrem said in Frequent Crashes and Errors after upgrading to 24.11 pfSense Plus Version:

    From what I’ve read on forums and web in general, upgrade processes with pfSense often seem to cause issues

    Yeah, I've seen them. Somewhat the 'same' story pops up on every OS update.
    For myself, and since 2008 ( or more ? ) I'm still trying to make it fail on me.
    It was always UPS protected, so it never (well : rarely) went down without the system shutting itself down.
    I always reboot before upgrading it, and I go to single user mode (console !!) and do a file system check, and then let it run for several hours or a day before I execute order number 13 (never GUI, I'm old school). This console session, I have it logged so I can review the upgrade process.
    Somehow I'm pretty sure that the upgrader process "knows" that it is watched. That would explain why it never failed on me.

    Once in a while the disk layout, or partitions, change, or new file systems come out, like ZFS two years ago, so the phoenix method is needed.

    I've always said here on the forum : go basic first : remove all installed packages before upgrading but, I admit, I don't do this myself anymore.

    Before, I always asked for a (new) firmware first - I have a 4100, that I burned on a USB key. And I kept the previous version also. I still have a key with pfSense 1.2 (collector !). Now, ZFS handles all this, but if the SSD dies, it will be "Hello, TAC ?" again. Or I'll go for the 'interactive' installer.

  • Question Regarding Default Deny Rules

    112
    0 Votes
    112 Posts
    47k Views
    johnpozJ

    @djtech2k yeah I was going to say - a reject on local would make sense as default..

    If a device on your network wants to go to something blocked, might as well reject it - or he's just going to retrans multiple times wanting an answer back from where he wanted to go.

    If you tell him right away - hey, you're not going there, then it shouldn't spend any time doing retrans.

  • CARP VIPs or Other

    9
    0 Votes
    9 Posts
    480 Views
    M

    @viragomann said in CARP VIPs or Other:

    @mcury
    No, you need an interface IP and a CARP VIP in each VLAN.

    So the VLANs are defined on the lagg and you have to assign an interface and an IP to each on the primary and secondary.
    Then define the CARP VIP on each VLAN.

    Thanks for clarifying things for me viragomann 👍

  • Load Balancer Query

    3
    0 Votes
    3 Posts
    232 Views
    Z

    @stephenw10
    This is not pfsense specific, just a general NLB query.

    NLB > Unix VMs

  • 24.11 Firewall rules missing creation/modification date

    9
    0 Votes
    9 Posts
    715 Views
    stephenw10S

    Yup it's in the recommended patches list in the new patches package update.

  • Apply persistent standard log filter

    12
    0 Votes
    12 Posts
    700 Views
    GertjanG

    @LaUs3r

    Strange.

    I've created a "a;conf" with :

    !sshguard :msg, contains, ".*Exiting on signal.*" ~

    ( No !, and I've added the ~ )
    and restarted the syslog daemon.
    No more

    [screenshot]

    for me.

  • The pfsense+ license has disappeared

    3
    0 Votes
    3 Posts
    351 Views
    stephenw10S

    If you send me your NDI in chat I can check it.

  • Egress traffic from LAN network not reaching WAN

    7
    0 Votes
    7 Posts
    339 Views
    stephenw10S

    Indeed! Even in that situation the gateway should not actually be on the LAN interface, just in the LAN subnet.

  • what could be the issue initial failure of duckduckgo

    10
    0 Votes
    10 Posts
    1k Views
    S

    Just add the following line to your DNS Resolver Custom options:

    local-zone: "duckduckgo.com" redirect

    [screenshot]

  • 0 Votes
    44 Posts
    6k Views
    stephenw10S

    Mmm, nothing terribly exciting there.

  • How to wake up monitor?

    2
    0 Votes
    2 Posts
    125 Views
    patient0P

    @coffeecup25 switching the monitor off and on may help.

    Or connecting a keyboard to pfSense and then press a key (not the reboot or shutdown key ;)).

  • pfSense behind ISP modem (Double NAT) trouble

    14
    0 Votes
    14 Posts
    1k Views
    C

    @Gblenn said in pfSense behind ISP modem (Double NAT) trouble:

    It kind of looks ok, although it's confusing to see that VID is listed as untagged for ports 1 - 10, which includes port 2. Perhaps it's a limitation of the UI, and I would have expected it to read 1, 3-10. Since you don't want any VID 1 traffic ending up on port 2... Are you sure you are actually seeing the devices picking up DHCP from pfsense or is it from the modem?

    I set port 2 to PVID 10 so the traffic from this port always falls into VLAN 10, I will try to disable this port for ID 1 however.

    Also I will do a pcap and report my results later.

  • Dev snapshot install?

    3
    0 Votes
    3 Posts
    156 Views
    stephenw10S

    We hope to have something sooner than that. But, as always, it depends how the development/testing goes.

  • Netgate 1100 bricked - any possibility to restore to factory?

    15
    0 Votes
    15 Posts
    780 Views
    stephenw10S

    When I did it I used a USB2 drive in the USB2 slot because when both drives are present it tries to boot from the USB3 slot first. You should be able to move it afterwards.

    It should at least recognise both drives in the boot messages if it is booting.

  • Access the GUI of a bridged modem with PPPoE and VLAN

    8
    0 Votes
    8 Posts
    317 Views
    stephenw10S

    Yes you should be able to access it by just assigning the VLAN parent interface and setting it in the same subnet as the modem admin page. As long as that doesn't conflict with any existing subnet on the firewall.

  • Awfully slow transfer speeds from remote NAS over ZeroTier

    12
    0 Votes
    12 Posts
    1k Views
    G

    @stephenw10 said in Awfully slow transfer speeds from remote NAS over ZeroTier:

    Yup good to know that about zerotier, I wouldn't have thought it was required.

    According to the documentation, it is not required for hole punching, but they do refer to challenges with symmetric NAT.
    https://docs.zerotier.com/corporate-firewalls/#:~:text=Default%20zerotier%2Done%20listening%20ports,ZeroTier%20hole%20punching%20to%20work))

    @rheuer22 Perhaps try to set Static Port (Hybrid outbound rules), to see if that has a similar effect?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.