Well it's presented that way because the vast majority of users are either reinstalling Plus on an eligible device or installing CE on one that isn't. But I agree it could be clearer. I'll raise it.

You should open a request here: https://redmine.pfsense.org/

I can remove your NDI if you send it to me in chat. Or if you upgrade to 2.7.2 first you will see 2.8.0 offered.

@ChrisJenk said in How to redirect IPv4 *and* IPv6 NTP traffic:

Any idea how I can redirect IPv6 NTP traffic alongside IUPv4 NTP traffic?

What I did was find what host name they were using and created an alias to my home server.

To update on this problem, it is solved with the CE 2.8 version

The 4200 must be one such model. I restored to a new one using ECL (super handy not to need to connect to it), noted it hadn't enabled the RAM disks (presumably, needed a restart), and then it remained the default 40/60 after a couple of boots. Not sure if that means the values get set sometimes, or it's been that way for months...seems like I would have noticed before now. Anyway I see it's fixed in 25.03 as noted.

For those worried about drive wear there is https://redmine.pfsense.org/issues/16210.

@stephenw10

Good news. I was able to format the USB drive as UFS, reinstalled, and everything is up and running on my (now) backup 1100.

Interestingly, on this one it configured the /VAR disk for 120MB as I had set in the configuration, rather than limiting it to 60MB as the other device did. I am guessing that the Restore process just sets it to whatever the configuration is and it doesn't have the UI glitch holding it at 60MB.

Thanks so much for your assistance (again), Stephen. Very much appreciated.

If you have Snort or Suricata installed make sure the log settings for those are saved as something useful.

Yup just install 2.8 clean and restore your config into it. There's little point in trying to upgrade an ancient 2.4.5 install.

Confirmed still an issue as of May 2025 with pfSense CE 2.8.0 and Status Traffic Totals package version 2.3.2_7

I also updated the Redmine bugtracker: https://redmine.pfsense.org/issues/11797

Mmm. Fun*. Yeah I still agree this all seems like a workaround to force something that wasn't designed to work that way. There must be a better way...

Hmm, so mostly stuff in Tailscale. Except the Ubuntu updates, which is hard to explain. Nothing should have changed there.

The beta is pretty stable. I'm running it as my edge here without issue. If you are running ZFS so you can roll back then I would try it.

@stephenw10

I've managed to get this to work. Thank you for the pointer.

@SteveITS said in Interface and Rules:

https://docs.netgate.com/pfsense/en/latest/firewall/fundamentals.html#stateful-filtering

"Using this mechanism, traffic need only be permitted on the interface where it enters the firewall. When a connection matches a pass rule the firewall creates an entry in the state table. Reply traffic to connections is automatically allowed back through the firewall by matching it against the state table rather than having to check it against rules in both directions. This includes any related traffic using a different protocol, such as ICMP control messages that may be provided in response to a TCP, UDP, or other connection."

You are right. Thanks a lot!

Thanks @stephenw10 I give feedback a soon I can test it.

Then it will probably be NATing by default. You'll need to disable it if you want pfSense to see traffic from the subnet behind it.

@stephenw10 said in How do I discover ISP's PPPoE credentials and connection settings?:

I assume you have no access to the ISP device config interface? What device is that exactly?

The site is in another city, but I guess it's a ZTE. It allows access on the LAN, but you cannot configure WAN, or view configuration.

@stephenw10 said in How do I discover ISP's PPPoE credentials and connection settings?:

The ISP doesn't actually have to use individual credentials at all. BT in the UK for example use the same login for all devices. They know who you are by what line you're connecting on.

This one does use credentials. But they probably know who you are by the line.

@stephenw10 said in How do I discover ISP's PPPoE credentials and connection settings?:

You could probably also bridge some ports in pfSense and use that instead of the switch mirror port to pcap on.

That was my thinking exactly. I'll try that the next time. I cannot call and ask them to undo what they've just done.

@wineguy said in Unable to configure notifications using port 587:

I expected that it would default to the 'From email address', which would make a nice enhancemen

Noop.
The "From" is the mail address from which you send the mail.
This can be different one as the USER login credential, needed for submission over port 587 (smtp with authentication) to work. These two can be identical, true.

@wineguy said in Unable to configure notifications using port 587:

So, another nice enhancement would be to require a username and password when port 587 is selected.

'587' or submission means (imho - check with RFC ?) : must authenticate.

You could go one step beyond :
Set up your mail server to use plain TLS, or SMTPS, normally over port 465. Most FAI's - look how gmail does things - don't use - or should I say : don't enforce the use of 587 anymore. It's TLS all the way = port 465, which means : from byte zero all is TLS.
You can pick any port actually, as it would be used by your mail clients, the ones you control.

@johnpoz ~ I also added filter-AAAA to the DNS forwarder's Options so I think I've now killed IPv6 in every way possible on my firewalls! :o)

Roy...