• Ssh problems

    6
    0 Votes
    6 Posts
    15k Views
    jimpJ
    Part of being security-conscious is not just using encryption but keeping the clients, settings, and other standards up-to-date. Over time weaker ciphers, hashes and so on are found to be vulnerable (sometimes in theory, sometimes in reality) so they get disabled. Time marches on. I wanted to keep using SecureCRT so I dropped some cash on a current version and made sure all my profiles had compatible ciphers, hashes, and MACs enabled. Now it's happy (aside from a keyboard-interactive issue in SecureCRT I'm still tracking before submitting a bug report). I bugged them about chacha20-poly1305, AES256-GCM, and curve25519-sha256 and they put in feature requests for them on my behalf. If you're using an older version of SecureCRT because it was the only cracked one available on a torrent site, then I have no sympathy. Otherwise, if you like it, support them and grab an upgrade. It's not cheap, but it's an excellent client with superior session management. I've used it off and on since I was in college far too many years ago. UEX for Linux was using an older libssh but they just put out a beta version that works. Recent versions of PuTTY and Filezilla and others are fine, too. There are wrappers out there that use putty or command line ssh utilities (depending on your OS, things like PAC are interesting), but there isn't much of an excuse to not keep yourself and your infrastructure secure for the sake of ssh clients suffering from bit rot. You might need to clear out older host key fingerprints from your ~/.ssh/known_hosts file if you use a command line client. See here for details: https://doc.pfsense.org/index.php/2.3.2_New_Features_and_Changes#SSH_Daemon
  • 0 Votes
    5 Posts
    1k Views
    P
    I don't know how the switches are configured. I will reach out to someone who either knows or can tell me how to access the switches. Thank you.
  • Corrupt upgrade file or bad hash?

    3
    0 Votes
    3 Posts
    1k Views
    M
    I'm seeing the same thing when trying to go from 2.2.4-RELEASE to 2.3.1. 2.3.1 is what the auto-updater selects even though 2.3.2 is out there. In any case, updater is pulling from the following location: http://updates.pfsense.org/_updaters/amd64/latest.tgz Manually calculating sha256 on the file gives: 3cc43fbf706e33b25750064c7d1fbbdc77d6675c355d877a4b959cd5d77d9b6e While the latest.tgz.sha256 gives: 12e1e22262f9424324e86c208d7aa741c90d1c79f6120e1b365aa942faebc247 I'm assuming it's safe to proceed with latest.tgz, but wanted to check considering the hashes are there for a reason.
  • HA 2.2.6 -> 2.3.2 Upgrading Problems

    8
    0 Votes
    8 Posts
    2k Views
    DerelictD
    It's either VGA switching to serial or it's not. KVM or direct-attached monitor doesn't matter.
  • AWS Install, Failing to have Clients Ping to pfSense Interfaces (LAN/WAN)

    5
    0 Votes
    5 Posts
    3k Views
    H
    Latest update… Believe I have figured it out, but running some last checks to optimize/cleanup. The problem is that the Routing Tables in AWS need to be corrected, which was not part of the documentation.
    Briefly, as it stands with v2.3.2, there are Three Problems (but all fixable) when Installing the pfSense AMI on AWS:
    1. A LAN Interface cannot be added until the Bug Fix of Disabling DHCP6 via SSH is performed. (See First Post)
    2. The LAN INET Firewall Rule is broken, and needs to be fixed by either editing it, for Protocol "any" or deleted and a new LAN Default Rule is created.
    3. The Route Table for the Private LAN needs, just a little... just a little explanation of how to get clients to work with pfSense.
    The following steps should be part of the Install Documentation:
    Fixing the Routing Tables In AWS:
    Go to Services -> VPC -> Route Tables
    Select the Route which is for the Private LAN. This will be the one, which has 0 Subnets and Yes for Main
    Click on the Routes Tab
    Click on the Edit Button
    Click on the Add Another Route button
    For the Destination, enter 0.0.0.0/0
    For the Target, click in the field and see if the pfSense instance populates.
    --- If so, click on it. If not, find the Instance ID of the Instance (EC2 Console -> Instances) and copy it.
    --- Paste the Instance ID into the Target. It should then populate. If not, may need to wait some time for AWS infrastructure to propagate with the newly created instance.
    Click on Save
    If there is an Error, in regards of multiple interfaces, then copy the Network Interface ID of the LAN (EC2 Console -> Network Interfaces), which begins with "eni".
    Insert the LAN's Network Interface ID into the Target Field. It should then populate.
    Click on Save
    Click on the Subnet Associations Tab
    Click on the Edit Button
    Check the box for the Private LAN subnet
    Click on Save
    AWS Security Groups, may be another item, in which different Security Groups need access to one another. That is to have the Inbound Rules set to All Traffic with the Source of the communicating Security Group. I have not verified this as of yet. But as of now, I can have a Windows Client pull Updates and browse to Google… but not Bing... which is weird.... not that it really matters..... but is odd...... Will publish the steps I took in a separate thread, once I clean things up.
  • Pfsense 2.3.1_1 crashing multiple times per day after upgrade from 2.3

    2
    0 Votes
    2 Posts
    1k Views
    S
    I've started to have this same issue and I think the "programming bug detected" started happening at the same time as yours. Did you manage to work out what the issue was? It happens at really random times… sometimes it can go weeks without issue then experience 2 or 3 of these reboots in 15 minutes! I'm guessing it could be a hardware fault though finding the root cause would be helpful. Thanks Tim
  • RRD Graphs is MISSING in pfSense-CE-2.3-RELEASE

    8
    0 Votes
    8 Posts
    22k Views
    johnpozJ
    Quality graph is still there, just under monitoring..
  • Newbie here

    4
    0 Votes
    4 Posts
    1k Views
    johnpozJ
    Who are these users, are they always the same? Are they random guests? What do they need to access while on this wifi? Is it network resources that are of concern? What hardware are they connecting to the network with? Hardware you control or manage or their own? If you have a mix, then yeah multiple wifi networks that have different layers of access to your network or internet.. Would have a network that is from your devices that you manage that can be allowed to access your internal network stuff that they need to access, etc. Then you have a guest network that can use the internet - that would have no access to anything on your network, etc. Maybe you use eap-tls to auth to the normal wifi network, or some other eap that has user name and password even if just peap, etc. Or sure a nice strong wpa2/aes with a good strong PSK - that maybe gets changed now and then because users leak it out, etc. Then your guest could be something as simple as wide open no auth, or maybe it has captive portal like a hotel, or maybe you use a PSK that is simple to remember and you hand out to your guests, etc.
  • 404 on update link

    3
    0 Votes
    3 Posts
    1k Views
    L
    Thanks, now it is updating but I first got this error. ------ Auto upgrade aborted. Downloaded SHA256: 0683264e902d59f7190e71f582d66dbc01382e138d0e632f81dc04cbeb948a3d Needed SHA256: 1a87fd24a383624dd68aec94d100 and when I tried a couple of more times sometimes I got 2.3.1 and sometimes 2.3.2. but now it is installing 2.3.1.
  • 2.3.2 Upgrade - internet is suddenly super slow

    3
    0 Votes
    3 Posts
    1k Views
    DerelictD
    That's the parallel port driver and should be doing nothing. I believe I remember some previous reports of it spinning on interrupt like that. See if you can disable any parallel ports in your BIOS.
  • Snort Install Failed - 2.3.2-RELEASE (amd64)

    4
    0 Votes
    4 Posts
    1k Views
    N
    aubrad04…thank you for the reply.  It fixed my issue as well.  Great catch!
  • Installation hang uhub5 MTT enabled

    2
    0 Votes
    2 Posts
    635 Views
    jimpJ
    From the earlier message it's having trouble reading the USB disk (installing from memstick?) If it's a USB 3 port or stick, try a USB 2 port/stick. It may just be that FreeBSD doesn't get along well with that particular piece of hardware.
  • Cannot Install Packages - Bad URL?

    3
    0 Votes
    3 Posts
    780 Views
    E
    Never mind, was able to figure it out.
  • Install with just LAN network to be a Web Proxy!

    3
    0 Votes
    3 Posts
    747 Views
    N
    Thanks, I did successfully install :)
  • 2.3.1-5 -> 2.3.2 upgrade error breaks Snort

    3
    0 Votes
    3 Posts
    3k Views
    C
    Thanks, will go look at that … very much appreciated.  I thought it would have been somewhere but my search turned up nothing ...
  • Upgrade to 2.3.2 breaks OpenVPN DNS resolution for private networks

    4
    0 Votes
    4 Posts
    1k Views
    johnpozJ
    local-service What does that have to do with resolving local hosts? That has to do with if dnsmasq will answer you at all.. Accept DNS queries only from hosts whose address is on a local subnet, ie a subnet for which an interface exists on the server. This option only has effect if there are no --interface --except-interface, --listen-address or --auth-server options. local-service That did not change from 2.3 to 2.3.2, why would they have changed that?? It has always been that way.. Did you maybe change your interfaces from all to specific ones, or enable strict binding? What IP do you hand out to your vpn users to use? I use the resolver, which has acl that you have to add your vpn tunnel networks to.. But when I get to work later I will switch over to the dnsforwarder and test.. leaving that config item in there, etc.
  • Upgrade to 2.3.2 stuck on mount root

    5
    0 Votes
    5 Posts
    2k Views
    D
    Ok, rebooted the machine and put it into safe mode and verbose. This time I'm getting the WARNING:/ like before Along with.  'Start_init: trying /sbin/init Help please.
  • PfSense 2.3.2 with Samba 4.3 or 4.4

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    No. We do not support the use of samba on a firewall for any purpose. There are some people who install it manually against our recommendations, but you are on your own for that.
  • NEWBIE: No idea how to integrate pfsense on VirtualBox VM on Windows 10

    4
    0 Votes
    4 Posts
    8k Views
    A
    I had some issues during my PFSense setup within Hyper-V because any online documentation seems to be outdated. However, I was finally able to get it working just fine now for the last week or so. This is one of the guides I used. I'd recommend you skip the part about using legacy network adaptors. That ended up being my problem, when I was using legacy I was getting very bad downspeeds and/or sometimes unable to connect to the web UI or even ping the gateway. Staying with the default adaptors worked great for me. https://knowledge.zomers.eu/pfsense/Pages/Install-pfSense-on-Windows-2008-Hyper-V-server.aspx I would also recommend that when you get to the section on assigning interfaces to the VM (before you start the PFSense install) that you actually statically assign the MAC addresses. This way you can not mix up which interface is WAN or LAN etc… Hope that helps ya.
  • SSL/TLS Option Breaks My SMTP Notifications

    27
    0 Votes
    27 Posts
    12k Views
    N
    @dennypage: I filed a ticket for this issue: https://redmine.pfsense.org/issues/6687 Thank you.  Sure hope someone can fix that.  Sure would be a big help.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.