I suspected that was the case. Generally speaking, I haven't had that many issues with reinstalling, though I've found it's best to just nuke and repave and slap in the config file. Even then, I wouldn't want to have to walk a non tech through a reinstall unless the backup was very current. An install from scratch otoh is easy enough I had considered at one point just sending each site a refurb quad port to stick in a safe place. Just add pc. I just picked some nice used supermicros from ebay - dual 5620's so they have the AES-NI extensions. In half depth chassis they just fit in my wall mount racks. By the time I have these deployed, I hope to find just a few more, so with completely mirrored hardware and interface assignments, a monkey can restore them. With a pair of 'new' refurb Intel ssd's, I only have about $250 into each unit, so keeping a shelf spare or two for overnight shipment is doable. We do only very light touch filtering, known malware sites, slapping down unencrypted bittorrent and so forth, and I'm finding I spend close to zero time babysitting the filtering as opposed to having to hover over Sophos constantly. My pci scans are due, and for the first time I can remember, I'm actually looking forward to it.

mSATA is a much better fit for that, but send a message to us via support for more info on what you can do there.

Hi, You can edit /etc/inc/pfsense-utils.inc Find: function get_dir($dir) { $dir_array = array(); $d = dir($dir); while (false !== ($entry = $d->read())) { array_push($dir_array, $entry); } $d->close(); return $dir_array; } Replace with: function get_dir($dir) { $dir_array = array(); $d = dir($dir); if(!is_object($d)) { return array(); } while (false !== ($entry = $d->read())) { array_push($dir_array, $entry); } $d->close(); return $dir_array; } This will fix that specific error.

I've seen this multiple time upgrading NANO on APU boards. I also often get a successful upgrade message but the system never comes back up. Power cycling has always brought it backup again to a successful p5 (to summarize - the upgrades are working… sometime with failed sometimes OK - but often dont re-boot without power cycling (NANO & full install - all APU)

I don;t have a smart switch handy to play with. But with ones I have done in the past I just reserved a port for that VLAN1 - e.g. leave just port 1 on VLAN1, then put ports 2-8 on VLAN2 and 9-16 on VLAN3, that sort of thing. Then I always had physical port 1 to plug into if needed.

@phunni: If I downgrade, will the dansguardian package become available? It occurs to me that, since it's no longer supported, it might just not be available anymore. For the benefit of future readers, the packages for 2.2.* are still online for installs from 2.2.* systems. But they are no longer being maintained - e.g. if there are new versions of the underlying upstream code to fix security stuff or… then you won't get them.

Yeh, it depends on the situation. In the case you describe, you want to failover even though the "primary" WAN is actually up (it is slow for a known reason). In many cases the netadmin wants to know that the link is up (even if overloaded), and keep using it (because, for example, the backup link is even slower). So "it depends".

I disabled the Gateway Monitoring Daemon and it worked for me.

pent III, still running - wow ;)

@sporkme: Any idea why the 2.3 upgrade shoved me to i386?  This is not a modern box, but it was running amd64 and the one cause I could find googling did not seem to be my issue.  My backup config had this line, which I don't think forces me to a "non-standard" update URL (or is it?): That's the standard update URL, but for 32 bit. The 64 bit URL has amd64 in it. You manually set it to that at some point. It's no longer possible to intentionally or unintentionally switch architectures in >=2.3, so it won't happen again. But you should reinstall 2.3.1 64 bit and restore your config backup to get back to 64 bit. You can include the RRD data in the backup and it'll restore post-reinstall.

@divsys: It's not likely that any of your described attempts would create an xml file that the pfSense Restore system would understand. If you're trying to do a batch setup of DHCP static addresses, try: Manually create two or three static assignments in DHCP. Export the xml data using the pfSense Backup system, selecting only DHCP for Backup. Examine the xml file using a text editor and note the key data lines Cut and paste a few lines of data from your previous attempts to modify the file exported in 2) Import the modified file using the pfSense Restore facility and verify the DHCP changes occur as you expect. Repeat the modification with rest of your data. It's not that hard once you get an idea of what the file should look like internally. I tried this and the xml files were completely different. I ended up just manually entering them in. It took a fair amount of work but it will be worth it.

anyone can help ?

So how many esxi hosts do you have that you setup.. Are you going to run pfsense in carp mode?  Since you seem pretty worried about failover.  So your esxi box has 8 nics?  So take it your wan and lan networks are going to come in on the VM vswitch.  Is this a standard vswitch or a distributed switch? IF you only have 1 switch tied to a pair of interfaces that connect into your real network, then your going to have to use vlan tagging.

@naex: Thanks for the information, this was driving me crazy. I find this option a little strange since I can still apply system patches, edit the config file manually, and grant/remove that privilege to any user. There are multiple ways in to the system. Some of the Diagnostics menu options effectively give you all privilege - Edit File and Command Prompts come to mind. If someone has either of those then they can effectively do anything they like, editing config.xml to make a user with all privs, or execute any command they like. Similarly with system patches, a user with access to that can make whatever patch they like to the code and apply it. So that is another option that is effectively "all privs".

All fixed by adding DNS.

My CP page is kinda complex with mysql, css, bootstrap and a lot of php code. Setting maximum concurrent connections from 10 to 3 decreased cpu usage from 100 to 30%. Setting keepalive 2 gave an additionnal cpu drop, usage is now 7%-15%. Maybe setting keepalive to 2 is indeed a good solution for next release ? Regards, Ozy.

@pppfsense: ….. Difference in the fstab, it looks like now they are using labels to mount filesystems. .... Even when you skip a boat load of updates and upgrades, read all release info ;)

Thanks for all the replies. I'll give it a go.

Ah ok, that makes sense. Thanks for your time.