• New install VLAN setup

    2
    0 Votes
    2 Posts
    772 Views
    stephenw10S
    You can ping 2.1 from your laptop because that's the interface IP in pfSense so traffic never has to leave the firewall on VLAN 10. That IP would be reachable even if it were on an unplugged physical interface. There is a layer 2 problem between the firewall and the hosts. We would need to see how the interface is configured in pfSense and how the switch is configured to know more. Steve
  • Issues reinstalling pfsense

    2
    0 Votes
    2 Posts
    721 Views
    M
    Just an update: after trying many builds I tried yet another hdd (drive 3) and that worked fine. I can guess that the initial drive might have been dying, the second one worked fine in another device and would accept the install files so pass on that one. Anyway, it's back up and running on 2.3.4-RELEASE (i386)
  • Install new packages in pfsense 2.34

    3
    0 Votes
    3 Posts
    673 Views
    M
    Thanks for your reply. In the first case once without internet I was able to update it. Change the path of the repository in /usr/local/share/pfSense/pkg/repos/pfSense-repo.conf and download the entire repository from the internet and copy it to a local folder to which I point the pfsense and manage to update it. But it was in an earlier version of PFsense. Now it does not work for me. In the second case in previous versions there was an option in PFsense to be able to change the download path and existed to add a proxy if we were behind one. I can not put myself in front of the proxy because it is very above my company. Thank you I will continue testing until it works
  • Can't install pfsense from usb

    4
    0 Votes
    4 Posts
    760 Views
    N
    Glad you got it solved. For future reference, the issue might be the USB. Try using an old 1 or 2GB USB
  • Transparent Filtering, NAT, and DHCP all on the same platform

    4
    0 Votes
    4 Posts
    651 Views
    stephenw10S
    Ok, I wouldn't anticipate any problems doing that. You can certainly bridge two interfaces and have NAT from a third interface. As described in that thread it would be common to assign the bridge interface and put the WAN on that complete with one of the public IPs. Steve
  • PfSense and Twitch Streaming

    2
    0 Votes
    2 Posts
    2k Views
    stephenw10S
    I would not expect to have to add anything to allow this. By default the LAN interface allows out all traffic from LAN side clients. However if you've added a VPN client you may be policy routing some traffic. That might apply whether or not the VPN is up. I assume this breaks streaming even when you're not using the VPN? Steve
  • Does pfSense go first right after my cable modem?

    4
    0 Votes
    4 Posts
    1k Views
    stephenw10S
    Seems like you have the right idea. Your 'modem' is already passing the public IP to the current router so it will do the same with pfSense there. The idea with blocking 192.168.100.1 as a dhcp source is to prevent the modem giving you a private IP if it loses its cable connection for any reason. They do that to allow you easy access to it in that situation but it can prevent pfSense receiving a real IP when the connection comes back up. You can still access the modem anyway. https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall Steve
  • Reinstall Factory version SG2440

    5
    0 Votes
    5 Posts
    850 Views
    N
    Hey, support team gave me available the link to download ADI Factory OS, solving within 30 mins. Firewall was up and running 15 minutes later. Thanks all
  • Looking for a 1u or fanless solution for my AM1 build

    3
    0 Votes
    3 Posts
    912 Views
    B
    @belt9: For a fanless setup I'd recommend an Apollo Lake mini-itx board. J3455 is similar in performance to your current CPU on passmark. J3355 is dual core, similar clock speed to what you already have. Try the M300 w/ picoPSU for a case & PSU. http://www.mini-box.com/M300-Enclosure-w-Bootable-CF-Reader_2 http://www.mini-box.com/picoPSU-80-60W-power-kit You'll need a pci riser to fit it all in that little case, the J3455 will require an x1 to x4+ riser to fit your current NIC. Thanks for the input. I'm running a unifi lite ap and thinking of a second one so that's why I was thinking of getting a unifi security gateway
  • Issues after upgrade to 2.3.4 - random crashes

    17
    0 Votes
    17 Posts
    3k Views
    J
    Happy to report that the VPN router has been stable since the update. So if you are experiencing issues on a device that has seen multiple updates over the years, consider a bare metal rebuild. It does not take long and can export and import all of the settings easily.
  • MOVED: Newbie question: Installed 2.4-RC, and Wifi unstable

    Locked
    1
    0 Votes
    1 Posts
    305 Views
    No one has replied
  • GMIRROR - SYNCHRONIZING 100% stuck

    2
    0 Votes
    2 Posts
    864 Views
    jimpJ
    Looks to me like that second disk (ada1) has failed. There probably won't be any way around that without physically replacing the drive.
  • Installing 2.4.0RC on HyperV Gen2

    8
    0 Votes
    8 Posts
    2k Views
    D
    I will be keeping an eye out for 2.4.1 with 11.1. Thanks again for the info, though  It was helpful. –DT
  • VLAN interface setup anomaly?

    11
    0 Votes
    11 Posts
    1k Views
    A
    @Derelict: Yeah the management VLAN to unifi gear can be any VLAN but it has to be untagged (the PVID) to the APs/cloud key/"controller" app/etc. There doesn't have to be a wireless SSID on it at all. When you set an SSID to have a VLAN traffic on that SSID will be tagged to and from the switch. If you do not set a VLAN it will be untagged along with the management traffic. Found the appropriate link to this - it makes sense now, but it didn't when I read it before setup: https://help.ubnt.com/hc/en-us/articles/219654087-UniFi-Using-VLANs-with-UniFi-Wireless-Routing-Switching-Hardware Initially you need to adopt your UniFi access points or switches over the native untagged VLAN, and this will be the continued requirement. That being said, they do support L3 management, so your controller can be on a different L3 network (or remote, etc.). I didn't realise that "adopt" was a Unifi "reserved" word. Thanks again Derelict
  • Can't upgrade from 2.4.0 Beta to 2.4.0 Release Candidate

    5
    0 Votes
    5 Posts
    996 Views
    I
    Thanks, unlocking the kernel did the trick.
  • PfSense Can not boot

    2
    0 Votes
    2 Posts
    947 Views
    stephenw10S
    How exactly did you remove the interfaces? If it is trying to assign things to interfaces that don't exist that is a problem. It would normally ask you to re-assign them if that happens but there are some types it does not check. Steve
  • Telus Optik tv Canada

    6
    0 Votes
    6 Posts
    7k Views
    M
    Hi; Does bell use all that odd ip stuff like Telus. in other forums you have to allow bogon networks on wan and lan etc. plus ports and 127.0.0.0/8 and some others through. here are some more : IGMP Proxy Downstream LAN 192.168.x.x/24 Upstream  WAN 207.0.0.0/8 10.0.0.0/8 FW Rules on WAN: Protocol UDP Source 207.0.0.0/8, 10.0.0.0/8 Port * Dest 224.0.0.0/4 Gateway WAN Check off the Advanced option that allows IGMP. Protocol IGMP Source 207.0.0.0/8, 10.0.0.0/8 Port * Dest 224.0.0.0/4 Gateway WAN Check off the Advanced option that allows IGMP. I'd wish they would kill wps and let me use a key if i had the cable I'd run a lan and go I want to admin the wifi router as well and not have to unplug and plug into the router to be able to. Can you pm me maybe we can chat about your setup see whats up?? @exoticsportcars: I have bell fiber here with TV service. I have my pfsense box directly connected to bell's ONT (modem). Internet comes through via VLAN 35 with no issues. TV uses VLAN 34 (36 is some areas) with a VLAN priority of 4. Without the VLAN priority, this will not work. I have this VLAN bridged to my OPT1 port. From there I have a cable going to my PVR. It gets the 10.x.x.x IP that it should from the bell network and everything works with no issues. I have no other bell equipment in use other than the modem. As for wireless, I just have an Ubiquiti AP connected to my switch. From experience, the TV service runs smooth with practically no lag. The same cannot be said if you were using bell's router. I'm guessing this setup would apply to pretty much any bell derived fiber service in Canada. The TV VLANs maybe different.
  • Openssh versions

    3
    0 Votes
    3 Posts
    2k Views
    adamwA
    Thank you for the links and info. From my experience it's almost impossible to satisfy these scanners with out of the box deployments / versions. You can "self certify" yourself by either proving security fixes have been backported or remedies have been manually applied. PCI compliance needs to be renewed every 90 days and we try to make the process as quick and painless as possible. I was wondering if there is an easy way of quickly telling what's in a particular openssh version and what's not. Something like this for Debian: https://security-tracker.debian.org/tracker/source-package/openssh ?
  • No internet access [solved!]

    2
    0 Votes
    2 Posts
    2k Views
    B
    Try going back to the default DNS settings as a resolver instead of using google DNS. That's the way it works without you changing any settings. Check to see if your clients are getting DHCP leases. Using USB & Realtek NICs are both not recommended. The Realtek should be fine for low speed applications - the USB NIC, who knows. It could be your problem right now. A better way to use your laptop for pfSense would be with a very basic & cheap web managed switch with 802.11x VLANs. https://www.amazon.com/TP-Link-Gigabit-Ethernet-Managed-TL-SG105E/dp/B00N0OHEMA/ref=sr_1_2?s=pc&ie=UTF8&qid=1503616430&sr=1-2&keywords=web+managed+switch&refinements=p_n_feature_keywords_two_browse-bin%3A7306161011
  • Unable to upgrade from 2.4.0-BETA to RC

    6
    0 Votes
    6 Posts
    1k Views
    bingo600B
    @tcsac: @jimp: Under Update Settings, if you switch to Development Snapshots, does it find those files? It's looking in the wrong place, but it's not clear why it's looking in that specific place when it doesn't seem to be doing that for anyone else. That's what I assumed when I saw the -devel.  So I switched to development, it found those.  Switched back to stable, it found the RC.  Weird, but that works, thanks! Smells a lot of my issue https://forum.pfsense.org/index.php?topic=135618.0 /Bingo
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.