@stephenw10 said in boot failure upgrading to 25.03.b.20250306.0140 i:

Mmm, so just to review; if you change the disk type to something other than vitio block device (modern) it finds it and boots but still fails to find the virtio (modern) NICs?

Yes, this is exactly the case.

If I change virtio ethernet to e1000, it also finds network interfaces.

@johnpoz I saw it wouldn’t let me set it to the port I needed so I improvised. That time thing only occurred when I was doing my AA in cyber security we had so many labs and also a red blue team exercise so I would not be surprised if an instructor wanted to expand our knowledge and see if someone went to authenticated NTP. Who knows. It was cool to be part of the nist.gov stuff. I know the latest software revision now includes the ntp stuff. I wonder if others had concerns also.

The reason I NAT ntp is because not everything uses the firewall but it will use it when requests are NAT to it. Example Windows 11, Raspberry PI they request some specific sites yes I could add a dns override for them but I just NAT any requests to the firewall and it uses the nist.gov encrypted time system. So it gets secure time. The systems get the right time and it works. It seems tinfoil hat, but no issues with time jumps ever again.

@rasputinthegreatest said in Can someone explain why this rule gets triggered by Snort 3:19187?:

@bmeeks I never actively blocked anything regarding FIrefox and have no IPs blocked that belong to Firefox. It only happens in a VM so it must be the Proxmox layer that blocks something but couldn't find anything online about it.

I don't think you understood my point. Firefox, unless the "use secure DNS" option is disabled, will use the DNS services of trusted partners (meaning they have a deal with eath other) for IP resolution using DoH (DNS over port 443 using SSL). If you have anything on your firewall (Snort, Suricata, pfBlockerNG, etc.) that is blocking DoH destination IPs or is attempting to do that, it would confuse the DoH lookups the Firefox browser attempts. It has nothing to do with IP addresses specifically related to FireFox itself.

@Gertjan did a good job explaining how Proxmox is pretty much going to be agnostic in terms of traffic. It is not going to be selectively blocking things unless you have have something misconfigured.

@stephenw10

oh my man, These silly mistakes is wasting my time.
The gateway was being considered as offline, So I had to disable gateway monitoring. and it solved the problem.

alt text

Thank you so much

@Gblenn

Yep TrueNas is using ZFS and a big ram cache, however the NVME-SSD should be ... fast enough to write 10G ... I think & hope. However I must admit that SSD's are not by far as fast as advertised if you are writing larger amounts of data ..

It is a 4TB WD_BLACK SN850X not the worst ssd ....

@michmoor said in Is pfSense Community Edition abandoned?:

its true...dont expect 2.8 snapshots at all today.....

It is my humour to announce this on 1 April. 😁

@KB8DOA said in Kea DHCP Server config changes not applied until reboot:

Had it happen again.

If you have some spare moments, run this while using ISC, and Kea :

7526decc-6b7f-44a0-a722-bc7d827070b1-image.png

and hit the start button.

You'll see the DHCP "client" requests in real time, the ones reaching your pfSense DHCP server, and the DHCP server answers.

@Gertjan

The "old" pfSense-CE-memstick-2.7.2-RELEASE-amd64.img.gz worked! I'm now up and running on my new hardware with a 10Gbps WAN connection... swoosh! 🚀

Thanks for the quick and great support!

Lesson learned: Always perform a clean barebone install using the legacy USB installer, then restore the backup, reconfigure the WAN/LAN NICs, reinstall packages, and restart.

If you have the ID you can just search the ruleset for it:

[25.03-BETA][root@fw1.stevew.lan]/root: pfctl -vsr | grep 1736810441 pass in log quick on mvneta0 inet proto tcp from <LAN__NETWORK> to 208.123.73.69 flags S/SA keep state (if-bound) label "USER_RULE: Connections to ews" label "id:1736810441" ridentifier 1736810441

Or if you have the ID you likely have the rule number like:
Screenshot from 2025-03-31 22-45-14.png

In which case you can use the rules view in Diag > pftop

@stephenw10
what? surely this is of the highest importance! 🤣

@johnpoz I will share you all the details and snapshot tomorrow.

You must have a firewall rule allowing it since all traffic inbound is blocked by default.

So check the WAN firewall rules. If there's nothing there check for interface groups or floating rules.

Post some screenshots if you're unsure.

Edit: Ooops hit post after like 2hrs. 🙄

Oops, missed the zpool status output. Yup I would try: zpool labelclear -f /dev/mmcsd0s3

@JonathanLee @w0w

thanks I'll give this a try

@viragomann That worked. You are awesome! Thank you so much.

any other suggestions on what might be the issue?
Cheers

What switch do you have on the LAN side currently? Is it linked at 2.5G to the pfSense LAN and 1G to the clients?

Try setting the LAN side link to 1G when the WAN at 2.5G so the bandwidth change is in pfSense not the switch.

If it's in the switch you pretty much need flowcontrol active to avoid buffer overruns.

@stephenw10 said in installing pfsense 2.7.2:

Hmm, well that's interesting. I wouldn't have expected that to work at all. 🤔

Me neither but maybe to do with a quirk of coreboot, if that device is flashed with it.