@stephenw10 said in boot failure upgrading to 25.03.b.20250306.0140 i:

Mmm, so just to review; if you change the disk type to something other than vitio block device (modern) it finds it and boots but still fails to find the virtio (modern) NICs?

Yes, this is exactly the case.

If I change virtio ethernet to e1000, it also finds network interfaces.

@johnpoz I saw it wouldn’t let me set it to the port I needed so I improvised. That time thing only occurred when I was doing my AA in cyber security we had so many labs and also a red blue team exercise so I would not be surprised if an instructor wanted to expand our knowledge and see if someone went to authenticated NTP. Who knows. It was cool to be part of the nist.gov stuff. I know the latest software revision now includes the ntp stuff. I wonder if others had concerns also.

The reason I NAT ntp is because not everything uses the firewall but it will use it when requests are NAT to it. Example Windows 11, Raspberry PI they request some specific sites yes I could add a dns override for them but I just NAT any requests to the firewall and it uses the nist.gov encrypted time system. So it gets secure time. The systems get the right time and it works. It seems tinfoil hat, but no issues with time jumps ever again.

@stephenw10

oh my man, These silly mistakes is wasting my time.
The gateway was being considered as offline, So I had to disable gateway monitoring. and it solved the problem.

alt text

Thank you so much

@Gblenn

Yep TrueNas is using ZFS and a big ram cache, however the NVME-SSD should be ... fast enough to write 10G ... I think & hope. However I must admit that SSD's are not by far as fast as advertised if you are writing larger amounts of data ..

It is a 4TB WD_BLACK SN850X not the worst ssd ....

@michmoor said in Is pfSense Community Edition abandoned?:

its true...dont expect 2.8 snapshots at all today.....

It is my humour to announce this on 1 April. 😁

@robsonvitorm said in IPv6 + DHCPv6 + statefull:

tcpdump -vvnn -i vtnet1.18 "icmp6 && (ip6[40] == 133 || ip6[40] == 134 || ip6[40] == 136) || (udp port 546 or 547)"

Thanks for the command !
(but the radv IPv6 bla bla traffic is also spamming )

Your image shows the - I think - the DHCPv6 server == pfSense answer.
So it received a request. And answered.
From a pfSense pint of view, DHCPv6 works.

Here is a sequence from mine :

Client to server 22:37:59.295387 IP6 (flowlabel 0x58369, hlim 1, next-header UDP (17) payload length: 141) fe80::a6bb:6dff:feba:16a1.546 > ff02::1:2.547: [udp sum ok] dhcp6 renew (xid=b34e82 (elapsed-time 0) (client-ID hwaddr/time type 1 time 643424141 a4bb6dba16a1) (server-ID hwaddr/time type 6 time 753711221 90ec7729392a) (IA_NA IAID:161790829 T1:6750 T2:10800 (IA_ADDR 2a01:cb19:907:a6e2::c7 pltime:13500 vltime:21600)) (vendor-class) (Client-FQDN) (option-request vendor-specific-info DNS-server DNS-search-list Client-FQDN)) server to client 22:37:59.315289 IP6 (hlim 64, next-header UDP (17) payload length: 173) fe80::92ec:77ff:fe29:392c.547 > fe80::a6bb:6dff:feba:16a1.546: [udp sum ok] dhcp6 reply (xid=b34e82 (client-ID hwaddr/time type 1 time 643424141 a4bb6dba16a1) (server-ID hwaddr/time type 6 time 753711221 90ec7729392a) (IA_NA IAID:161790829 T1:6750 T2:10800 (IA_ADDR 2a01:cb19:907:a6e2::c7 pltime:13500 vltime:21600)) (DNS-server 2a01:cb19:907:a6e2:92ec:77ff:fe29:392c) (DNS-search-list brit-hotel-fumel.net.) (Client-FQDN)) client to server 22:37:59.568116 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::a6bb:6dff:feba:16a1 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16 source link-address option (1), length 8 (1): a4:bb:6d:ba:16:a1 0x0000: a4bb 6dba 16a1 server to client 22:37:59.568669 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 152) fe80::92ec:77ff:fe29:392c > fe80::a6bb:6dff:feba:16a1: [icmp6 sum ok] ICMP6, router advertisement, length 152 hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms prefix info option (3), length 32 (4): 2a01:dead:beef:a6e2::/64, Flags [onlink], valid time 86400s, pref. time 14400s 0x0000: 4080 0001 5180 0000 3840 0000 0000 2a01 0x0010: dead beef a6e2 0000 0000 0000 0000 route info option (24), length 8 (1): ::/0, pref=medium, lifetime=1800s 0x0000: 0000 0000 0708 rdnss option (25), length 24 (3): lifetime 1800s, addr: 2a01:dead:beef:a6e2:92ec:77ff:fe29:392c 0x0000: 0000 0000 0708 2a01 dead beef a6e2 92ec 0x0010: 77ff fe29 392c dnssl option (31), length 56 (7): lifetime 1800s, domain(s): bhf.tld. 0x0000: 0000 0000 0708 1062 7269 742d 686f 7465 0x0010: 6c2d 6675 6d65 6c03 6e65 7400 1062 7269 0x0020: 742d 686f 7465 6c2d 6675 6d65 6c03 6e65 0x0030: 7400 0000 0000 mtu option (5), length 8 (1): 1500 0x0000: 0000 0000 05dc source link-address option (1), length 8 (1): 90:ec:77:29:39:2c 0x0000: 90ec 7729 392c

Looks like the client requests,
and the server answers 'something',
Then the client makes a second requests
and the server answers with all the details.

@pjaiswal0231 said in Switch Doesn't accept DHCP Lease after Pfsense service gets boot late after the switch is already booted.:

i changed from auto negotiation to 100 full duplex according to my switch

So this dumb switch is also ancient - 100 full duplex.. ouch..

@KB8DOA said in Kea DHCP Server config changes not applied until reboot:

Had it happen again.

If you have some spare moments, run this while using ISC, and Kea :

7526decc-6b7f-44a0-a722-bc7d827070b1-image.png

and hit the start button.

You'll see the DHCP "client" requests in real time, the ones reaching your pfSense DHCP server, and the DHCP server answers.

@Gertjan

The "old" pfSense-CE-memstick-2.7.2-RELEASE-amd64.img.gz worked! I'm now up and running on my new hardware with a 10Gbps WAN connection... swoosh! 🚀

Thanks for the quick and great support!

Lesson learned: Always perform a clean barebone install using the legacy USB installer, then restore the backup, reconfigure the WAN/LAN NICs, reinstall packages, and restart.

If you have the ID you can just search the ruleset for it:

[25.03-BETA][root@fw1.stevew.lan]/root: pfctl -vsr | grep 1736810441 pass in log quick on mvneta0 inet proto tcp from <LAN__NETWORK> to 208.123.73.69 flags S/SA keep state (if-bound) label "USER_RULE: Connections to ews" label "id:1736810441" ridentifier 1736810441

Or if you have the ID you likely have the rule number like:
Screenshot from 2025-03-31 22-45-14.png

In which case you can use the rules view in Diag > pftop

@houseofdreams said in using !rfc1918 won't work?:

But as I said, I allready got the idea that this isn't going to be possible without major changes, or am I wrong?

You are right this time. If you want to separate all servers from each other, every server needs its own (V)LAN. I do this too.

@stephenw10
what? surely this is of the highest importance! 🤣

Well that should certainly have wiped it. Does it boot from USB as expected?

@rasputinthegreatest said in Can someone explain why this rule gets triggered by Snort 3:19187?:

@bmeeks I never actively blocked anything regarding FIrefox and have no IPs blocked that belong to Firefox. It only happens in a VM so it must be the Proxmox layer that blocks something but couldn't find anything online about it.

I don't think you understood my point. Firefox, unless the "use secure DNS" option is disabled, will use the DNS services of trusted partners (meaning they have a deal with eath other) for IP resolution using DoH (DNS over port 443 using SSL). If you have anything on your firewall (Snort, Suricata, pfBlockerNG, etc.) that is blocking DoH destination IPs or is attempting to do that, it would confuse the DoH lookups the Firefox browser attempts. It has nothing to do with IP addresses specifically related to FireFox itself.

@Gertjan did a good job explaining how Proxmox is pretty much going to be agnostic in terms of traffic. It is not going to be selectively blocking things unless you have have something misconfigured.

@viragomann That worked. You are awesome! Thank you so much.

any other suggestions on what might be the issue?
Cheers

@stephenw10 said in installing pfsense 2.7.2:

Hmm, well that's interesting. I wouldn't have expected that to work at all. 🤔

Me neither but maybe to do with a quirk of coreboot, if that device is flashed with it.

@TampertK Yes, internal testing shows improved performance.

@ddbnj Awesome!