Netgate Discussion Forum
    • G

      Installation

      Off-Topic & Non-Support Discussion
      4
      0 Votes
      4 Posts
      34 Views
      G
      SOLVED. Okay, we have the VMware figured out, Linux kernel issue on my side. For burning to USB, I discovered an update to Rufus (v4.11) which I downloaded and ran. Burnt to USB 2.0 without error. In Windows, when we look at the USB drive contents, there is nothing there. Disk Manager shows the partitions accordingly, so I assigned a drive letter to the USB stick and now can see the root of the stick - not a lot there, but that's a Windows thing. On one of our Ubuntu servers I could also see the parts natively. So that told me that everything burnt properly. Booted our potential pfSense system via USB and voilà - magic happened and installed. So, my takeaway here is to check for things like software updates (Rufus) and of course pay closer attention to the OS requirements for pfSense (i.e. the OS ver). Thanks Antibiotic, you set me on the right troubleshooting course.
    • C

      Static IP Given by ISP WAN Appears up but no connections can be made

      General pfSense Questions
      5
      0 Votes
      5 Posts
      84 Views
      C
      Solved: reset pfSense and selected DHCP. All OK. (Couldn't determine if ISP had fixed it or the reset worked.)
    • A

      IP CAM access

      Firewalling
      4
      2
      0 Votes
      4 Posts
      72 Views
      E
      Better option is to use a self-hosted VPN on pfSense to remotely connect to devices or services on your LAN. That way you are not opening ports on your firewall for miscreants to attack. Tailscale is what I use.
    • G

      Dynamic DNS - IP failing to update

      General pfSense Questions dynamic dns dynamic lease
      4
      0 Votes
      4 Posts
      103 Views
      G
      @Gertjan Thanks very much for the very detailed explanation. I'm not sure that I know exactly what caused the problem, but I think that I needed to set "Check IP Mode" to "Always use the Check IP service". It was set to Automatic (Default), and for some reason I was seeing an error with the Check IP service in the logs. @stephenw10 Thanks for the reply. In this case it wasn't Cloudflare. It was something in the way I had Dynamic DNS set up.
    • johnpozJ

      Forum change?

      Forum Feedback
      64
      1
      3 Votes
      64 Posts
      9k Views
      stephenw10S
      Yeah I usually nuke the content entirely these days just to make it cleaner but I think only admin can do that. I can at least clean that up.
    • P

      Skip captive portal for static ARP

      Captive Portal dhcp arp
      4
      0 Votes
      4 Posts
      38 Views
      GertjanG
      @paulatz said in Skip captive portal for static ARP: "some documentation" Euh, it's open source. So everything you need to know is already there. No one ever wrote a book, guide or manual about these millions of lines of 'script'. If you know what 'PHP' is: ssh into your pfSense and start to discover. This will take you some time ;) If you want to write scripts for a system, you have to know (somewhat) that system.
    • L

      I need to restart tailscale service after pfsense reboot

      Tailscale
      10
      0 Votes
      10 Posts
      376 Views
      C
      @Wolf666 Thank you, I will try it. Unfortunately, since I had already replaced the contents of /usr/local/etc/rc.d/tailscaled and it had been working so far, I will not be able to tell which of the two solved the problem. And of course, I can't find a copy of the old .../rc.d/tailscaled. Therefore, if none of this works, it will require yet another delete and reinstall of everything Tailscale in my system.
    • S

      Email notification delay

      Forum Feedback
      4
      0 Votes
      4 Posts
      102 Views
      tinfoilmattT
      @SteveITS Possibly something with that ESMTPSA > SMTP > ESMTPS. But yeah, who knows.
    • G

      All traffic stopped, looks a bug to me!

      General pfSense Questions
      3
      0 Votes
      3 Posts
      37 Views
      G
      @stephenw10
      Nov 19 22:50:42 kernel re1: link state changed to DOWN
      Nov 19 22:50:42 kernel re1: watchdog timeout
      Nov 19 22:50:42 check_reload_status 1050 Linkup starting re1
      Nov 19 22:50:13 check_reload_status 1050 Reloading filter
      Nov 19 22:50:13 php-fpm 27945 /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
    • L

      No access to pfSense webgui (suddenly) but SSH works, other clients in VLAN can access

      General pfSense Questions
      3
      0 Votes
      3 Posts
      41 Views
      L
      @stephenw10, thx. I have now tried the most obvious thing and booted my PC with a live Ubuntu. Therefore I get the same IP settings from my pfSense DHCP. With Linux I can access the webgui without problems. This makes me assume that my Win11 settings are somehow corrupt. Before resetting my PC or manually removing updates, would you have other suggestions? I already disabled the firewall. netstat shows a TCP connection on 192.168.0.1 port 80 on my PC. I just have the feeling that the packages from pfSense are not handled correctly on my PC. Btw, changing to https didn't change anything. Connection to the VLAN gw does not work either (192.168.10.1).
    • A

      SG6100 SWAP full and high CPU - tweak suggestions?

      General pfSense Questions
      3
      3
      0 Votes
      3 Posts
      38 Views
      GertjanG
      @alnico said in SG6100 SWAP full and high CPU - tweak suggestions?: "My 1GB swap space was always 100% full, so I increased it to 4GB" You should add more RAM, which is impossible. So only one option left: lower the RAM usage. Suricata/darkstat/ntopng will use all available memory. Remove them all, and memory issues will be gone for good. Up to you to find some middle ground here. Btw: Suricata/darkstat/ntopng are processes that have to be babysat: every day (I'm serious), you see what these have found, check their memory usage and disk usage (log files !!). If you don't have the time to check up on their stats, disable them, as it is useless to collect data that you waste-bin moments later. See it like this: when not swapping, every memory access is one CPU cycle. With swapping, every memory access is (hundreds of) thousands of cycles .... Swapping is very (!) expensive for the CPU.
    • _

      Tracking User Interactions in Google Analytics for a Website Opened via an iFrame from a Captive Portal

      Captive Portal
      3
      0 Votes
      3 Posts
      44 Views
      GertjanG
      @_malek said in Tracking User Interactions in Google Analytics for a Website Opened via an iFrame from a Captive Portal: "I added all required URLs (including google-analytics.com) to the Allowed Hostnames, Google Analytics still doesn't record any events" When you add an "Allowed Hostname" to the portal, a DNS lookup is performed and an (1 !!) IPv4 is returned so the pf firewall can filter to 'allow'. Remember: a firewall can't filter host names. Just "IP addresses" (see for yourself: what is in an Ethernet packet header). Guess what: "Google Analytics" isn't one IPv4 - it changes all the time, as that site (service) is used by billions any moment, thousands of times per second (everybody wants to do Google Analytics for some reason), so the load is DNS pre-distributed / balanced over a lot of (major understatement) IPv4 addresses. https://docs.netgate.com/pfsense/en/latest/captiveportal/allowed-hostnames.html If you manage to get them all, and you add all the possible IPv4s to the "Allowed IP Addresses" list, it might work.
    • R

      Quantum Fiber settings

      General pfSense Questions
      3
      0 Votes
      3 Posts
      65 Views
      R
      @stephenw10 Good point. The laptop does not have VLAN tagging going on. I'll try playing with it again, leaving tagging on for the modem and not turning it on for the router. Thanks, Jason
    • M

      Tool for pfSense + Unifi APs configuration

      DHCP and DNS
      3
      1 Votes
      3 Posts
      99 Views
      M
      @JKnott Of course it's not required. However, when you have lots of devices of the same brand/model, especially IoT, the name they show up as in both pfSense and Unifi by default is not distinctive. Sometimes even duplicate. I have over 40 TP-Link KP125 smartplugs that all showed up as "KP125", for instance. It is impossible to tell which is which in the controller. The 218 Wiz light bulbs use wiz_last 6 of the MAC. So, I created DHCP reservations for each of them, and described them in pfSense. The tool ensures that the description matches. Otherwise, it is a manual process - you have to update it in 2 places. And if you forget, it is very confusing. Especially if you move and repurpose a device, which happens a fair bit with the smartplugs. With 302 Wi-Fi clients, double manual edits did not cut it. Hence why I created the tool.
    • Z

      tcode Kea truncate after comma

      DHCP and DNS
      3
      0 Votes
      3 Posts
      39 Views
      Z
      @Gertjan Thanks for the hint! I saw that I had TCode wrong, but even with the example, PCode still gets truncated:

      {
        "option-data": [
          { "name": "time-offset", "data": "3600" },
          { "name": "tcode", "data": "Europe/Zurich", "always-send": true },
          { "code": 100, "data": "EST5EDT4,M3.2.0/02:00,M11.1.0/02:00" }
        ]
      }

      This is what Wireshark sees:

      Option: (100) PCode
          Length: 8
          TZ PCode: EST5EDT4
      Option: (101) TCode
          Length: 13
          TZ TCode: Europe/Zurich
      Option: (255) End
    • C

      HAProxy- how to send HTTPS IP address to web server, I keep getting errors

      Cache/Proxy
      3
      1
      0 Votes
      3 Posts
      48 Views
      C
      It is added to the backend IIS server logging option. It is not receiving it from HAProxy.
    • J

      Question about the switch config on the Netgate 7100

      Deutsch
      3
      1
      0 Votes
      3 Posts
      60 Views
      JeGrJ
      @johndo A question to check my understanding: you want port 3 to act separately (as its own single port) and to speak the VLANs x (17, 18, ...) tagged? That is what I am reading from the config right now? Because you have taken the default VLAN 1 away from it; it is no longer in the list. Only the "Mgmt" (Group 2) is, but if that is your desired untagged VLAN, that is correct. It would also be important to check in the "Ports" section that this is set correctly. As soon as you deviate from the default, the corresponding VLAN mode has to become active there and show the ports correctly. But if it otherwise behaves the way you want, that does not look wrong. Cheers :)
    • N

      openvpn client dco connectivity issues @ 20250518113006_20250726122025

      Development
      13
      0 Votes
      13 Posts
      633 Views
      N
      @stephenw10 Yes, same box, same hypervisor. sip, ssh, rdp, web, everything works fine over dco for those on the same hypervisor (and the same subnet). Whatever lies outside the box and the same subnet, only icmp works (to either the behind the dco vpn or anything on the internet behind pppoe). Same LAN stations policy routed to another dhcp wan connection work FINE. And again, reverting to previous version and uploading the SAME config file resolves ALL issues.
    • D

      Crash Report Netgate SG2100

      General pfSense Questions
      2
      0 Votes
      2 Posts
      12 Views
      patient0P
      @detox run a search on this forum for 'kea2unbound php' and you'll find some results that may help. In general: What pfSense+ version are you using and are you using pfBlockerNG (then the solutions in the mentioned search will help you)?
    • A

      Response Policy Zones

      DHCP and DNS
      2
      0 Votes
      2 Posts
      30 Views
      GertjanG
      @Antibiotic Does Unbound support RPZ? And the official NLnet Labs (= Unbound author) manual and documentation. I tend to say: yes.