@eloich Thanks, this worked. Was back online in 2 mins of reboot and I didnt remove any packages this time either.

Yes, in the dynamic repo system ugrades are supported from the previous two versions. So you can skip one version. For 25.07 that's 24.03 and 24.11 so you would have needed to upgrade to one of those first from 23.09.

@slu said in Filterdns has stopped resolving hostnames in firewall aliases: aybe its relevant how ACME is configured. Nice catch ! This : [image: 1754480078430-7f044d98-4fe3-4b61-9697-d44d3c9bd573-image.png] implies that when you set DNS Sleep to '0', it's the script itself that starts polling every 'x' seconds the domain name servers. If its using one of the Doh etc, (which you've blocked with pfBlockerng) then yeah, that fails ... Set DNS Sleep to "200" or so and solved ^^

@johnpoz Thanks John, looking forward to your findings.

For reference that's an ugly error but it's only cosmetic. It's safe to upgrade still if you see that after rolling back.

@stephenw10 again... no errors. It's kind of wild... [2.8.1-BETA][admin@waw-staff-vpn.cic.com]/root: pfSense-upgrade -dC >>> Updating repositories metadata... Updating pfSense-core repository catalogue... Fetching meta.conf: Fetching data.pkg: pfSense-core repository is up to date. Updating pfSense repository catalogue... Fetching meta.conf: Fetching data.pkg: pfSense repository is up to date. All repositories are up to date. Your system is up to date [2.8.1-BETA][admin@waw-staff-vpn.cic.com]/root:

So you're using the CARP IP address for the pfBlockerNG redirects? May I ask why that's necessary?

said in Please update frr on Pfsense+ to FRR 10.3: https://redmine.pfsense.org/issues/15785 now frr 10.4.1

@jimp Here it is: Aug 5 13:49:59 cleo filterlog[66564]: 247,,,1649447902,mvneta0.4092,match,block,in,6,0x00,0x00000,1,Options,0,56,fe80::417:952d:77be:4497,ff02::16,HBH,PADN,RTALERT,0x0000, which should match with this from the gui: [image: 1754416400265-screenshot-2025-08-05-at-1.52.20-pm.png]

Check mal die YT Videos von "Raspberry Pi Cloud" - der hatte kürzlich was zum Thema Fritz!Box und VPN gemacht...

Technically is was but as long as we can still build for it without too much difficulty we will try. There are some packages that no linger build for arm32 and are not available there. At some point the work required to make it build will become impractical and it will no longer upgradable.

Yup mpd5/netgraph ignores those errors. It should be fixed by this: https://github.com/pfsense/FreeBSD-src/commit/7a623f854217be1dc7a04ce0b3f47303ea2ce7a9 That's in main so it should land in 25.11/2.9.0.

Cloning the SSD should work, yes. But I would also just install clean and restore the config.

I've added an issue on redmine: https://redmine.pfsense.org/issues/16354

@chris.doldolia The 2100 has a 4 port switch. The documentation page I linked above will allow you to treat a given port as (change it to become) a separate network interface. In the default configuration the individual ports cannot have an IP address because they are all the same LAN. If you want to add a VLAN and have it work on all four ports then I think you need to add the VLAN to "port 5" which is the switch. You might post your Interfaces > Switches pages, and Interfaces > Assignments pages.

Yup it's a display issue if the system creates a log entry with no host name: https://redmine.pfsense.org/issues/15411 You can just wait for the offending entry to move off the displayed logs.

@stephenw10 Yes, both ends are 1000 auto by default and I have tried fixing them to 1000 FDX fixed with no luck. Also - If I limit the client uplink to 100Mbps so the speed cannot really put heavy pressure on the 2100, the problem still arises. So it's most definitively an issue with the stability of the link or some buffer bursting as seen from the builtin 5 port switch side.

@SteveITS yes it look like, but I have actual filterdns log entries im my log.

@micneu Hi und iHr nutzt hier openvpn ? ich habe gestern 2 Stunden lang mit Openvpn und der MTU rumgespielt - sowohl mit mssfix als auch mit tun-mtu - wie vorgeschlagen sogar in 10er schritten - ich komme maximal - auf 200mbit/s Da ich nicht genug "Kisten" da habe beide Pfsense viritualisiert auf AMD Epyc Servern... Habe dann nochmals nen Versuch mit Wireguard unternommen und erreiche hier realistische 900Mbit/s - aber auch erst nach Anpassung der MTU - dann aber sehr stabil....

@dennypage said in netisr running close to 100% on a single core: @Gustas said in netisr running close to 100% on a single core: Do you have both WAN and LAN enabled as Monitored Interfaces in ntopng by chance? Yes, we do. Can that be the issue? Certainly a contributor. There is a caution in the pfSense ntopng package when selection interfaces to monitor that says "It is generally not recommended to monitor WAN interfaces." At a minimum, it will double your load. You should remove any WAN interfaces from the list of Monitored Interfaces. Also, if you have any form of active discovery enabled inside ntopng itself, be sure to turn that off as well. Sorry, I just checked and monitoring in ntop is configured only for internal interfaces, WAN is not being monitored. Sorry for misleading you.