Well it far higher than even the 1M default we usually set and that is generally far bigger than it needs to be. But you also show only 1400 states which is nothing. If you exhaust the mbufs that would definitely cause a problem. But you should also see that logging an error.

@shady28 Are you maybe looking at IP block list feeds vs DNSBL feeds?

@fireodo thank you very much for the help I will look into the sanity check.

Is it just me, or does it seem like the KISS (Keep It Simple [redacted]) answer is to install X-Ray on an officially supported platform or a VPS and tunnel traffic through that?

@slu said in Syslog service in pfSense v2.8.1 often stop itself: @jrey years ago there was a p1 release: https://docs.netgate.com/pfsense/en/latest/releases/2-3-5-p1.html Thanks for the source

Note to self under the latest release I had to set decipher list to cipher_list = "DEFAULT@SECLEVEL=0"

@nobanzai +1 amd64 15.0-CURRENT FreeBSD 15.0-CURRENT #21 RELENG_2_8_1-n256095-47c932dcc0e9: Thu Aug 28 16:27:48 UTC 2025 root@pfsense-build-release-amd64-1.eng.atx.netgate.com:/var/jenkins/workspace/pfSense-CE-snapshots-2_8_1-main/obj/amd64/AupY3aTL/var/jenkins/workspace/pfSense-CE- Crash report details: PHP Errors: [16-Nov-2025 21:48:05 Europe/] PHP Fatal error: Uncaught TypeError: Form_Select::__construct(): Argument #4 ($values) must be of type array, null given, called in /usr/local/www/vpn_openvpn_client.php on line 942 and defined in /usr/local/www/classes/Form/Select.class.php:31 Stack trace: #0 /usr/local/www/vpn_openvpn_client.php(942): Form_Select->__construct() #1 {main} thrown in /usr/local/www/classes/Form/Select.class.php on line 31 I'm temporery fix it. Use diag_edit.php edit /usr/local/www/vpn_openvpn_client.php & saved history version 4b9165e "Default to an empty array for functions expecting a countable value Do this for foreach() and count()." https://github.com/pfsense/pfsense/blob/4b9165e5ad3f47c36d1dec3a585a60b629bcdc3a/src/usr/local/www/vpn_openvpn_client.php and edit ciphers in client.

@dennypage Create an igmp rule on your floating rules, and do not set the direction to in. Set: Interface Leave: Direction to any Set: Protocol to IGMP only Set: Source to any Set: Destination to any Set: Quick Set: Adavanced Options, Allow IP options For example if you have pfblocker dnsbl auto rules (ping auto rule, permit auto rule) on top, it can cause trouble on the states. Check: the States of this rule. You should see tcp and upd packets as well, 443. If you set the direction on your lan intarfce to in, you should see igmp only, otherwise you have to place at the very top of all your other floating rules before everything else.

@w0w You can also run Squid on OpenWRT I am told there is so many packages I have been playing with OpenWRT because TP-Link was doing so weird data harvesting and pfsense caught it in the act after I just installed openwrt per @johnpoz recommendations. I just run it in bridge mode now

@agitelzon I have no issue connecting to LE servers from pf shell. The issue is cloudflare security setting is configured as a whitelist for api zone record changes. The whitelist includes my ipv4 address only, as a /32. As I mentioned, I could add the ipv6 prefix as a /64. Given that pf is configured to prefer ipv4, I thought that would carry over to acme as well.

@jimp Is this still a known issue somewhere? I have my session timeout set at 1440 (should be 24h) but I get logged out way sooner than that, seems like 1-2 hours. I don't see anything odd in the system log, and my client IP is not changing. I will note: I often see /tmp/sess_* files piling up. I sometimes need to clean these out. There can be dozen or more. All of them have a 0 byte size, with the exception of a single file (which I assume to be the active login session) (25.11 snapshots) screenshot [image: 1763314289448-b800a099-52d7-4523-85b3-5398bf578f29-image-resized.png]

@SteveITS Thank you!!

@tinfoilmatt Thanks! I have done that and it worked when forcing just her TV out the Centurylink.. My problem is my local box here. Im missing something because I can not get it to pass traffic from the WAN to the Wireguard tunnel. Ive got some time today so will chip away on my lab setup to see if I can finally accomplish it here first.

@provels said in CISA Update Feeds: https://www.cisa.gov/ Thank you, CISA is clearly an excellant resource. Jim

@SteveITS Thank you for your quick answer!

@FollyDude-0 I'm still trying to find it, not sure if I binned it. I might ask if I can borrow one if I can't find it. We are on FTTP with a /29 - works pretty good.

Hello everyone, Is there an update to this entry? Image 2 no longer seems to work/be available. Thank you very much.