I would agree. 18 hours in and everything continues to run smoothly. The issue related to image availability I believe is the valid answer and we can close this out as solved. Thanks everyone. -JD

Recently done four of them. Two upgrades from 2.7.2 and two net installed. All went ok & reinstalled packages after.

I agree an iso would be useful but I’ve managed without.

Next one will be an ESXI vm, so will try both methods on that.

@iggybuddy6 I'm just happy I could help. Today I went from thinking I knew everything about setting up wg on pfSense, to realising I did not, and that is a great reward in itself!

Hopefully your setup will remain stable going forward.

@johnpoz This even does this with the newest CE edition inside of UTM virtualized environment outside of the 2100s

Screenshot 2025-07-17 at 10.15.51.png

It is not just the 2100s this is set up for standard stuff everything else works with it just the status page

@Belcebu-Gdl

Hola.
Cuando ocurra el problema, yo revisaría desde el ordenador con cliente openvpn (en este caso desde el ordenador con openvpn connect) si hay conectividad al servidor openvpn (pfsense).
Aunque no es lo más común, yo tengo el servidor openvpn escuchando en tcp en lugar de udp. Si está en tcp, puedes desde el ordenador cliente comprobar si hay conectividad con el comando telnet a la ip y puerto del servidor openvpn. De esta manera puedes ir acotando el problema y ver si el problema es de servidor, de red o del cliente.
Un saludo.

@mav3rick said in OpenVPN on 2 pfsense instance with HA - service is running on both pfsense instances:

So setting openvpn to bind only to the CARP VIP works fine for me

Multi-WAN with HA there?
If so, it would be a better idea to run openVPN server on localhost instead.
This would allow it to receive connections from all WANs.

No need to select a VIP, just forward packets from the WANs VIPs to localhost.
You can use DNS, thus the client would connect to the WAN that is UP.
Or
You can use two remote entries in the .ovpn, with timeout lets say, 2 seconds.

Then, just create the NAT rule to access the firewall-2, using the SYNC address as previously mentioned.

It would seem the answer to my question is "/etc/rc.gateway_alarm" is run.

Nothing in there for DHCP leases from what I see. More about restarting VPN sessions and flushing states.

Mmm indeed, I would expect that to be they or it depending on whether 'peer' refers to the user or the device. More likely it's a device in that reference.

Good to hear.

Reverti o servidor para outra versão e atualizei, não funcionou a parte de Data Encryption Algorithms, ela não voltou.

Decidi parar de procurar solução, já que não obtive ajuda aqui e na internet, e resolvi colocar o wirguard no local. Mas estou ainda com algumas questões. Funcionou, estou acessando o fileserver do outro lado, mas alguns serviços como Impressora que usa SMB para fazer scaner, não envia via túnel.

You can download it here now:

https://raw.githubusercontent.com/ianb/alexa-sites/refs/heads/master/top-1m.csv

The problem is solved; it was indeed the network cable that had a loose connection.
It's in the trash!
Thank you all for your help.

@viragomann I lost oversight. The customer edited stuff on his own ... and wrote he succeeded by adding fw rules and policy-based-routing. Sounds like overkill a bit, but ok if he's happy.
I have to accept that this box is out of my control somehow now ;-)

thanks for your help. I might report back if I get access again and see things.

Yesterday we built a new pfSense 2.7.2 cluster, master firewall was running for over a week without problems, but about half an hour after setting up CARP and pfSync to the new slave it died with known hvevent problem. It then died several times, again and again.. Not sure but maybe it has something to do with either CARP/ConfigSync/pfSync or multicast traffic (because we know dying pfsense setups without carp configured, so might be multicast traffic in the network which triggers something).

We have had the same experience with our only OPNsense setup, of which the master is running smoothly since we removed the slave firewall.

@phthatcher said in SG-1100 as VPN client only (no dhcp) adding to existing network:

just assure that when the server reaches out to the web it is behind the vpn

So all you need is to configure pfSense as default gateway on the server.

The pfSense only needs a single interface (LAN, router-on-a-stick), connected to your LAN.
On the VPN interface you have to add an outbound NAT rule, as mentioned in the ExpressVPN tutorial.

@The-Party-of-Hell-No excellent. I’m glad some experimentation proved successful.

@dennypage said in Is it possible to prevent installed packages (e.g. ntopng) from accessing the Internet?:

@wolffire said in Is it possible to prevent installed packages (e.g. ntopng) from accessing the Internet?:

I really like ntopng, but I'd rather it not be able to access the internet whenever it wants.

Is it possible to block package processes from doing so?

You can't block individual packages. The closest you could get is to find the domain or addresses the package is accessing and block those.

With specific regard to ntopng, I haven't examined all the callouts but I don't recall it doing much unless you were using the licensed version (activation check), or had one of ntopng's "active" modes enabled.

Make sure you have Active Network Discovery disabled in ntopng. It's in Settings / Preferences / Network Discovery / Active Network Discovery. This option should never be enabled on pfSense. Ditto for Active Monitoring.

Thanks for the quick answer.

I'm a little surprised about not being able to lockdown individual processes for those 'who watches the watcher?' types of situations. Finding a dynamic workaround will be painful.

As far as ntopng, I just don't want it to be able do anything online unless I've configured it to do so; I loath the idea of telemetry being sent off to various companies.
Not that I've found anything (I haven't taken a serious look yet); I'm just a bit weary.

Speaking of the settings, after reading that post about inadvertently scanning the Internet, I definitely ensured active monitoring and network discovery was turned off. 😆

@pst said in 25.07.r.20250709.2036: still issues with limiters:

I have yet to test limiters in combination with floating firewall rule for buffer boat mitigation, which was an issue in earlier betas.

Still an issue in the RC. UL/DL limiters on LAN work as long as I haven't configured UL/DL limiters for WAN. Once there are WAN limiters no limits on LAN are adhered to (which I think is a regression from the beta where at least one direction worked as configured). Time to shelve those ideas of using limiters I guess.

https://github.com/pfsense/FreeBSD-ports/pull/1420

Merged I could not test it but it is in there with the make file now and the distinfo file

@stephenw10

Let me know if you can test that out

Dont use this I am having issues with the MASTER SITES and patches folder it wont make clean install all the way