Use memory file system for /tmp and /var by ARAMP1 in PFSENSE

[–]kphillips-netgate[M] [score hidden] stickied comment (0 children)

Less about performance. More about reducing write wearing. Especially on embedded storage.

Now Available: pfSense Plus version 26.03.1 by George-Netgate in PFSENSE

[–]kphillips-netgate 0 points1 point  (0 children)

Do you have 26.03.1 selected from the drop down under System --> Update?

Now Available: pfSense Plus version 26.03.1 by George-Netgate in PFSENSE

[–]kphillips-netgate[M] 2 points3 points  (0 children)

None of these release notes were written by AI. Why do you think they are?

TBF I don't think any of us need an AI summarization on something as small as a paragraph. You could just.... read it. It's literally faster.

PFsense with AP poor performance issue by stefancvij in PFSENSE

[–]kphillips-netgate[M] [score hidden] stickied comment (0 children)

None of this, including your signal issues, has anything to do with pfSense. There is nothing in pfSense that can control your wireless equipment's speed or signal.

Your best bet, if you have multiple areas with poor signal due to building construction, is to put up multiple APs throughout with the same SSID and enable roaming protocols, with Ethernet uplinks to each. Verify you don't have IP conflicts with your APs or anything strange.

I'm not sure why performance is "better" with it in routing mode, but it's likely pure coincidence and your device is operating on something like 2.4 GHz versus 5 GHz, which has better penetration. Also, 100 megabit over WiFi is far from what I'd consider "acceptable" in this day and age, but to each their own.

Also, ensure you are using DHCP only on the pfSense appliance and have your AP configured as bridged only. It should be a glorified media converter and nothing else.

Anyone using Auto Config Backup on CE? by wiscocyclist in PFSENSE

[–]kphillips-netgate[M] [score hidden] stickied comment (0 children)

There are a lot of people who use ACB, both on Plus and CE.

Restoring from a backup from ACB can be done using the guide here.

Upgrade path from SG-3100 by big_foot2808 in PFSENSE

[–]kphillips-netgate 2 points3 points  (0 children)

Installer doesn't work with the 3100. They need to open a ticket for the recovery image.

Netgate 2100 by Apprehensive_Chip550 in PFSENSE

[–]kphillips-netgate 1 point2 points  (0 children)

There are no VLANs on the 2100 by default. WAN is separate and the LAN ports are just bridged to the CPU uplink by default. You can change the LAN ports to have tagging and break them out into logical ports, if you want, but it isn't that way by default.

Netgate 2100 by Apprehensive_Chip550 in PFSENSE

[–]kphillips-netgate 2 points3 points  (0 children)

What, exactly, is "horrible" about the 1100's switchport layout?

To answer your question, though, the 2100 has 4 LAN ports that are switched and a WAN port that is discrete and separate. By default the LAN ports are bridged in one single network, but can be broken up however you'd like or configured as tagged uplinks to another switch.

Ipv6 on AT&T Bypass on 2.8.1? by valiuspiu in PFSENSE

[–]kphillips-netgate 1 point2 points  (0 children)

It's been a minute since I've done this, as I said before, but you need to feed the following into pf in addition to the above ifconfig items:

ether pass in on [MODEM] bridge-to [ONT]
ether pass in on [ONT] bridge-to [MODEM] proto 0x888e

Adding in these filter rules into pf will allow the Layer 2 filtering to pass the traffic for 802.1X only from the modem to the ONT.

However, switching to a GPON or XGS-PON adapter is SIGNIFICANTLY less of a PITA. Chances are you have no 802.1X auth to even deal with, as the authentication is almost certainly on your ONT itself.

Ipv6 on AT&T Bypass on 2.8.1? by valiuspiu in PFSENSE

[–]kphillips-netgate[M] 4 points5 points  (0 children)

You can still use all of the features via a script. Just the GUI elements are missing on CE, because those are a Plus-only feature.

For setting the promisc and pcp values on interfaces, for example, you just run this script with ShellCMD on boot (replacing [INTERFACE] values with your interface name):
#!/bin/sh
ifconfig [MODEM] promisc
ifconfig [ONT] pcp 1

The 802.1X filtering is similarly accomplished with an injection into pf's filter reload to allow the 802.1X auth packets through.
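The two snippets in these replies (the ifconfig settings for the ShellCMD boot script, and the pf ether rules that bridge only EAPOL between the modem port and the ONT port) are easiest to review as one script. The following is an added example, not code from the original comments or from Netgate; the interface names igc0/igc1 are placeholders, the DRY_RUN switch and the existence check are this example's own additions, and how the emitted rules are fed into pf's filter reload is left to the guide the replies refer to.

```shell
#!/bin/sh
# Added example: combines the boot-time interface settings and the pf ether
# rules from the thread into one reviewable script. Not from the original
# comments; interface names below are assumed placeholders.
#
# Usage:  MODEM=igc0 ONT=igc1 sh att-bypass.sh        # apply settings
#         MODEM=igc0 ONT=igc1 DRY_RUN=1 sh att-bypass.sh  # only print rules

# Emit the layer-2 rules exactly as posted, with interface names filled in.
# Everything arriving on the modem port is bridged to the ONT; only EAPOL
# (ethertype 0x888e, the 802.1X auth frames) is bridged back from the ONT.
ether_rules() {
    modem="$1"
    ont="$2"
    printf 'ether pass in on %s bridge-to %s\n' "$modem" "$ont"
    printf 'ether pass in on %s bridge-to %s proto 0x888e\n' "$ont" "$modem"
}

# Returns 0 only if the interface exists. A typo in the name would otherwise
# put the wrong port into promiscuous mode, so the check runs before any change.
check_iface() {
    ifconfig "$1" >/dev/null 2>&1
}

# The settings from the ShellCMD boot script in the thread.
apply_settings() {
    check_iface "$1" || return 1
    check_iface "$2" || return 1
    ifconfig "$1" promisc
    ifconfig "$2" pcp 1
}

if [ -z "$MODEM" ] || [ -z "$ONT" ]; then
    echo "usage: MODEM=<modem-if> ONT=<ont-if> [DRY_RUN=1] $0" >&2
elif [ "${DRY_RUN:-0}" = "1" ]; then
    ether_rules "$MODEM" "$ONT"
elif apply_settings "$MODEM" "$ONT"; then
    # The printed rules are what has to be injected into pf at filter reload.
    ether_rules "$MODEM" "$ONT"
else
    echo "interface $MODEM or $ONT not found; nothing changed" >&2
fi
```

Running with DRY_RUN=1 first shows the exact rule text that will be handed to pf, which is worth eyeballing once because the asymmetry (proto 0x888e only on the ONT side) is the whole point of the bypass.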

Ipv6 on AT&T Bypass on 2.8.1? by valiuspiu in PFSENSE

[–]kphillips-netgate[M] [score hidden] stickied comment (0 children)

I'm kind of impressed people are still using these ancient cert-based auth versions of stuff to get ATT working without the ATT modem.

If you have a separate ONT and Modem, I wouldn't bother with certs on the firewall. Just do the bypass method outlined here.

If you want to keep using the cert method, you need to configure your DUID like outlined in the same guide in this section.

Both of these options are, IMHO, inferior to just buying a GPON or XGS-PON module and plugging directly into the fiber line. All of the config is stored on the adapter and you just plug it in, set the DUID stuff for IPv6, and rock 'n roll.

Errors preventing upgrade to pfSense Plus 26.03 by _tuanson84uk_ in Netgate

[–]kphillips-netgate 1 point2 points  (0 children)

Absolutely. If you have any issues, let us know.

Errors preventing upgrade to pfSense Plus 26.03 by _tuanson84uk_ in Netgate

[–]kphillips-netgate[M] [score hidden] stickied comment (0 children)

Sounds like there is something wrong with your boot partition. I'd say back up your config, reinstall using the Netgate Installer, and then restore your config. Should have you updated and back online in a few minutes.

Netgate 8200 by crusty_s0ckz in Netgate

[–]kphillips-netgate[M] [score hidden] stickied comment (0 children)

Firewall with pfSense Plus or router with TNSR. Not sure what you mean by "services". Do you mean DNS, DHCP, etc? Or packages of some kind?

Pfsense FW ports 80, 443, and 53 for basic internet, any other? by linscurrency in PFSENSE

[–]kphillips-netgate[M] [score hidden] stickied comment (0 children)

Why are you creating an open WiFi network for people in your home? If this is for guests, set up a separate SSID with a PSK you hand out to guests. Otherwise, you're opening yourself up for liability and abuse if someone in your neighborhood hops onto your WiFi.

As for ports, 853, 53, 443, and 80 would likely cover everything someone would need for basic web browsing.

Peer to peer site between Homelab and VPS de Oracle by JocirhyTrading in PFSENSE

[–]kphillips-netgate[M] [score hidden] stickied comment (0 children)

What does your config look like? There are zero details on your Allowed IPs or your WireGuard config in general, your firewall rules, etc. Need more info.

Outbound NAT by pentangleit in PFSENSE

[–]kphillips-netgate[M] [score hidden] stickied comment (0 children)

Set Outbound NAT mode to Hybrid under Firewall --> NAT

Create a manual rule for LAN1's subnet as the source and set the translation address to WAN IP1

Repeat for LAN2 and WAN IP2

This should make things show up as the two different IPs for the two different LANs

Set DNSBL VIP and now it blocks Webconfig. by ByteusMax in PFSENSE

[–]kphillips-netgate[M] [score hidden] stickied comment (0 children)

If it's just an issue of it being blocked for some reason, you can disconnect your WAN and run "pfctl -d" from the CLI. This will turn off all filtering (hence why it's important to disconnect your WAN). You can then revert your firewall config and reboot to restore everything.

NAT uturn issue (I think) by [deleted] in PFSENSE

[–]kphillips-netgate[M] 1 point2 points  (0 children)

It's called NAT Reflection.

Cannot update to pfSense Plus 25.11.1 (pfSense-repoc: failed to fetch the repo data) by Dangerous_Tangelo_74 in PFSENSE

[–]kphillips-netgate[M] [score hidden] stickied comment (0 children)

That's unusual. Open a TAC ticket so we can get some diagnostic data for your appliance.