• 0 Votes
    7 Posts
    740 Views
    GertjanG
@mhweb said in Netgate firewall ISP gateway is offline and has packet loss, how to fix it?: The problem I'm facing is that I'm getting 100% packet loss in the WAN interface; therefore, the internet connection drops. When you power up two switches, with no cables whatsoever, all the port LEDs will be out on all ports on both switches. You can actually see that there is no connection anywhere. Now, hook up a network cable from one switch to the other switch. Both ports on both switches light up: at this moment a connection exists. A steady, but empty (no real data) carrier is maintained between these two switches. Now you have created a typical situation that can also exist on your pfSense WAN port. The connection is UP (port LEDs are on, indicating the carrier speed) but nothing flows over it. How does pfSense know that the connection actually works? Simple, it sends, every half a second: [image: 1727269433451-0b5249e5-4371-4d52-9e4a-7c2606d34932-image.png] a ping. And if the reply comes back, the time is used to show this info: [image: 1727269495316-39f9cbdb-f90b-4e4d-a0b7-87e2609fca6b-image.png] And here it comes: what if the IP that pfSense pings decides to stop answering these pings? The "Internet" connection is still just fine, only this one and only IP stops answering you. The reaction of pfSense will be, eventually, that it decides that the connection is 'bad' and it will reset the interface. By default, the first upstream gateway device is chosen as a ping destination, but you can also choose another one yourself: [image: 1727269660170-07457f15-4630-4112-8868-0156dab94486-image.png] or you can decide not to monitor at all. After all, if your ISP is any good, why would it fail? [image: 1727269709020-2d8ce795-8536-44a1-8e2b-946b0def10b4-image.png] and problem solved. If, when not monitoring, the connection still doesn't seem to work: the problem is also solved. Do your ISP shopping elsewhere. You are the customer, you decide.
    Many customers will make, or break, an ISP. @mhweb said in Netgate firewall ISP gateway is offline and has packet loss, how to fix it?: I called Verizon for them to update the settings to use DHCP for the WAN port, and they didn't even know what a router is. That's like buying a new car at the local BMW dealer, and you ask: what type of tires does my new car have? They say "tires"? Normally, in such a situation, get your money back, don't argue, don't say a word, keep being friendly, and go somewhere else asap.
  • Can't route public/29 IP block to VMs on lan

    21
    0 Votes
    21 Posts
    1k Views
    johnpozJ
    @MrHedgehog said in Can't route public/29 IP block to VMs on lan: strip out the virtualisation layer great idea!
  • System logs referencing old gateway

    7
    0 Votes
    7 Posts
    536 Views
    S
    @SteveITS Final update. The issue definitely seems resolved. Thanks again.
  • Routing Internet Trafic over VPN not working

    2
    0 Votes
    2 Posts
    254 Views
    D
    Solution for you guys having the same problem: Create an Interface on site A for both OVPN tunnels. Then assign the automatically created Gateways in the Gateway Group. Don't forget to do NAT on the Cloud side.
  • [SOLVED] When outbound rule is needed VS not (Route existing)

    2
    0 Votes
    2 Posts
    290 Views
    V
    @Bambos pfSense itself never needs outbound NAT rules. It's rather the outside world that needs them. The point is to enable the outside world to communicate with your local devices, which probably reside inside a private subnet. If the outside world has no route to your subnet pointing to your (VPN) interface IP, you need to masquerade the source IP on outgoing packets with the interface IP using an outbound NAT rule. If you have a site-to-site VPN, the remote site usually has a route for your local subnets. So there is no rule needed then.
  • Load balancing with single Domain name

    1
    0 Votes
    1 Posts
    99 Views
    No one has replied
  • 0 Votes
    1 Posts
    106 Views
    No one has replied
  • SSH cant connect

    13
    0 Votes
    13 Posts
    557 Views
    johnpozJ
    @AndyRH said in SSH cant connect: if it is enabled it is more or less just IPTables If it were iptables or ufw I would agree with you, but this firewalld is zone based. And such a firewall coming up in a different zone, or not in any zone, would explain his symptoms exactly. https://docs.fedoraproject.org/en-US/quick-docs/firewalld/ All Fedora Editions install, configure and activate the firewall by default. No further action is required. The only exception is Cloud Edition, which relies on the higher level cloud system. That sounds to me like it's using firewalld and not iptables or ufw, etc. I would see if it's running: systemctl status firewalld. If it is, shut it down; does ssh now work? sudo systemctl stop firewalld. If it's running, you should be able to see what zone it's in and its settings with firewall-cmd --list-all
  • Firewall Rules for Blocking PRIVATE IPv4/IPv6 address ingress/egress

    1
    0 Votes
    1 Posts
    183 Views
    No one has replied
  • Dual WAN stuck on tier 2

    2
    0 Votes
    2 Posts
    165 Views
    S
    @jecker Can you show your gateway groups? And example rules? https://docs.netgate.com/pfsense/en/latest/multiwan/load-balance-and-failover.html
  • Multi wan setup routing FFR pf keeps doesn't allow routes to be updated

    1
    0 Votes
    1 Posts
    115 Views
    No one has replied
  • Routing Internet Traffic Through A Site-To-Site Tunnel

    3
    0 Votes
    3 Posts
    200 Views
    F
    @viragomann I think "skip rules when gateway is down" in System/Advanced/Miscellaneous that you mentioned is the point that I didn't know. Thank you so much.
  • How to set up a failover second WAN in pfSense

    2
    0 Votes
    2 Posts
    370 Views
    w0wW
    @rbthomas Don't know about step by step instructions, but Netgate documentation is pretty good. https://docs.netgate.com/pfsense/multiwan/load-balance-and-failover.html
  • ipv6 routing Hurricane "Prefer IPv4 over IPv6"

    5
    0 Votes
    5 Posts
    492 Views
    LaxarusL
    @Gertjan You are right, the IPv6 adoption here is pitiful. I just wanted to try my hand at it to see what I can do with it. But it breaks my running system, so I will stick with v4 for now.
  • Dual IPSec

    2
    0 Votes
    2 Posts
    175 Views
    M
    @dcreations you can use the FRR package, OSPF and BFD. BFD with default settings will try a hello packet every 50ms, and if it loses 3 packets, will switch the traffic to the backup path. You can also set one side to administratively down, and by doing that, you don't need to change the cost at the other side to shift the traffic.
  • Does pfsense support 5G

    2
    0 Votes
    2 Posts
    181 Views
    JonathanLeeJ
    I know the SG2100 only supports the older SIM cards
  • Failback state killing with "Automatic" failover?

    7
    0 Votes
    7 Posts
    830 Views
    M
    @marcosm said in Failback state killing with "Automatic" failover?: When you use an IP for gateway monitoring, a route is created for it via the gateway. Got it. I switched the secondary monitoring address to 9.9.9.9 since I don't use Quad9 for DNS resolution. The extra states on the secondary, while the primary is up, disappeared. Thanks!
    [24.03-RELEASE][admin@pfSense.home.arpa]/root: pfctl -i igc1.95 -s state
    igc1.95 icmp 192.168.95.2:24256 -> 9.9.9.9:24256 0:0
  • Failure detection options for multi-WAN failover

    4
    0 Votes
    4 Posts
    331 Views
    V
    @not-a-bot2024 Why do you bother with the ISP DNS if it doesn't work reliably? The DNS Resolver on pfSense requests the DNS root servers directly, unless you're using the forwarding mode.
  • Access from LAN1 to Access Point on LAN 2

    7
    0 Votes
    7 Posts
    680 Views
    O
    @johnpoz Thank you!
  • Access Modem with unchangeable IP on other Site

    3
    0 Votes
    3 Posts
    264 Views
    G
    @Stee7ic So you have a double NAT situation at all your sites? As in Public IP -> Modem -> 192.168.100.1 -> pfSense -> LAN IP. So I'm assuming when you say pfSense is 10.120.10.254, that is the LAN IP? It shouldn't matter what the pfSense WAN IP happens to be, which would be unique for each site as well (at least the public IP). I'm assuming with double NAT that the modems are set up to port forward ports 500, 4500 or whatever you use for IPsec?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.