This seems similar to https://redmine.pfsense.org/issues/11733, which was closed for no reason (the issue was with ONT, not LAN link, so there was no reason fro web UI to stop responding).

This apparently affects all interfaces regardless of which gateway goes down.

Right now I have WAN as Tier 1 and WAN2 as Tier 2. When WAN2 (second ISP) has packet loss, I both lose Internet connectivity using WAN and web UI becomes unresponsive.
Not always, but often, which is especially annoying during video calls.

Here are the logs from the last time it happened:

Spoiler

Dec 3 07:35:44 nginx 2022/12/03 07:35:44 [crit] 39955#100173: *31629 SSL_write() failed (13: Permission denied) while processing HTTP/2 connection, client: 192.168.1.2, server: 0.0.0.0:443 Dec 3 07:35:11 php-fpm 30078 1.0.0.1|redacted|WAN2_DHCP|2.429ms|0.833ms|0.0%|online|none Dec 3 07:35:11 php-fpm 30078 /rc.openvpn: MONITOR: WAN2_DHCP is available now, adding to routing group MultiWAN Dec 3 07:35:10 check_reload_status 381 Reloading filter Dec 3 07:35:10 check_reload_status 381 Restarting OpenVPN tunnels/interfaces Dec 3 07:35:10 check_reload_status 381 Restarting IPsec tunnels Dec 3 07:35:10 check_reload_status 381 updating dyndns WAN2_DHCP Dec 3 07:35:10 rc.gateway_alarm 44475 >>> Gateway alarm: WAN2_DHCP (Addr:1.0.0.1 Alarm:0 RTT:2.444ms RTTsd:.829ms Loss:0%) Dec 3 07:35:00 sshguard 42588 Now monitoring attacks. Dec 3 07:35:00 sshguard 48246 Exiting on signal. Dec 3 07:34:34 php-fpm 30078 1.0.0.1|redacted|WAN2_DHCP|2.533ms|0.65ms|13%|down|highloss Dec 3 07:34:34 php-fpm 30078 /rc.openvpn: MONITOR: WAN2_DHCP has packet loss, omitting from routing group MultiWAN Dec 3 07:34:34 check_reload_status 381 Reloading filter Dec 3 07:34:34 php-fpm 62018 /rc.newwanip: rc.newwanip: on (IP address: redacted) (interface: WAN2[opt1]) (real interface: vtnet1). Dec 3 07:34:34 php-fpm 62018 /rc.newwanip: rc.newwanip: Info: starting on vtnet1. Dec 3 07:34:33 check_reload_status 381 Reloading filter Dec 3 07:34:33 check_reload_status 381 Restarting OpenVPN tunnels/interfaces Dec 3 07:34:33 check_reload_status 381 Restarting IPsec tunnels Dec 3 07:34:33 check_reload_status 381 updating dyndns WAN2_DHCP Dec 3 07:34:33 rc.gateway_alarm 41178 >>> Gateway alarm: WAN2_DHCP (Addr:1.0.0.1 Alarm:1 RTT:2.530ms RTTsd:.653ms Loss:11%) Dec 3 07:34:33 check_reload_status 381 rc.newwanip starting vtnet1

I didn't have this issue before Multi-WAN. Nginx error is especially concerning. That was me trying to refresh frozen page, but I was unable to do so.

@bob-dig said in Multicast traffic between LAN interfaces on different subnets:

I think you should solve it by putting all the devices in the same subnet. If you need a switch for that and maybe a wireless access point, both with vlan support, then get those. A firewall isn't a switch.

I agree with the last one. However, a switch cannot filter anything normally, but pfSense can, even on bridged interfaces sharing the same L2.

So there are specific circumstances, where a bridge may be the preferred solution.

@viragomann

Thank you for responding, I will proceed with duplicating the rules then.

so upon disabling and re enabling the WAN interface this is when i see the issue occur. the only action that can be taken it seems is to manually select the gateway removing it off the automatic option. restarting the gateway service nor reboot changes its behaviour.

Running on 2.6.0-RELEASE (amd64) wonder if anyone else is getting the same issue?

@rcoleman-netgate Thank you very much

@jrhjr No problem here, also I don't unplug my WAN cable...
Anyway, one other thing you can try is not failing back to WAN but to another VPN-Client. As far as I have understand you, it is not WAN failing but a VPN-Client. We, in this thread, do use Gateway Groups for VPN-Clients and it is working for us.
And btw. not every redmine ticket/issue is affecting everyone.

@johnpoz Thank you kindly for your assistance, I will have to do some thinking and I will report back when I have resolved the issue.

@viragomann Thank you very much for the reply. It has helped me to learn a little more about myself and the community.

@viragomann

Thanks for the reply.

I'll the setting and give it a test.

@fatherprax no, that's not my problem. I don't use DHCPv6 either. I use RA. My WAN interface requests a 56 prefix instead of just 1 address. and my LAN interfaces are just set to 'track interface' and they get a bunch to give out to their devices.

You can go to https://ifconfig.co/
or do a
curl -6 https://ifconfig.co/
That should work on your machine, if it doesn't, then you don't have a valid ipv6

Can't figure it out.

Since i believe what i need is called router-on-a-stick i made Port 1 to pfSense a trunk.

But no matter what i try in the switch settings i cant open the Slate GUI (10.145.130.1) or the Player (10.145.130.2) on my Workstation.

Port 1: pfSense
Port 3: Slate
Port 6: Workstation

What is the correct setting:
1.png

2.png

3.png

4.png