@orangehand The parent interface is mvneta1; see step 6 in the instructions.

In addition to what mcury said the switch has 4 ports. When you're configuring the switch it's only dealing with those 4 ports not the others. See the picture for the 3100 in the upper right on this post, the 2100 is the same idea.

@daddygo Thank you for your answer.
The ISP box give mi a private IP LAN side and have a DHCP ranomly allocated public IP fiber wan side.
I will try to dig deeper in the Pfsense wan log to see if I can detect the problem

Another thing... I call it a Fiber Modem because it modulate between ELECTRICAL datas signal TO LIGHT datas signal, old phone line modem was modulating between electrical and sound datas.
But a the end, its a Fiber router also.

@fabiensch said in Gateway "dynamic":

It's curious that this "dynamic" gateway was created because my LAN interface is in static IP ... not DHCP or PPPoE

If you have a gateway you want to get to via your lan interface, this would be done via setting up the gateway, not by setting a gateway on the actual lan interface.

It is odd if your saying your lan is set as static..

Make sure the gateway is not actually set on your lan interface, this will cause pfsense to think your lan is actually a wan interface, etc.

If you have a router downstream of your lan, then create the gateway in routing / gateways - and then setup whatever routes you want to use that gateway with.

@jonthewise said in pfSense replacing a Cisco Router - not acting as expected:

It would seem most people that use pfSense either connect to a layer 1 network, or actually know something about networking (okay, I know a little bit, but mostly just enough to get myself into trouble LOL)

That should say layer2, but when I try to edit it's flagging my post as spam and won't let me save

@jcubillo
Replying to myself since a friend found this answer and might help somebody else in the future:

"""
You need to install the System Patches package: https://docs.netgate.com/pfsense/en/latest/development/system-patches.html
And apply Patch ID 7dbe76cd5756082cbd67db1b93acb606ad84996e

Then you need to reinstall the FRR package.
see https://redmine.pfsense.org/issues/11290#note-12
"""

This is from:
https://forum.netgate.com/topic/162722/frr-doesn-t-follow-carp-after-2-5-0-upgrade/8

I did exactly that and now Zebra follows the CARP VHID status.

@phurious those all look like out of state blocks.. they are all R or FA, etc. I don't see any Syn blocks.

If you renabled the firewall while it would be expected to see out of state traffic until the devices all recreate sessions with syn and new states are created.

@pille99
hello again.
what i completly forgot to mention. the external IP is bound to a MAC. so, the esx has the interfaces with MAC configured and working. as i have seen, the mac address can only be entered at the interface page.

@dutch317 I ran into this, looks like pfsense writes the config file incorrectly?

edit /var/etc/miniupnpd.conf file, look for the listening_ip line, on my install there were 2 lines, one line per interface. This is incorrect.

The format is one listening_ip= line and then the interfaces separated by a space. I changed my file to have this,

listening_ip=igb1 igb3

then I went into the gui for miniupnp service and restarted. The interface index not matching errors went away. Hope this helps.

Hi @andyp, did you resolve this?

I also have this issue with a Vodafone broadband line - that assign a single static IP and routed IPs but DHCP does not deliver the static.

Thanks.

@milenkoc Thank you very much

RESOLVED:

Answering my own thread to give the solution for other people looking into this problem in the future.

Just for the reference this is all for the pfSense plus 21.05.2-RELEASE.

For some reason this will work if you change the Firewall filtering to be done at the VTI interface level instead of at the enc0 interface level. You can change this if you go to the VPN -> IPSec select your Routed VTI phase 2 connection settings and got to the Advanced and change the "IPsec Filter Mode" setting to "Filter IPsec VT on assigned interfaces, block all tunnel mode traffic".

Note: Of course with this setting you will have to go to the Firewall -> Rules and add the necessary ruled under your VTI interface tab (that just showed up instead of the IPSec tab that was there by default when filtering was being done at the enc0 interface level).

Note2: this will only work if you have only Routed IPSec connections and will break all your policy based IPSec connections.

@viragomann said in WAN Failover on packet loss:

What pfSense indicates as member down depends on the configured threshold settings.

If you're not happy with the preset values go to System > Routing > Gateways, edit the gateway settings, display the advanced options and change it to fit your needs.

Sweet. Thanks. Missed that knob.

@johnpoz Thank you. That was it.

@popquiz so with your any rule on lan.. There should be no reason you should not be able to talk to anything on opt2 no matter what the IP is.

Your saying from device on lan you can ping opt2 pfsense address 204.150.150.145?

But you can not ping a device on this network, say .146

Can pfsense itself ping this .146 address?

If so I would suggest a sniff - from your lan device get a ping going to the .146 address, do you see pfsense sending that out on opt2?

You can do a simple packet capture under the diagnostic menu, on the opt2 interface. If you see traffic going out the opt2 interface.. But no response - that points to this opt2 device not pointing to pfsense .145 address as its gateway. Or it is running a firewall.

@lfred yeah in the data sheet they use the term "Layer 2+/Lite L3 features"

If you would of just used it as L2 and done routing on pfsense between your vlans/networks you would of had far less trouble..

Routing at the switch level is almost never needed in any sort of home setup.. Unless what you have doing your routing is not really capable of routing at wirespeed.. And you really want some devices on their own vlans. But your really going to have way less ability to actually firewall between these segments. Even with a fully managed L3 switch, I have one the ability to limit traffic between these vlans is difficult and convoluted.

If you want to try vlans again - there are many entry level smart switches that can do vlans in the $40 price range.. which prob way less than that netgear you had.