ok resolved https://forum.netgate.com/topic/161221/proxmox-ovh-no-route-added-to-gw-after-upgrade-to-2-5-0/3

Thank you

Well yeah, which I clearly stated beginning of this thread that you would need a gateway and routes to your downstream networks https://forum.netgate.com/post/965347 I had to go under System>Routing>Gateways and created a LAN Gateway pointing to the 10.100.10.3 device So your still using 10.100 as your transit?? Again this is wrong!!

@vbman213 You'd have to look at the traffic. If s_port and d_port are always 5060 you could restrict the port in the rule, but often on the return trip the d_port will be some random port (the originating s_port), so port filtering will be impractical. In any event, you'd be filtering inbound on your providers IP address(es). And, now that I'm thinking about it I'm not sure how NAT will behave, if at all. I honestly wouldn't try it unless there really, really, really, wasn't any other choice and you had the time and patients to mess with it. TCP, if you can use it, should enhance reliability and security. Trying not to keep state on UDP will cost you time, possibly degrade security, but maybe solve your issue without having to reconfigure clients. The right tools for the job are TCP for the SIP protocol, and UDP for the RTP streams. I'm not sure what the vendor rational is for UDP as a default... other than maybe using one protocol type for both use cases, and RTP over TCP would end badly.

@wifi-will bump

@viktor_g Thank you. The patch is working fine. [image: 1613952039098-2021-02-22_00-59.png]

@viktor_g Hi, yes, seems to be pretty much exactly the same. Sometimes I ask myself if netgates quality crontrol takes a week off before releasing... I mean - IPv6 static routes, complex changes and bugs in handling of the ipsec connectsions.... these are mandatory things, and I don't think the issues are only related to the community edition, or are they? Cheers 4920441

@pfsense16v My issue was not with my main WAN connection. It was with a backup WAN2 connection via a 4G router where the router would not pass IP to the pfsense correctly after upgrading the firmware. The issue was resolved by changing the 4G router on the WAN2 for a Zyxel LTE3302-M432 4G router.

*** UPDATE *** I tried a fresh install of 21.02 and still had the same WAN dropping issues. I re-installed 2.4.5 p1 and my WAN connection is rock solid. No issues. Hoping to hear of a resolution soon before I attempt the upgrade again.

@traveller Thank you. Don't know how I missed that. Indeed, forcing a monitoring IPv6 address fixes the issue.

@taytos said in Speedtest upload always 0.1mbit when using pfsense as gateway: VirtIO FWIW https://docs.netgate.com/pfsense/en/latest/virtualization/virtio.html

@viragomann Thank you again for the most recent reply. I did a packet capture on the LAN and it appears pfsense did not release and update its assigned domain. I initially had my public domain assigned to pfsense, but changed it to local. It reflects local on the header when I log in, but the packet capture shows it looking for the A record on the IP of my public server. Is there a specific way to make the pfsense box release and take the new domain? I cannot understand why this does not affect my PC accessing the NAS boxes. Additionally, the NAS populates the setup box with the IP address of the other NAS - so I know it can see it. The NAS locator software also locates the boxes on the network with no issues.

@jeffv I have a similar issue after upgrade to 2.5 today. Wan says offline packetloss 100% Also using BT FTTP WAN DHCP.

@vbman213 I don't know if this will help any. I've been running SIP through pfSense for more than 12 years now and have come across various difficulties that I've mostly beaten into submission at this point... although, the maturity of all the moving pieces has helped a lot along the way. The following laundry list is not specific to your issue, just something to review and consider what the impact would be, if any, in your specific setup. SIP challenges IP layer addresses/ports are written in Application Layer headers. PBX may be trying to mitigate problems by predicting the public address of a server on a private subnet. It’s important to understand what behavior is enabled and determine if it’s suitable to the architecture, including all edge cases. SIP application layer header rewriting rules may be required, and if so, care must be taken to mitigate issues with edge cases When STUN is in use there will be problems if it’s used incorrectly; i.e. reached through wrong path, returns wrong answer. Care must be taken to avoid race conditions if/when failovers can dynamically change the public IP. Out-of-Band SIP application protocol negotiates a transport stream protocol with specific IP layer address/port pairs. Usually this is implemented by opening a static block to be utilized for S/RTP port assignments, rather than synchronizing the negotiation with rules dynamically. This pool MUST be synchronized with the PBX. You need to be clear on which side can initiate the S/RTP stream so the rules are in the right place. Packet filters generally can’t distinguish separate application layer streams over UDP, so a SIP REGISTER (outbound) will enable a SIP INVITE (inbound) to PASS even when there is no functional inbound rule, as long as the State continues to exist (assuming both sides are using port 5060). SIP should be implemented over TCP since the control protocol benefits from being reliable. S/RTP streams should be implemented over UDP because reliability is undesirable. In real time applications, packets arriving late or out of order have no value. You can’t play audio packets out of order, and can’t hold up real-time streams for retransmission of lost packets without introducing an unrecoverable delay. Reliable tunnels can exacerbate the problem, and certainly will contribute to judder. Real-time traffic needs to basically follow a now or never pattern. Silence is not golden. In some configurations, silence, like muting a phone while on a conference call, will cause no S/RTP packets to be sent. I’ve had issues with silence lasting more than 5-minutes causing the call to terminate. It appears that something in the path decides to timeout if no S/RTP packets are received for 5-minutes, and declares the call to be abandoned. Firewalls may expire state table entries considered stale even though the call is active from the application perspective. There is usually an option to “generate silence packets” which actually creates packets with pseudo-background noise, which then maintains a consistent S/RTP stream and lessens the likelihood calls will drop due to S/RTP timeouts. FYI: I’ve seen some phones that were too smart for their own good; generating silence packets when the audio was silent, but as soon as Mute was activates the S/RTP stream stopped anyway.

I noticed this was fixed in 2.5/21.2: https://redmine.pfsense.org/issues/10546 "In this case, pfsense will consider a gateway down when it has actually returned to a normal state, necessitating administrator action to return it back to a proper state."