To answer my own question: The problem is due to TCP packet reordering, which the default TCP stack of freeBSD 15 does not handle very well. The solution would be to activate the RACK TCP stack available in freeBSD. However, pfSense+ has this feature of stock freeBSD disabled. https://freebsdfoundation.org/our-work/journal/browser-based-edition/networking-10th-anniversary/rack-and-alternate-tcp-stacks-for-freebsd/ I created an issue on the PfSense redmine and ask anyone experiencing similar issues to support it: https://redmine.pfsense.org/issues/15813

@McMurphy Both an HAProxy (including a -devel version) and Squid package exist via Package Manager. I could not speak to which would be better for your use case as I have no use for either one.

Any further help here?

@SteveITS I think this 6100 is faulty, this WAN port initially dropped the network in its first year and had to configure WAN2 combo, assumed it was a Spectrum issue but now believe after not able to get it to work on another system, its a faulty interface.

pfSense has no auto updates. If there was an update (upgrade) you have to install that 'manually'. @hebein said in IP Adress blocked, but no idea why: I do not find any hints in suricata blocks, alerts or pfblocker. These can auto update their 'rules'. Was there an such an update recently ? If you have doubts, disable / deactivate them. If the teamviewer connection then works, you know where to look.

@SteveITS Thank you for this idea and comment, I will do this later when I go to the branch and confirm with you if it's working. Thank you

I figured out the isse, the issue was with my UDM pro not with PF sense, the problem was that the interface i was connecting on was set as WAN2 and for some reason is not working, once i set it to wan1 was working fine. Thank you

@frodet All interfaces are treated equally on pf. A wan interface has also gateway configured. While booting you just have a layer 2 switch, with no configured ip anywhere, so it doesn't exist to the ip world. As in all managed l2 switches, you need management process to boot to be able to touch anything. In this case, it is pf itself that must boot up first.

@SteveITS Many thanks for the info about this. Best regards. Gabriel

@planetinse I'm not a vmware expert, but the default route is pointing to vmx0 and 5.45.176.224 pointing to vmx1

@jimeez said in Dual WAN Fail-over Issue - Tier 1 WAN frequently failing upon activation of the second Tier 2 WAN: I also enabled UPnP & NAT-PMP. Whatever happened, everything is back to normal. Better than normal actually. Good deal. Just a guess but I would think that UPnP and/or NAT-PMP would help. Thanks to you and @chpalmer for solving this issue!

@DaHai8 Works! Just had to find the correct client ip address to create a routing exception in ServerB ! Woohoo!

@OffstageRoller Could you post a link to the guide, I am wanting to do this very thing. Thanks!

@preston my ISP is KomMITT in Germany and it makes me wonder because of the timing if one of their devices is restarting or they are kicking the connection off at fixed intervals because of the precision in the timing. The only other thing I note (also only happening after the 24.03 upgrade) when I use duckduckgo browser and search, the first time it fails to connect and then I have to refresh the page and it works.

I figured it out! This Proxmox host is running on OVHCloud. When setting up the networking, you need to order an additional IP and assign a virtual MAC to it for the WAN side. Any extra IPs must also use that virtual MAC. Once I did that, everything worked perfectly. I'm still not entirely sure why the whole network would crash without the virtual MAC in place, but hey, no complaints here—it's working now!

@adamambarus said in Possible Asymmetric routing between two LANs, for NodeRED: they should reach each other without gateways right? how would they do that if they are on different networks After I stopped the wifi interface I specifically asked if they were attached to more than 1 network. Why are you hiding rfc1918 space? I don't get it.. Do you think that gives away something.. Would be like telling you hey I live at 123 street, but not giving a city or state or country even. You must have some huge amount of devices on each network using a /16, that is like 65k devices ;) Is that your docker network? Are those overlapping with your normal network?

@senseivita check out: https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#firewall-state-policy