• WAN provider high packet loss at regular intervals

    4
    0 Votes
    4 Posts
    441 Views
    4
    @preston my ISP is KomMITT in Germany and it makes me wonder because of the timing if one of their devices is restarting or they are kicking the connection off at fixed intervals because of the precision in the timing. The only other thing I note (also only happening after the 24.03 upgrade) when I use duckduckgo browser and search, the first time it fails to connect and then I have to refresh the page and it works.
  • Adding virtual IP completely breaks LAN/WAN connectivity(?!)

    5
    0 Votes
    5 Posts
    441 Views
    R
    I figured it out! This Proxmox host is running on OVHCloud. When setting up the networking, you need to order an additional IP and assign a virtual MAC to it for the WAN side. Any extra IPs must also use that virtual MAC. Once I did that, everything worked perfectly. I'm still not entirely sure why the whole network would crash without the virtual MAC in place, but hey, no complaints here—it's working now!
  • Possible Asymmetric routing between two LANs, for NodeRED

    16
    0 Votes
    16 Posts
    653 Views
    johnpozJ
    @adamambarus said in Possible Asymmetric routing between two LANs, for NodeRED: they should reach each other without gateways right? how would they do that if they are on different networks After I stopped the wifi interface I specifically asked if they were attached to more than 1 network. Why are you hiding rfc1918 space? I don't get it.. Do you think that gives away something.. Would be like telling you hey I live at 123 street, but not giving a city or state or country even. You must have some huge amount of devices on each network using a /16, that is like 65k devices ;) Is that your docker network? Are those overlapping with your normal network?
  • How does policy routing work in pfSense? (behind the GUI)

    2
    0 Votes
    2 Posts
    1k Views
    S
    @senseivita check out: https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#firewall-state-policy
  • 0 Votes
    7 Posts
    746 Views
    GertjanG
    @mhweb said in Netgate firewall ISP gateway is offline and has packet loss, how to fix it?: The problem I'm facing is that I'm getting 100% packet loss in the WAN interface; therefore, the internet connection drops. When you power up two switches, with no cables whatsoever, all the port LEDs will be out on all ports on both switches. You can actually see that there is no connection anywhere. Now, hook up a network cable on one switch to the other switch. Both ports on both switches light up: at this moment a connection exists. A steady, but empty (no real data) carrier is maintained between these two switches. Now you have created a typical situation that can also exist on your pfSense WAN port. The connection is UP, port LEDs are on (indicating the carrier speed) but nothing flows over it. How does pfSense know that the connection actually works? Simple, it sends, every half a second, a ping. And if the reply comes back, the time is used to show this info. And here it comes: what if the IP that pfSense pings decides to stop answering these pings? The "Internet" connection is still just fine, only this one and only IP stops answering you. The reaction of pfSense will be, eventually, that it decides that the connection is 'bad' and it will reset the interface. By default, the first upstream gateway device is chosen as a ping destination, but you can also choose another one yourself, or you can decide not to monitor at all. After all, if your ISP is any good, why would it fail? And problem solved. If, when not monitoring, the connection still doesn't seem to work: the problem is also solved. Do your ISP shopping elsewhere. You are the customer, you decide.
Many customers will make, or break, an ISP. @mhweb said in Netgate firewall ISP gateway is offline and has packet loss, how to fix it?: I called Verizon for them to update the settings to use DHCP for WAN port, and they didn't even know what a router is. That's like buying a new car at the local BMW dealer, and you ask: what type of tires does my new car have? They say "tires"? Normally, in such a situation, get your money back, don't argue, don't say a word, keep being friendly, and go somewhere else asap.
  • Can't route public/29 IP block to VMs on lan

    21
    0 Votes
    21 Posts
    1k Views
    johnpozJ
    @MrHedgehog said in Can't route public/29 IP block to VMs on lan: strip out the virtualisation layer great idea!
  • System logs referencing old gateway

    7
    0 Votes
    7 Posts
    550 Views
    S
    @SteveITS Final update. The issue definitely seems resolved. Thanks again.
  • Routing Internet Trafic over VPN not working

    2
    0 Votes
    2 Posts
    257 Views
    D
    Solution for you guys having the same problem: Create an interface on site A for both OVPN tunnels. Then assign the automatically created gateways in the Gateway Group. Don't forget to do NAT on the Cloud side.
  • [SOLVED] When outbound rule is needed VS not (Route existing)

    2
    0 Votes
    2 Posts
    294 Views
    V
    @Bambos pfSense itself never needs outbound NAT rules. It's rather the outside world that needs it. The point is to enable the outside world to communicate with your local devices, which probably reside inside a private subnet. If the outside world has no route to your subnet pointing to your (VPN) interface IP, you need to masquerade the source IP on outgoing packets with the interface IP with an outbound NAT rule. If you have a site-to-site VPN, the remote site usually has a route for your local subnets. So there is no rule needed then.
  • Load balancing with single Domain name

    1
    0 Votes
    1 Posts
    100 Views
    No one has replied
  • 0 Votes
    1 Posts
    108 Views
    No one has replied
  • SSH cant connect

    13
    0 Votes
    13 Posts
    561 Views
    johnpozJ
    @AndyRH said in SSH cant connect: if it is enabled it is more or less just IPTables If it was iptables or ufw I would agree with you - but this firewalld is zone based.. And such a firewall coming up in a different zone or not any zone would explain his symptoms exactly. https://docs.fedoraproject.org/en-US/quick-docs/firewalld/ "All Fedora Editions install, configure and activate the firewall by default. No further action is required. The only exception is Cloud Edition, which relies on the higher level cloud system." That sounds to me like it's using firewalld and not iptables or ufw, etc. I would see if it's running (systemctl status firewalld); if it is, shut it down (sudo systemctl stop firewalld), does ssh now work? If it is running, you should be able to see what zone it's in and settings with firewall-cmd --list-all
  • Firewall Rules for Blocking PRIVATE IPv4/IPv6 address ingress/egress

    1
    0 Votes
    1 Posts
    184 Views
    No one has replied
  • Dual WAN stuck on tier 2

    2
    0 Votes
    2 Posts
    167 Views
    S
    @jecker Can you show your gateway groups? And example rules? https://docs.netgate.com/pfsense/en/latest/multiwan/load-balance-and-failover.html
  • Multi wan setup routing FFR pf keeps doesn't allow routes to be updated

    1
    0 Votes
    1 Posts
    116 Views
    No one has replied
  • Routing Internet Traffic Through A Site-To-Site Tunnel

    3
    0 Votes
    3 Posts
    202 Views
    F
    @viragomann I think "skip rules, when gateway is down" in system/Advanced/Miscellaneous that you mentioned is the point that i didn't know. Thank you so much.
  • How to set up a failover second WAN in pfSense

    2
    0 Votes
    2 Posts
    377 Views
    w0wW
    @rbthomas Don't know about step by step instructions, but Netgate documentation is pretty good. https://docs.netgate.com/pfsense/multiwan/load-balance-and-failover.html
  • ipv6 routing Hurricane "Prefer IPv4 over IPv6"

    5
    0 Votes
    5 Posts
    505 Views
    LaxarusL
    @Gertjan You are right, the ipv6 adoption here is pitiful. I just wanted to try my hand at it to see what I can do with it. But it breaks my running system, so I will stick with v4 for now.
  • Dual IPSec

    2
    0 Votes
    2 Posts
    176 Views
    M
    @dcreations you can use the FRR package, OSPF and BFD. BFD, with default settings, will try a hello packet every 50ms, and if it loses 3 packets, will switch the traffic to the backup path. You can also set one side to administratively down, and by doing that, you don't need to change the cost at the other side to shift the traffic.
  • Does pfsense support 5G

    2
    0 Votes
    2 Posts
    183 Views
    JonathanLeeJ
    I know the SG2100 only supports the older SIM cards
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.