After further investigation, the ISP was at fault and wasn't able to find a resolution with them. Moved ISPs and the issues went away.

@Charlie48 You can connect two NICs to the ISP box though, I think, but you can only state the gateway on one of them. This would not have any drawbacks, however. I expect, that the DHCP sets also the default gateway. Then just assign the static IP to the other NIC without stating a gateway.

@gld yeah normally pfsense by default will hand out the interface the dhcp server is running on as the gateway, and you can leave it blank - you should kind of see the IP of the interface in the settings just greyed out.. But it seems, that if you switch to kea, and then back this fails.. [image: 1731257211940-other.jpg] Yeah I would say its some sort of bug with moving to kea and then back? But I had moved to kea when it first came out just to see and it was working. But that was back with 23.09, maybe something in 24.03 is flaky... If still doing it when 24.11 drops I will check and see and if not already there put in a bug report. But your the 2nd person I have seen with same sort of issue, no gateway and had switch to kea and then back.

I am totally lost after several tests. If i replace my PfSense by a PC with the same setup IP 192.168.10.99 Gateway 192.168.10.254 DNS 8.8.8.8 I have internet doing well Although the 2 Wans as per first post are OK, the WANGW seems to be not usable. The ckecks I made: WANGW is tier2 of a Group Where WAN2ADSL_DHCP is Tier 1 (failover objective). If I swap Tier1 and Tier2, although WANGW states online, no more access to Internet. I suspect that the Online state of WANGW is wrong so the group does not swap to tier2. If I unplug igb0 which is the WAN plug (associated with WANGW) the state remains Online. I am lost. Help appreciated, many thanks.

@viragomann Thanks I'll have a look

@skoota said in Apple TV - VPN vs. Local Traffic Routing: I am running a Netgate 4200 with pfSense 24.03. ExpressVPN Gives .... Google : pfsense expressvpn. I' uses / played a bit with these instructions a while back, they are pretty accurate. When you are asked to create a Firewall > Aliases, and where the instructions tell you to add a network like 192.168.1.1/24, add just your Apple TV IP, or some IPs that have to use the VPN. More info in the pfSense manual : policy routing.

To answer my own question: The problem is due to TCP packet reordering, which the default TCP stack of freeBSD 15 does not handle very well. The solution would be to activate the RACK TCP stack available in freeBSD. However, pfSense+ has this feature of stock freeBSD disabled. https://freebsdfoundation.org/our-work/journal/browser-based-edition/networking-10th-anniversary/rack-and-alternate-tcp-stacks-for-freebsd/ I created an issue on the PfSense redmine and ask anyone experiencing similar issues to support it: https://redmine.pfsense.org/issues/15813

@McMurphy Both an HAProxy (including a -devel version) and Squid package exist via Package Manager. I could not speak to which would be better for your use case as I have no use for either one.

Any further help here?

@SteveITS I think this 6100 is faulty, this WAN port initially dropped the network in its first year and had to configure WAN2 combo, assumed it was a Spectrum issue but now believe after not able to get it to work on another system, its a faulty interface.

pfSense has no auto updates. If there was an update (upgrade) you have to install that 'manually'. @hebein said in IP Adress blocked, but no idea why: I do not find any hints in suricata blocks, alerts or pfblocker. These can auto update their 'rules'. Was there an such an update recently ? If you have doubts, disable / deactivate them. If the teamviewer connection then works, you know where to look.

@SteveITS Thank you for this idea and comment, I will do this later when I go to the branch and confirm with you if it's working. Thank you

I figured out the isse, the issue was with my UDM pro not with PF sense, the problem was that the interface i was connecting on was set as WAN2 and for some reason is not working, once i set it to wan1 was working fine. Thank you

@frodet All interfaces are treated equally on pf. A wan interface has also gateway configured. While booting you just have a layer 2 switch, with no configured ip anywhere, so it doesn't exist to the ip world. As in all managed l2 switches, you need management process to boot to be able to touch anything. In this case, it is pf itself that must boot up first.

@SteveITS Many thanks for the info about this. Best regards. Gabriel