• Hetzner Root Server > ESXi > PFSense > /29 Subnet

    0 Votes
    15 Posts
    3k Views
    @ashton324 Yes, just like you said. I'm sending you a picture. 64.96/29 is my subnet. [image: ouymqyq.jpg] [image: fvi3uus.jpg]
  • pfsense site-to-site vti tunnel with 1:1 NAT for conflicting subnets

    0 Votes
    2 Posts
    556 Views
    stephenw10
    NATing on the VTI tunnels is one of the noted restrictions: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routed-vti.html#vpn-ipsec-vti-firewall You can only do that by applying it to the assigned interfaces and you can only do that by switching the IPSec filter mode which means you can no longer use policy based IPSec tunnels. You could just add an OpenVPN server at site2 and connect to it directly? Steve
  • Interfaces left over after playing with LAGGs

    0 Votes
    5 Posts
    676 Views
    NogBadTheBad
    Ah:- https://docs.netgate.com/pfsense/en/latest/recipes/migrate-assigned-lan-to-lagg.html "Do not edit the existing tags and change the parent interface, it will cause problems with the interface assignments. Always create new tags, switch the assignments, then remove the old tags."
  • Sharevdi Mini PC - transfers between VLANs

    0 Votes
    5 Posts
    1k Views
    Without topng, darkstat and bandwidthd is much better. See the screenshot below. I'll run a few more tests. Thank you for your help! [image: 1654060805787-02.png]
  • DHCP Pool IPs Left

    0 Votes
    5 Posts
    778 Views
    johnpoz
    @penguinpages well just bump up this mask to something larger so you can have more IPs on this network. Normally going from say to /23 or /22 from /24 is really low impact. Only static set on the devices would have to be touched. Only issue might be if you have other vlans that bump up right next to the ip range. Yeah if you're only allowing for 50 ips in the pool that could be limiting. That number at the bottom would be lease in the pool, static reservations are set outside the pool so those shouldn't be listed. It shows you the active pool size you have set there as well with the start and end of the pool address.
  • Internet Speed

    0 Votes
    2 Posts
    340 Views
    @haidymikhail There are many causes (bad cables, failing NICs, WiFi testing, bad switch configs) that are outside of the software and then a few inside (proxies, intrusion detection). What are the drivers for the NICs? Model of NIC? Are you connecting through switching hardware? The more detail you have to provide the more likely someone can help point you in the right direction.
  • NTP Serial GPS not working in 2.6.0-RELEASE

    0 Votes
    8 Posts
    971 Views
    stephenw10
    It might be 9600bps. Or it might have reverted to defaults causing the problem? The port is a real serial port so it will be cuau0 or cuau1. The upper case U implies a USB connected serial port. Steve
  • Automatic Configuration Backup, overwriting 'manual backups'

    0 Votes
    1 Posts
    212 Views
    No one has replied
  • The best way to get news on new stable releases

    0 Votes
    5 Posts
    1k Views
    luckman212
    @dominikhoffmann I'm late to the thread but you could use my script to have your pfSense notify you when updates are available to the base as well as any installed packages. https://forum.netgate.com/topic/137707/auto-update-check-checks-for-updates-to-base-system-packages-and-sends-email-alerts
  • pfSense Sporadic unable to get to internet.

    0 Votes
    16 Posts
    2k Views
    Thanks all for your help. I just wanted to come back and things seem to now be resolved due to the above steps. Fingers crossed it stays that way. Hopefully some other newb will find this useful in the future.
  • Stupid Freshports question...

    0 Votes
    3 Posts
    727 Views
    stephenw10
    Yup, see: https://docs.netgate.com/pfsense/en/latest/recipes/freebsd-pkg-repo.html pkg uses the pfSense repo by default. Be aware of the issues that can happen by installing FreeBSD packages but using individual packages directly is generally safer as it won't pull in incompatible dependencies. Steve
  • [Zone : Pf frag entries] PF frag entries limit reached

    0 Votes
    4 Posts
    1k Views
    Derelict
    It not only indicates lots of fragments it indicates lots of fragments that were not fully reassembled and disposed of in a timely manner so they continued to occupy a fragmentation entry slot until there were no more available. As has been said the best course of action is to find the reason for the excessive/faulty fragmentation and fix it.
  • OpenVPN - Network Segment - Firewall Rule

    0 Votes
    3 Posts
    620 Views
    stephenw10
    You need a firewall rule to pass traffic from VPN clients coming in over the tunnel. That either has to be on the OpenVPN tab on the firewall rules page or the assigned interface tab if you have assigned the OpenVPN server as an interface. Be aware that the OpenVPN tab acts as an interface group that includes all OpenVPN servers and clients. If you have assigned an OpenVPN interface you usually want the rules on the assigned interface tab and not on the group openvpn tab. Steve
  • Picture widget is not working

    0 Votes
    15 Posts
    1k Views
    johnpoz
    @dmytrokoren glad you got it sorted.. You would almost never have to do a fresh install - unless something crazy wrong that you can not even get to pfsense or something. Or other times it can be a time saver vs tracking down the actual issue causing the problem.
  • ssl issue - no gui

    0 Votes
    4 Posts
    609 Views
    johnpoz
    @koby-peleg-hen well you do you - but I never got why anyone would ever do this.. Did you get it free - if so I could attempt to use one of their certs. Looks like not single domain 78$ for six years. For starters I don't ever see using an actual public domain on my pfsense gui? I own multiple domains, don't use any of them internally.. Pointless to do so.. I use local.lan - but at some point will switch over to home.arpa for local domain. But if did want to use public - why not just use free ACME cert? So did you create the CSR and have them sign it? How exactly did you go about getting the cert and key.. Without some actual details, going to be impossible to help figure out what is wrong. What does the log say? You can setup pfsense to allow both http and https access - so even if the gui doesn't like the cert for some reason, the gui should be available just over http so you can see the log, etc.
  • Unable to access webgui after updating SSL cert

    0 Votes
    3 Posts
    464 Views
    stephenw10
    Forked this to a new thread. Is the gui even running after swapping out the cert?
  • 0 Votes
    7 Posts
    896 Views
    Cool_Corona
    @bmeeks Hi Bill. No blocks as of yet. It's been 23 hrs since reboot and everything is running as it should. No issues with the service behind pfsense since reboot.
  • Routing pfsense dns server dynamic DNS updates through VPN tunnel

    0 Votes
    4 Posts
    655 Views
    @stephenw10 that worked Thanks so much for your assistance!
  • Block network Access with correct Static IP

    0 Votes
    11 Posts
    1k Views
    stephenw10
    @johnpoz said in Block network Access with correct Static IP: @stephenw10 how would that work exactly? You would have to setup static arps for every IP that was possible. And then when you wanted a new device with IP, you would have to remove / edit that static arp.. That would be a real PITA to manage.. Yup. Far more trouble than it's worth! And, yes, it only does anything for traffic going through pfSense obviously.
  • Use 2 interfaces as 1 LAN

    0 Votes
    4 Posts
    606 Views
    @igorbarrosmcz No, LAGGs are meant for binding interfaces to achieve failover, load balancing or throughput enhancement.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.