This should already be solved on your other thread. Once you've added the gateways you can route one group via one public IP and the other via the other IP. Then OpenDNS can respond differently to each group if you need that. But if one groups can be unfiltered you don't even need that. Just pass the OpenDNS IPs as DNS via DCP to the filtered group and allow everyone else to use pfSense (or some other DNS server) to get unfiltered results. Steve

Oh and by the way, @jimp did a great hangout: https://www.netgate.com/resources/videos/server-load-balancing-on-pfsense-24.html :-) -Rico

Do you see that same loss if you ping, for example, 8.8.8.8? If not just edit the gateway and set the monitoring IP to that instead. Or some other external IP. Do you have more than one WAN if not you can disable the monitoring action on the gateway. You will still get data but pfSense won't start reloading stuff if the loss goes over 20%. It seems like maybe the Comcast gateway IP is just not good at responding to pings and it doesn't have to be. If they ping your modem from their end they won't necessarily see that loss. Steve

Thanks everyone above, for helping.

Dude don't know what to tell you but pfsense blocks nothing out of the box... How does the game fail? Does it give you an error, says can not connect to server what? If your running blocking software be it IPS or Proxy - those for sure could be your problem.. But they would LOG it, etc.. Works some times, not works other times points to problem in your wifi network or possible dns issue? If firewall blocking - it always blocks, it doesn't block sometimes and not others. Possible you have issue with connecting to a specific server in the CDN when it fails, etc. Your going to have to give some info if you want help... You have told us nothing really other than it sometimes fails..

@stephenw10 Hey Stephen, Thank you very much for all your attempts at helping me out. I DO appreciate it. I resolved the issue by cancelling my subscription to the VPN service with the flaky client - I mean it won't even clean install ffs. Anyways, I didn't want to leave the thread hanging so thats it - it's done. Problem resolved. I won't disable frag3 for a flaky client that would be ridiculous. The other VPN service I have has a client that works flawlessly and I am tired of banging my head against the wall with level one help-desk agents that have a "upgrade to the latest client" mantra and when that doesn't work wait 3-4 days with nothing on the ticket. PIA is being overwhelmed with customer tickets right now it says so on their ticketing system "unusual wait times" and all that type of language on their site. And this came as a direct result of their latest client release so....they must've pulled a Microsoft and released little better than alpha software as a full version production release. Whatever not my problem anymore. Thanks once again for your efforts. They are appreciated.

@johnpoz Thanks for your help and sorry for the confusion. Have a good day.

hey buddy can you help me on how to set-up opt1 and opt2 and wan with the same gateway.

Yes. Logging to an external logging system is expected if you want more than basic debugging tools. I have used many "enterprise" firewalls and we never depended on them to store anything but the most cursory of logs on the devices themselves. We always logged to something external if anything historical was desired.

@akuma1x simply because you don't want to keep in memory what customers is using what addresses. It's a bit difficult when you get up to 400+ customers divided on 4 addresses, it's much easier installing some kind of load balancer dividing all traffic on several setups. but sure enough it would work, if you wouldn't mind a bit of hassle.

The SG-5100 is now at 699.00 vs 799.00: https://store.netgate.com/SG-5100.aspx

You mean this one : [image: 1551371058513-4a228a85-d762-41e8-8242-d5669f041918-image-resized.png] Did it showed available packages in the past ? It never showed any packages ? Have a look at your : [image: 1551371168695-896fba38-6eda-48cd-b35e-5eb9dbbbc225-image.png] You see the "Version information updated at Thu Feb 28 15:45:56 CET 2019" ? What is your date / time ? The question that takes care of 75 % of all "can't upgrade/update/install packages" cases : you broke the DNS, so pfSense itself can't reach out to the Internet anymore. Repair or undo your DNS settings - go back to the "always works" mode : the one that was present by default. If not, you are lined up for the conquest : "Asking a question without any useful information"

It's true and easiest disabling the DNS for DHCP clients. Thanks for all.

After contact with microsoft helpdesk I found the solution for me. For future reference: I had to turn on mss clamping and set it to 1350. This is also in the advanced IPSec settings Maybe this settings was defaulted after an update? I wasn't the one who configured it in the first place, so I wouldn't know for sure. I made sure to match my settings to this document https://docs.microsoft.com/nl-nl/azure/vpn-gateway/vpn-gateway-about-vpn-devices @stephenw10 Thanks for the reply, I had this disabled already, but the pointer was appreciated

I am having this issue as well, looks like there is a bug open: https://redmine.pfsense.org/issues/8987

@kennethw said in Pfsense 1: 1 to the outside with all_ports open.: I have entered externally with all ports open via a rule ip. What does that mean in English? Have you gone through the port-forward troubleshooting guide? https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting Post some screencaps of your config if you want someone to help you.