@stephenw10 @viragomann

Thanks.. yes, it was NAT Reflection, thank you very much.

All good now.

@AG23

https://archive.nbaset.ethernetalliance.org/wp-content/uploads/2017/05/NBASET-Downshift-WP-1217.pdf

They are presented in the order they are parsed in the config. If it really borthers you you can just manaully reorder them in the config file. There is risk to doing that, obviously.

Steve

They are surveying our customers on our behalf, yes.

It should work fine in legacy mode. It make no significant difference to pfSense.

Yes, it would have to be a com port the OS can see such that it uses dual console at boot.

Maybe unable to pull repo data for some other reason then. Does pfSense-repoc -N return without error?

Ok, let me see if I can replicate that.

@bmeeks Blocked hosts set to clear in 1 day, Snort blocking kill states is ON. Will keep monitoring for more crashes.

Yes. When gateway comes back up static routes using it are reapplied.

Yeah that module is not compiled against the pfSense 2.7.2 kernel. The instructions for dong so are in that linked thread.
Hopefully that other user may be able to re-upload their compiled module.

Some thing on a client sees the gateway reboot and tries to reconnect maybe?

Something had previously passed that traffic and the state still existed until reboot?

Hmm, what limit are you hitting?

@marcvb So it's been 7 years, are you still using pfSense and if so how are you managing them?

Use the default values unless you have a good reason not to.

If you have internal clients that try to use DoT by default it may help to enable that. Almost everything will just fall back to unencrypted DNS.

If you have clients that _only) use DoT you you need to enable that.

Generally that traffic is all internal only so there is little reason to encrypt it.

It will send the local interface address the dhcp server is running on if the pfSense DNS server is listening on it.

See: https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv4.html#servers

You can do a lot of things with syslog-ng. You can add multiple destination objects and pass traffic to them based on the source IP.

See: https://man.freebsd.org/cgi/man.cgi?query=syslog-ng.conf

@chpalmer

Hi everyone, thanks so much for all the thinking and suggestions. I am not sure why, but reading this triggered my brain to say "I have contol of both networks, why not just setup a VPN and see what happens?"

One IPsec VPN tunnel later and all is well in VOIP land here. I don't know what the problem was, but the issue is resolved. It has only been an hour, but so far working reliably.

To answer questions: the Netgate WAN IPv4 address starts: 98.97..
I am prety sure it is publically routable. No trouble setting up the VPN or other inbound connections, though other than this all inbound is just testing/incidental. I may switch the tunnel to not rely on the IP if it changes a lot. Time will tell.

I did not want to put the device outside the Netgate; I could be wrong but I think to do that I would have to take Starlink out of Bypass and end up with a NAT address on the WAN of the pfSense. And I did not see much good in the Starlink router. I am not a huge fan in general for speed, cost or reliability reasons. but any sort of cable/fiber connection due to location is over 100K installation. So . . .

Again, thanks for the help. I still feel like it should have "just worked" out of the box, but alls well that ends well.

Bob

@snigy which model? Netgate has instructions for each, though they have a new $0 installer which is hardware independent.

https://docs.netgate.com/pfsense/product-manuals.html