@stephenw10 Ok, thanks

Yup, you don't need support to get the firmware images. 👍

https://forum.netgate.com/topic/186556/how-to-run-pkg-upgrade-from-diagnostics-command-prompt/20

echo /etc/rc.initial >> ~/.tcshrc.local

Strange, it was doing it middle of the night, no one was using internet or was logged in to the firewall....

No errors sice then, all seems to be good

@dotgate
I'll add a little on my own
c) there is no problem activating these options (if the device allows it)

https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerators.html
https://man.freebsd.org/cgi/man.cgi?qat

however, version 2.7.2 does not include the core modules of the QAT driver
(Intel QuickAssist Technology (QAT) [Plus only])

But, if you build your Freebsd 14.0 kernel on any test device, you can download this driver manually into the PF kernel (by copying several files)

1928c0d4-207f-4416-b8ac-1854b2e61e0c-image.png

When you restore the config if should pull in any packages that were installed as long as it has access to the repo.

If you have a downstream (internal) router with other subnets behind it pfSense needs static route to those so it knows where to route traffic.

https://docs.netgate.com/pfsense/en/latest/routing/static.html#example-static-route

@stephenw10

Thank you very much for your analysis and advice! 😊

With the configuration changes mentioned above, I no longer have pfsense blocking, it's a bit of a shame that some settings aren't more “original” configured for a (in my case) 8200.

I'm glad to have found the https://forum.netgate.com/topic/182534/just-purchased-a-netgate-8200-having-a-few-issues/13topic which helped me enormously to find a solution to my problem.

EDIT

Last test

16c681da-6cab-4ad6-b09e-d190ec1fad3f-image.png

Yes, exactly like that.

@Teddy thanks that's what I was looking for and it works in version 2.7.2

In Status > IPSec you should see traffic on the packet-counters for both P2s. If you don't they either don't match the traffic or your firewall rules don't.

@stephenw10 Ok, thanks)))

@stephenw10 Yes, indeed :-). When pinging something continually and the problem occurs it will fail until pfSense+ ages and renews the ARP table entry or, as with my script, any ARP Request containing the layer-2 and layer-3 addresses of the pfSense+ WAN interface is transmitted to the ISP.

Thanks @stephenw10.

Andrew

@Unoptanio said in About Status/DHCP Leases:

"on line"

is still shown. Here :

7751a241-64e0-4f99-93a7-035954be5abd-image.png

the green arrows.

And before you ask : "on line" or the green arrow means probably something different as what you might think.

"On line" or the green arrow means : the IP is in the "arp cache". See here Diagnostics > ARP Table

pfSense, or the DHCP server, is not 'pinging' (or something else) every (lease) IP every xx seconds to see it it replies.

Static or not : the admin knows what leases are static, as he set them up as static.
But I get it : why showing 'n/a' twice, even if it's true, if the word "Static implies the same. Not sure why that was changed.

@stephenw10

Yes.

Kids_Devices Host(s) 10.10.10.50, 10.10.10.51, 10.10.10.52, 10.10.10.53, 10.10.10.54, 10.10.10.55, 10.10.10.56, 10.10.10.57, 10.10.10.58, 10.10.10.59…

@stephenw10 hahah, but its good... I believe this comment could be considered as covering the no route problem, or wrong route

"what your pinging either sending its answer to somewhere else"

But I like the clarity of making sure route is there to send it to back to pfsense.. Will keep that in mind for next thread we get about such an issue. Which I know there will be, since it is a common question to be honest ;)

What error do you see when you try a DNS Lookup?

Are clients using pfSense for DNS?

Is Unbound running?

@markdudov said in WAN packetloss:

@stephenw10

In what cases are the gateways dropping ping requests?

Also in case for example, when You have Your ISP's device (mediaconvertor-router) ETH up, and assigned IP by ISP's DHCP, BUT PACKETS BLOCKED on ISP's core level.

That should be fine. And, just to be clear, I would have expected what you did before to also be fine. pkg shows that it sees that as an upgrade and takes appropriate action.

It shouldn't be possible to have two versions on the same pkg installed.