@DominikHoffmann said in What is the meaning of this dpinger log entry?:

What does this mean

For future reference, see here.

As @stephenw10 noted, the issue is that your immediate gateway (default route) is not reachable. A much more basic problem than what IP you decide to ping.

As for choosing a target, I usually recommend performing a traceroute to 1.1.1.1 or 8.8.8.8, to help choose a target inside your ISP's infrastructure:

traceroute -I 1.1.1.1

Look for an address that is a hop or two inside your ISPs infrastructure and has fairly consistent response times. YMMV.

@stephenw10: Thanks very much! Excellent point!

@stephenw10

THANK YOU VERY MUCH for helping me analyze this weird issue and what finally lead me to solution! Your support and input was amazing! Thank you!

Yes. 😀

Nope, it only blocks connections coming into the WAN sourced from a private IP address:

# block anything from private networks on interfaces with the option set block in log quick on $BT from 10.0.0.0/8 to any ridentifier 12006 label "Block private networks from BT block 10/8" block in log quick on $BT from 127.0.0.0/8 to any ridentifier 12007 label "Block private networks from BT block 127/8" block in log quick on $BT from 172.16.0.0/12 to any ridentifier 12008 label "Block private networks from BT block 172.16/12" block in log quick on $BT from 192.168.0.0/16 to any ridentifier 12009 label "Block private networks from BT block 192.168/16"

Thank you everyone, I figured it was safe to do so but wanted to ask before I committed, much appreciated!

And yes @keyser I am not talking about removing ix0, just the assignment for it.

@Jarhead I could go this route but I'd rather just remove it TBH.

@stephenw10 I'll get that submitted tonight. Thanks for talking through this with me. 🙂

For example using the Network tool in Firefox shows how long it took to open the page and which components took time:

Screenshot from 2024-04-05 13-04-54.png

Other browsers have similar tools.

Ok so only for file transfers? You can access the server correctly otherwise?

Do you see that traffic passed by the correct rule on WAN2?

@Gblenn The patch seems to be working here, as well. Thanks to you and @stephenw10 for your help. Much appreciated.

@stephenw10 --- After making the subnet change to the pfSense LAN, that resolved the connectivity issue. I now have an issue with the NordVPN config, but I'll create a separate thread for that. Thanks again for the help!

The problem lies in the router, I tried another Internetconnection and it works fine. I'll contact my ISP. Thank you for your help!

@stephenw10 I don't want to praise the day before sunset but the new RAM may have done the trick! So far, the router has been stably running for almost a day without crashing!

Thank you for your support and for deciphering the crash report.

@Willever Not sure what happened but reinstalling is probably the fastest way back in terms of clock time.

https://docs.netgate.com/pfsense/en/latest/solutions/netgate-4100/reinstall-pfsense.html
(Free ticket)

https://docs.netgate.com/pfsense/en/latest/backup/restore-during-install.html

Nope filter-reload doesn't clear existing states.

I'm saying if you use the kill states button in the state table page you should refresh the table afterwards to be sure the states were actually killed.

If you use the trash-can icon next to each states it kills by state ID which should always work.

@Wylbur

Again, things connected were continuing to work. Example. If duckduckgo were used for a search, that search would return hits. If clicking on a link in the hits -- would get message couldn't find that server.

So my connection to a mainframe (encrypted interactive session) continued to respond.

T-bird Email continued to fetch and send email.

Don't know what got hosed up.

[BTW did see where there is an SSH exploit -- pfsense susceptible to it?]

@fjmp24
Assuming all these devices are connected via wifi, my approach is to put all within a wifi SSID, which don't need to connect to any other. In this SSID I prohibit communication between stations on the AP.
Access to other network segments is restricted on pfSense, if even any needed.

The checksum is probably because you have hardware checksum offloading enabled. But if it's not that would be a problem.

Those clients are set to sync against stratum 1 only? Seems unlikely.

Yes, if you're using SWAP in 'normal' use there's probably a problem. The biggest use for SWAP in pfSense is to be able to store crash reports should you ever hit a kernel panic. So I would argue that having it mirrored should not really be that important. Should.

Yup, that will require a different bug ticket. We are just discussing how to handle both issues.