@stephenw10 Done 😊

@stephenw10

Thanks Steve, I'll open a ticket.

Ok so reviewing the thread are phone still failing to register when using 2.7 with IPSec enabled? Or is it just that calls fail?

Either way look at the SIP traffic from a phone. Check the states and/or run packet captures. Where does it appear? Where doesn't it appear? Is it somehow going over the VPN?

Thanks @stephenw10 appreciate your help!

it didn't allow the picture in the first post, so here goes...
48d57e1a-949e-49fc-92f2-1d7f96893a06-image.png

Ok, have a look into the DOCSIS Telemetry.

I was hell if my ISP rollout the OFDMA to the upstream some years ago. And your problem looks similar.
Idle was nice, but if you use the bandwidth, the error rat grows and grows and with it the retransmission and the latency explode.
It takes month and 2-3 construction sites to get a nice stable connection back.
Have a look into it fist.

Yes that will pass TCP traffic from 192.168.88.39 to any device in the LAN subnet.

I would have to say it's more likely a rogue DHCP server stealing the IP address. That could be at 2 hour intervals.

I would try checking the ARP table on a client when it stops and make sure it's still using the correct MAC address.

@stephenw10

Seems like changing ARP Cache TTL to 60 seconds fixed issue I was observing. Finally I have resolution to my issue such a relief. 😌

Something must have changed. Maybe the app version?

Can you test this behind some other device running pfSense CE to rule out something hardware specific?

If this was breaking whatsapp calls for everyone there would be many, many threads!

How were you testing? From some internal device? That would require NAT reflection. But actual external connections would not.

Since traffic can still reach external sites I'd say more likely a rogue dhcp server.

@stephenw10 Started to work perfectly as soon as I set the outbound NAT!

Thank you so much for your patience and your help! I've been using pfSense for quite some time now and I am slowly learning the ins and outs. Unfortunately sometime when I come to the forum the responders to my questions imply I'm an idiot for asking a question and that it is sorely lacking any relevant information. I guess they don't know we all have to start somewhere and if I was as smart as I should be I wouldn't be asking any questions! 😀

Thanks again for your help.

@zedbra That was an issue that cropped up a while ago. That’s basically the fix.
https://redmine.pfsense.org/issues/13132

Yes the gateway is almost always inside the WAN subnet so most of the IP address will be the same.

@michmoor said in netflow and graylog:

Few things ive been able to do with GROK parsing is not to clean up my unbound log files and create fields that are important to me and good for tracking.

I'm running Graylog 5.2 now, had to build gcc 11.1.0+ from source, it took a few hours in my raspberry pi 4 but it is working :)

@michmoor said in netflow and graylog:

I just dont know how to enrich data using dns for IP lookups but thats ok

I'm using PTR for that purpose, if there is something I can help, just let me know.

@michmoor said in netflow and graylog:

Few things ive been able to do with GROK parsing is not to clean up my unbound log files and create fields that are important to me and good for tracking.

Ow, that is really nice :) If it is possible, can you share how you are getting those statistics from Unbound ?

@NollipfSense I know. Ours is set to reject. We hardly see any spam at all.

@coxhaus said in PFsense hardware recommendation HELP!:

Why 12th gen? Is the CPU instruction set that much different?

It was the OP's choice and I just affirmed...

@uber949 2100 or the new 4200