Yes that does seem like the monitor target was simply not prioritising pings and dropping them under load.

@WhiteTiger-IT Generally you can comply with the official HAproxy documentation. You just need to translate it to the setting possibilities, which you can find in the pfSense web GUI.

@stephenw10 TIME!!!!!!! Leave this with me :)

@stephenw10 @viragomann Thanks.. yes, it was NAT Reflection, thank you very much. All good now.

@AG23 https://archive.nbaset.ethernetalliance.org/wp-content/uploads/2017/05/NBASET-Downshift-WP-1217.pdf

They are presented in the order they are parsed in the config. If it really borthers you you can just manaully reorder them in the config file. There is risk to doing that, obviously. Steve

They are surveying our customers on our behalf, yes.

It should work fine in legacy mode. It make no significant difference to pfSense. Yes, it would have to be a com port the OS can see such that it uses dual console at boot.

Maybe unable to pull repo data for some other reason then. Does pfSense-repoc -N return without error?

Ok, let me see if I can replicate that.

@bmeeks Blocked hosts set to clear in 1 day, Snort blocking kill states is ON. Will keep monitoring for more crashes.

Yes. When gateway comes back up static routes using it are reapplied.

Yeah that module is not compiled against the pfSense 2.7.2 kernel. The instructions for dong so are in that linked thread. Hopefully that other user may be able to re-upload their compiled module.

Some thing on a client sees the gateway reboot and tries to reconnect maybe? Something had previously passed that traffic and the state still existed until reboot?

Hmm, what limit are you hitting?

@marcvb So it's been 7 years, are you still using pfSense and if so how are you managing them?

Use the default values unless you have a good reason not to.

If you have internal clients that try to use DoT by default it may help to enable that. Almost everything will just fall back to unencrypted DNS. If you have clients that _only) use DoT you you need to enable that. Generally that traffic is all internal only so there is little reason to encrypt it.

It will send the local interface address the dhcp server is running on if the pfSense DNS server is listening on it. See: https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv4.html#servers

You can do a lot of things with syslog-ng. You can add multiple destination objects and pass traffic to them based on the source IP. See: https://man.freebsd.org/cgi/man.cgi?query=syslog-ng.conf