Thank you all, problem solved. Was onboard network card. Now i moved my wan to 4xnic and all is perfect. I did also a fresh install because i was not able to delete the pppoe witch had link with my onboard nic.

@MacUsers said in How to pass VLNAs from two seperate interfaces to main Switch?: in my case but will be able to explain why it's a bad idea in general Performance for one - there is no way your going to be able to bridge in software as fast as you can with doing it on in hardware on a switch. 2nd just complexity of configuration. Users can barely understand firewall rules on an interface, let alone on a bridge.. Are you doing the rules on the interface, or the bridge, etc. 3nd would be misuse of a router port.. A discrete interface is way more valuable as actual interface to do routing with, than to try and use it a sub optimal switch port. When switch ports are cheap!!! There are cases when bridge on your firewall makes sense - but to be honest it is almost always would be the last choice if can do it cheaper, simpler and easier config.

@stephenw10 Thank you! :-) I haven't tried the step just yet... family time. I'll get to it over the next couple of days.

First of all, and I should know this already, since I'm a 35+ old IT guy .... Never try to solve issues TIRED ... Second, it always good to have another perspective about your problem. I was so focused on the issue beeing in the proxy level, don't know why. but I was, that I forgot to deep analyse the others, snort and pfblockNG. Althoug I have tried to disable the before mentioned services I forgot to remove the block !!! from the snort, and I forgot to compare the KES cluster IP agains them ... It was only when @stephenw10 mentioned it that I tried all the three: Disable proxy; Disable snort; Disable pfblockerNG; Deleted the blocked IPs on snort; Disabled the proxy setting on server; Tried to access the page, SUCCESS !! Enabled one-by-one until it fails, Snort did it, blocking the port due to a (http_inspec) rule being triggered. [image: 1600534523049-screenshot-2020-09-19-at-17.54.48-resized.png] Again, thank you Stephen for your help. Cheers and stay sage all. JG

When you visit purinaforprofessionals.com it redirects to www.purinaforprofessionals.com which is cname xfbbc.x.incapdns.net. However both IPs should respond to ping so if you are not seeing that it's not an MTU issue. But 576 is ridiculous, you should set that back to the default. Run a pcap for those IPs on WAN while you try to ping them from a client. Do you see the requests leaving? If you don't then check for Snort or pfBlocker etc blocking that on the firewall. If you do and there are no responses then you have an upstream routing issue perhaps or those sites are blocking your IP somewhere. Steve

excellent, I shall make a cup of coffee and knuckle down with some reading.! Thanks again

@above-below_6 We use DHCP... Can’t get through to Comcast... we are trying other things at this point .. Thank you very much for replying, glad you got it figured out... it’s beyond frustrating... I’ll post once we have a solution

There were probably states open already carrying the traffic. Adding the new rule would not have removed those but they would have eventually timed out and been replaced by states with static ports when re-opened. Be aware that static source ports can occasionally be a problem if set for everything like that. If you have two clients behind the firewall trying to connect to the same external IP with the same source and destination ports one will fail. Steve

Have you tried powering off the Comcast router? We've seen more than one case where, when changing routers, the Comcast doesn't update its routing properly, especially if the WAN IP being used didn't change. (e.g. when replacing the client's router) edit: also re: pinging, if the Comcast gateway IP isn't pingable then the gateway monitoring will see it as down.

Hello! Options for notifications, like the Email Reports package for gateway events and script support, have been discussed here : https://forum.netgate.com/topic/155063/notification-on-events?_=1600390142279 My understanding is that pfsense is not an mta, and while is has its own form of "queueing", it will not send notifications if it cannot reach your smtp relay. My preference is to setup a pi along side pfsense as a support server to run things like an mta (postfix, exim, ...), local monitoring (nagios, icinga, ...), and other things that I dont want to burden pfsense with even though it might be able to handle them (squid, nmap, ...). YMMV. John

We've created a feature request/PR against the sudo package that should hopefully mean that there's no more hacking of the actual sudoers file on disk, should it get merged in: https://github.com/pfsense/FreeBSD-ports/pull/936

@M_SCHOFIELD said in OneDrive Upload causing failure: two more CPU cores as well. This is a very good idea, especially if you have a reserve

@leplik said in RRD ho: 2.4.4-RELEASE-p3 (amd64) ....... Proxmox pfctl consumes 100% of one core We know. There was an issue with - mostly - virtual versions of pfSense. It was a FreeBSD 11.2 problem. See old forum posts for what to do. FreeBSD 11.3 solved the issue. Use the latest version of pfSense and you'll be fine.

@justice41 Unless you set the MTU larger than expected, it wouldn't make a difference. You can smaller and it will only affect throughput. So, I assume you set it too big.

Solved

It should automatically boot option 1 from there (the loader menu) when the countdown finishes. What happens? However the default countdown value there is 3 so you have changed a setting there. I suggest you removed any non-default loader.conf values you may have added. Steve

You need to take your server off the transit network... Be it you want it to be a vlan hanging off your downstream router, or a vlan off of your edge router (pfsense).. But currently that network is transit (a network between 2 routers) putting hosts on it that need to talk or get talked too from network via one of the routers lead to asymmetrical traffic flow. Throw another vlan on your pfsense and put your game server there, now you can actually firewall between your downstream networks and the server..

Agree with @Rico. Sounds like ISP issue. If you did want to test something before calling the easiest thing to do it connect a PC directly to the modem and see if you get the same results.

There isn't one currently but it may not be that hard to add. Open a feature request, I don't see anything open for that: https://redmine.pfsense.org/ Steve

@DaddyGo said in New to pfsense: the world is like that now Things are crazy for sure. Stay safe. nd the Lawrence Systems youtube channel I have seen a bunch of Lawrence's videos. They are great for a lot of pfSense and Ubiquiti stuff.