Sorry for the delayed answer. @Gertjan That diagram is just to represent how it was before I change Time Capsule from that Site A to Site B, now both devices are in 10.0.10.0/24. The idea that I tried to pass it was to show you that it was indeed two differente physical NICs per device. Both Firewalls, have DHCP servers in place, but 10.0.0.0/24 uses WS DHCP server, and all of those are working properly for months/years. In 10.0.10.0/24, there is at least one device with a local setup IP (10.0.10.6). But not signed for those two IPs, and I have already changed from static to dynamic IPs in DHCP server but got the same result. Its like both devices have been assigned with the same IP, but it was not, so I really dont know why its happeaning. After 3 days being massively spammed by arpwatch, it stops, Time Capsule using the right IP. Since I am not physically present in that site, I can only assume that someone have turned off that Apple TV. @stephenw10 I have made that several times. I didnt made any sniff attempt, but next time I will have to do it, because it wasnt normal. If I got this issue again, I will let you know, even if I find the reason for this to happean. Thank you all for the help, always appreciated!

Thank you for your detail information. I will try it.

@Gertjan I have 8.8.8.8 1.1.1.1 I am not new to networking, just new to pfsense and firewalls

CARP is for a high availability setup, where at least two routers are sharing a virtual MAC. @cl1nt said in Arp Issue - No wan: The MAC not change. So it's strange that it resumes working though.

@pedro1x You will have to create a VLAN in pfSense for the guest network and create appropriate rules, etc.. You need a matching VLAN on the AP for the 2nd SSID. A managed switch will keep the VLAN off other parts of the network, but that's not essential. You do that by configuring the switch so that the VLAN only goes to the port that the AP is connected to.

@heper said in NAT couters in pfSense: from shell: root@pfSense.lan]/root: pfctl -vvsn @8(0) nat on vmx1 inet from 10.123.0.0/24 to any -> 192.168.0.203 port 1024:65535 [ Evaluations: 194138 Packets: 47019367 Bytes: 51593880791 States: 79 ] [ Inserted: pid 20145 State Creations: 31883 ] Thanks a lot @heper

hello guys thank i will debug with the above as i am curnntly away from the setup and. the clinet is using Ethernet if i connect the same port same cable to another PC i dont have any issues

Hi Folks, FYI bug is back and reported as https://redmine.pfsense.org/issues/10812 Cheers

Hi, check out the great pfSense docs about Multi WAN: https://docs.netgate.com/pfsense/en/latest/routing/multi-wan.html https://www.netgate.com/resources/videos/multi-wan-on-pfsense-23.html https://docs.netgate.com/pfsense/en/latest/routing/troubleshooting-multi-wan.html -Rico

Thank you for your support. I will check the wan quality graph and report to my ISP. Do you know why the router provided by them, don't lose the connection? Is their equipment prepared to accept the "bad" connection quality? Best regards

@stephenw10 this was the best application for the mobo, CPU, and some memory I had lying around. Plus, I got sick and tired of all the limitations of the stock gateway from Centurylink. pfSense is so much better now that it is running as expected. [image: 1596410330384-7cd2741f-aeec-4d0a-a026-36e1e56c3ab0-image.png] Being able to set things up the way I want them to be and control cross VLAN traffic is precisely what I wanted. And I did not feel like spending money on some hardware FW appliance with all the issues they usually run into.

Unfortunately there isn't (yet) ab MBIM or QMI driver for FreeBSD and hence pfSense. I would expect the current Sierra devices to work if they present a known USB PID and u3g recogises it. But limited to AT connection interface. Steve

@stephenw10 said in Sourcing default firewall blocks: TCP ack packets Makes sense. Thank you very much.

In addition to that, there have been amplification attacks based on ntp. So using an external service increases your attack surface in any future possible breach attempts. Best security practices dictates to use as less external services as possible. Same goes for dns and forwarders. (and the beauty of running a stratum 0 ntp server, over pps, remains with the few who have attempted the task. Now, I wish datacenters had glass roofs so gps could work on top of racks.. :)

Internet is back. Aug 1 10:15:24 dpinger WAN_DHCP XXX.YYY.128.1: sendto error: 65 Aug 1 10:15:27 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr XXX.YYY.128.1 bind_addr XXX.YYY.144.93 identifier "WAN_DHCP " Aug 1 10:15:32 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr XXX.YYY.128.1 bind_addr XXX.YYY.144.93 identifier "WAN_DHCP " Aug 1 10:24:53 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr XXX.YYY.128.1 bind_addr XXX.YYY.144.93 identifier "WAN_DHCP " Aug 1 10:24:53 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr XXX.YYY.128.1 bind_addr XXX.YYY.144.93 identifier "WAN_DHCP "

@1OF1000Quadrillion Okay.

@justice41 Yeah, you'll most likely have to search for FreeBSD support on that card, like you said. Maybe one of the pros here can comment. I don't have any 10Gb networking gear, so I can't say for sure on that one. Here's an old post from the forum: https://forum.netgate.com/topic/128108/new-firewall-with-10gbit-asus-xg-c100c-help-needed Jeff