@Gertjan you are right, actually WAN GW is 10.125.190.254 as per your advice I changed settings to no interface (wildcard) and relaunched NTP service and everything works fine now, even package manager. All packages are in the place available for downloading. Thank you

@ivanildogalvao said in Redirect traffic to a link using Proxy.: However, from the moment I start using Squid and SquidGuard this does not work, not even with NAT Outbound, Squid always throws http and https traffic to the standard link (WAN1). Hi, Please note this: https://docs.netgate.com/pfsense/en/latest/routing/multi-wan.html Under the LOCAL SERVICE "By default, traffic using a proxy such as Squid will bypass policy routing and use the default route for traffic at all times. It also bypasses expected outbound NAT and leaves via the WAN IP address directly." [image: 1596126704524-3d698f2c-5b4e-4f64-b203-75971e97cfcd-image.png]

Also worth noting is that you were correct - before I reverted my config because all routing was broken and I had no connectivity except on my fallback OPT1 HW interface, I did check the GPS settings and was able to change to 9600. On 2.5x with the baud rate able to be changed, the GPS immediately started working and had a lock, with PPS working and all was well.

Let's not mount that extra drive at boot then but well after the ECL does its thing. Where's a proper place to put the mount command? Would also need to remember to manually save (backup) any changes to the config to the extra drive or perhaps modify another script?

@DaddyGo Thank you very much for the offer. I am going to try on my own first, before tapping into your expertise. Elliott

@genfoch01 said in can not access pfsense via lan: but it was not connected as i wanted to configure pfsense before i connected it to the wan Hummm. Not really needed - except if you hooked up devices on its LAN that you do not trust at all. And worse : I can happens that you access the GUI with big delays (2 minutes) if the WAN is down. Why skipping 192.168.2.1 ? You did set up the DHCP server on LAN, right ? remove switch from LAN, hook up your PC directly. Set the device using manual IP settings like : IP = 192.168.1. mask 255.255.225.0 or /243 Now you can - should be able - to ping 192.168.1.2 - and connect to the GUI on 192.168.1.2 or, if you're sure the pfSense DHCP server on LAN is set up correctly, connect your PC to pfsense and it will obtain an IP in the 192.168.1.x-y range - the range is the pool of the DHCP server.

@Rapboy2019 After using Packet Capture, as described above, you can download the capture and view it with Wireshark to find the MAC address of the offending device.

Hello @jimp, Sorry for my late reply. Lots to do and this issue was put on hold. Your 1st option was to good one. In the <cert> part for each certificate issued by the CA, the <caref> values were missing. I added the correct caref value on each certificate and re-import the backup file into pfSense. After e reboot, everything was fine. Thanks for your answer. Kind Regards

@Gertjan Thanks you for your suggestion. I will change it and check. Because RTT is in the 10ms - 120ms range, I feel too high.

Important bit: db:0:kdb.enter.default> bt Tracing pid 369 tid 100130 td 0xfffff80016c02620 kdb_enter() at kdb_enter+0x3b/frame 0xfffffe0467e9a160 vpanic() at vpanic+0x19b/frame 0xfffffe0467e9a1c0 panic() at panic+0x43/frame 0xfffffe0467e9a220 trap_pfault() at trap_pfault/frame 0xfffffe0467e9a270 trap_pfault() at trap_pfault+0x49/frame 0xfffffe0467e9a2d0 trap() at trap+0x29d/frame 0xfffffe0467e9a3e0 calltrap() at calltrap+0x8/frame 0xfffffe0467e9a3e0 --- trap 0xc, rip = 0xffffffff80dadc55, rsp = 0xfffffe0467e9a4b0, rbp = 0xfffffe0467e9a4b0 --- strlcpy() at strlcpy+0x25/frame 0xfffffe0467e9a4b0 hn_vf_rss_fixup() at hn_vf_rss_fixup+0x73/frame 0xfffffe0467e9a5b0 hn_rxvf_change() at hn_rxvf_change+0x28b/frame 0xfffffe0467e9a630 in6_update_ifa() at in6_update_ifa+0x111b/frame 0xfffffe0467e9a700 in6_ifattach() at in6_ifattach+0x487/frame 0xfffffe0467e9a840 if_up() at if_up+0x6a/frame 0xfffffe0467e9a880 ifhwioctl() at ifhwioctl+0xaf5/frame 0xfffffe0467e9a8e0 ifioctl() at ifioctl+0x475/frame 0xfffffe0467e9a980 kern_ioctl() at kern_ioctl+0x267/frame 0xfffffe0467e9a9f0 sys_ioctl() at sys_ioctl+0x15b/frame 0xfffffe0467e9aac0 amd64_syscall() at amd64_syscall+0xa86/frame 0xfffffe0467e9abf0 fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe0467e9abf0 --- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x802234fca, rsp = 0x7fffffffd188, rbp = 0x7fffffffd200 --- db:0:kdb.enter.default> ps <118>Configuring IPsec VTI interfaces...done. <118>Configuring WAN interface... Fatal trap 12: page fault while in kernel mode cpuid = 3; apic id = 03 fault virtual address = 0x60 fault code = supervisor read data, page not present instruction pointer = 0x20:0xffffffff80dadc55 stack pointer = 0x28:0xfffffe0467e594b0 frame pointer = 0x28:0xfffffe0467e594b0 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 370 (php-cgi) trap number = 12 panic: page fault cpuid = 3 KDB: enter: panic So some issue in the hn driver when it's trying to bring up WAN. Is you WAN configured in some unusual way? You should first try diasbling all hardware off-loading if you haven't done that yet. Steve

@sylvain613 So, you're using the bxe1 for WAN and igb0 LAN1 and igb1 LAN2? Also, could you post Status > System logs > General ... look for things that produced an error. Also, what interface are you using for IDS/IPS ... LAN1 and LAN2? Provide as much info on your setup.

Hmm looks like the APs can ping pfsense. I took turns plugging them in to ping 192.168.1.1 Now I have an entry in the ARP table for both of them and pfsense can ping them. [image: 1596040834523-b303b00c-d54c-48d6-9ead-a11e71d03196-image.png] My desktop still can't ping them or access their web gui. I still can't have both of them connected at once, but I guess that's one problem solved?

For anyone stumbling around in the future, The issue was double NATting on my CenturyLink router that was in bridged mode. I bypassed it completely by plugging directly into the modem and setting the VLAN to 201.

I figured it out! The culprit was Microsoft's new Edge Browser. I tried with Chrome and it worked perfectly. I hope this helps someone else!

Well sure if you can't do dns then internet doesn't work very well ;) Do a simple query from a client with your fav dns tool, nslookup, dig, host, etc. Does www.google.com resolve? Can pfsense resolve - go to diag menu on pfsense dns lookup for say same www.google.com do you get back an IP? Where are you pointing clients for dns? Pfsense IP I would assume? Out of the box pfsense would resolve for dns, vs forwarding.. Not sure what your trying to accomplish with those switches that seem to be doing routing? Where do the clients point for gateway? The switch IP or pfsense? What IP do you have on pfsense in those vlans? Sure hope its not .0?? How exactly are you routing between the switches - you show them connected with their e0/1 interfaces - but you list no IPs on them - is that a transit network? On a side note - why the use of /20?? Such a mask makes no sense in a lab setup, why would you not just use /24s? Makes it much easier to tell where the network breaks, etc.

@JKnott thank you very much for the information and insight greatly appreciated

@stephenw10 said in pfsense drops wan (PPPoe) when using speedtest.net: I assume the I Yes this is VDSL, the ISP device is in bridge mode and pfsense does PPPoe.

FeedBack : There is no hardware failure related issue reported in System logs. I am monitoring the system remotely. CPU usage showing 7%-8%. Memory usage is 27% (out of 4GB RAM). Approx 50-60 users are connected. Waiting for the problem to reoccur.

@stephenw10 - Thanks Steve! I've added those 4 addresses as "other" and I'm sure that will come in handy later on when I need to use those addresses for other purposes. Right now I'm using them only to temporarily solve a strange problem I'm having with two websites not responding to two of my users unless their from address is a different address then my primary one. My ISP is trying to run down this problem but for now this 1:1 NAT workaround is getting the job done. Roy...

I think i have narrowed it down. Your questions about my hardware made me look into my switch a bit more. It is "passively" cooled but as it is in a cabinet it seems it isn't getting enouch airflow. I turned it off for a period of time and back on and i'm getting good speeds with no packet drops. I have already ordered a fan that i can put inside. Thanks for all the help!