Putting a vpn server behind a edge router can be problematic yes.. Your trouble is making sure you don't run into asymmetrical traffic.. Normally you would put your vpn server into a transit network off your edge.. Running the vpn on the actual edge router is so much easier.

This area of the forum is English, if you wish to post in multiple languages, make a separate post in a language-specific category under pfSense International Support rather than putting both in a single post. That said, there isn't a way to force it to reload the entire config completely from the command line live, but you can do this: cp config.xml /conf/config.xml rm /tmp/config.cache /etc/rc.reboot

I followed this guide to the t and I still could not get my BT box to even connect to the internet. I eventually found it was because of IPv6. I disabled the DHCP server for IPv6 and changed my LAN interface to have "none2 for the IPv6 config type. I hope this helps someone :)

@jmacdonald I have the exact same question and would love to see some comments on it. Thanks! Also, what is the rule to add in order to have "Allow All"? I tried 0.0.0.0/128 but that didn't work.

I am not blaming pfSense. I ran pfSense for quite a few years up until 2016 when I moved. My internet service has since changed at my new house. My old APU2 hardware worked fine with my old 15Mbps cable connection. Now that I am on vDSL I was more leaning towards the issue being hardware related. Unfortunately I did not have the time to do any thorough troubleshooting as I had to have my network back up and running ASAP with my cameras working. Regarding the Routerboard switch, the default settings were applied. I simply unboxed it and plugged it in to the LAN port of the pfSense box. My goal of posting on here was to see if somebody experienced something similar with NEST or other security cameras. I was hoping the setup would be as easy as it was in the past but unfortunately it isn't.

Will do that Thank you both very much!

@jimp Yea I thought about it but I'd like to keep it minimal for now. Just wanted to post the solution here, took me a while to find it. Wasn't obvious to me

Are you running some soft of vpn client setup? Here is the thing out of the box rules on lan are any any... And pfsense will nat all from its lan to its wan IP. So if your WAN network is 10.1.1.0/24 with pfsense wan IP being 10.1.1.1 And your lan network is 10.1.2/24 then all clients will look like they are 10.1.1.1 when they talk to your wan network, ie pfsense wan IP. If I had to "GUESS" to your problem your forcing traffic out some vpn gateway on your lan rules - which we would know if you could post a simple screenshot vs making gifs with zero information in them. Other guess would be you have the wrong mask on your clients and they think that 10.1.1 is the same network as 10.1.2 say example a /8 which is what windows would default mask too, etc. etc. So how about you post up a config of your clients.. Show a traceroute to say 10.1.1.1 and one to 8.8.8.8 And post up a picture of your lan rules - and validate your not using any sort of vpn, and or is your clients pointing to any sort of proxy or using their own vpn client.

Why would you daily reboot your pfSense? -Rico

Thank you, that's actually the way we are currently using it (not with pfsense though) , but because of the quantity of the modems it gets really expensive to have a 4G router for each modem. I love the fact that pfsense is so easy to configure and just works out of the box with 4G modems, just the reboots are giving me headaches now )

I haven't used cacti in years but I seem to recall a FreeBSD+pf or pfSense template around that hit the pf MIBs to track some things like that. If nothing turns up here, search on the Cacti forum.

Well if you dig deep enough you can do whatever you want. You could potentially add a line to the gateway down script that restarts the PPPoE link. It would likely take some trying to get it working as you want though. Steve

You want to be able to decrypt random SSL/TLS TCP traffic, inspect the packet contents and filter based on that? No, you can't do that, short answer. If you proxied the traffic in pfSense you might be bale to do it using custom rules in Snort/Suricata. I've never seen anyone do that though. Steve

It depends on the switches, cables, network load, etc. No you shouldn't lose that amount in your switches.

There is a whole section of the forum related to using the proxy if you have questions https://forum.netgate.com/category/52/cache-proxy It includes squid proxy and such but any questions you have about haproxy would go there as well. Here is some more info on the package https://www.netgate.com/docs/pfsense/packages/haproxy-package.html

I edited the title. Not sure if you can or not, I think that might be time limited. Anyway glad I could help. Steve

working now I have DNS Forwarder enabled not DNS resolver I removed 10.4.0.1 from DHCP Server DNS, and in general / system setup I kept adding the open dns thee under dNS Servers but changing the interface to AirVPN_WAN - opt2 . When I removed this and left both interfaces as WAN the Open DNS works

They don't give you any sort of gateway IP at all? In a point to point connection technically they don't have to but it would be very unusual. So do they give you the expected static IP via PPP or something random? Who are your ISP? Someone else must have hit this is they are reasonably big. You can try just setting any gateway IP and see what happens. As long as it's outside the WAN subnet it won't try to ARP for it. Steve