@dotgate
I'll add a little on my own
c) there is no problem activating these options (if the device allows it)
https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerators.html
https://man.freebsd.org/cgi/man.cgi?qat
however, version 2.7.2 does not include the core modules of the QAT driver
(Intel QuickAssist Technology (QAT) [Plus only])
But, if you build your FreeBSD 14.0 kernel on any test device, you can download this driver manually into the PF kernel (by copying several files)
[image: 1718133204206-1928c0d4-207f-4416-b8ac-1854b2e61e0c-image.png]
If you have a downstream (internal) router with other subnets behind it, pfSense needs a static route to those so it knows where to route traffic.
https://docs.netgate.com/pfsense/en/latest/routing/static.html#example-static-route
@stephenw10
Thank you very much for your analysis and advice!
With the configuration changes mentioned above, I no longer have pfSense blocking. It's a bit of a shame that some settings aren't more “original” configured for a (in my case) 8200.
I'm glad to have found the https://forum.netgate.com/topic/182534/just-purchased-a-netgate-8200-having-a-few-issues/13 topic, which helped me enormously to find a solution to my problem.
EDIT
Last test
[image: 1718113901940-16c681da-6cab-4ad6-b09e-d190ec1fad3f-image.png]
In Status > IPsec you should see traffic on the packet-counters for both P2s. If you don't, they either don't match the traffic or your firewall rules don't.
@stephenw10 Yes, indeed :-). When pinging something continually and the problem occurs it will fail until pfSense+ ages and renews the ARP table entry or, as with my script, any ARP Request containing the layer-2 and layer-3 addresses of the pfSense+ WAN interface is transmitted to the ISP.
Thanks @stephenw10.
Andrew
@Unoptanio said in About Status/DHCP Leases:
"on line"
is still shown. Here :
[image: 1718009737456-7751a241-64e0-4f99-93a7-035954be5abd-image.png]
the green arrows.
And before you ask: "on line" or the green arrow probably means something different from what you might think.
"On line" or the green arrow means : the IP is in the "arp cache". See here Diagnostics > ARP Table
pfSense, or the DHCP server, is not 'pinging' (or something else) every (lease) IP every xx seconds to see if it replies.
Static or not : the admin knows what leases are static, as he set them up as static.
But I get it: why show 'n/a' twice, even if it's true, if the word "Static" implies the same. Not sure why that was changed.
@stephenw10 hahah, but it's good... I believe this comment could be considered as covering the no route problem, or wrong route
"what your pinging either sending its answer to somewhere else"
But I like the clarity of making sure the route is there to send it back to pfSense. Will keep that in mind for the next thread we get about such an issue. Which I know there will be, since it is a common question to be honest ;)
@markdudov said in WAN packetloss:
@stephenw10
In what cases are the gateways dropping ping requests?
Also in the case, for example, when you have your ISP's device (media converter-router) ETH up, and an IP assigned by the ISP's DHCP, BUT PACKETS BLOCKED on the ISP's core level.
That should be fine. And, just to be clear, I would have expected what you did before to also be fine. pkg shows that it sees that as an upgrade and takes appropriate action.
It shouldn't be possible to have two versions of the same pkg installed.