@DaddyGo Thank you very much for the offer. I am going to try on my own first, before tapping into your expertise. Elliott

@genfoch01 said in can not access pfsense via lan: but it was not connected as i wanted to configure pfsense before i connected it to the wan Hummm. Not really needed - except if you hooked up devices on its LAN that you do not trust at all. And worse : I can happens that you access the GUI with big delays (2 minutes) if the WAN is down. Why skipping 192.168.2.1 ? You did set up the DHCP server on LAN, right ? remove switch from LAN, hook up your PC directly. Set the device using manual IP settings like : IP = 192.168.1. mask 255.255.225.0 or /243 Now you can - should be able - to ping 192.168.1.2 - and connect to the GUI on 192.168.1.2 or, if you're sure the pfSense DHCP server on LAN is set up correctly, connect your PC to pfsense and it will obtain an IP in the 192.168.1.x-y range - the range is the pool of the DHCP server.

@Rapboy2019 After using Packet Capture, as described above, you can download the capture and view it with Wireshark to find the MAC address of the offending device.

Hello @jimp, Sorry for my late reply. Lots to do and this issue was put on hold. Your 1st option was to good one. In the <cert> part for each certificate issued by the CA, the <caref> values were missing. I added the correct caref value on each certificate and re-import the backup file into pfSense. After e reboot, everything was fine. Thanks for your answer. Kind Regards

@Gertjan Thanks you for your suggestion. I will change it and check. Because RTT is in the 10ms - 120ms range, I feel too high.

Important bit: db:0:kdb.enter.default> bt Tracing pid 369 tid 100130 td 0xfffff80016c02620 kdb_enter() at kdb_enter+0x3b/frame 0xfffffe0467e9a160 vpanic() at vpanic+0x19b/frame 0xfffffe0467e9a1c0 panic() at panic+0x43/frame 0xfffffe0467e9a220 trap_pfault() at trap_pfault/frame 0xfffffe0467e9a270 trap_pfault() at trap_pfault+0x49/frame 0xfffffe0467e9a2d0 trap() at trap+0x29d/frame 0xfffffe0467e9a3e0 calltrap() at calltrap+0x8/frame 0xfffffe0467e9a3e0 --- trap 0xc, rip = 0xffffffff80dadc55, rsp = 0xfffffe0467e9a4b0, rbp = 0xfffffe0467e9a4b0 --- strlcpy() at strlcpy+0x25/frame 0xfffffe0467e9a4b0 hn_vf_rss_fixup() at hn_vf_rss_fixup+0x73/frame 0xfffffe0467e9a5b0 hn_rxvf_change() at hn_rxvf_change+0x28b/frame 0xfffffe0467e9a630 in6_update_ifa() at in6_update_ifa+0x111b/frame 0xfffffe0467e9a700 in6_ifattach() at in6_ifattach+0x487/frame 0xfffffe0467e9a840 if_up() at if_up+0x6a/frame 0xfffffe0467e9a880 ifhwioctl() at ifhwioctl+0xaf5/frame 0xfffffe0467e9a8e0 ifioctl() at ifioctl+0x475/frame 0xfffffe0467e9a980 kern_ioctl() at kern_ioctl+0x267/frame 0xfffffe0467e9a9f0 sys_ioctl() at sys_ioctl+0x15b/frame 0xfffffe0467e9aac0 amd64_syscall() at amd64_syscall+0xa86/frame 0xfffffe0467e9abf0 fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe0467e9abf0 --- syscall (54, FreeBSD ELF64, sys_ioctl), rip = 0x802234fca, rsp = 0x7fffffffd188, rbp = 0x7fffffffd200 --- db:0:kdb.enter.default> ps <118>Configuring IPsec VTI interfaces...done. <118>Configuring WAN interface... Fatal trap 12: page fault while in kernel mode cpuid = 3; apic id = 03 fault virtual address = 0x60 fault code = supervisor read data, page not present instruction pointer = 0x20:0xffffffff80dadc55 stack pointer = 0x28:0xfffffe0467e594b0 frame pointer = 0x28:0xfffffe0467e594b0 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 370 (php-cgi) trap number = 12 panic: page fault cpuid = 3 KDB: enter: panic So some issue in the hn driver when it's trying to bring up WAN. Is you WAN configured in some unusual way? You should first try diasbling all hardware off-loading if you haven't done that yet. Steve

@sylvain613 So, you're using the bxe1 for WAN and igb0 LAN1 and igb1 LAN2? Also, could you post Status > System logs > General ... look for things that produced an error. Also, what interface are you using for IDS/IPS ... LAN1 and LAN2? Provide as much info on your setup.

Hmm looks like the APs can ping pfsense. I took turns plugging them in to ping 192.168.1.1 Now I have an entry in the ARP table for both of them and pfsense can ping them. [image: 1596040834523-b303b00c-d54c-48d6-9ead-a11e71d03196-image.png] My desktop still can't ping them or access their web gui. I still can't have both of them connected at once, but I guess that's one problem solved?

For anyone stumbling around in the future, The issue was double NATting on my CenturyLink router that was in bridged mode. I bypassed it completely by plugging directly into the modem and setting the VLAN to 201.

I figured it out! The culprit was Microsoft's new Edge Browser. I tried with Chrome and it worked perfectly. I hope this helps someone else!

Well sure if you can't do dns then internet doesn't work very well ;) Do a simple query from a client with your fav dns tool, nslookup, dig, host, etc. Does www.google.com resolve? Can pfsense resolve - go to diag menu on pfsense dns lookup for say same www.google.com do you get back an IP? Where are you pointing clients for dns? Pfsense IP I would assume? Out of the box pfsense would resolve for dns, vs forwarding.. Not sure what your trying to accomplish with those switches that seem to be doing routing? Where do the clients point for gateway? The switch IP or pfsense? What IP do you have on pfsense in those vlans? Sure hope its not .0?? How exactly are you routing between the switches - you show them connected with their e0/1 interfaces - but you list no IPs on them - is that a transit network? On a side note - why the use of /20?? Such a mask makes no sense in a lab setup, why would you not just use /24s? Makes it much easier to tell where the network breaks, etc.

@JKnott thank you very much for the information and insight greatly appreciated

@stephenw10 said in pfsense drops wan (PPPoe) when using speedtest.net: I assume the I Yes this is VDSL, the ISP device is in bridge mode and pfsense does PPPoe.

FeedBack : There is no hardware failure related issue reported in System logs. I am monitoring the system remotely. CPU usage showing 7%-8%. Memory usage is 27% (out of 4GB RAM). Approx 50-60 users are connected. Waiting for the problem to reoccur.

@stephenw10 - Thanks Steve! I've added those 4 addresses as "other" and I'm sure that will come in handy later on when I need to use those addresses for other purposes. Right now I'm using them only to temporarily solve a strange problem I'm having with two websites not responding to two of my users unless their from address is a different address then my primary one. My ISP is trying to run down this problem but for now this 1:1 NAT workaround is getting the job done. Roy...

I think i have narrowed it down. Your questions about my hardware made me look into my switch a bit more. It is "passively" cooled but as it is in a cabinet it seems it isn't getting enouch airflow. I turned it off for a period of time and back on and i'm getting good speeds with no packet drops. I have already ordered a fan that i can put inside. Thanks for all the help!

@serbus I have a APC UPS and then a APC 7900 PDU connected between them. I do have NUT setup and appears to be working right now. However, next time I am home I am going to manually cut the power and test just to double check. So far so good, as it has now been over 3 hours without a reboot since I forced an automatic system check on reboot. However, I did make some other changes (disabled PIMD, etc.) that may affect the frequency of the reboot. I am fully backed up and hoping for the best, but prepared for the worst. I will reinstall from scratch and restore from backup once I am back on site. I also plan on enabling RAM disks now as well.

@qtwrk Since wired devices work, it's not a pfSense problem. IPv6 relies on multicasts for several functions. As I mentioned, RAs are used to provide address info. All a router does is send out the multicast with the appropriate info. About the only thing that could cause a problem would be bad info. However, that would affect all devices, not just WiFi.

In outbound NAT rules, i specified the Interface address as VIP address, [image: 1595865822151-a19f0df6-9812-48dc-bbeb-104711785854-image.png] Now it works! Solved!

Thanks. I am running fsck now through ssh 5 F.