You welcome and Cool_Corona didn't accidentally ask the bogons, ;-)

Attached logs ? The errors were present before you tried to upgrade to 2.5.0 ? Upgraded from what version ?

@yon-0 said in How to solve ISP blocking remote UDP port?: https://github.com/bol-van/zapret/ Incredible. And impressive, the effort that has been taken to circumvent this 'MITM' thing. Using this tool asks for some serious networking knowledge. It's rather simple to know how much you need : you have to be smarter as those guys that made and put in place this 'DPI' thing. I don't know where you are, @yon-0 , I advise you to move out/away. Btw : DPI on https (TLS/SSL) : forget it, those DPI guys are not human, or aren't using terrestrial resources to do so.

I'm guessing some kind of routing issue. The tracert from both the LAN & WAN interface should be identical as they will be both routing via the same gateway - at least that what's I got when tested on my firewall. Have a look at the routing table of FW1. It's LAN interface (which is the WAN/FW2) may require a static route telling it that 192.168.1.0/24 should be routed via its 192.168.2.1 interface. This would explain why WAN/FW2 works & LAN/FW2 doesn't as WAN/FW2 is sitting on the same subnet as LAN/FW1.

I'm not aware of any issues using AES-GCM dircetly to Azure either. But, yeah, better to start a new thread for that. Steve

Nice. Yeah the automatic outbound NAT setting will NAT all traffic from internal subnets to the interface IP of any WAN type interfaces. But here it was seeing the LAN interface as a WAN so did not NAT traffic from that subnet as it left the actual WAN. Steve

I figured the problem might be with the monitoring part of the setup but that looks fine too. What other info could I provide to shed better light?

@duvel With the work from home restrictions the wife and I saw the need to upgrade our wifi and so I went from an old Asus AC66U and an older Asus used as an extender, to Netgear Orbi (3 station) in AP mode. Immediate improvement both in throughput and coverage. I wish I’d done this ages ago but was not motivated until now. No problems interfacing with pFsense, Sonos, etc.

mystery solved rawtaz in the irc channel suggested killing the state that referred to a rule it should not be referring to. When the state was re-established, it came up referencing the correct rule. The most likely scenario is that when the firewall rules are changed (i.e. adding or removing rules changes the number of the rules), the already established states do not have the rule numbers updated. This is a pf 'issue' and not pfSense since pfSense reads /dev/pf to get the states that match a particular rule.

Next time you reboot, hit Ctrl-T (^T) at the console a few times with some time in between when it's stuck there. See what that prints.

A VLAN is Layer 2 communication , MAC address oriented. The pfSense firewall is a Layer 3 device , as most firewalls are. pfSense filters (allows/deny) based on IP addresses. Your Vlan150 example uses the ip range 192.168.150.xx , so i'll assume the Vlan222 uses. On each interface where you have devices that has to reach hosts in Vlan222 , you would need to allow that "interface ip range" to send packets to the Vlan222 ip range. Ie. the fw rule on the Vlan150 would be : Action pass Interface "Vlan150" Addr Fam IPv4 Proto Any Source Vlan150 net Dest Vlan222 net Now pray that your Vlan222 hosts have def-gw on the pfSense box , or you'll have to play with routes. /Bingo

Thanks everyone for all the replies, i'm gonna try with Rico suggestion, it looks like that's the correct approach.

Thank you for your reply @stephenw10, I am able to ping from lan the dmz but not vice-versa (for security reasons won't be allowed). A-record for the dmz- pc has been manually created into the DNS of the AD. Let me open all ports, and will let you know back. Best, rickey

First check: https://docs.netgate.com/pfsense/en/latest/captiveportal/captive-portal-troubleshooting.html Can you connect to the pfSense webgui? Can it connect out? Do you see available packages for example? Steve

The only thing I would change is where the Netgear router is patched. I would patch it into one of your switches instead of the modem. As pictured, your wireless has no access to your LAN. If that was your goal, then you're fine... otherwise I'd enable AP mode and plug it into a switch. You could go for a more intricate and arguably cleaner design by consolidating down to one switch, running extra cable to each room, possibly setting up VLANs, etc, but that involves time and money. Your current setup is completely functional, so If it's meeting your needs, there's nothing wrong with it.

Unsure. That server is a tween server. On the left side ESXi is installed and the right side was not in use, so got pfSense there as needed several NICs for this setup. I think it could be CPU temps getting too high, as every time I saw pfSense showing them in yellow my network was slow. Interesting is that the other motherboard with the same pair of xeons and 24GB running ESXi 24/7, never had a problem. I can't run tests with that configuration anymore and I didn't get any others suggestions here or on the other two forums I've posted, so replaced the entire box with a spare i5 desktop and it is running very well.

I can confirm, that by cloning the MAC address everything is working !!!! thanks for the support @stephenw10, its much appreciated. Let the fun begin now !

@JohnKap said in (2) Firewalls, (2) different networks, both mostly work, 1 can't get to a specific IP: @ccgllc said in (2) Firewalls, (2) different networks, both mostly work, 1 can't get to a specific IP: Routing table: Works all the way to the last-to-next node, so don't think so - but do you have something specific I can check? I would compare the routing tables on the two devices, the fact that they're on the same subnet they should be pretty much the same. I'm thinking maybe there is an entry there that is confusing witch interface to use when going to those affected ip addresses. Routing tables are as expected: 127.0.0.1 The LAN port & network The WAN port & network No other entries. e.g. There are no "tables" I'm aware of that the firewall would build to direct traffic to a specific IP address that is not part of either its WAN or LAN group - all of those go out the default route on the WAN and passed to the next node to handle (in this case, my ISP).

Maybe that can help: https://forum.netgate.com/topic/151929/pfsense-wan-interface-wont-get-ip-address and check the DHCP log file for what it shows (Status / System / Logs / DHCP)