I have no lack of understanding what the issues could be but that wasn't the question :). Either way, I appreciate all that input and I'm sure it will help the next person that finds this. In the meantime, I'm going to use it. Thanks.

I guess it has to match the format required by those services? There's nothing like that built into pfSense but I could imagine something that run on an internal host just to query the WAN IP and then serve it up as those services expect. UPnP should be able to pull the external IP from pfSense if it's enabled. Or maybe and SSH command. Steve

It may or may not be but the important thing is if your package repo was still set to 'latest stable' and not '2.4.4 deprecated' it will have pulled in incompatible libraries causing the errors you're now seeing. To be sure I would probably backup the config and install 2.4.5p1 clean. Or wait for 2.5 at this point and then install that clean. Steve

If the server is configured as SSL/TLS with a tunnel subnet larger than /30 then all values are passed from the server to the client when it connects. As long as the client in pfSense is not configured with 'do not pull routes' then it should get a route to 10.0.0.0/24 when it connects. You can check the system routing table to make sure though. Steve

Is this just a dupe of your other ticket? https://forum.netgate.com/topic/160507/pfsense-and-openvpn

@stephenw10 thanks.

@stephenw10 Hey Steve, Thanks for your answer. No, we do not have any VIPs define on that box. The host is connected to vtnet1 arp: 10.1.0.50 moved from 00:5d:73:1e:58:98 to ea:b5:54:89:1c:9c on vtnet1 arp: 10.1.0.50 moved from ea:b5:54:89:1c:9c to 00:5d:73:1e:58:98 on vtnet1 Ah and thanks for your hint: I was false, the mac is not the interface itself but the cisco asa interface. So i think I know where to search. Prox-arp on cisco This is what the routing is like. Default 10.1.0.50 (ea:b5:54:89:1c:9c ) -> 10.1.0.1 Cisco ASA routed 10.1.0.1 (00:5d:73:1e:58:98) But on 10.1.0.50 we do have a route for 10.1.25.0/24 via 10.1.0.2 which is vtnet1 on the pfsense. So the package from 10.1.0.50 should arrive on the pfsense via vtnet1 and should not pass the ASA. So it should be the proxy-arp on cisco which reply for arp query. There is a NAT rule on the ASA pointing to 10.1.25.2 on which i will disable proxy arp now for testing. This should resolve the problem and proxy-arp is not deeded since I use different networks on each segment. Thanks for your advise.

Yup that^. You can't make that page work for https as long as you have any sort of sane security in your browser. Steve

While I don't see UPnP as an enterprise feature ;) Since + will be free for home/lab use.. In that sort of network I can still seeing people using it. I wish the protocol in its present form should just die to be honest. It was and is a horrible solution..

@overcon The web server will send responses to the default gateway. So if the USG is set as default gateway response packets will not be returned to pfSense and you will have an asymmetric routing issue which breaks TCP connections. You can either set pfSense as default gateway on the web server and some other devices you want to use it, or you have to do SNAT on packets going to theme, so that pfSense traslates the source IP into its own LAN IP (masquerading). However, consequently you're not able to determine the real source IPs of accesses on these devices, which may be desireable though on web servers and alike.

@comet424 @azdeltawye do you set that script to run like every hour? No, that simple script just runs continuously. No crontab needed. The loop timer is set to 300 seconds which is 5 minutes. Five unsuccessful pings takes 25 minutes, reboot of the modem is another 5 minutes, so 30 minutes total for a full reset cycle. You could change the timer settings to whatever works for you, I just picked 5 min because it seemed reasonable... I still run that script on a RPi now but my ISP seems to be much more reliable and it hasn't had to reboot the modem in over a year now. Originally when I first implemented that setup I was being subjected to 70+ outages per year...

How are you connected to your work vpn? On your device? What does that have to do with running a vpn server on your router? So your running a ssh tunnel through your work vpn, to be able to get back to your home network?

@johnpoz Oh yeah Thx for inspiration!! Awesome... Not gonna play with config.xml

@stephenw10 That makes a ton of sense. Will try it out today.

@stephenw10 - I already knew what was blocking it, but it's not dropping anything in the log that helps much unless it's going through google analytics on the way... If it is, I'll live without it....

@amaanx5a said in pfSense becomes unresponsive: The firewall still has to read that traffic, process it and send it back out on all the interfaces. All of that requires CPU cycles. Even if I use a switch? No, if you use a bridge as a switch. There is a common misconception that bridging somehow requires less CPU cycles and won't affect firewall performance for some reason. Not really sure where that comes from but just to be clear it does. If you use a switch the traffic never goes through the firewall and it can happily use all it's CPU cycles for more important things like VPNs. And, yes, use OpenVPN for remote access if you can. It the very least move your webgui to a different port to reduce the drive-by connection attempts. https://docs.netgate.com/pfsense/en/latest/recipes/remote-firewall-administration.html Steve

Ok. Yes, no way to do that as far as I know. Steve

pfSense cannot bridge PPPoE to DHCP. Snort cannot effectively see inside the PPPoE stream. Or at least the signatures are not intended to match that so it doesn't see the traffic as expected. Your options here as I see it are either to not run pfSense transparently. Put the Mikrotik in a private subnet on it's WAN. Or move the pfSense box behind the Mikrotik where it can be setup transparently and still see the traffic outside the PPPoE. Or lose the Mikrotik entirely and using the pfSense as the PPPoE client and router/firewall/IPS etc. Steve

@stephenw10 The past two have been the same. Im going to try different ram.