• Migrating from sg3100 to an i5 firewall

    Moved
    8
    0 Votes
    8 Posts
    902 Views
    A
    Thank you all for the insight. The XML file and modifications worked great.
  • Possible to get email alert on authentication failures?

    5
    0 Votes
    5 Posts
    810 Views
    KOM
    @nguser6947 You can also create some LAN firewall rules to prevent access to WebGUI by anyone except your workstation.
  • Radius IP Issue

    1
    0 Votes
    1 Posts
    377 Views
    No one has replied
  • Suppress "arp: is using my IP address"

    logging
    7
    0 Votes
    7 Posts
    2k Views
    AndyRH
    Downtime at my house is not a thing. It has been booted after this started and has only been up 23 days... embarrassingly short time... I just now got around to asking if there is a way to stop it. Thank you for the suggestions.
  • Possible routing loop? Routing loop diagnostics

    4
    0 Votes
    4 Posts
    529 Views
    stephenw10
    Yes. What about to a different public IP? If you are hitting something odd in the route you may not hit that to a different target.
  • Packages not updating

    20
    0 Votes
    20 Posts
    2k Views
    DaddyGo
    @akegec said in Packages not updating: I remember how it used to be, no contracts and lawyers, we just used a hand shake to make a deal without any problems. EXACTLY! I have mentioned this here before
  • Real time traffic logging?

    5
    0 Votes
    5 Posts
    1k Views
    stephenw10
    Just how 'live' do you need it to be? You could tail the filter log at the command line if you really want to see it as it happens. You might try using the ntop-ng package. Or one of the other monitoring packages: https://docs.netgate.com/pfsense/en/latest/monitoring/graphs/bandwidth-usage.html Steve
  • 2.5.2 or 2.6.0 ? I need to fix multiwan bug on production systems

    18
    0 Votes
    18 Posts
    2k Views
    V
    @cool_corona I did a small test with opnsense and multi-wan with port forwarding for openvpn did not work there. From what I read on their forums it is kinda a hit-and-miss depending on which build they use. Same goes for untangle. It could be me of course with my limited knowledge. But for now in the land of the blind one eye is king :(
  • pfSense system display time

    11
    0 Votes
    11 Posts
    1k Views
    chudak
    @wgstarks Thx I’m good, was confused by n/a for off-line leases
  • TELEMETRY?

    9
    0 Votes
    9 Posts
    1k Views
    AKEGEC
    I also noticed some of my clients experienced the same from AS30312 Netgate and AS27325 zColo. About Covid, it'll not end until mid or end 2023. My condolences for your loss.
  • Issues with VoIP over IPSec VPN

    7
    0 Votes
    7 Posts
    1k Views
    maverickws
    @Artes Thanks a lot for your input. Actually your comment was right on the spot. Location B has a requirement of 1400 MTU. After changing to TCP instead of UDP, everything is working. Great help, thanks a lot both you and @JKnott for the comments! Have a nice weekend ahead! Cheers!
  • Lack of foresight killed the system

    Moved
    20
    0 Votes
    20 Posts
    2k Views
    I
    @gertjan Yes, I have not mentioned virtualization but that is the idea, VirtualBox runs ok with pfSense, just beware and use the NICs as Bridged and ensure they are not putting any traffic in the Host (no IP, etc.). You can VBox as a service (with Linux) or AlwaysUp in Windows with a watchdog can keep the VM running if it crashes, there are many options. Immutable/Non-Persistent disks help too.
  • State table size issue

    Moved
    2
    0 Votes
    2 Posts
    393 Views
    V
    @arbabnasir Why do you have as many states? Are you under attack? If not you may extend the state table size in System > Advanced > Firewall & NAT > Firewall Maximum States.
  • Properly initializing tap interface on boot

    2
    0 Votes
    2 Posts
    385 Views
    I
    After some more digging it seems the tap interface is not set in promiscuous mode at startup as the tap device is missing. As I mentioned if I do some changes to the bridge, for example start packet capture and enable the promiscuous mode on the interface - the traffic starts. So the issue seems to be how to enable/create the tap interface early in the init process so it is put in promiscuous mode? Alternatively how to programmatically restart the bridge once the interface has been created?
  • 2.5.1: new VM install, a few UI glitches and bugs?

    Moved
    3
    0 Votes
    3 Posts
    473 Views
    JeGr
    @jimp said in 2.5.1: new VM install, a few UI glitches and bugs?: Something in the RA process must be triggering it to take the other gateway as default. That is somewhat moot though since you can't use DHCP/dynamic interfaces with HA if that's your ultimate goal. There isn't a way to make that work as-is, so you may have to forego IPv6 if you want these in HA or find a way to make it work static. I don't exactly plan to utilize them in a HA style setup (not the v6 part). But I find it strange, that it shows the 2nd IP6 as default with the globe, the system itself, the default route and everything (even a ping6, traceroute6 etc.) all default to the 1st WAN IP6 and are going out the WAN IF. So it seems that it's a displaying issue rather than RA or do I miss something? The gateway drop-down only shows up if it detects multi-WAN (e.g. multiple interfaces have gateways). If it doesn't show, then the only available gateway must be on a single interface. For static IPv4 perhaps you forgot to select the gateway on Interfaces > WAN for example. Interestingly you were right. I set up both WANs with their Gateways and configured the upstream. At some point one VM seems to have dropped it. I can see that in the config history but not why it happened. I reconfigured the WAN with missing gateway and the dropdown now shows as it should be. Weird though, that it was in (even shown in the config.xml) but somehow was dropped by something.
  • 0 Votes
    4 Posts
    499 Views
    M
    @mosae Ah, okay. Then we might have different issues. With me the login always succeeds, but I got permanent PL inside the vpn, like: Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=14ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=12ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=14ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Zeitüberschreitung der Anforderung. Zeitüberschreitung der Anforderung. Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=14ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=14ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=14ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Zeitüberschreitung der Anforderung. Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=15ms TTL=126 Zeitüberschreitung der Anforderung. Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=14ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=15ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126 Antwort von 172.17.1.26: Bytes=32 Zeit=13ms TTL=126
  • 0 Votes
    6 Posts
    4k Views
    E
    @KOM The configuration has grown more complex recently (several VLANs), but the kernel error has occurred before that even with a very basic configuration. There are some unusual devices on the network, e.g. two internal pairs of DSL modems for bridging two long distances, and some dubious switches, but so far, I could not correlate activity via these connections with the outages. I am sometimes connected via OpenVPN, but I could also not perceive a clear correlation with activity on that connection and outages. @dotdash For me it only occurs during rush hours, and I experienced it even on 2.5.0. I am now going to make tcpdump log the sender and receiver IP addresses of fragmented packages. Maybe that will give me some hints.
  • ssh version causing PCI scan failures

    Moved
    31
    0 Votes
    31 Posts
    4k Views
    johnpoz
    @jvcomputers You might want to take a look at this thread - same subject as yours, just with web gui vs ssh. I linked to the ASV document guide.. Ie guidelines that ASVs are supposed to use when scanning. https://forum.netgate.com/topic/163844/pci-dss-compliance-vulnerabilities-found-webgui Clearly stated in that doc.. "Temporary configuration changes do not require that the scan customer “white list” or provide the ASV a higher level of network access."
  • Bridging two interfaces WAN(vRouter) & LAN(LAN Router) w/ OPT1(MGMT)

    32
    0 Votes
    32 Posts
    3k Views
    J
    @nollipfsense One down side is I downgraded to 2.4.4 and it worked; I put this on my production setup and it's not working. I confirmed all my settings were exactly the same as the 2.4.4. There is no traffic on the bridge interface but the ICMP is found on the vmx0 and vmx2 interfaces.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.