Run a packet capture on the internal interface do you see the ping requests or replies there? Check the state table for open states using the .25 IP. Make sure you can ping out from the .25 IP in Diag > Ping. Steve

I followed the advice of bmeeks and have the VLAN routing done by pfSense. As my main goal was to ensure high throughput between my Server and domain joined clients (all on the same VLAN) and all of those devices are wired to the Netgear M4300-28G-PoE+ switch, the data is handled at L2 level by the switch and does therefore (to my understanding) not pass via the pfSense box. In the end, I also ditched the ISP Fritzbox because I didn't manage to get PPPoE passthrough working; my ISP gave me a fiber to ethernet converter instead. Everything has been working great ever since.

https://docs.netgate.com/pfsense/en/latest/install/upgrade-troubleshooting.html

Yep, right here (see attachment) under the Interfaces tab. [image: 1579800525307-screen-shot-2020-01-23-at-11.27.08-am.png] Your new LAN can either be an actual network port if you have an open port on your pfsense box, or it can be virtual (VLAN) if you want to do it that way. Then see here for some setup instructions for this new interface: https://docs.netgate.com/pfsense/en/latest/interfaces/interface-settings.html Jeff

I've couldn't detect what is not working, after upper comment the ISP installed additional router between pfsense and radiolink switch. Now we're using 176.xx IP for the WAN Interface. Thanks for all comments.

secondary [image: 1579702991761-screenshot-2020-01-22-at-14.16.18.png] [image: 1579702995562-screenshot-2020-01-22-at-14.16.45.png] [image: 1579703009108-screenshot-2020-01-22-at-14.16.52.png]

@johnpoz said in Creating a backup of /Root etc.: Why would you want to do this? Just back up the config, have some install media around... Worse case you install pfsense clean and restore you backup. You can just use the ACB as well https://docs.netgate.com/pfsense/en/latest/backup/autoconfigbackup.html @johnpoz thanks for the input - here's what I'm trying to accomplish. I have some custom stuff that I would like to backup to a flash drive and be able to restore without depending on the network or another computer (just the pfSense box). Most of it is in root, and I have also created a user CUSTOM which is under /home/custom - I hope that I won't have to use it, but just in case something gets lost I want a fallback. Also note that as it stands the backup plugin can not backup root (see note above) - I don't know if Netgate is the maintainer or if it is someone else. As for the autoconfigbackup, I would love to use it, but I would rather have it point to a box inside my firewall - call me paranoid, but I keep finding out that things we thought were secure, aren't because of error or improvements in hacking tools. If it is never in the cloud, then it can't get stolen from the cloud. @johnpoz as an aside ". Worse case you install pfsense clean and restore you backup." - I it was just the base pfSense, I would agree with you completely .... but what about a use case where there are a lot of plugins? How does one make sure none of them have changed since they were installed/disappeared from the plugin repo? I had a problems several years back where I couldn't get the config to restore properly without connectivity, and I couldn't get connectivity with a working pfSense. I think that some changes have been made since then, but it is so long ago all I can remember is that I had a very uncomfortable several hours trying to get things back up.

Yeah it's like I said you can bridge the VLAN the server is on to the WAN. So: Edit the server VLAN interface and set it to v4 type none. Create a new bridge in Intercaces > Assignments > Bridges and add the WAN and the server vlan interface to it. Set the server to be a dhcp client. Make sure you have firewall rules on the server VLAN interface to allow the dhcp client traffic. And any other traffic you may need. Be aware that rules use 'Server net' will no longer be valid since that interface no longer has an IP or subnet. Add rules to WAN to allow whatever traffic you need to reach the VoIP server. Steve

You may need a route to 10.233.2.0/24 if that is not accessible via the default route but only then. I assume you can access the pfSense webgui from 10.233.2.4? Otherwise you would only need those routes to establish connections over the VPN from the firewall itself rather than from hosts behind it. Your screenshot where you have 10.233.2.0/24 in the P2, which is required, shows 0 packets in or out on it but it also shows as established for 0 seconds. If you have that up, or both P2s there, and send traffic from either end do you see the packet counter increase in either direction? Steve

@jimp Thanks, fixed. [image: 1579540700839-annotation-2020-01-20-121352.png]

Hmm, well hard to say without more logs etc from the time. Unbound was not responding for some reason. Neither was any other DNS server configured for the system. Without anything in System > General that could only be servers handed to pfSense by the ISP via DHCP on WAN.

You're right. [image: 1579535662308-6743f69d-639a-4060-a514-af60c52ee008-image.png] Test : [image: 1579535697563-d0ba3ebe-8738-4385-ad29-69e89e3e05c5-image.png] which is correct.

@stephenw10 thank you works great (:

It's clearly maxing out something. You should definitely test over a wired connection first though you could just be seeing wifi issues. Steve

@JKnott Yep the phone was connected to the network, it had a static ip at first, then i removed its static from pfsense, which gave it a dchp address. All the internet worked, the only things that didnt work were the walmart app, amazon app, and affirm app. I could browse the internet, download off of play store, and play games. I dont understand what happened, after I formatted the pfsense hard drive and reinstalled it, my phone could connect to the apps. It was 100 percent something i did in pfsense some how, because I could connect to those apps on my other internet from a different provider, and at walmart.

@stephenw10 kk, that solves it. I'll go firewall route! Thanks!

Well that could definitely be true, why would they allow access to their DNS servers publicly? That doesn't explain why you saw the delay to IP addresses directly though. Steve

Ok, thank you!

@plrpilot When you say "from the VPN", what is the device that is initiating the VPN on the remote side? Is it OpenVPN or IPSEC VPN? Please provide additional information about the network topology, perhaps you need some specific routing.