  • Standby unit crashing intermittently

    0 Votes
    5 Posts
    1k Views
    Thanks. I'll disable pfsync until you have a fix out. Seems to be the lesser of two evils and only connection-oriented sessions (RDP, ssh and such) will have to be manually reconnected on a failover which is tolerable. Thank you for the quick assistance! Lars
  • Two Windows clients are disconnecting just from Internet

    0 Votes
    3 Posts
    1k Views
    @johnpoz: So when you mean they can no longer resolve stuff or can not access public IPs and resolve just fine? My guess would be you're using multiple dns servers one that can resolve public, and other that can not - like your AD server maybe?
    The machines can not access public IPs, but resolve just fine… I still can ping any URL, while no pages are showing, giving timeout error. Just the pfSense is the DNS Server.
    @johnpoz: On these clients try and resolve www.google.com via either ping? Or nslookup or dig or whatever your fav dns query tool is. Does that not work? What dns is pointing to - nslookup or dig will tell you that. If they do resolve try pinging something on the outside say 8.8.8.8 does that not work?
    I can ping and resolve google.com and 8.8.8.8 or anything outside…. Nslookup returns the pfSense IP.
  • Upgrade 2.2 -> 2.3 from config

    0 Votes
    1 Posts
    422 Views
    No one has replied
  • Passive (p0f) OS fingerprinting in 2.3 vs 1.2.3

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Lan keeps going down "No Route to Host" please HELP

    0 Votes
    12 Posts
    4k Views
    This issue stopped for a while and it just started again today.
    ```
    Sep 15 15:39:27 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:39:27 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:39:27 xinetd 9901 Swapping defaults
    Sep 15 15:39:27 xinetd 9901 Starting reconfiguration
    Sep 15 15:39:26 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:39:26 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:39:26 xinetd 9901 Swapping defaults
    Sep 15 15:39:26 xinetd 9901 Starting reconfiguration
    Sep 15 15:39:26 check_reload_status Reloading filter
    Sep 15 15:39:26 php-fpm 63247 /rc.newwanip: rc.newwanip: on (IP address: 192.168.1.1) (interface: LAN[lan]) (real interface: sk0).
    Sep 15 15:39:26 php-fpm 63247 /rc.newwanip: rc.newwanip: Info: starting on sk0.
    Sep 15 15:39:25 check_reload_status Reloading filter
    Sep 15 15:39:25 check_reload_status rc.newwanip starting sk0
    Sep 15 15:39:25 php-fpm 63247 /rc.linkup: Hotplug event detected for LAN(lan) static IP (192.168.1.1 )
    Sep 15 15:39:24 kernel sk0: link state changed to UP
    Sep 15 15:39:24 check_reload_status Linkup starting sk0
    Sep 15 15:38:03 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:38:03 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:38:03 xinetd 9901 Swapping defaults
    Sep 15 15:38:03 xinetd 9901 Starting reconfiguration
    Sep 15 15:38:02 check_reload_status Reloading filter
    Sep 15 15:38:02 php-fpm 63247 /rc.linkup: Hotplug event detected for LAN(lan) static IP (192.168.1.1 )
    Sep 15 15:38:01 kernel sk0: link state changed to DOWN
    Sep 15 15:38:01 check_reload_status Linkup starting sk0
    Sep 15 15:31:42 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:31:42 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:31:42 xinetd 9901 Swapping defaults
    Sep 15 15:31:42 xinetd 9901 Starting reconfiguration
    Sep 15 15:31:41 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:31:41 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:31:41 xinetd 9901 Swapping defaults
    Sep 15 15:31:41 xinetd 9901 Starting reconfiguration
    Sep 15 15:31:41 check_reload_status Reloading filter
    Sep 15 15:31:41 php-fpm 39526 /rc.newwanip: rc.newwanip: on (IP address: 192.168.1.1) (interface: LAN[lan]) (real interface: sk0).
    Sep 15 15:31:41 php-fpm 39526 /rc.newwanip: rc.newwanip: Info: starting on sk0.
    Sep 15 15:31:40 check_reload_status Reloading filter
    Sep 15 15:31:40 check_reload_status rc.newwanip starting sk0
    Sep 15 15:31:40 php-fpm 56830 /rc.linkup: Hotplug event detected for LAN(lan) static IP (192.168.1.1 )
    Sep 15 15:31:38 kernel sk0: link state changed to UP
    Sep 15 15:31:38 check_reload_status Linkup starting sk0
    Sep 15 15:28:30 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:28:30 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:28:30 xinetd 9901 Swapping defaults
    Sep 15 15:28:30 xinetd 9901 Starting reconfiguration
    Sep 15 15:28:29 check_reload_status Reloading filter
    Sep 15 15:28:29 php-fpm 56830 /rc.linkup: Hotplug event detected for LAN(lan) static IP (192.168.1.1 )
    Sep 15 15:28:28 kernel sk0: link state changed to DOWN
    Sep 15 15:28:28 check_reload_status Linkup starting sk0
    Sep 15 15:18:29 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:18:29 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:18:29 xinetd 9901 Swapping defaults
    Sep 15 15:18:29 xinetd 9901 Starting reconfiguration
    Sep 15 15:18:28 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:18:28 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:18:28 xinetd 9901 Swapping defaults
    Sep 15 15:18:28 xinetd 9901 Starting reconfiguration
    Sep 15 15:18:28 check_reload_status Reloading filter
    Sep 15 15:18:28 php-fpm 91971 /rc.newwanip: rc.newwanip: on (IP address: 192.168.1.1) (interface: LAN[lan]) (real interface: sk0).
    Sep 15 15:18:28 php-fpm 91971 /rc.newwanip: rc.newwanip: Info: starting on sk0.
    Sep 15 15:18:27 check_reload_status Reloading filter
    Sep 15 15:18:27 check_reload_status rc.newwanip starting sk0
    Sep 15 15:18:27 php-fpm 34083 /rc.linkup: Hotplug event detected for LAN(lan) static IP (192.168.1.1 )
    Sep 15 15:18:25 kernel sk0: link state changed to UP
    Sep 15 15:18:25 check_reload_status Linkup starting sk0
    Sep 15 15:15:48 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:15:48 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:15:48 xinetd 9901 Swapping defaults
    Sep 15 15:15:48 xinetd 9901 Starting reconfiguration
    Sep 15 15:15:47 check_reload_status Reloading filter
    Sep 15 15:15:46 php-fpm 34083 /rc.linkup: Hotplug event detected for LAN(lan) static IP (192.168.1.1 )
    Sep 15 15:15:45 kernel sk0: link state changed to DOWN
    Sep 15 15:15:45 check_reload_status Linkup starting sk0
    Sep 15 15:12:25 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:12:25 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:12:25 xinetd 9901 Swapping defaults
    Sep 15 15:12:25 xinetd 9901 Starting reconfiguration
    Sep 15 15:12:24 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:12:24 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:12:24 xinetd 9901 Swapping defaults
    Sep 15 15:12:24 xinetd 9901 Starting reconfiguration
    Sep 15 15:12:24 check_reload_status Reloading filter
    Sep 15 15:12:24 php-fpm 69749 /rc.newwanip: rc.newwanip: on (IP address: 192.168.1.1) (interface: LAN[lan]) (real interface: sk0).
    Sep 15 15:12:24 php-fpm 69749 /rc.newwanip: rc.newwanip: Info: starting on sk0.
    Sep 15 15:12:23 check_reload_status Reloading filter
    Sep 15 15:12:23 check_reload_status rc.newwanip starting sk0
    Sep 15 15:12:23 php-fpm 69749 /rc.linkup: Hotplug event detected for LAN(lan) static IP (192.168.1.1 )
    Sep 15 15:12:22 kernel sk0: link state changed to UP
    Sep 15 15:12:22 check_reload_status Linkup starting sk0
    Sep 15 15:10:06 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:10:06 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:10:06 xinetd 9901 Swapping defaults
    Sep 15 15:10:06 xinetd 9901 Starting reconfiguration
    Sep 15 15:10:05 check_reload_status Reloading filter
    Sep 15 15:10:05 php-fpm 69749 /rc.linkup: Hotplug event detected for LAN(lan) static IP (192.168.1.1 )
    Sep 15 15:10:04 kernel sk0: link state changed to DOWN
    Sep 15 15:10:04 check_reload_status Linkup starting sk0
    Sep 15 14:51:47 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 14:51:47 xinetd 9901 readjusting service 6969-udp
    Sep 15 14:51:47 xinetd 9901 Swapping defaults
    Sep 15 14:51:47 xinetd 9901 Starting reconfiguration
    Sep 15 14:51:46 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 14:51:46 xinetd 9901 readjusting service 6969-udp
    Sep 15 14:51:46 xinetd 9901 Swapping defaults
    Sep 15 14:51:46 xinetd 9901 Starting reconfiguration
    ```
    I wonder if something on the network is causing this. Anyone else experiencing this?
  • Chrome OS devices sending UDP packets to gateway (seemingly not QUIC)

    0 Votes
    6 Posts
    1k Views
    johnpoz
    Well yeah stun is going to try and traverse your nat ;) Which I take is something you don't want it to do ;) There is a way to disable WebRTC in chrome browser, you could try doing that and see if that reduces your hits.. Guess your other option is just not log it.. You could still allow for dns and or quic, etc. but all other unknown UDP just drop it in the bin without logging.
  • 2.3.1 default icmp setting - using custom udp ports

    0 Votes
    7 Posts
    4k Views
    johnpoz
    Did you validate that you're actually getting back the icmp unreachable message on your wan? So your lan rules are any any? So you're probing IPs you control on the public internet and you know they send back icmp redirects when hit on nonlistening/closed port? As I showed many firewalls will not do that.. Since then every single noise packet they get would generate an icmp answer.. That would be bad! ;) You need to validate that your packet is getting to the server from the client, and then validate it is actually sending back an icmp redirect and pfsense is seeing it on its wan. If it does then yes it should send that back into your client that created the traffic. As you can see from my above traceroute test.
  • Connecting pfsense and home router together

    0 Votes
    12 Posts
    17k Views
    I should have asked what model the Netgear was from the start.  I assumed it was an R7000 or something similar, since those tend to be the most popular.  Or at least a relatively recent model. I doubt that Netgear Router you own has AP mode. What is the model number of the TWC equipment you have?  Can you confirm that it is a Modem/Router combo, or could it just be a Modem?
  • Falling back to an earlier version

    0 Votes
    3 Posts
    854 Views
    johnpoz
    If I had to guess part of his problem could be related to running multiple layer 3 networks over the same layer 2. There is a thread about that, and then there is also a thread about using the forwarder or the resolver what is the difference and using forwarder for cp, etc. Then there is a thread that mentions trying to go to https sites first before auth to the cp. I'm with jimp though you need to post up the actual details of your CP issue. You have multiple things going on it seems, trying to use squid and the cp from one thread is another possible issue. If you post up the full details, what packages you're using how you have your network setup and your captive portal setup and what is not working with it.. Sure there are plenty of people here to work through your issues with you.
  • Where to get/install wget from

    0 Votes
    7 Posts
    4k Views
    jimp
    curl is in the base system, so is fetch. For most things you'd need or want wget for on a firewall, fetch is fine, and curl will work if fetch will not. There's really no need for wget.
  • PPP routed Subnets

    0 Votes
    2 Posts
    600 Views
    jimp
    No, it is not possible for pfSense to act as a PPP server and route networks in that fashion.
  • Lost admin/root password

    0 Votes
    8 Posts
    1k Views
    jimp
    Resetting the password is usually fairly simple, the other errors you show indicate your system has a far more serious problem. Likely you can't login because of a problem with the filesystem. Even after running fsck a few times (keep running it until it returns no errors!) it's still possible there are missing files or files with corrupted or missing contents. Reinstall and restore the config from a backup. It's also possible your disk has a problem, but reinstall first. If problems continue, replace the disk and try again. If you don't have a backup, choose "Rescue config.xml" in the installer, if it fails, reboot and try "Rescue config.xml" again (and again). If it doesn't work after 3-4 tries then you'll have to start with a blank config.
  • Ipfw: pullup failed

    0 Votes
    6 Posts
    3k Views
    KOM
    I'm not sure what your problem is.  You don't seem to have excess fragmentation.  You could try swapping out the NIC and see if it goes away but I have no other suggestions.
  • ClamAV Antivirus

    0 Votes
    2 Posts
    925 Views
    Not one reply!!
  • IGMP Proxy - Not working with VLANs (bug:6099). What are my options?

    0 Votes
    11 Posts
    6k Views
    As it is now my switch (TP-8port) is just on its default setting: VLAN 1. The TP is connected to the LAN (NIC 2) interface on pfSense box. NIC 1 is WAN NIC 3 is Unifi AP connected with VLAN 100 (Private WLAN), VLAN 200 (Shared WLAN), VLAN 300 (Guest VLAN). Would I be able to set the switch up to do IGMP across VLANS like my current setup as in VLAN100,200,300 talk together when doing IGMP on the switch? Thanks mate!
    Well, as a first step I would configure all VLANs in the switch too. Just add 100,200,300 as VLANs in the switch. Designate two ports (say port 7 and port8) to have all three VLANs tagged. Designate first one port (say port 6) to be in VLAN 100 untagged, and set PVID also 100. In the switch's IP settings, where you set the IP address of the switch, set management VLAN to 100. Now unplug your UniFi from pfSense, and plug it in port 7 of the switch. Also connect port 8 of the switch to where UniFi was on pfSense. Unplug the switch from NIC3 of pfSense, you won't need that anymore (and you won't need the bridge in pfSense either). You can now access the switch through UniFi through VLAN100 directly, not around through the bridge! You can now safely set the rest of the ports in the switch to any vlans, say VLAN 100 untagged (and PVID 100 too!). From this on, proceed with Multicast configuration as described in the FAQ section I linked above.
  • Made suricata change box died need help understanding…...

    0 Votes
    3 Posts
    701 Views
    Well, patience wasn't a virtue here, reloaded and back to normal for now. Just need to figure out exactly what I did to gum and since I am not taking backups yet since I am still learning this has been a good experience reconfiguring everything :-). Glass half full for sure….....
  • Possible to put wifi router Behind pfSense ? (Double NAT)?

    0 Votes
    5 Posts
    4k Views
    @Tantamount & @johnpoz: Thank you for responding! Tantamount, your response is very helpful. I have responded to your observation and advice below. Please tell me if I am on the right track:
    It looks like you've got two internal networks -- one for regular internet traffic (ISP) and one for VPN traffic (VPN). Each has its own subnet. I assume you use different SSID's and have to manually change between these depending on what you want your lan devices to use -- in other words you want the networks isolated from each other. So now you want to make pfsense be your first line of defense.
    Absolutely correct – that is exactly how I want to setup
    Start by making sure that the dhcp server on the pfsense is using the same subnet as (ISP). Then for the (ISP) wifi router, configure it to dumb AP mode. That should mirror your current setup -- lan devices would get ip addresses in the subnet they're familiar with, and you only have one nat translation occurring -- except now it's happening at pfsense and not the (ISP) router.
    In my current setup (Fios via Ethernet), I do not have any ISP supplied equipment. I connect one of my Cellspot (Asus) routers directly to the Ethernet cable. Ethernet from Fios ONT comes in directly to the WAN port of Router 1. So as I understand: Connect the incoming Ethernet to the WAN port of pfSense box. Then change Router 1 to AP mode. From pfSense LAN port, connect AP (LAN to WAN?) Change pfSense LAN to 192.168.1.1 (Do I need to change AP to 192.168.1.2 or let pfSense DHCP handle that?)
    This just leaves the (VPN) router and that network. Plugging the wan port of (VPN) into the lan side of pfsense should work the same as how you originally had things before pfsense was added. Traffic coming into the LAN or wifi side of (VPN) would go through the VPN tunnel. This tunnel is natted first from the (VPN) router to lan pfsense, and then natted again from lan pfsense to wan pfsense. pfsense shouldn't be causing any issues with this. As far as it knows, a single device on the lan network (VPN router) is trying to connect to something on the internet.
    I tried this past weekend however I think I could not get the OPT1 (2nd LAN port in pfSense box) configured correctly so I was getting no packets. Do I need to configure any rules? I copied the ipv4 connectivity rule from LAN to OPT1 but still couldn’t get connection I create a second subnet : 192.168.2.1 on OPT1 - Do I let pfSense DHCP handle the VPN Router? Or should I configure it to 192.168.2.2 ? Did I get the above correct? If not, please correct me. (Thanks!). If I missed stuff, please feel free to add it in.
    As johnpoz mentioned however, this is making things more complex than it needs to be. Ideally what you'd want to do is configure openvpn to work with AirVPN in pfsense. Then have all internal vpn traffic go through a second LAN port of pfsense out to the other (VPN) router -- now in AP mode.
    This is what I ideally wanted, and perhaps once I am more confident of my abilities, I will attempt it.
    I did a quick search for AirVPN and it looks like there are all kinds of instructions for getting it working with various equipment, such as dd-wrt (Another router similar to pfsense). If you cannot translate these instructions for pfsense, I suggest looking to see if AirVPN has a forum where you can get the help you need because this is definitely doable. You'll almost certainly get better performance this way due to the better hardware running pfsense vs that wifi router.
    Here is a link to a very comprehensive guide that I found on the airvpn forum for pfSense 2.3 (https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/ ), however I think, at this time it’s a bigger bite than I can chew. Unfortunately I cannot have my network down for over an hour, and this isn’t something that I am confident of being able to achieve within that time…
  • Multiple cPanel/WHM servers

    0 Votes
    2 Posts
    1k Views
    If I connect via the VPN and then SSH to one of the new servers (e.g. the .145 one), then once I'm logged in there I am able to ping all of the other assigned /26 addresses.  So I can ping 68.0.0.129 (the gateway), 68.0.0.130 (live server), 68.0.0.140 (the other server that I can't reach from outside), all of those work.  So the IP is getting bound to the correct server, but it's not routable.  I tried to ping an unassigned IP in the /26 network and it was not reachable, so it's not that all of the IPs are responding by something like pfSense, only the assigned IPs are responding.
  • Where can I find the non-"Community Edition" image?

    0 Votes
    8 Posts
    1k Views
    A follow up: There was indeed a baud rate mismatch when transitioning from BIOS boot messages to kernel boot messages.  But in my defense, the presence of that mismatch seemed to make the kernel "want" a carriage return to continue to load.  So yes, it's possible that loading a config file that causes that console baud rate mismatch can cause the system to hang.  YMMV of course.
  • Outgoing port 25 block workaround help request…

    Locked
    0 Votes
    12 Posts
    4k Views
    johnpoz
    And this SO box, can not run a simple email relay? Now it's just sending its email to localhost to have it forward on. https://github.com/Security-Onion-Solutions/security-onion/wiki/Email
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.