@slimypizza said in Home setup issues with WiFi (advice): The thing I like about it relative to the Ubiquiti is that you don’t have to run an ethernet cable to the satellites. You don't have to run a wire to the unifi AP either - you can do wireless uplink, its just ALWAYS going to be better to run a wire to your other AP if possible. ALWAYS!!! Not say orbi or any of the other mesh systems out there won't work - but good luck doing anything above very basics.. Can you even do vlans on your wifi with Orbi - no.. So for many of us that have chosen to go with a more robust network and want to do stuff as basic as vlans - those sorts of wifi systems just don't cut it.. Why would you choose to run a Porsche for your router/firewall - and then put some crappy walmart special tires on it ;) And only do 55 mph..

@provels - Thanks for this. Of course I had to type a litany to eventually discover the problem is one I created but didn't realize I had created one. TL;DR, the AT&T WAN DHCP address specified its IP to renew from. That IP sat in the LAN on pfSense's side as a VIP. The WAN couldn't reach that IP for renewal. At expiry, a new DHCP broadcast would occur and everything would be good for another 10 minutes. I removed the VIP, everything went back to normal. Updated the original post to be more clear since I figured it out.

If you were using unifi controller, ie you had some unifi AP for example - then this would do exactly what your asking for https://store.ui.com/collections/unifi-accessories/products/unifi-smart-power The UniFi SmartPower Plug is a device installed between the AC outlet and the power plug of an internet modem or router. The UniFi Network Controller continuously monitors availability of an internet connection. If the connection drops, the UniFi SmartPower Plug automatically restarts the modem or router by disconnecting power for a short period of time. But yeah with all the smart plugs these days, I would think it would be pretty easy to rig something like this up..

Thanks for the reply Steve :) Good catch! I left off a switch sitting between the user and the Main router. I will update drawing shortly. User is single port device, both routers are multiport devices. From LAN, I am trying to ssh to an IP in the 10.1 space (say 10.1.1.10) by using the 10.1 address. I do not see any blocked data regarding 10.1.1.10 on either firewall log (just searching for that IP in the log). From the link you posted it seems that asymetrical is defined as "traffic going from A-> Z taking a different route then traffic going from Z -> A" My thought is that 10.1 traffic would go through the 192.168.1.99 port on the DMZ router, not going to the main router at all. This would be the same route that I would expect the traffic to take back. So I'm missing why it would be asymmetrical >_< Edit: Picture is updated.

Nope I have homebridge running on a raspberry pi running ubuntu on my iot lan. The rule is to pass allow udp port 9 from my homebridge server on the iot lan to all my subnets.

Check System - Advanced - Firewall & NAT. Look for "IP Random id generation". If it is checked, uncheck that box.

@liboriolibs said in pfSense + Haproxy - internal LAN redirect backend with acme valed certification: ssl offloading - check type - http / https (offloading) Try changing this to HTTP & disabling offloading. SSL Offloading seems to indicate that you want PFSense to get HTTPS and send out HTTP (implying it has the certs). I was trying to do the same thing (see link below). While I had a different problem I think it's the same solution. https://forum.netgate.com/topic/153028/haproxy-deleting-acl-on-modify-bug-or-am-i-missing-something/3

Realtek NICs/drivers are known to crash under high load. Change the NICs or try your luck with the official drivers: https://forum.netgate.com/topic/135850/official-realtek-driver-binary-1-95-for-2-4-4-release -Rico

Thanks for the quick response, Rico! You helped me a lot.

That's normal for Comcast. My ISP does the same to us from time to time.

@Gertjan Great reply it is indeed!

Cool_corona refer to this, https://forum.netgate.com/post/907662 but i don't think it's related to your problem. but you can try that

Yeah the WAN is PPPoE so you don't see the media reported, that's on the parent interface. In Diag > Command Prompt execute ifconfig -vma show us the results. Steve

Since pfsense is a firewall product and not a file server, I don't think you're going to find any kind of solution for this. You really don't want the device that's protecting your internal network(s) to be a file server anyway. If your firewall were to get compromised somehow, your attached storage devices would most likely be targeted as well. How about getting a dedicated NAS box, personal cloud storage device, or network storage adapter? These devices would sit inside your network, protected from outside access, behind the firewall. Do you have a PC on your network that's always on? That could act as a network disk server. https://www.amazon.com/TerraMaster-Transcoding-Personal-Storage-Diskless/dp/B07PWDTBJ6 https://www.amazon.com/KwiltGo-Personal-Cloud-Storage-Device/dp/B07SJHSSMP https://www.amazon.com/Synology-DS120j-DiskStation-Diskless-512MB/dp/B07ZKSLVT5 https://www.amazon.com/Usr-Ushare-Mini-NAS-Adapter/dp/B0050JRXVU/ You could even get one of the less expensive wifi routers that has USB ports on them, set it to serve no network functions, but to instead host your hard drives on the network. https://www.amazon.com/TP-Link-AC1750-Smart-WiFi-Router/dp/B079JD7F7G/ Hope that helps. Jeff

@roadrunner51 Just wanted to thank you for this solution. Fixed my problem.

Please check this https://redmine.pfsense.org/issues/8987

No, aliases do not work in reverse like that. You can use the 'i' icon next to IP addresses in the firewall log to do a reverse look-up. I don't know of any way to do that by default but it would probably intriduce unacceptable delays anyway. Steve

No worries. Better than junking it.