I'd also enable SSH now if you have not already so you can try to connect back that way. Steve

Hello, I've verified the problem. I got that notice after my rules had not been updated for some time. I followed iTestAndroid tecnique and confirmed that I had too this negate duplicate networks , so i checked "Disable Negate rules" and manually reloaded filter, which addressed the issue. but issue is not solved yet. I'have also tryed disabling nat reflection, but nothing Output of: pfctl -f /tmp/rules.debug is pfctl: pfctl_rules Following this thread after solved the duplicate ruleset, a reboot was needed. That solved the issue for me.

@stephenw10 I mostly use it for clients. I haven't had to change a server OpenVPN client in awhile. There needs to be an easier way to turn on and off OpenVPN clients.

Yup, seems there is some confusion!

Hmm, if it has a correct route and can ping the default gateway that starts to look like an upstream problem. You could run a packet capture on WAN whilst pinging just to make sure the pings are actually leaving WAN with the correct details. Steve

For reference see: https://redmine.pfsense.org/issues/13154 And the associated: https://redmine.pfsense.org/issues/13156 Steve

It's much safer to force the user to re-assign them. Imagine if you had 3 USB NICs and you disconnect one of them. Now at boot the NIC order might be different and you could end up with LAN hosts connected to a DMZ interface. Or worse. Steve

Sounds good. Thanks for the help. With the /boot/loader.conf.local variable change, I've been running for more than a day now and it all seems stable with much lower memory utilization. I feel a lot more comfortable with 58% utilized compared to the 88%, especially if I have a sudden increase in traffic or encrypted tunnels, I know there are enough resources available to handle anything thrown at it.

Wow. It works like a charm. THANK YOU VERY MUCH. Sami

@srytryagn said in Redundant rules ?: Is it opposite for WAN ? No - works exactly the same way.. Traffic is inbound to the wan interface from the wan network. Out of the box all unsolicited traffic into the wan interface is denied..

@srytryagn Thank you !

@brad-bishop I found it (well... Almost).. Just for a sanity check I plugged my computer directly into the lan port of the router. I'm getting 935.3Mbps down and 95.4Mbps up. There's something in my network screwing this up. Thank you again for the help. I'll just have to track down the component, now.

@jarhead Head an error, list of all private IPs blocked was set to * not to my alias. Reaching internet now.

Urgh. Nice catch though.

Hi Steve, Thank for all the pointers - turns out it is indeed a 2.6.0 issue, I just upgraded to pfSense 22.05 plus and the limiter issue seems to be resolved. I'll keep monitoring.

Observium could be doing something like that but I think it's simply a different data source it's indicating.

Yes if you have selected serial console as the primary console then kernel panic info will be sent to it. You should also see global messages there such as logins. Steve

ah ok so basiclly i just stuck.. its like 90s all i could get was 2.8k connection while people lived in town go cable modems and faster rates.. now i have similar to cable modems dsl and people in town have 10x or more faster rates lol vicious circle. least its working the unbound stuff.. was main goal the 192.168.0.1 as dns so i not switching back and forth 192.168.0.1 and 192.168.0.33 just for each time gaming.. stick with either vpn or just wan or maybe ill do 2 lancaches 1 for games and windows updates for WAN 1 for just windows updates on VPN as going through the vpn and gaming either doesnt work or lags alot.. i guess thats due to the overhead stuff vpn does and i really appreciate the help and explaining things you done too it helps.. espcially when you dont understand all this stuff.. really like pfsense over my asus router so i greatly appreciate it (:

In a site-to-site tunnel you can route traffic across it either way. Without port forwarding or DMZ (1:1 NAT) at the Comcast end though the 1100 behind it will always have to initiate the tunnel to the other end. That's fine but it means the other side must be something fixed that can be connected to. I'm not sure what the TV service requires but you are probably going to need to route all your traffic over the tunnel to make it work. Steve