If that all happens through your WAN port, maybe the block bogons option on your WAN interface is getting in the way? I’ve never had to disable that before to hit 100.1, but maybe it’s a “feature” of newer versions of pfSense (I haven’t touched pfSense in almost 2 years)

HI thanks both for your explanation that make more sense now for me. Effectively it s better to use Split DNS and to add entry for all i just forget this simple solution. KR

Were you able to try Ctl+t there? If you shutdown the firewall from normal running conditions does it shutdown and power off as expected? You might also run some tests on the boot drive. If that fails it can appear like that. Running processes continue to function but nothing can be started or logged. I would expect to see errors on the console though in that situation. Steve

You don't need a switch if there are only two hosts in the segment, there is no switching to be done. IMO at least. I wouldn't use a switch there. Steve

Not covering the break room with solid guest wifi is just, well, so uptight. 8 APs looks a lot better. Stuff will sing.

First thing to do here is upgrade to 2.4.3_1. This may have already been addressed. If it doesn't then we would need to see logs covering the reconnection that results in no outbound traffic. Steve

It depends how they 'discover'. But most use either mDNS which Avahi should cover or they using the SSDP component of UPnP which can be made to work using IGMP proxy. But it is by no means guaranteed. It's worth pointing out that the UPnP component in pfSense is only for Internet Gateway Device protocol and does not help at all with this. So don't enable it. Unfortunately all these manufacturers cater only for a single flat layer 2. If you attempt to add some security to your network by separating devices into different subnets you're outside their target audience and on your own. They could easily allow this by just giving you a box to enter the server IP but..... IMO. Steve

Yes I agree, I seems unnatural to do that. However I guess that by doing that you can add new nodes to the mesh and as long as they are in that subnet the system routing table does not have to change to reach them. Only the internal routing in the daemon. Steve

It's almost certainly Squid if you're running that. Either cache or logs. Try running at the command line du -hs /* Then drill down further to find what's using the space, e.g. du -hs /var/* Clear the Squid cache from the package menu of you haven't already. Steve

oh nice

Solution System > Advanced > Miscellaneous https://prnt.sc/kp9ek6

You are correct, that would appear to be a symptom of a failing disk

Hi ! I have already the same problem. If you have this error : 10.50.3.1 | FAILED! => { "changed": false, "module_stderr": "/bin/sh: /usr/bin/python: not found\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 127 } You can pass the interpreter /usr/local/bin/python2.7 in Ansible Variable ! In the /etc/ansible/hosts file you can put : fqdn_server ansible_python_interpreter: /usr/local/bin/python2.7 After this modification it's work fine !

I have unchecked the option last night and made some changes where i knew before the connections will be dropped and all connections remained active! Thank god it was that simple. I haven't checked the number of states before, i wouldn't risk the dropped connections for that anymore. I don't have any packages installed. Thank you for your help, this solved my case.

[image: 1535644318002-56505a32-dc30-4b9e-97a2-f2bb6a9981d5-image-resized.png]

I have a pfSense VM setup for just this. It's WAN is inside my usual lab network, but in its outbound NAT it translates anything that leaves (except its own WAN address). Then on the LAN side I have the rules allow any/any and I add VIPs to the LAN that mimic the "ISP" side of the statics I am testing. If the VMs on the inside have VPNs or DynDNS I try to block those in the LAN rules before firing them up so they do not interfere.

There are some backwoods providers out there that give customers a /32 WAN IP Address with a gateway outside of what would otherwise be their subnet. It's ugly, but it happens. As @Derelict said, no matter what we pick as the default it will be wrong more often than it is right. Using /32 as the default is less likely to break something than using /1 as the default, and any value in the middle is a wild guess.