• The firewall has encountered an error Diagnostics Crash Reporter

    6
    0 Votes
    6 Posts
    886 Views
    stephenw10S
    Potentially it could have been a failing disk causing that shutdown panic, yes. Certainly there is a problem with it if it disappeared from the BIOS entirely. Steve
  • New interface - no internet

    5
    0 Votes
    5 Posts
    654 Views
    M
    Yep, I'd check your NAT statements. You'll also want to isolate whether you actually can't get to the internet or have a DNS issue. Can the clients resolve google.com? Can the clients ping 8.8.8.8? Can you ping 8.8.8.8 from pfSense when sourced from the OPT9 interface? Are you using the forwarder or the resolver? If using the forwarder, is it listening on the OPT9 interface? If using the resolver, two questions... is it listening on the OPT9 interface and if you're using ACLs... was 192.168.243.0/24 added to the allow list?
  • Issues when HAProxy started

    1
    0 Votes
    1 Posts
    288 Views
    No one has replied
  • netgate 5100

    22
    0 Votes
    22 Posts
    2k Views
    stephenw10S
    One thing to be aware of here is that the OpenVPN rules tab applies to all OpenVPN connections. If you have an OpenVPN server running already you probably have an allow all rule there so that connected clients can access resources behind the firewall. But when you get the ExpressVPN connection working that rule will also apply to it and you don't want to allow random connections from ExpressVPN! So make sure that rule is limited to your own subnet as source. Or alternatively assign your server as an interface the same way as the client and then you can apply the rules to those interfaces individually. Steve
  • Whatsapp video and voice calls stopped working

    12
    0 Votes
    12 Posts
    1k Views
    stephenw10S
    It's very easily done. Ask me how I know!
  • How to build IPSec S2S VPN with multiple subnets/hosts on both sides?

    4
    0 Votes
    4 Posts
    829 Views
    stephenw10S
    If you are using pfSense on both sides as long as you're using IKEv2 and do not set 'split connections' it will do this by default. You will see one childSA created for all defined subnets on each side and it will carry traffic between any of them. But, yeah, I would probably use route mode IPSec (VTI) also. Logically easier to define. Steve
  • Minimum requirements for 400 Users

    15
    0 Votes
    15 Posts
    2k Views
    tharinduudayaT
    @stephenw10 Thanks steve appreciate it :)
  • autossh on pfsense

    16
    0 Votes
    16 Posts
    2k Views
    _
    @johnpoz said in autossh on pfsense: @_sko_ said in autossh on pfsense: tunnel let the MySql server to be configured in a more secure way So you have hackers or botware running on your local network? You stated that this "wan" is not connected to the internet. So who has access to this "network" where this mysql box sits? Your devices, your users? Are your own devices and users considered hostile? I stated wrong. Sorry but my English is a little bit rusty. The local network has a gateway and is connected to the internet but you are right, just a much too complicated solution for the problem. I just enabled a rinetd rule for the pfsense firewall in the MySql server et voilà. Thanks!
  • update_alias_url_data stalls packet flow

    19
    0 Votes
    19 Posts
    2k Views
    pitchforkP
    @stephenw10 nada!
  • PFSense, Active Directory and SSH

    1
    0 Votes
    1 Posts
    416 Views
    No one has replied
  • pfSense APU3C4, Gigabit and PPPoE

    pfsense pppoe
    11
    0 Votes
    11 Posts
    1k Views
    24unix2
    @stephenw10 After some further reading: I enabled Software flow offloading and hardware flow offloading. Now, I will wait for a while what Zabbix measures …
  • LAN access lost when pfSense WAN interface down

    10
    0 Votes
    10 Posts
    1k Views
    stephenw10S
    Oh, you mean you can't even connect to LAN hosts from other LAN hosts? Yeah that never goes through pfSense so definitely a problem at a lower layer somewhere. Steve
  • Share you setups! How are you keeping yourself safe online?

    5
    1 Votes
    5 Posts
    835 Views
    keyserK
    @deanfourie Good idea. 1: SG-6100 with BiDi SFP for direct Fiber to the Home attach 2: Two VLANs - Home network and Guest network. 3: Aruba CX-6100 switch and Aruba IAP-315 APs with detailed per-device IPv4/IPv6 L2/L3 access lists enabled - based on client MAC address (too much hassle with 802.1x for wired home networking). One SSID and all wired ports are “colorless”. MAC address defines which VLAN, role (access rights) is assigned to you. Five network roles defined in switch/AP: ADMIN, CLIENT, IOT, SECURE IOT and GUEST. Role gets assigned from Radius based on client MAC address. 4: FreeRadius on pfSense with all well-known MAC addresses defined and assigned their appropriate role. Unknown MAC addresses get assigned the Guest role. The trick here is that different device types (not guests) are still in the same VLAN/IP subnet and can find each other (broadcast/arp) if allowed by the ACL role assigned in the switch/AP. 5: pfBlockerNG for Geo based aliases blocking inbound sessions to whitelisted countries. Russia, Belarus, China and North Korea blocked completely inbound/outbound. 6: pfBlockerNG for IP based blocklists and well-known offending IPs 7: pfBlockerNG DNSBL with about 12 feeds active to block tracking, ads and phishing - including DOH blocking. 8: Occasionally NTopNG active to spy and monitor traffic, but for unknown reasons, NTopNG adds a 20 - 200 ms latency to occasional packets once in a while (noticeable), so it’s not running permanently. 9: Destination NAT on ANY outbound DNS, NTP requests from internal interfaces. Rerouted to pfSense NTP and DNS server.
  • Upgrade 2.5.2 to 2.6.0, upgrade success, Limiters not passing

    Moved
    129
    1 Votes
    129 Posts
    47k Views
    stephenw10S
    That's correct, there is no run-time patch for the issue. https://redmine.pfsense.org/issues/12954 Steve
  • Notification error

    6
    0 Votes
    6 Posts
    986 Views
    Z
    @jimp Thanks ... 2FA and App Password solved the problem
  • Basic 2 interface LAGG help

    4
    0 Votes
    4 Posts
    551 Views
    stephenw10S
    Only ports 23 and 24 should be in the LAGG on the switch. Check the output of ifconfig lagg0 in pfSense. If LACP is correctly set up it will show '<ACTIVE,COLLECTING,DISTRIBUTING>' on each port. You are not using a VLAN for the captive portal interface in pfSense so you shouldn't have any VLAN config in the switch for the lagg or port 7. Including VLAN trunk enable. Steve
  • increase in ram usage

    2
    0 Votes
    2 Posts
    533 Views
    fireodoF
    @enesas It's probably in context of this: Memory Leak Memory Usage As far as I read it should be fixed for CE 2.7.0 and PF+ 22.05 ...
  • Disk Full - but not seeing how

    9
    0 Votes
    9 Posts
    1k Views
    B
    @derelict I had lost webui access entirely... so I didn't have the opportunity to see the capture process still running. I had forgotten about it. Likely because the file being removed is still open by the capture process. Is there a command to see what files have open file descriptors?
  • Newbie question, just want to use VPN function not as router.

    8
    0 Votes
    8 Posts
    944 Views
    stephenw10S
    Yup, that^. You just need to change the pfSense LAN subnet to something other than what the ISP router is using. The default 192.168.1.1/24 for LAN will work if it's not already in use somewhere on your network. But I suggest you don't use that, especially for a VPN server, because it can easily conflict with remote VPN clients. Use something obscure instead like, for example, 10.100.10.1/24. Steve
  • IPv6 - set static address on tracking interface

    3
    0 Votes
    3 Posts
    658 Views
    C
    @jknott it looks like - thank you.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.