In Status > IPSec you should see traffic on the packet-counters for both P2s. If you don't they either don't match the traffic or your firewall rules don't.
@stephenw10 Yes, indeed :-). When pinging something continually and the problem occurs it will fail until pfSense+ ages and renews the ARP table entry or, as with my script, any ARP Request containing the layer-2 and layer-3 addresses of the pfSense+ WAN interface is transmitted to the ISP.
Thanks @stephenw10.
Andrew
@Unoptanio said in About Status/DHCP Leases:
"on line"
is still shown. Here :
[image: 1718009737456-7751a241-64e0-4f99-93a7-035954be5abd-image.png]
the green arrows.
And before you ask : "on line" or the green arrow means probably something different as what you might think.
"On line" or the green arrow means : the IP is in the "arp cache". See here Diagnostics > ARP Table
pfSense, or the DHCP server, is not 'pinging' (or something else) every (lease) IP every xx seconds to see it it replies.
Static or not : the admin knows what leases are static, as he set them up as static.
But I get it : why showing 'n/a' twice, even if it's true, if the word "Static implies the same. Not sure why that was changed.
@stephenw10 hahah, but its good... I believe this comment could be considered as covering the no route problem, or wrong route
"what your pinging either sending its answer to somewhere else"
But I like the clarity of making sure route is there to send it to back to pfsense.. Will keep that in mind for next thread we get about such an issue. Which I know there will be, since it is a common question to be honest ;)
@markdudov said in WAN packetloss:
@stephenw10
In what cases are the gateways dropping ping requests?
Also in case for example, when You have Your ISP's device (mediaconvertor-router) ETH up, and assigned IP by ISP's DHCP, BUT PACKETS BLOCKED on ISP's core level.
That should be fine. And, just to be clear, I would have expected what you did before to also be fine. pkg shows that it sees that as an upgrade and takes appropriate action.
It shouldn't be possible to have two versions on the same pkg installed.
Also I checked my plus. It is appropriate version on plus.
And no, this isn't holding out stuff for paying customers and shafting the community...cert token auth is generally an organization that should be paying the license fee anyway. Home users just plain don't do that very often... nor is it exploitable reasonably. Same with the system names thing. This is a rare thing...even more rare in non professional roles.
@markdudov so you want to generate a key for the ntp server on pfsense so your clients can auth?
Not sure pfsense has support for that option, pretty sure the ntp auth they have available is for pfsense to auth to some ntp server as a client.
"Authentication allows the NTP client to confirm it is communicating with the intended server, which protects against man-in-the-middle attacks."
And I don't believe they allow for talking to more than 1 ntp server with different keys either.. Maybe in 24.03 or I know there is some patch or working on a patch for ntp auth.
Personally I don't understand the use case for auth for local ntp.. You concerned that there will be some rogue ntp server on your network and you need to make sure your talking to the correct one via auth? Or that only your own clients on your own network are validated via auth to your server?
Seems like extra work/config/setup for like zero benefit other than a complexity that could cause issues.. In what scenario on your own local secure network does this added complexity provide added anything? Is someone going to get on your own local network and fire up some ntp server to do mitm on your ntp traffic? For what purpose exactly? And how would they go about such a thing without having physical access or already compromised your wifi?
@skogs windows added ssh many years ago.. But they always seem to be behind last I looked.
I always just install this openssh version
https://www.mls-software.com/opensshd.html
@anotherguy82 Tons of people run pfsense virtualized on Proxmox and I think the most common setup is to have dedicated NIC's for both WAN and LAN. And the preferred setup is to do passthru (IOMMU) of those NICs so that pfsense is the only machine accessing them (giving optimal performance).
So you assign two out of your four NIC's to pfsense and the others will be available to Proxmox and your VM's. Nothing other than pfsense WAN is exposed to the internet.
You have to make sure virtualization is enabled in the Optiplex BIOS to make this work though.
On the topic of VLAN's, yes your TP-Link Layer 2 switch will support that perfectly fine.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
