It's almost certainly pfBlockerng blocking access to googletagmanager which is commonly in ad blocking lists. It appears strangely because you have imported the untrusted CA that pfBlocker uses by default. You are seeing it because something on those host PCs is periodically reaching out to some site that includes it. Steve

@avsion Try this: [image: 1645960846207-capture.png]

Hmm, slightly odd presentation. Doesn't seem to be a regression though: https://redmine.pfsense.org/issues/11394 Steve

That should be all that's required assuming the wifi router is NATing to it's WAN IP. If the proxy is in transparent mode make sure there are no stale states in pfSense after making the change. What you should really do though is use a VLAN from the router/AP to pfSense as a different interface that you can exclude from Squid. It may not be possible with your device. Steve

@jimp said in SSH not working as it did before 22.01 upgrade: You'll need to make whatever customizations you made again. John, Jim, Thanks as always for your help, even if was just a nudge in the right direction. All back and working again. Funny those changes survived all the recent upgrades and the conversion to "+"... but this last one hosed it up. Now to get my backup SG-4860 built with the fixed ZFS install.

@stephenw10 said in Internet dropping randomly: gateway monitoring action Right so when you see gateway alarms it triggers the gateway monitoring action. But when you only have one gateway it;s not really necessary so I would disable the action. However the alarm will be for a reason. Usually and actual WAN issue but could be something just adding latency in firewall. That looks like a real problem though because it's packet loss. Hard to say if the 'pf wedged' error is cause or effect.

Interesting. What NICs does that appliance have? I would have expected anything that worked in 2.4.4 to also work in 2.6. Steve

Ooo, nice!

Ah, nice. Yeah if you lose one wire or pair but still have two pairs a lot of NICs/switches will detect that and fall back to 100M. Which only needs two pairs. Steve

@derelict Thanks Anyway.

If you're unable to reach the pfSense webgui that sounds like either an issue LAN side or some routing conflict, like maybe your modem lost sync and came up with an IP the same as the LAN subnet? Did you try connecting out from the console directly? That's what I would do, determine exactly what is failed so: Check the interface addresses, at the command line: ifconfig -a Try to ping out by IP address and by fqdn. Check the routing table: netstat -rn Steve

...tl;dr don't browse the web from the same session you admin your firewall. And also: run the browser for administering pfSense under a different OS account than the one you use for browsing, and add an OS firewall rule to prevent inadvertent general browsing from the pfSense browser.

@stephenw10 I only tried from 22.01 to 2.6.0; there, the same issue appears.

@linkp FWIW, I just came across this video, though I haven't watched it yet. Why The ZFS Copy On Write File System Is Better Than A Journaling One

@stiu81 For the CA : Export a Certificate Authority You will also find Export a Certificate. Btw : You have to go here Diagnostics > Backup & Restore >Backup & Restore very regularly. The backup file that you export will include the all certificates.

@stephenw10 said in Source address not NATed during OpenVPN startup?: Mmm, indeed. Can you see what rule 122 is or was when the OpenVPN is up? That rule is from after OpenVPN came up. I don't know what the numbering was before it came up; it would be tricky to get; I'd probably need to write a script. This starts to look like a stale state somehow. Well, I did find that setting Reset All States in System/Advanced/Networking reduces (but does not zero) the number of bad packets.

@hellegaard1 a vlan is a vlan is a vlan... it is supposed to divide networks. As johnpoz said, you can´t discover across vlans, without some special configurations. But just use an unc path to access your devices, if you would like to stay with different vlans for your devices. But all this is outside Pfsense stuff. If you have an AD Server you can go with Group policies ... but this is beyound the scope of yr question.

First of all i want to thank everybody for their help and suggestions. After more than a week testing and changing settings, the issue is discovered. In my setup i was using a switch that not supports VLAN. I immediately bought one that supports it and now there are no more drops. Totally forgot to check that part of my setup, but i'm glad it all has been solved. Again thanks for the support of this community!

Ok, well of you are outbound NATing that traffic from pfSense to WAN2 you might be OK. I could still imagine it receiving and ICMP redirect though. It you're not outbounf NATing in pfSense it's definitely asymmetric. https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html You should remove the asymmetry anyway, it will bite you at some point. Put the WAN2 gateway device in a separate transport subnet so all traffic passes pfSense. Steve

When you ping from pfSense and leave the source set to auto it will use the closest logical IP. In this case that's probably the Wireguard tunnel address. Try setting that as the source. Then try setting the LAN as source. It looks like you have either a missing route or firewall rule. Probably at the node2 end. Steve