No, there is no port knocking implementation in pfSense. Yet. There is at least one open feature request: https://redmine.pfsense.org/issues/8547 Steve

You can't route via a gateway group and you can't set a metric on a route directly so using dynamic routing, like OSPF, is usually how this is done. You could just use policy routing if the PA can do some sort of reply-to to make sure replies come back over the same link. And if you only need to open connections toward the PA. Steve

@barth https://docs.netgate.com/pfsense/en/latest/development/feature-requests.html#requesting-new-pfsense-features

@jbeez fixed... definitely user error. I was restoring a filter.inc from a prior version. Restored the proper one and its good to go.

@tyler_rm your links vs just posting the image here is a bit off putting for someone wanting to help. Here is a post I did year a go or so on how to validate if avahi is working. https://forum.netgate.com/post/1003226 I personally am not a fan of breaking the L2 barrier like this - but in the link I go over how to actually validate if its working or not, etc. Hope that helps.

@stephenw10 This worked thanks guys!

Go to Firewall:System -> Advanced -> Firewall & NAT: Firewall Maximum Table Entries value of "800000"

@denverdesktopssupport Sounds like you'd be interested in Zabbix? https://www.zabbix.com/integrations/pfsense

@tyz Also if you want to know when something is down etc - setup a external test. status cake or uptime robot allow for free testing. I get alerted if my plex server goes down for example ;)

If the NIC/driver doesn't report it the OS has no way to know. Usually they do but SFP modules introduce a lot more variables and sometimes it will link fine but not report a speed or report as 'unknown'.

@johnpoz and that's the edited version! :D

@jarhead thank you! after several tries and errors i am less confused now :)

In System > Advanced > Misc you need to set Skip rules when gateway is down. Otherwise the pass rule is still created but without the VPN gateway set when it goes down. Hence the traffic leaves over the WAN directly. Steve Edit: What Bob said!

If it's a VM you should be able to see the memory use in the hypervisor. But you can also see it in Status > Monitoring in pfSense directly. Steve

Is it actually pulling a DHCP lease correctly? Showing a valid gateway? If the WAN shows as UP but you cannot connect out on it you may have a bad lease there. A cable modem handing out private IPs for example. Steve

You might have the AT&T homegateway device that requires shenanigans to get a true 'modem' mode. What's the actual model number?

I've never used Adguard so I can;t comment on the specifics there but if it's just DNS filetering then I'd expect to just set the DNS resolver in pfSense to forwarding mode and enter the Adguard IP in Sys > General Setup. Of course that will filter queries from pfSense itself too. I just use pfBlocker on pfSense itself to do that. Steve

Assuming the AP management is in the same subnet it too would need an ARP entry in order to reply to connections from the client. If pfSense is losing it's ARP entry or has a bad one the AP may well be seeing the same thing. When it fails do you just see no ARP entry rather than a bad entry? With no entry it should just ARP for the device to create one. You should see ARPing entries in the pcap. Make sure you're not filtering them. If the wifi interface became detatched n the client I imagine that would blow away any ARP entries that were built on it. I would still expect the client to just send ARP queries as soon as it re-attached though. Steve

@johnpoz The fun thing is the webserver behind the DMZ does vhosts so that is why there is a wildcard in the DNS for the domain.