Hi all, I posted the cause previously. The problem was simply that pfsense was not the default GW on the LAN. GW @ 10.0.0.1 pfSense @ 10.0.0.254 pfSense was set up in parallel to the existing GW so it could be configured to replace the existing GW. As pfSense was not the default GW none of the LAN traffic was being routed there and accordingly the modem GUI could not be accessed from the LAN. Simply adding a 2nd GW of 10.0.0.254 to the workstation, temporarily, allowed the modem GUI to be accessed.

@johnpoz I think bigger box would be fine .. keep in mind i virtualized pfsense vm on a server with 5GB of ram just for it anly 2 instances of suricata activated one on wan and other on one of my lan interfaces and that consumes about 3GB on normal and adding one more instance increase it to 4.5 and go to swap part :D

Ah, well a power cut would explain it!

@dobby_ thx Not long ago, the Odroid H3+ board was introduced. The positive thing is that the MB has 2x 2.5 GB NICs (Realtek, no Intel chip). CPU N6005 If I had known that 1GB of traffic could really handle it, I would have considered buying it. Odroid H3+

How are you testing exactly? What hardware are you using for pfSense? I assume the interface MTUs are all at least 1500? Steve

We can convert that for you but you should be able to import it into the 6100 directly. It will ask you re-assign the interfaces from the VLAN on mvneta0 in the 1100 to whatever NICs you want to use the 6100 and then reboot to that. If you have additional VLANs you need or PPPoE interfaces etc it's usually easier to modify the config in advance. Steve

Hmm, well pfSense does have the ability to send different boot files for different client types so you may be able to do that: [image: 1666659180710-screenshot-from-2022-10-25-01-52-30.png] Otherwise you would need to arrange some sort of override for the auto-generated conf file. I thought there might be something build in for that, like there is for mpd.conf, but I cant see anything. Ancient but would probably still work: https://happy-coder.com/2014/06/27/pfsense-custom-dhcpd-configuration/ YMMV! If you do find something that works you might drop a reply here as that looks like the same problem: https://forum.netgate.com/topic/174712/ltsp-on-vlans-pfsense Steve

Mmm, fun*. I'll have to watch out for that.

@febu see [image: 1666641600688-405070ad-8da8-468b-b50d-7634b0cb8dfd-image.png]

Almost certainly this: https://redmine.pfsense.org/issues/12873 There are workarounds in the linked thread there for 2.6 if you need to use that. Steve

Huh, interesting I missed that.

Yup. Using VLAN1 bad! https://docs.netgate.com/pfsense/en/latest/vlan/security.html#using-the-default-vlan-1 Steve

Yup, that would work. Traffic blocked by Snort shouldn't appear under the default block rule though. Snort has it's own rule it blocks with in Legacy mode. Or in in-line mode it blocks before the firewall rules are parsed anyway. Steve

@stephenw10 I will make sure it's set to that, thank you so much for helping me through this! I guess we can close the issue. I think I'm good now. Appreciate it.

@gertjan Thank you. Much easier to navigate. It never occurred to me to access via SSH other than from the serial port. The firewall is located in an inhospitable location that makes it difficult to use a direct connection. I'm on now using Putty.

@stephenw10 Yes, you are correct. That was impacting the system. I first setup a test system in lab with same 2.6 config and performed a webgui update 2.6 to 2.7.0-DEVELOPMENT. On 2.7.0-DEVELOPMENT the system does not exhibit the issues described in first post. On production machine I followed your instructions and applied patch "Disable pf counter data preservation to temporarily work around latency when reloading large rulesets (Redmine #12827)". Issue appears resolved. Thank you!

Or roll back to a snapshot in Proxmox if you have one.