That looks to be working fine, it pulls an IP and then renews it every hour. Was it not working at that point?

pfSense is also an enterprise-capable firewall. I don't think you'd want to bet your real business on a Linksys or Asus from Walmart. Looking at it this way, you are getting enterprise-level performance and security for your home net at no required expense except what it takes to learn to manage it. Of course, being open source, you can always get creative and roll your own: https://github.com/pfsense/

Hi, Sagardawa!
I do not mean to bother you but the files you uploaded seem to be removed.
I am now trying to settle my PPPoE server with a service name so that the clients would not connect to the undesired server.
Could you kindly send the files again?

Right but it will be limited to "converting" the media on the other side, which 1Gbit fiber.

Not the same thing.

If you want the same thing, use a switch to "convert" from fiber to copper.

Glad it's working. Yep, plugging the AP it into the switch is the preferred deployment. However, the other way would have worked also. All you needed were firewall rules on the re0 interface allowing the traffic out and then a NAT entry on the PIA interface for the 192.168.2.0/24 subnet.

Finally tracked the issue down which was with the firewall state sync.

This was setup on seperate interface and seperated from normal LAN traffic via 802.1Q VLAN on switches (the two routers were in different areas and weren't possible to run another cable through). No idea why this was causing such problems but disabled now and rather a brief connection interuption if it switches over.

if you have control over those devices:

https://docs.netgate.com/pfsense/en/latest/cache-proxy/wpad-autoconfigure-for-squid.html#setting-up-wpad-autoconfigure-for-the-squid-package

or you can start messing with fake ssl certificates todo this transparently ... but thats messy

@angdigi said in Remove LAN interface:

Isn't this considered "flapping". Maybe it's something on the NIC that's causing the issue and not the ISP....

Flapping is generally a term for when a mac address moves rapidly between different ports on a switch / switches.

@danneh82 said in pfSense halving Virgin fibre connection speed:

Swapped data ports (luckily ran extra drops!) and now getting full speed.

The problem is probably at one of the connectors. Reterminating the cable should fix that or perhaps there's a bad connector. The cable itself rarely goes bad, unless physically damaged.

Yes, there's no way to do that directly. You can try using the Netflix ASN in pfBlocker to create an alias then use that in a policy routing rule. https://forum.netgate.com/post/848939

Steve

Another vote for replacing the USG with PFsense. I haven't seen anything in your diagrams that would warrant having two firewalls in your environment.

There's no other way I'm aware of I'm afraid. If you need to use source hash you need to use a subnet as the translation so you need to use a set of smaller translation rules.

Steve

nice! I'm working on a similar project. when I circle back to pxe boot from pfSense I'll expand on this.

I would check for a missing or bad default route when this happens. Diag > Routes

If there is no default route client traffic will not be able to get out. pfSense itself would not be able to ping out to arbitrary sites.

However the gateway monitoring will show onlint because that has a static route via the WAN gateway.

Do you have more than one gateway in System > Routing > Gateways?

If the default IPv4 gateway is set to automatic setting it to the WAN dhcp gateway instead should get you back a default route if that is what you're hitting.

Steve

Hmm Ok, well I know you can order from Voleatech: https://www.voleatech.de/de/produkt/sg-5100/

They are probably closest to you and have stock of most of our devices.

Steve

As is always the case, I was able to resolve this immediately after posting.

the comments in https://www.ceos3c.com/cloud/aws-with-pfsense-part-2-route53-dyndns-with-pfsense/ suggest that there is some uncertainty around prefixing the zone id with "us-east-1" which may have changed around 2.4.0. My old VM had been through many upgrades so perhaps it was still working with the old value while my fresh install on the sg-3100 was not.

I deleted the dynamic DNS entry entirely and recreated it from scratch with just the hosted zone ID sans the us-east-1 prefix, and it worked immediately.

Hopefully this proves useful to someone in the future.

@stephenw10 said in PfSense and Disabled Interfaces:

You're right. Yes really network cards were messed up (by FreeBSD itself). re0 became re1, and vice versa. Defined it as you advised on MAC addresses.
Changed their places in the slots. re0 became re0, re1 became re1.

kernel ae0: phy read timeout: 17.
kernel arpresolve: can't allocate llinfo for on ae0
In the interface properties, remove auto-negotiation and set the exact connection speed, for example 100 FD.

Hi Sir Steve,

Just to give you an update, my client is now able to ping external IPs, I just changed the Default gateway from None to Automatic under System>Routing>Gateways. Kindly see image below:
DFG.png

My problem right now is, still my client was not able to access the internet or even ping 8.8.8.8 or google.com. Can you help me troubleshoot with this? I can't see any problem with our set-up. Below are some of my configs:

WAN INTERFACE.png

ROUTES.png

GATEWAYS.png

YOUR HELP IS GREATLY APPRECIATED, SIR STEVE! :) GOD BLESS!