• How do you Separate DNS from WAN and VPN

    2
    0 Votes
    2 Posts
    286 Views
    stephenw10S

    Probably your VPN provider is pushing a new default route to pfSense and that changes what Unbound uses to query root servers.
    That is assuming you're running Unbound and it's in resolving mode.

    That's not double NAT though unless your VPN provider is also giving you a private IP address.

    You could try setting a static DHCP lease for the PS4 and handing it a DNS server to use directly rather than using Unbound in pfSense. If you already have policy routing in place for it then all its traffic, including dns queries, will use the WAN directly regardless of the VPN status.

    Steve

  • General system failure (still)

    11
    0 Votes
    11 Posts
    1k Views
    stephenw10S

    Hmm, odd. Doesn't seem like anything I've seen but I'll be watching for it now. Thanks for the write up.

    Steve

  • Crashing after restoring from backup

    7
    0 Votes
    7 Posts
    759 Views
    stephenw10S

    It does but only the config version at the start of the file. Fortunately there is a handy reference 😉

    https://docs.netgate.com/pfsense/en/latest/releases/versions-of-pfsense-and-freebsd.html

    Steve

  • WAN Down - Unable to connect.

    19
    0 Votes
    19 Posts
    2k Views
    stephenw10S

    Well I can tell you struggled for a while with the HG612 and eventually swapped it out for an ECI and never looked back.

    When it failed it usually stopped passing traffic completely so the PPPoE would go down. All the LEDs just remained solid on it.

    I had thought you might be hitting this: https://redmine.pfsense.org/issues/9148

    I saw that a few times in 2.4.4 but have not seen that since that patch was included in 2.4.4p1. I don't see that in your logs specifically either.

    Unfortunately we can't see what happened that started the failure at 10.25. The first log entry shows the PPP session closing already:
    Feb 5 22:27:14 pfSense ppp: [wan_link0] PPPoE: connection closed

    However the failure at 00.01 was initiated from the remote side. It came back up by itself though.

    If we can get the log showing the connection fail that might help. Not guaranteed though.

    I have nothing special set here and it "just works".

    Steve

  • How to use pfSense as a firewall for my already deployed VPN server?

    4
    0 Votes
    4 Posts
    299 Views
    johnpozJ

    Putting a vpn server behind an edge router can be problematic yes.. Your trouble is making sure you don't run into asymmetrical traffic..

    Normally you would put your vpn server into a transit network off your edge..

    Running the vpn on the actual edge router is so much easier.

  • 0 Votes
    2 Posts
    323 Views
    jimpJ

    This area of the forum is English, if you wish to post in multiple languages, make a separate post in a language-specific category under pfSense International Support rather than putting both in a single post.

    That said, there isn't a way to force it to reload the entire config completely from the command line live, but you can do this:

    cp config.xml /conf/config.xml
    rm /tmp/config.cache
    /etc/rc.reboot
  • Multicast IPTV, igmpproxy issues, BT TV, BT Sport 4K

    13
    0 Votes
    13 Posts
    9k Views
    M

    I followed this guide to the t and I still could not get my BT box to even connect to the internet.

    I eventually found it was because of IPv6. I disabled the DHCP server for IPv6 and changed my LAN interface to have "none" for the IPv6 config type.

    I hope this helps someone :)

  • Resolver access lists : is at least one always needed?

    6
    0 Votes
    6 Posts
    2k Views
    P

    @jmacdonald I have the exact same question and would love to see some comments on it. Thanks!
    Also, what is the rule to add in order to have "Allow All"? I tried 0.0.0.0/128 but that didn't work.

  • Problems with NEST cameras after fresh install

    12
    0 Votes
    12 Posts
    2k Views
    H

    I am not blaming pfSense. I ran pfSense for quite a few years up until 2016 when I moved. My internet service has since changed at my new house. My old APU2 hardware worked fine with my old 15Mbps cable connection. Now that I am on vDSL I was more leaning towards the issue being hardware related. Unfortunately I did not have the time to do any thorough troubleshooting as I had to have my network back up and running ASAP with my cameras working. Regarding the Routerboard switch, the default settings were applied. I simply unboxed it and plugged it in to the LAN port of the pfSense box. My goal of posting on here was to see if somebody experienced something similar with NEST or other security cameras. I was hoping the setup would be as easy as it was in the past but unfortunately it isn't.

  • Console in AWS

    Locked
    5
    0 Votes
    5 Posts
    579 Views
    D

    Okay thank you

  • Crash Log pfSense 2.4.4-p2 Hyper-V 2012R2

    5
    0 Votes
    5 Posts
    630 Views
    F

    Will do that

    Thank you both very much!

  • load balance pool working with WAN but not with LAN

    4
    0 Votes
    4 Posts
    421 Views
    X

    @jimp Yea I thought about it but I'd like to keep it minimal for now. Just wanted to post the solution here, took me a while to find it. Wasn't obvious to me

  • 0 Votes
    9 Posts
    1k Views
    johnpozJ

    Are you running some sort of vpn client setup?

    Here is the thing out of the box rules on lan are any any... And pfsense will nat all from its lan to its wan IP.

    So if your WAN network is 10.1.1.0/24 with pfsense wan IP being 10.1.1.1
    And your lan network is 10.1.2/24 then all clients will look like they are 10.1.1.1 when they talk to your wan network, ie pfsense wan IP.

    If I had to "GUESS" to your problem you're forcing traffic out some vpn gateway on your lan rules - which we would know if you could post a simple screenshot vs making gifs with zero information in them.

    Other guess would be you have the wrong mask on your clients and they think that 10.1.1 is the same network as 10.1.2 say example a /8 which is what windows would default mask to, etc. etc. So how about you post up a config of your clients.. Show a traceroute to say 10.1.1.1 and one to 8.8.8.8

    And post up a picture of your lan rules - and validate you're not using any sort of vpn, and or are your clients pointing to any sort of proxy or using their own vpn client.

  • Daily Scheduled Reboot without CRON?

    3
    0 Votes
    3 Posts
    436 Views
    RicoR

    Why would you daily reboot your pfSense?

    -Rico

  • Network interface mismatch

    5
    0 Votes
    5 Posts
    875 Views
    M

    Thank you, that's actually the way we are currently using it (not with pfsense though) , but because of the quantity of the modems it gets really expensive to have a 4G router for each modem.

    I love the fact that pfsense is so easy to configure and just works out of the box with 4G modems, just the reboots are giving me headaches now )

  • Cacti monitoring with connections?

    2
    0 Votes
    2 Posts
    304 Views
    jimpJ

    I haven't used cacti in years but I seem to recall a FreeBSD+pf or pfSense template around that hit the pf MIBs to track some things like that. If nothing turns up here, search on the Cacti forum.

  • 0 Votes
    8 Posts
    802 Views
    stephenw10S

    Well if you dig deep enough you can do whatever you want. You could potentially add a line to the gateway down script that restarts the PPPoE link. It would likely take some trying to get it working as you want though.

    Steve

  • couple of question about pfSense

    4
    0 Votes
    4 Posts
    301 Views
    stephenw10S

    You want to be able to decrypt random SSL/TLS TCP traffic, inspect the packet contents and filter based on that?

    No, you can't do that, short answer.

    If you proxied the traffic in pfSense you might be able to do it using custom rules in Snort/Suricata. I've never seen anyone do that though.

    Steve

  • SG-2440 Gigabit WAN

    5
    0 Votes
    5 Posts
    779 Views
    chrismacmahonC

    It depends on the switches, cables, network load, etc. No you shouldn't lose that amount in your switches.

  • Removing Varnish Server, Routing Directly?

    4
    0 Votes
    4 Posts
    423 Views
    johnpozJ

    There is a whole section of the forum related to using the proxy if you have questions
    https://forum.netgate.com/category/52/cache-proxy

    It includes squid proxy and such but any questions you have about haproxy would go there as well.

    Here is some more info on the package
    https://www.netgate.com/docs/pfsense/packages/haproxy-package.html

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.