• No Internet after initial pfSense configuration

    21
    0 Votes
    21 Posts
    3k Views
    stephenw10

    Port forwarding will not help at all with outbound connectivity.

    How are they failing? Unable to resolve IPs? No route to host? Just timing out?

    Steve

  • Noob: Comcast - getting odd IP Netgear CM modem

    3
    0 Votes
    3 Posts
    450 Views
    MikeV7896

    Comcast has a massive address pool, and has been known to move addresses around when doing maintenance or if they need more addresses in one area that aren’t being used in another. It’s not uncommon for two different routers to pull two different IP addresses in two different subnets either.

    Also, geolocation of IP addresses isn’t an exact science, so it may take a few weeks, or even a couple months, for an address’s location to be updated by the various companies that provide geolocation services.

  • Backup only of HAproxy configuration is it possible?

    8
    0 Votes
    8 Posts
    3k Views
    ejaj

    @stephenw10

    Thanks Steve for your help.

  • 0 Votes
    5 Posts
    473 Views
    ?

    Thanks for the feedback Jimp.

  • PHP Error

    9
    0 Votes
    9 Posts
    815 Views
    emammadov

    Thank you very much.

  • pfSense crashes after wire memory increase

    2
    0 Votes
    2 Posts
    374 Views
    jimp

    Are you using the DNS Resolver, perhaps? Maybe DNS over TLS? or DNSBL?

    We found out there are some memory leaks in the version of unbound shipped with 2.4.4. They were recently fixed upstream in Unbound, and we'll have them in 2.4.4-p1 soon.

    Those are the only known memory leaks at the moment that I can think of.

  • NTP server / WAN IF down, sluggish connection

    5
    0 Votes
    5 Posts
    528 Views
    badgast

    @chpalmer It's a SG-2220.... maybe you're right, but how? (via ssh..?)

  • This topic is deleted!

    1
    0 Votes
    1 Posts
    2 Views
    No one has replied
  • Firewall logs wan source ip 0.0.0.0 blocked

    26
    0 Votes
    26 Posts
    5k Views
    johnpoz

    sniff/packet capture on your wan... Open the capture in wireshark.

    Or just run a tcpdump with -e should also show it.

    Looks like you're seeing them every few seconds so your sniff should only need to be very short.

  • dns isp hijacking

    5
    0 Votes
    5 Posts
    753 Views
    KOM

    Start a new thread about it in the pfblocker sub. This has nothing to do with your 'DNS servers from ISP' issue. By unchecking that box, your ISP's DNS are no longer in your list.

  • Turn off ICMPv6 option 31(RDNSS host name)?

    7
    0 Votes
    7 Posts
    616 Views
    JKnott

    @jimp

    I see the line '$radvdconf .= "\tDNSSL {$config['system']['domain']} { };\n";'

    Will removing ['domain'] from that line remove option 31 from the RA? Or just remove the domain name, leaving an empty option 31?

    The reason I'm trying to do this is so that the pfSense RA matches the one from the cell phone as closely as possible, to see if this option is causing the problem.

  • pfSense within AWS environment

    3
    0 Votes
    3 Posts
    426 Views
    stephenw10

    Be sure to have source/destination check disabled if you're not NATing, which you probably aren't.
    https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck

    Steve

  • Issue with YouTube and other mobile apps not functioning

    2
    0 Votes
    2 Posts
    272 Views
    stephenw10

    You should upgrade to 2.4.4 if you're running 2.4.0.

    Check to see if those URLs actually resolve when the sites fail. What are your clients using for DNS?

    Steve

  • VPN L2TP and MacOS

    2
    0 Votes
    2 Posts
    446 Views
    stephenw10

    I assume you're using L2TP over IPSec rather than unencrypted L2TP?

    Did you ever see any hits in the firewall logs before adding those floating rules?

    If the VPN is actually dropping rather than the connection across it that sounds more likely something timing out. And since the Windows client seems unaffected it's probably something specific the MacOS client is setting.
    Do you see anything in the VPN logs at either end when the tunnel drops?

    I would recommend switching to IKEv2 mobile IPSec or OpenVPN to be honest. Both of those work well with current MacOS (and most other things).

    Steve

  • Is it possible to rename the interfaces?

    3
    0 Votes
    3 Posts
    992 Views
    J

    Thanks Steve.

    I think it wouldn't be a bad feature to have, or at least a way to order interfaces within the GUI, especially the monitoring parts; especially if one has many interfaces/Vlans.

    Cheers

  • Possible to set Content-Type with mail.php?

    1
    0 Votes
    1 Posts
    140 Views
    No one has replied
  • Private key weight 26GB?

    6
    0 Votes
    6 Posts
    568 Views
    jimp

    You probably mistyped that command in a way that caused openssl to fill up that drive or at least run until it died some other way. That isn't something you'd normally see.

  • How to watch disk usage and send mail in pfSense.

    5
    0 Votes
    5 Posts
    578 Views
    JKnott

    I did and nothing showed up. With something like a firewall, there shouldn't be such an increase in disk usage, as you might get with a regular computer. Maybe you should try finding out where those large files are coming from.

  • Upgrade made to display a crash message, what to do?

    2
    0 Votes
    2 Posts
    265 Views
    jimp

    If the crash report is empty then there is nothing to worry about:

    https://redmine.pfsense.org/issues/8915

  • Logs show different logs than expected

    2
    0 Votes
    2 Posts
    259 Views
    jimp

    You'll need to provide some examples of what you mean there. When you set a rule to log and then save/apply you will see a log entry for all new connections made from that point on -- not for every packet and not for connections already open when you clicked the apply button.

    If you want to see every packet of incoming traffic at that moment, use a packet capture, not the firewall log.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.