  • Dynamic DNS

    3
    0 Votes
    3 Posts
    481 Views
    stephenw10

    DynDNS works fine in everything I've tested. There have been some glitches with some services in the past and there may be in the future, usually when services change their API etc. Right now I'm not aware of anything that isn't working though.
    You can check the redmine for open dynamic DNS issues.

    Steve

  • Automatically packages were re-installed when I click the download backup.

    Moved
    10
    0 Votes
    10 Posts
    977 Views
    S

    @eeebbune Install the System Patches package, and then under System/Patches apply that patch I mentioned.

  • Cloud pfSense Firewall for on the Go

    5
    0 Votes
    5 Posts
    819 Views
    NollipfSense

    @nogbadthebad, @Cool_Corona, @stephenw10

    Thank you all for responding. I have discovered OpenStack's Neutron network and Open vSwitch possibility and have installed OpenStack on VirtualBox to play with over the weekend. However, you all are correct that using home via VPN would be the best option for the iPad pro.

  • New setup, first time user

    18
    0 Votes
    18 Posts
    2k Views
    stephenw10

    If your ISP has massive buffer-bloat you're going to see large latency increases when traffic increases however powerful your router is. To actually address that you need to use some traffic shaping on the firewall.

    If you only have one gateway defined it will always be the default route and pfSense will always try to use it. However it will still trigger a bunch of scripts that aren't required if you only have one. So I'd recommend editing the gateway and setting 'Disable Gateway Monitoring Action' to prevent that. However if you move the load-balancing over to it you will need to re-enable it.

    Where do you lose internet access from when you connect the 192.168.88.0/23 devices? What are you actually doing to connect them?

    Steve

  • NTP Configuration for LAN & VLANs

    17
    0 Votes
    17 Posts
    4k Views
    stephenw10

    Personally I use the default setup for NTP. You don't ever want to expose that to the WAN but the default firewall rules prevent that.

  • DHCP fails on WAN interface multiple instances

    2
    0 Votes
    2 Posts
    357 Views
    E

    @erikig And I figured out what was happening. A confluence of events. On the one side, yes the ISP’s DHCP server went offline although their front-line support kept insisting nothing was wrong. (Yes, I know the fibre is up, that’s not the problem. 😔).

    What caused all of the odd secondary behavior was that the syslog server crashed and as a result pfSense started generating huge amounts of logs (notably system.log) which filled up the disk which resulted in all sorts of things breaking like DHCP etc.

    Clearing out the excess in /var/log and rebooting put things back on track. Other than of course the original source of the problem which the ISP finally acknowledged 4 hours later with a generic “there’s an incident impacting your line”

  • Local LAN clients to communicate with L2TP VPN clients - possible?

    14
    0 Votes
    14 Posts
    2k Views
    stephenw10

    Nice. Yeah if it's really just L2TP without IPSec then you really need to be aware of what's going across it. Leaving it enabled shouldn't really be a huge problem since only traffic from the configured remote site would ever be allowed.
    I would still investigate using something other than the LTE router to terminate a VPN so you can use a real VPN if you can.

    Steve

  • Issues Getting Tailscale to Work in One Direction

    8
    0 Votes
    8 Posts
    1k Views
    stephenw10

    Ah, yes IPSec will grab that traffic and it's not obvious. 😉

  • pfSense "Random" reboots

    9
    0 Votes
    9 Posts
    894 Views
    stephenw10

    Yeah, not seeing anything that looks like a memory leak or CPU use.

    If you can hook up a console and log that you might catch something that doesn't get entered into the logs.

  • 0 Votes
    6 Posts
    987 Views
    V

    @stephenw10 Yeah ok, looking at the emails I got, it looks like the UPS ran out of power before it could fully shut down, but it was shutting down when the UPS ran out.

  • Logged in users

    5
    0 Votes
    5 Posts
    631 Views
    R

    @michmoor Yes.

  • PFSense blocking Visible.com site only

    4
    0 Votes
    4 Posts
    553 Views
    P

    Yes I agree and thought it was originally. Most common reasons for 502 error is server side but also can be network related.

    Turns out NOT PF Sense ("probably not PF " == NOT PF) but probably the Ubiquiti gear. I just got out some cables and connected the Mac to physical port and turned off Wifi. Got there without issue.

    The DNS, Whois, etc. seems to show different items in that the Registration appears to be domains@bevisible.com with an IP of 35.190.57.191. However, the certificate today looks different than the one from yesterday.

    Originally on their website and logged into the site with Chat when tried a link of the page. Got the error. Thus, thought they went down. Now makes me wonder if something is spoofed from UBNT gear.

    Thanks for looking! On to UBNT configs. ;-)

  • IPsec VTI establish automatically

    4
    0 Votes
    4 Posts
    612 Views
  • Issue with LAN interface only transmitting at 100Mbp (Solved)

    8
    0 Votes
    8 Posts
    1k Views
    stephenw10

    Ah, yes if something was holding open the states that would do it. The states from the tests would have to match it though and they would normally be different each test.

    Steve

  • Only partial connection between 2 LANs

    5
    0 Votes
    5 Posts
    644 Views
    stephenw10

    A better tool for this would be Diag > States filtered by the destination IP.
    The photo above really doesn't show enough to be useful here.

    Screenshots of your firewall rules on LAN and LAN2 would also help. And any floating rules you may have that apply to LAN or LAN2.

    Steve

  • Multiple PfSense firewalls on same Wan subnet

    5
    0 Votes
    5 Posts
    732 Views
    johnpoz

    @stephenw10 look at the different IPs they're coming from - bet you beer it's "spam" incoming ;)

  • pfatt - ngeth0 interface disappears

    25
    0 Votes
    25 Posts
    2k Views
    stephenw10

    Hmm, no I meant status but I'm also seeing the same output...

    The status data might show more. If I could work out the syntax!

  • Static Routers over IPSEC tunnel

    9
    0 Votes
    9 Posts
    744 Views
    stephenw10

    That may or may not work depending on how the Sophos handles duplicate P2 connections. It will appear to overlap the existing P2 at the Sophos end.
    If you have control of both ends of the tunnel just add a new P2 to cover 10.3.1.0/24 (?) to 192.168.40.0/22. Or something more specific if you like.

    Steve

  • Upload Speed

    3
    0 Votes
    3 Posts
    504 Views
    P

    @rcoleman-netgate Thanks, now I feel like an idiot 🙂

    I made the change and now it's displaying what I would have expected.

  • Repurpose Hardware

    14
    0 Votes
    14 Posts
    2k Views
    NollipfSense

    @datsys Don't overlook the Lenovo quoted above made between 2016-2020; many from corporations and gov came off lease and are selling cheap on eBay, especially if you get one without an OS. Then, you can get dual 128GB SSD for RAID setup and max out the RAM for less than $100. I see Lenovo m900 SFF box with 6th generation i7 and DDR4 RAM for $98 with no HD on eBay. Keep in mind whatever you get should/must be able to do AES-NI CPU crypto.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.