• Troubles Rebooting with WAN LAGG

    5
    0 Votes
    5 Posts
    375 Views
    stephenw10S

    I assume the lagg settings must be correct since it works after re-saving.

    It does seem like some issue at boot caused by the delay setting up the lagg I agree.

    We need to determine exactly what has failed when that happens.

    If the WAN/lagg has a valid public IP and the default route shows the correct gateway then I would expect to be able to ping out from Diag > Ping for example. Even if Unbound (the DNS resolver) fails to start the system itself should still be able to ping by IP, to 8.8.8.8 for example.

    You may not have the required automatic outbound NAT rules preventing LAN side clients connecting. Check Firewall > NAT > Outbound.

    Check the system logs after rebooting. I suspect what you will see is that when the WAN connects and gets an IP it is ignored because it happens during the later bootup process.

  • Pfsense constantly dropping WAN

    5
    0 Votes
    5 Posts
    336 Views
    X

    @stephenw10 said in Pfsense constantly dropping WAN:

    @xMrMurderx said in Pfsense constantly dropping WAN:

    pfsense drops WAN within 2 minutes of a config save, then 30 seconds later LAN goes down. I'm unable to SSH into pfsense, and using a monitor and keyboard the console is locked up

    If the console stops responding that implies some more serious issue. Does it even respond to Ctrl+T? That can sometimes show something when nothing else does?

    Or does the caps-lock key/led work on a directly connected keyboard?

    After you reboot do you see anything logged?

    Ctrl+t did nothing. Num, caps lock etc lights turn on and off when I hit them, but yeah the console is completely frozen.

    This guy has the exact same setup with the same intel nic, same problem as me. There's a few other reddit and forum threads about this specific PC build with intel cards giving the same issues. I just wish I did a little more research before buying the card haha. It's been a little over a month of running stock pfsense because of this issue.

    But yeah, problem has been resolved. Threw in a different card I had lying around and everything has fixed itself.

  • 0 Votes
    2 Posts
    261 Views
    stephenw10S

    @binary9 said in Crash after setting WAN interface options, now cannot access interface settings page:

    Running 23.09-RELEASE (arm64) on a Netgate 2210

    I assume you mean 2100 there since it's aarch64?

    But that's a known bug: https://redmine.pfsense.org/issues/14949

    It was fixed in 23.09.1. You should upgrade! 😉

  • AES-GCM

    7
    0 Votes
    7 Posts
    800 Views
    stephenw10S

    Or wireguard. Or OpenVPN DCO.

  • High Memory Usage

    4
    0 Votes
    4 Posts
    464 Views
    stephenw10S

    Hmm, hard to imagine anything using that much RAM. But yes check the top output or ps -auxwd.

  • Slow upload speeds on HP Z2 G9 PFSense Box

    74
    0 Votes
    74 Posts
    8k Views
    BearB

    To close this out, installed a second X550-T2 - The system didn't even need a network device reconfiguration since the network device driver was identical (though my Netgate ID changed - DM'd @stephenw10 to update that on Netgate's end).

    Here's my final config:

    Everything works perfectly. With the CPU power set to ultimate efficiency, while hammering it with speed tests, I only get to 12% CPU usage. If I set the dial to midway between Perf and efficiency, I can't crack 4%. Haven't tried full perf mode yet.

    Nice to know I've got power to spare in case I decide to start running more services on the box.

    There are likely more efficient ways to set this up, but this works perfectly for my setup as-is. I'll likely move to using VLANs when I do some HW replacement later, but there's no rush.

  • advice for cert management with external CA and PKI

    2
    0 Votes
    2 Posts
    338 Views
    L

    Check out https://pkiaas.io. You can use SCEP to automate certificate renewal on your endpoints with MDM. There are also self-service certificate options that use mTLS to authenticate renewal using the existing certificate.

  • Hardware Crypto Support Missing AES-GCM?

    20
    0 Votes
    20 Posts
    3k Views
    JonathanLeeJ

    @jackyaz

    Is this of concern /* duplicates are ignored because keys must be unique */

  • I Lost Access To WebGui After Port Forwarding....Please Help

    8
    0 Votes
    8 Posts
    514 Views
    R

    @stephenw10 Ok I'll keep that in mind.

    So I was able to use the console to go to an earlier configuration, reboot, and I was able to get into the WebGUI. Proceeded to immediately make a backup configuration on file just in case. Phew! Thanks for that suggestion, and thank the Devs for having such a feature available. Truly a lifesaver!

    Next meeting we're gonna take it slow and only forward the ports that he needs. Maybe he won't need all of them.

  • PfSense to Cisco Router IPSec VPN Tunnel Parameters Question

    4
    0 Votes
    4 Posts
    231 Views
    R

    @R-Mana So everything was correct and the VPN tunnel worked as expected. But I have a different problem to which I created a new post.

  • 0 Votes
    9 Posts
    818 Views
    w0wW

    Try mtupath
    mtupath www.detran.rs.gov.br

    I have had similar problems some time ago, this was happening with IPv6 enabled but some sites were ipv4 only, so after mtupath discovery I have changed the MSS to 1352

    BTW I have zero problems opening www.detran.rs.gov.br in firefox also, but not in edge.

  • Peculiar throughput problem pfSense to pfSense

    27
    0 Votes
    27 Posts
    2k Views
    keyserK

    @stephenw10 but THANK YOU 🙏 for your invaluable knowledge and desire to help. You really are indirectly one of the invaluable qualities that makes pfSense such a fantastic product.

  • Hmm why can't I access my Owncloud instance (or even just ping it)?

    6
    0 Votes
    6 Posts
    467 Views
    N

    @stephenw10 Actually I was just able to get it to work.

    I logged in via my phone's web browser then switched to the app and got in just fine. Why, I have no idea, but it's working.

    Thank you for your assistance!

  • Application only redirects traffic?

    3
    0 Votes
    3 Posts
    139 Views
    stephenw10S

    Potentially you could use rules matching by priority tags perhaps. But you would need to be able to tag the traffic from the application in the client. Not something I've ever tried.

  • FQ_Pie no internet

    29
    0 Votes
    29 Posts
    3k Views
    K

    @stephenw10 I'm looking forward to the 25.03 version and will test it right away. Thank you for the information

  • Free BSD Patch inserted for FQ_PIE

    1
    0 Votes
    1 Posts
    102 Views
    No one has replied
  • letsencrypt webconfigurator certificate expired - but it isn't!

    7
    0 Votes
    7 Posts
    512 Views
    johnpozJ

    @sensewolf restart the gui

    And yeah if you're using acme for your webgui - then that command @Gertjan shows should be in your acme client.

    I don't have it because I don't use them in my gui, only for my haproxy stuff

  • Is there a way for some devices to appear in a different geo location?

    8
    0 Votes
    8 Posts
    611 Views
    stephenw10S

    Yes, that applies to the local side where the VPN would effectively be the other WAN.

    At the remote side you just need firewall rules to pass the traffic coming in over the VPN and outbound NAT rules to translate it at the WAN. The OBN rules may already be added.

    Try routing some traffic from a single client. Start a ping to something unique then check the states at both ends.

  • Plus version for lab?

    10
    0 Votes
    10 Posts
    994 Views
    provelsP

    General Motors makes Chevrolets.
    And Cadillacs.
    EOF

  • Best way to copy pfsense backups to S3 bucket?

    4
    0 Votes
    4 Posts
    273 Views
    stephenw10S

    Oh, yes indeed. And by far the easiest! 😁

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.