OK so two seemingly independent problems.

The schedules rule appears to be on the WAN carrying SIP traffic port forwarded traffic to the PBX. That does not carry RTP traffic so calls would not immediately drop. Nor does it carry outbound SIP traffic so I would expect to still be able to place calls but not receive them outside of the schedule. Is that what you see?

Steve

@rcoleman-netgate De rire 😁

@stephenw10

Yep, that's another possible issue : Installing a package (always the latest version) on a pfSense system that is not on the latest (2.6.0 if you use the free edition) version can work out fine.
More often it breaks stuff.

That's why :
If you decide NOT keep pfSense on the latest vesrion then you also decide not to upgrade / install packages any more.
Not respecting this rule is like playing with a six barrel gun and a bullet.
( we all saw the movie Deerhunter ones in our lives, right ? )

Read / click on the image :

0c26b335-292e-4d62-bafd-2840b0cfa267-image.png

Note : with some 'small' packages, like "Notes", you might get away with it.

When you see this :

6b4a7c6a-5366-4380-afa8-da3e98de2a03-image.png

and you see that huge stuff like php74 gets pulled in - and knowing that pfSense uses also php7x for it's WebGUI, I would consider that as a huge red flag.

@luckman212

Thanks for response. I think the messages are standard response sequence of DHCP lack of response on the WAN interface. Of course I do not have much of a baseline but turns out the ISP has had a LOT of issues over the last week in our area. I assumed it was me.... I think it is / was them. I will post as I get better baseline.

@stephenw10 Thanks!

Potentially it could have been a failing disk causing that shutdown panic, yes. Certainly there is a problem with it if it disappeared from the BIOS entirely.

Steve

Yep, I'd check your NAT statements.

You'll also want to isolate whether you actually can't get to the internet or have a DNS issue. Can the clients resolve google.com? Can the clients' ping 8.8.8.8? Can you ping 8.8.8.8 from PFsense when sourced from the OPT9 interface?

Are you using the Forward or the resolver? If using the forwarder, is it listening on the OPT9 interface? If using the resolver, two questions... is it listening on the OPT9 interface and if you're using ACL's... was 192.168.243.0/24 added to the allow list?

One thing to be aware of here is that the OpenVPN rules tab applies to all OpenVPN connections. If you have an OpenVPN server running already you probably have an allow all tule there so that connected clients can access resources behind the firewall. But when you get the ExpressVPN connection working that rule will also apply to it and you don't want to allow random connections from ExpressVPN! So make sure that rule it limited to your own subnet as source. Or alternatively assign your server as an interface the same way as the client and then you can apply the rules to those interfaces individually.

Steve

It's very easily done. Ask me how I know! 😉

If you are using pfSense on both sides as long as you're using IKEv2 and do not set 'split connections' it will do this by default.
You will see one childSA created for all defined subnets on each side and it will carry traffic between any of them.

But, yeah, I would probably use route mode IPSec (VTI) also. Logically easier to define.

Steve

@stephenw10 Thanks steve appreciate it :)

@johnpoz said in autossh on pfsense:

@_sko_ said in autossh on pfsense:

tunnel let the MySql server to be configured in a more secure way

So you have hackers or botware running on your local network?

You stated that this "wan" is not connected to the internet. So who has access to this "network" where this mysql box sits? Your devices, your users? Are you own devices and users considered hostile?

I stated wrong. Sorry but my english is a little bit rusty. The local network has a gateway and is connected to the internet but you are right just a too much complicated solution for the problem.

I just enabled a rinetd rule for the pfsense firewall in the MySql server et voilà.

Thanks!

@stephenw10 nada!

@stephenw10 After some further reading:

f5106781-8b1e-4268-ab32-3482c0776e37-image.png

I enabled Software flow offloading and hardware flow offloading.

Now, I will wait for a while what Zabbix measures …

Oh, you mean you can't even connect to LAN hosts from other LAN hosts?

Yeah that never goes through pfSense so definitely a problem at a lower layer somewhere.

Steve

@deanfourie Good idea.

1: SG-6100 with BiDi SFP for direct Fiber to the Home attach
2: Two VLANs - Home network and Guest network.
3: Aruba CX-6100 switch and Aruba IAP-315 APs with detailed pr. Device IPv4/IPv6 L2/L3 access lists enabled - based on client MAC address (to much hassle with 802.1x for wired home networking). One SSID and all wired ports are “colorless”. Mac-address defines which VLAN, role (access rights) is assigned to you.
Five network roles defined i switch/AP: ADMIN, CLIENT, IOT, SECURE IOT and GUEST. Role gets assigned from Radius based on Client Mac-address.
4: FreeRadius on pfSense with all well known MAC Addresses defined and assigned their apropriate role. Unknown MAC addresses get assigned the Guest Role.

The Trick here is that different device types (Not guests) are still in the same VLAN/IP Subnet and can find each other (broadcast/arp) if allowed by the ACL role assigned in the switch/AP.

5: pfBlockerNG for Geo based aliases blocking inbound sessions to whitelisted countries. Russia, Belarus, China and North Korea blocked completely inbound/outbound.
6: pfBlockerNG for IP based blocklists and wellknown offending IPs
7: pfBlockerNG DNSBL with about 12 feeds active to block tracking, adds and phishing - including DOH Blocking.
8: Occationally NTopNG active to spy and monitor traffic, but for unknown reasons, NTopNG adds a 20 - 200 ms latency to occational packets once in a while (noticable), so it’s not running permanently.
9: Destination NAT on ANY outbound DNS, NTP requests from internal interfaces. Rerouted to pfSense NTP and DNS server.

That's correct, there is no run-time patch for the issue.
https://redmine.pfsense.org/issues/12954

Steve

@jimp Thanks ... 2FA and App Password solved the problem