• Need help with a 'stretch goal' on a firewall project
    0 votes, 3 posts, 370 views. Last reply by stephenw10:
    In a true HA setup pfSense does not support either DHCP or PPPoE WANs. So, yes, you would need to use additional routers in front of both WANs to terminate those connections and provide the static subnets required for CARP. You might consider getting a static /29 on one if you can. That would solve both issues.
    Steve
  • AWS pfSense+ WAN
    0 votes, 2 posts, 188 views. Last reply by stephenw10:
    Well, it's always better to pass only what you need, but doing that can make troubleshooting that much more difficult as you're then filtering in two completely different places. If it's just allowing traffic within the VPC it's not a big risk for most setups. However, only you can really make that decision; it depends entirely on how you have things set up in the VPC.
    Steve
  • Do I need to create a new interface for every port?
    Tags: interface newbie
    0 votes, 7 posts, 1k views. Last reply by stephenw10:
    There are two Netgate devices that have a port marked 'LAN4'. In the 2100 that is part of the switch that is connected to the LAN interface by default, and no additional config is required to use it. In the 6100 that is a discrete NIC and not enabled by default. There you would have to enable the interface and set a firewall rule on it at a minimum to use it.
    Steve
  • Adding a local DNS to the default DNSs
    0 votes, 6 posts, 569 views. Last reply by JKnott:
    @linuxha Yes, I have a lot of experience with IPv6. As I mentioned, you should use SLAAC, unless you have some need for DHCPv6. With SLAAC, the router advertises the LAN prefix and the device adds the rest of the address, often based on the MAC address. This requires no configuration on the device. Also, RDNSS is provided in a router advertisement, though it must be enabled. Start with this and see how it goes. I'll help with whatever I can.
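    JKnott's reply above describes the two pieces SLAAC hands a host: a /64 prefix from the Router Advertisement, which the host completes with an interface identifier (classically derived from its MAC), and an RDNSS option carrying resolver addresses. The following is an added example written for this page, not code from the post or from pfSense; it builds the modified EUI-64 address (RFC 4291) and encodes and decodes the RDNSS option (RFC 8106). The prefix 2001:db8:1::/64, the MAC 00:11:22:33:44:55 and the resolver 2001:db8:1::53 are constructed sample values.

```python
import ipaddress
import struct

RDNSS_TYPE = 25  # ND option type for Recursive DNS Server (RFC 8106)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A):
    insert ff:fe between the OUI and device halves, then flip the U/L bit (0x02)."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from an advertised /64 prefix plus its EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix, got /%d" % net.prefixlen)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def rdnss_option(servers, lifetime: int) -> bytes:
    """Encode an RDNSS option as carried in a Router Advertisement:
    type(1) length(1, in 8-octet units) reserved(2) lifetime(4) then 16-octet addresses."""
    addrs = [ipaddress.IPv6Address(s).packed for s in servers]
    if not addrs:
        raise ValueError("RDNSS option needs at least one server")
    length = 1 + 2 * len(addrs)
    return struct.pack("!BBHI", RDNSS_TYPE, length, 0, lifetime) + b"".join(addrs)


def parse_rdnss_option(data: bytes):
    """Decode an RDNSS option; returns (lifetime, [server strings]).
    Rejects a length field that disagrees with the data instead of reading past it."""
    if len(data) < 8:
        raise ValueError("option too short")
    otype, olen, _reserved, lifetime = struct.unpack("!BBHI", data[:8])
    if otype != RDNSS_TYPE:
        raise ValueError("not an RDNSS option (type %d)" % otype)
    if olen < 3 or olen % 2 == 0 or len(data) != olen * 8:
        raise ValueError("invalid RDNSS length field %d" % olen)
    count = (olen - 1) // 2
    servers = [str(ipaddress.IPv6Address(data[8 + 16 * i: 24 + 16 * i])) for i in range(count)]
    return lifetime, servers


if __name__ == "__main__":
    # Constructed sample values (documentation prefix, made-up MAC), not from the post
    print(slaac_address("2001:db8:1::/64", "00:11:22:33:44:55"))
    opt = rdnss_option(["2001:db8:1::53"], 600)
    print(opt.hex(), parse_rdnss_option(opt))
```

    Two caveats: the EUI-64 form is what the post means by "often based on the MAC address", but most current hosts default to stable-privacy (RFC 7217) or temporary (RFC 4941) identifiers, so do not write firewall rules or DNS records that assume MAC-derived addresses; and the parser refuses an RDNSS option whose length field disagrees with the data, because RA options arrive in unauthenticated link-local traffic.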
  • This topic is deleted! (Locked)
    0 votes, 3 posts, 25 views.
  • Will version 2.6.0 be pfSense CE & Plus only?
    0 votes, 4 posts, 791 views. Last reply:
    Ok, thanks for clarification.
  • Multiple Local Domains
    0 votes, 8 posts, 1k views. Last reply:
    Hi @netblues and @stephenw10 - thanks for the responses. I did end up getting this to work how I wanted by modifying the Search Domains field under DHCP settings, but ultimately decided just to keep it simple: instead of machineX.building1.companyA.lan I went with machineX-building1.companyA.lan to keep everything under a single local domain. Thanks again for all your help.
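    The post above settled on a single search domain, but the Search Domains field it mentions is delivered to clients as DHCP option 119 (RFC 3397), which is where a multi-domain list like building1.companyA.lan plus companyA.lan would have ended up on the wire. The following is an added example written for this page, not code from the post or from pfSense (whose DHCP daemon does this encoding itself): it encodes a search list into option 119 data with DNS-style label compression and decodes it back, with the bounds checks a parser of untrusted DHCP data needs. The domain names are the constructed examples from the post.

```python
OPTION_DOMAIN_SEARCH = 119  # DHCPv4 option code for the domain search list (RFC 3397)


def _labels(name: str):
    """Split a domain name into its DNS labels, validating label length."""
    labels = [part.encode("ascii") for part in name.strip().rstrip(".").split(".") if part]
    if not labels:
        raise ValueError("empty domain name")
    for lab in labels:
        if len(lab) > 63:
            raise ValueError("label longer than 63 octets: %r" % lab)
    return labels


def encode_domain_search(domains) -> bytes:
    """Encode a search list as option 119 data: wire-format names, where any suffix
    already written is replaced by a 2-octet compression pointer (0xC0 | offset)."""
    out = bytearray()
    seen = {}  # lower-cased suffix (tuple of labels) -> offset where it was written
    for name in domains:
        labels = _labels(name)
        for i in range(len(labels)):
            suffix = tuple(lab.lower() for lab in labels[i:])  # DNS names compare case-insensitively
            if suffix in seen:
                ptr = seen[suffix]
                out += bytes([0xC0 | (ptr >> 8), ptr & 0xFF])
                break
            if len(out) <= 0x3FFF:  # pointers only address 14 bits of offset
                seen[suffix] = len(out)
            out += bytes([len(labels[i])]) + labels[i]
        else:
            out += b"\x00"  # root label terminates a name that was not compressed
    return bytes(out)


def _read_name(data: bytes, pos: int):
    """Read one (possibly compressed) name at pos; return (labels, position after it)."""
    labels, end, hops = [], None, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated name")
        n = data[pos]
        if n == 0:
            pos += 1
            break
        if n & 0xC0 == 0xC0:
            if pos + 1 >= len(data):
                raise ValueError("truncated compression pointer")
            target = ((n & 0x3F) << 8) | data[pos + 1]
            if end is None:
                end = pos + 2  # the record ends here even though the name continues elsewhere
            hops += 1
            if target >= pos or hops > 32:
                raise ValueError("bad compression pointer")  # pointers must go backwards, no loops
            pos = target
            continue
        if n & 0xC0:
            raise ValueError("reserved label type 0x%02x" % n)
        labels.append(data[pos + 1: pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return labels, (end if end is not None else pos)


def decode_domain_search(data: bytes):
    """Decode option 119 data back into a list of domain names."""
    names, pos = [], 0
    while pos < len(data):
        labels, pos = _read_name(data, pos)
        names.append(".".join(labels))
    return names


def domain_search_option(domains) -> bytes:
    """Full option TLV: code, length, data. Data over 255 octets must be split across
    repeated option instances (RFC 3396); this helper refuses rather than truncating."""
    data = encode_domain_search(domains)
    if len(data) > 255:
        raise ValueError("search list is %d octets; split per RFC 3396" % len(data))
    return bytes([OPTION_DOMAIN_SEARCH, len(data)]) + data


if __name__ == "__main__":
    # Constructed search list from the post's two naming schemes
    data = encode_domain_search(["building1.companyA.lan", "companyA.lan"])
    print(data.hex(), decode_domain_search(data))
```

    The second name costs only two octets because its whole suffix was already written at offset 10; that is exactly the saving compression buys, and also why a decoder must check that pointers only move backwards, since a forward or self-referencing pointer in a crafted DHCP reply would otherwise loop the parser.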
  • setting up new client email notifications
    0 votes, 3 posts, 428 views. Last reply:
    @viragomann Awesome, worked, thanks! How do I set it so that when a new client joins the network, I get an email notification?
  • Hotplug event detected for LAN at time xx:05:02 and xx:35:02 of random hours only.
    0 votes, 4 posts, 461 views. Last reply by Gertjan:
    @fixingstill said in "Hotplug event detected for LAN at time xx:05:02 and xx:35:02 of random hours only.": "I am out of ideas how to troubleshoot this one."
    On the pfSense side: swap the WAN and LAN interfaces. Does the issue continue? On the WAN now? Or not? Swap the port on the switch, or even use another switch? Swap the cable - even the best cable can be faulty from day one.
  • Unexplained network activity
    0 votes, 7 posts, 931 views. Last reply:
    Thanks for all the input. It was indeed PVST. I've disabled spanning tree for each VLAN on the switch and the activity has disappeared from the traffic graph.
  • VLANs and Tomato Wifi
    1 vote, 23 posts, 4k views. Last reply:
    @parry For the future - just leave the DNS in Tomato set to 0.0.0.0, which it uses as a default. The DHCP server in pfSense provides the access to DNS.
  • access point / managed switch, VPN BOX (Moved)
    0 votes, 13 posts, 1k views. Last reply by stephenw10:
    It looks more like you are trying to use this as a VPN router so that anything on the LAN side of pfSense will use the VPN? If so then that's not a switch and definitely not an access point. But that's good because pfSense is not a switch or access point!
    Steve
  • Permission errors running commands as Admin?
    0 votes, 14 posts, 1k views. Last reply:
    @stephenw10 There's not an alternative route that I can see from laptop to pfSense. Not connected via anything but the access point. Yes, 23.x.x.x is the WAN IP passed through to pfSense. I ran a pcap on the pfSense WAN as pfSense scans 172.16.0.0/13 and is generating TCP:A blocks outbound on WAN in the firewall logs. I look at a blocked TCP:A outbound entry timestamped 15:29:00 within the firewall logs, and filter for that destination in Wireshark (ip.addr==172.16.56.89). I do not see any traffic to or from any of the destination IPs shown in the firewall logs.
    Edit: Where is 172.16.224.109? I don't know; it's not something that I've provisioned and well outside my address ranges. I use 172.16.0.0/24 for guest wifi access and that's not seen activity in some time. I saw that address in the AT&T gateway logs and was curious for this reason. The AT&T gateway has everything related to firewalling and packet filtering disabled, yet it was showing reason: filtering.
  • certificates expired?
    0 votes, 10 posts, 1k views. Last reply:
    @stephenw10 okay thanks
  • Improvement (idea) : Configuration backup/restore , Encryption and ECL
    0 votes, 3 posts, 630 views. Last reply by bingo600:
    Well, the feature was rejected, because a locally (HW) obtained key was not secure if the person performing the ECS had access to the hardware. Too bad. I was never aiming for an unbreakable config, just something that would not give it away openly.
    /Bingo
  • Plex: Anything Needed for Non-Remote Use?
    Tags: plex
    0 votes, 3 posts, 663 views. Last reply by areckethennu:
    @johnpoz Thanks, again! It was the Custom Option thing at the bottom of Services > DNS Resolver > General Settings. I'd forgotten all about that.
  • Bootup configuration not loading from USB
    0 votes, 14 posts, 992 views. Last reply:
    @bingo600 reroot is covered in docs (link) -- although it says it's faster than a reboot it still took a few mins. To perform a reroot, choose option r when triggering a reboot from the terminal menu. Since everything in my stack is automated (no human touch where we can help it), I just made a simple PHP script that triggers like this, and it's called through our automation engine:

        <?php
        // Load the pfSense function library that defines system_reboot_sync()
        require_once("functions.inc");
        // true = reroot instead of a full reboot
        system_reboot_sync(true);

    The true in system_reboot_sync(true) tells it to do a reroot instead of a reboot. It's not documented, but I found it in the source code here.
  • "Certificate is not valid" While Also "Certificate is OK"
    0 votes, 4 posts, 1k views. Last reply by johnpoz:
    @areckethennu glad you got it sorted and I could be of help.
  • Can an IDS/IPS be implemented on the 2100 model ?
    0 votes, 7 posts, 2k views. Last reply:
    @steveits Great information Steve! I will take a deep look at it. Best Regards, and Thank you!
    LeMike
  • Too stupid to own a 6100
    Tags: 6100 factory reset
    0 votes, 7 posts, 2k views. Last reply by stephenw10:
    The reset config procedure in the 6100 is a little more involved than on other devices. And in fact I would only attempt it in 21.05.2 if you have no other option. The timing is such that it's difficult unless you can see the console output, and at that point just use the console! This is fixed in 22.01, where the feedback from the LEDs makes the process relatively easy.
    The reset is a two-step process:
    1. Power on the device. After a few seconds, when the green circle LED changes from orange to blue, hold the reset button for 5 seconds. This 'short-press' initiates the reset.
    2. Then, after the drive has mounted, the system recognises the reset has been initiated and asks you to confirm the reset. In 22.01 this is indicated by all three LEDs turning red. Hold the reset button until all three LEDs start flashing, ~13s. The system then resets the config and reboots.
    Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.