• CARP Bug or New Feature

    5
    0 Votes
    5 Posts
    654 Views
    stephenw10S
    Mmm, that shouldn't be possible. Try running a packet capture on that interface and check the time between the CARP packets. The Sec would have to be sending in less than 1s intervals to demote the Pri. Or maybe something else using those VHIDs? Steve
  • Internet goes down a couple times a day after update

    5
    0 Votes
    5 Posts
    579 Views
    KOMK
    @helyon You need to determine if it's a DNS issue or general connectivity and that's where the ping test will tell you.
  • RADIUS - CERTIFICATE

    2
    0 Votes
    2 Posts
    387 Views
    AKEGECA
    @jimbohello I can't see what your configuration is, but how about trying a reboot and checking if the config is still correct.
  • # at the break! - message in rules.debug if interface name is not optX

    7
    0 Votes
    7 Posts
    820 Views
    AKEGECA
    @jimp dude! you are famous. About 2017 controversy pfSense vs OPNsense in court. https://www.youtube.com/watch?v=y8R5-xNeHY8
  • how to connect pfsense to Wi-Fi?

    11
    0 Votes
    11 Posts
    2k Views
    JKnottJ
    @johnpoz said in how to connect pfsense to Wi-Fi?: NeXTSTEP ;) which was based on the Mach (kernel), and sure had some source from unix BSD.. You seem to imply that it is freebsd derived from that statement.. ;) The history of Unix is really messed up. I saw a diagram of the various Unix lineage and it was a real pile of spaghetti. This is due to the origins at AT&T and how they distributed it to colleges etc. for little more than the cost of a tape & shipping. One result was that everyone was borrowing from everyone, at least until SCO started claiming the others were stealing from them, including IBM's JFS, which was originally developed for OS/2 and ported to AIX. Since AIX was IBM's version of Unix, anything on it, including JFS, was "owned" by SCO. The various BSDs evolved from the original Berkeley Software Division (BSD), which in turn started from what AT&T had provided. Sun also did a lot of development, based on BSD. It's curious how just about the entire world, other than desktops, runs on some *nix version and most of that is now Linux, all the way from smart watches to the big supercomputers. One of my cousins is a nuclear physicist (he works with neutrinos) and runs Red Hat Linux on both his own notebook computer and on the supercomputer he uses in his work. Even that helicopter on Mars runs Linux.
  • Firewall -> Rules -> LAN very slow to load since 21.02 update.

    Moved
    3
    0 Votes
    3 Posts
    702 Views
    D
    @akegec LOL but it's a Netgate SG5100
  • 0 Votes
    6 Posts
    788 Views
    9
    @stephenw10 said in PF sense crashed after upstream ISP upgrade . Fixed but , working strangely .: 127.0.0.1 It was a DNS issue, the PF sense had been inheriting DNS from the upstream ISP (Virgin). There is something wrong since the upgrade with DNS, working with PF sense. I re-entered DNS addresses 8.8.8.8 & 1.1.1.1 I changed the DNS settings, to and unchecked "DNS to be overwritten by DHCP WAN" I then set DNS Resolution Behavior to "Use local DNS, and ignore remote DNS" Seems to be working again now
  • Traffic Won't Route Through Outgoing VPN

    24
    0 Votes
    24 Posts
    3k Views
    C
    @viragomann You can see the DNS request just below the one going out the VPN pipe to the 1.1.1.1. It was originated on a machine in the internal net that has the 10.100.2.14 IP right now. Everything is set to query the .1 address in the subnet and then as far as my understanding goes the resolver takes care of it after that. Why it is saying the INT VPN interface is beyond me unless the traffic is getting passed there first but I wouldn't think so. The only reason I was doing it that way was to add more obscurity of the traffic on the server side. Getting connections to from a 443 that doesn't match the location of the DNS requests.
  • firewall without NAT

    40
    0 Votes
    40 Posts
    5k Views
    stephenw10S
    You might need to check 'allow IP Options' on the pass rule there: https://docs.netgate.com/pfsense/en/latest/firewall/configure.html?highlight=multicast#ip-options Steve
  • SG-3100 doesn't route traffic after WAN lost/regained

    2
    0 Votes
    2 Posts
    413 Views
    S
    @jpaquin said in SG-3100 doesn't route traffic after WAN lost/regained: no clients past the firewall can get out to the internet No DNS or they can't ping? I've seen a few posts recently about Unbound not working (though the one I can think of was "after boot").
  • No incoming S2S IPSec VPN connections. Manual telnet requests show up.

    3
    0 Votes
    3 Posts
    731 Views
    H
    I believe I got it. Turns out, the FritzBox (at least in regards to virtual ip/mac) is crap. What you see is not what you get. I cross-referenced what I saw on the FritzBox with my local computer. [image: 1622053434216-fritznet-arp-table.png] On my local computer it seems to work as expected. Furthermore I disabled the exposed host functionality and went for a simple port forward. [image: 1622053716161-fritzbox-port-forward.png] With this, initiating a vpn connection from the offsite works without any problems. I'll mark this as solved. Thanks! //edit: Ok seems I'm unable to edit my first post. Anyway for me this works now. Have a great day!
  • 0 Votes
    4 Posts
    578 Views
    V
    @christophermay These other routers (presumably consumer routers) might have had NAT reflection enabled by default (without the ability to disable it), but that has other drawbacks. DNS override is the more reliable solution for that in the end.
  • L2TP default gateway

    1
    0 Votes
    1 Posts
    348 Views
    No one has replied
  • Migrating from sg3100 to a i5 firewall

    Moved
    8
    0 Votes
    8 Posts
    902 Views
    A
    Thank you all for the insight. The XML file and modifications worked great.
  • Possible to get email alert on authentication failures?

    5
    0 Votes
    5 Posts
    809 Views
    KOMK
    @nguser6947 You can also create some LAN firewall rules to prevent access to WebGUI by anyone except your workstation.
  • Radius IP Issue

    1
    0 Votes
    1 Posts
    376 Views
    No one has replied
  • Suppress "arp: is using my IP address"

    logging
    7
    0 Votes
    7 Posts
    2k Views
    AndyRHA
    Downtime at my house is not a thing. It has been booted after this started and has only been up 23 days... embarrassingly short time... I just now got around to asking if there is a way to stop it. Thank you for the suggestions.
  • Possible routing loop? Routing loop diagnostics

    4
    0 Votes
    4 Posts
    529 Views
    stephenw10S
    Yes. What about to a different public IP? If you are hitting something odd in the route you may not hit that to a different target.
  • Packages not updating

    20
    0 Votes
    20 Posts
    2k Views
    DaddyGoD
    @akegec said in Packages not updating: I remember how it used to be, no contracts and lawyers, we just used a hand shake to make a deal without any problems. EXACTLY! I have mentioned this here before
  • Real time traffic logging?

    5
    0 Votes
    5 Posts
    1k Views
    stephenw10S
    Just how 'live' do you need it to be? You could tail the filter log at the command line if you really want to see it as it happens. You might try using the ntop-ng package. Or one of the other monitoring packages: https://docs.netgate.com/pfsense/en/latest/monitoring/graphs/bandwidth-usage.html Steve
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.