• Webpages not Accessible

    2
    0 Votes
    2 Posts
    390 Views
    Jim-bob-the-grandJ

    I've seen behavior like this with MTU problems. Consider sending pings of different sizes through the tunnel and see what happens maybe?

  • pfSense sending unicast to all hosts on my LAN

    1
    0 Votes
    1 Posts
    192 Views
    No one has replied
  • External Plex access

    5
    0 Votes
    5 Posts
    836 Views
    johnpozJ

    So step one, can you see me . org great site for testing.. Sniff while doing that on your wan.. If pfsense does not see that traffic, then no it can not forward..

    Until you validate traffic you want to forward is actually getting to pfsense, anything else you do is just spinning your wheels if it's not there to forward.

    step 1 in troubleshooting port forwarding after you have double checked your settings for stupid mistakes is actually validate the traffic is getting to pfsense..

    Doesn't matter if you have forwarded or not, if wrong dest IP behind, etc.. validation that the traffic actually gets to you is key..

    I run plex on a different port.. But here is simple test that 32400 can get to my wan

    gottowan.jpg

    Until you actually validate that - zero point in doing anything else.

    edit: step 2 would be to validate your firewall rules on wan are in the correct order and nothing above your rule that allows your port forward blocking.. Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated. So it's great the port forward auto adds the rule to allow your port forward to work.. but if you have something above that blocking - it's not going to work.. So vs you showing the detail of the firewall rule.. You need to show all the rules on your wan interface, and any rules on floating to see if you have something that would prevent the forward from working.

    example of this could be a pfblocker auto rule blocking countries, etc.

  • how to block download mp3/mp4

    5
    0 Votes
    5 Posts
    823 Views
    GertjanG

    @GabriellePeake said in how to block download mp3/mp4:

    solve that problem ?

    The thing is, when people take this road :

    @stephenw10 said in how to block download mp3/mp4:

    You need full SSL interception to do so for https.

    there are not many that come back to reports, or show or how-to's.
    Doing some serious MITM is hard.

  • Authenticating multiple services with RADIUS based on groups

    2
    0 Votes
    2 Posts
    464 Views
    Jim-bob-the-grandJ

    So, if anyone is interested. After digging around I managed to find https://redmine.pfsense.org/issues/3686

    So in NPS if you set the condition to the string you can find in Wireshark as the NAS-Identifier you can handle things on a per service request.

    Typical that you search for weeks for an answer but you find it only after you post online for help. It would be great if this appeared somewhere in the manual, or maybe it already does and I am blind?

  • 2 Crashes this week after years of stability.

    9
    0 Votes
    9 Posts
    1k Views
    M

    I need to change my signature to show the latest release that I am running. A quick search shows that I now may need 5 thumbs up to change my signature.

    So would 5 people be so kind as to give me 5 thumbs up for getting my pfSense back up and running?

    Thank you in advance.

  • 0 Votes
    7 Posts
    908 Views
    C

    Thank you for your help.
    It seems like Telekom added the route today and it is working now.

    traceroute6 to files01.netgate.com (2607:ee80:10::119:40) from 2003:a:6f26:6400:3eec:efff:fe43:bc4c, 64 hops max, 20 byte packets
     1 2003:0:1303:a428::1 (2003:0:1303:a428::1) 12.648 ms 12.707 ms 12.710 ms
     2 2003:0:1303:a420::2 (2003:0:1303:a420::2) 12.743 ms 13.076 ms 13.237 ms
     3 2003:0:f600:d::1 (2003:0:f600:d::1) 24.753 ms 24.711 ms 24.737 ms
     4 2003:0:f600:d::2 (2003:0:f600:d::2) 24.482 ms 25.486 ms 24.487 ms
     5 ae4.cs3.lhr11.uk.eth.zayo.com (2001:438:ffff::407d:1cc2) 94.355 ms 93.986 ms 94.120 ms
     6 ae5.cs1.lhr11.uk.eth.zayo.com (2001:438:ffff::407d:1d7e) 92.245 ms 92.605 ms 91.240 ms
     7 ae2.mpr2.ewr1.us.zip.zayo.com (2001:438:ffff::407d:1d87) 90.741 ms 90.916 ms 90.743 ms
     8 ae5.mpr1.ewr4.us.zip.zayo.com (2001:438:ffff::407d:1feb) 93.492 ms 93.446 ms 93.244 ms
     9 2001:438:fffe::1b96 (2001:438:fffe::1b96) 102.487 ms 123.473 ms 123.992 ms
    10 cs99-cs90.nyinternet.net (2610:1c1::1802) 91.492 ms 91.687 ms 91.498 ms
    11 2607:ee80:10::119:40 (2607:ee80:10::119:40) 91.486 ms 91.558 ms 91.502 ms
  • Where can i submit crash reports

    6
    0 Votes
    6 Posts
    719 Views
    jimpJ
    Fatal trap 12: page fault while in kernel mode
    cpuid = 2; apic id = 02
    fault virtual address = 0x58aa5c6
    fault code = supervisor read data, page not present
    instruction pointer = 0x20:0xffffffff80d57a78
    stack pointer = 0x28:0xfffffe00002e72c0
    frame pointer = 0x28:0xfffffe00002e72c0
    code segment = base 0x0, limit 0xfffff, type 0x1b
     = DPL 0, pres 1, long 1, def32 0, gran 1
    processor eflags = interrupt enabled, resume, IOPL = 0
    current process = 0 (hvevent2)
    trap number = 12
    panic: page fault
    cpuid = 2
    KDB: enter: panic
    db:0:kdb.enter.default> show pcpu
    cpuid = 2
    dynamic pcpu = 0xfffffe026cb25580
    curthread = 0xfffff80005dd2000: pid 0 "hvevent2"
    curpcb = 0xfffffe00002e7cc0
    fpcurthread = none
    idlethread = 0xfffff8000525a000: tid 100005 "idle: cpu2"
    curpmap = 0xffffffff834f1c40
    tssp = 0xffffffff835a33a0
    commontssp = 0xffffffff835a33a0
    rsp0 = 0xfffffe00002e7cc0
    gs32p = 0xffffffff835a9ff8
    ldt = 0xffffffff835aa038
    tss = 0xffffffff835aa028
    tlb gen = 5304139
    db:0:kdb.enter.default> bt
    Tracing pid 0 tid 100120 td 0xfffff80005dd2000
    kdb_enter() at kdb_enter+0x3b/frame 0xfffffe00002e6f70
    vpanic() at vpanic+0x19b/frame 0xfffffe00002e6fd0
    panic() at panic+0x43/frame 0xfffffe00002e7030
    trap_pfault() at trap_pfault/frame 0xfffffe00002e7080
    trap_pfault() at trap_pfault+0x49/frame 0xfffffe00002e70e0
    trap() at trap+0x29d/frame 0xfffffe00002e71f0
    calltrap() at calltrap+0x8/frame 0xfffffe00002e71f0
    --- trap 0xc, rip = 0xffffffff80d57a78, rsp = 0xfffffe00002e72c0, rbp = 0xfffffe00002e72c0 ---
    m_tag_locate() at m_tag_locate+0x28/frame 0xfffffe00002e72c0
    bpf_mtap() at bpf_mtap+0x19d/frame 0xfffffe00002e7330
    vlan_start() at vlan_start+0x1b6/frame 0xfffffe00002e73b0
    if_transmit() at if_transmit+0x16e/frame 0xfffffe00002e73f0
    ether_output_frame() at ether_output_frame+0x98/frame 0xfffffe00002e7420
    ether_output() at ether_output+0x6d7/frame 0xfffffe00002e74b0
    ip_output() at ip_output+0x138d/frame 0xfffffe00002e75e0
    ip_forward() at ip_forward+0x2c3/frame 0xfffffe00002e7680
    ip_input() at ip_input+0x724/frame 0xfffffe00002e7710
    netisr_dispatch_src() at netisr_dispatch_src+0xa2/frame 0xfffffe00002e7760
    ether_demux() at ether_demux+0x15b/frame 0xfffffe00002e7790
    ether_nh_input() at ether_nh_input+0x32c/frame 0xfffffe00002e77f0
    netisr_dispatch_src() at netisr_dispatch_src+0xa2/frame 0xfffffe00002e7840
    ether_input() at ether_input+0x26/frame 0xfffffe00002e7860
    vlan_input() at vlan_input+0x215/frame 0xfffffe00002e7910
    ether_demux() at ether_demux+0x144/frame 0xfffffe00002e7940
    ether_nh_input() at ether_nh_input+0x32c/frame 0xfffffe00002e79a0
    netisr_dispatch_src() at netisr_dispatch_src+0xa2/frame 0xfffffe00002e79f0
    ether_input() at ether_input+0x26/frame 0xfffffe00002e7a10
    hn_chan_callback() at hn_chan_callback+0xf29/frame 0xfffffe00002e7af0
    vmbus_chan_task() at vmbus_chan_task+0x22/frame 0xfffffe00002e7b20
    taskqueue_run_locked() at taskqueue_run_locked+0x185/frame 0xfffffe00002e7b80
    taskqueue_thread_loop() at taskqueue_thread_loop+0xb8/frame 0xfffffe00002e7bb0
    fork_exit() at fork_exit+0x83/frame 0xfffffe00002e7bf0
    fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00002e7bf0
    --- trap 0, rip = 0, rsp = 0, rbp = 0 ---

    That trace doesn't look familiar to me, but it seems to have crashed when trying to find an mbuf tag, so maybe it's an issue with mbuf exhaustion. (Though usually that would crash when trying to allocate one...)

    What features do you have enabled? (Things like captive portal, limiters, CARP/HA, etc)

    What does netstat -m show?

  • slow downloads or packet loss on WAN

    13
    0 Votes
    13 Posts
    2k Views
    Bob.DigB

    @bmeeks Does tracert (Windows) use ports?
    Anyway, I did two tests with pfSense and two with Windows to an AWS IP... I can't see nothing.

    Spoiler

    Capture.PNG

  • FQDN

    5
    0 Votes
    5 Posts
    447 Views
    M

    @Gertjan thanks

  • Can't load Web GUI when WAN is down

    22
    0 Votes
    22 Posts
    2k Views
    N

    @Gertjan

    So an update, after a week of issues I've narrowed this down to pfBlockerNG-devel/DNS issues. I've removed pfBlockerNG-devel and reverted to AdGuard Home and I've had a stable WAN connection and box for 3 days. I did notice this and wasn't sure if that was a contributing factor:

    https://www.reddit.com/r/PFSENSE/comments/88wg6g/issue_with_pfblockerng_dnsbl_and_cloudflares_1111/

    @Rico - I made these changes and it made no difference when DNS was down or being blocked by pfBlockerNG-devel

    So thanks all for the help and pointers, all really useful and I definitely improved my knowledge of PFSense and DNS over the last week!

  • Pfsense LDAPS binding issue with V4.2.5 amazon

    2
    0 Votes
    2 Posts
    372 Views
    V

    @awebster I've seen you help https://forum.netgate.com/topic/145578/ldaps-ad-bind/19.

    Can you please point me in the direction where I need to troubleshoot this issue?

  • NTP service not synchronized

    1
    0 Votes
    1 Posts
    912 Views
    No one has replied
  • UDP timeout for single VLAN

    4
    0 Votes
    4 Posts
    899 Views
    J

    @Derelict We actually have 2 phone systems from a merger. An on-premise phone system (that works great) and AT&T hosted voice. Calls on the AT&T drop randomly. AT&T refuses to be of any help because it's a network problem and to be fair if I put the phones on a router with the udp timeout changed it does work.

    The reason I am trying to move it off the current router is QOS. Which has been a problem before because we were running 3 routers for different network segments off the same internet connections and 1 router could use all the bandwidth and starve the other routers.

  • help on self hosted page

    1
    0 Votes
    1 Posts
    148 Views
    No one has replied
  • Logs Truncated when send via UDP to remote syslog

    5
    0 Votes
    5 Posts
    1k Views
    D

    Ok, just found out pfSense is indeed truncating:
    https://forum.netgate.com/topic/152220/suricata-eve-json-cutting-off-in-remote-logging/9

  • No Lan after hacking attempts

    8
    0 Votes
    8 Posts
    1k Views
    NollipfSenseN

    @cajunzman Okay.

  • Homekit Nightmare

    2
    0 Votes
    2 Posts
    1k Views
    NollipfSenseN

    @elduder You might want this: https://github.com/homebridge/homebridge
    May find valuable info here too: https://forum.netgate.com/topic/154163/can-i-use-ips-to-trigger-a-custom-action

  • Quick question regarding installation

    8
    0 Votes
    8 Posts
    600 Views
    johnpozJ

    You can not put the wan and lan on the same network.. Sure looks like you're going to connect the wan and lan to the same network.

  • Disk Usage at 108%

    5
    0 Votes
    5 Posts
    770 Views
    jimpJ

    UFS keeps extra space that is not available to regular users so when the filesystem is completely filled for user and non-user data, it shows 108%.

    : tunefs -p /
    tunefs: POSIX.1e ACLs: (-a) disabled
    tunefs: NFSv4 ACLs: (-N) disabled
    tunefs: MAC multilabel: (-l) disabled
    tunefs: soft updates: (-n) enabled
    tunefs: soft update journaling: (-j) enabled
    tunefs: gjournal: (-J) disabled
    tunefs: trim: (-t) disabled
    tunefs: maximum blocks per file in a cylinder group: (-e) 4096
    tunefs: average file size: (-f) 16384
    tunefs: average number of files in a directory: (-s) 64
    tunefs: minimum percentage of free space: (-m) 8%
    tunefs: space to hold for metadata blocks: (-k) 6408
    tunefs: optimization preference: (-o) time
    tunefs: volume label: (-L)

    Note the value for -m

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.