• Disable serial console?

    5
    0 Votes
    5 Posts
    1k Views
    ?

    Thanks! I'll give that a shot!

  • 0 Votes
    3 Posts
    157 Views
    jimp

    Looks like a type of bug that was fixed in a more recent release anyhow. Upgrading to a current release is the most likely solution.

  • Potentially solved issue with network outages, but why?

    1
    0 Votes
    1 Posts
    129 Views
    No one has replied
  • 0 Votes
    1 Posts
    113 Views
    No one has replied
  • Can't get to login.microsoft.com

    24
    0 Votes
    24 Posts
    4k Views
    johnpoz

    You need to check to see what the mask is actually supposed to be - a /24 seems large as well.. See the other one you have with a /29 that is more realistic for IP space an ISP would give you, etc.

    I would check with ISP what the settings should be!!!

    What I can tell you for sure though - is not supposed to be a /5 ;) That is freaking HUGE!!!!!! 134 Million addresses!!!

    If I had to make an educated guess if that address is assigned to you I would guess either a /30 or /29 would be the most logical.. Those or maybe a /28 would put the wire at .16 and would make sense for your .17 gateway and .18 address.

    With that /5 you wouldn't have been able to access any internet site using any of those 134 some million addresses..

  • Urgently need PFSense 2.2.1 for USB Stick (4g-amd64-nanobsd).

    6
    0 Votes
    6 Posts
    531 Views
    jimp

    In what way? Be as specific with error messages as possible. It does work, people do it all the time. That said, occasionally there are bugs due to items in the old config that might need edits to get past. That's rare but possible.

    For example, you should probably edit out any <package>...</package> blocks from the configuration before restoring one that old.

  • Change size of filter.log

    5
    0 Votes
    5 Posts
    505 Views
    E

    @jimp Thanks that was it!!!

  • [SOLVED] Why doesn't DHCP work consistently on my PFsense box?

    10
    0 Votes
    10 Posts
    1k Views
    D

    Well, I think @jimp nailed it. I've never been a big fan of onboard NICs so purchased a couple 2x Intel NICs and a riser card (RSC-RR1U-E16 R3.6) a year or so ago. I found they don't fit my board/chassis though (ebay, so who knows) and put everything back in the box last time I went through all this. I decided to pull the box back out the other day and make the card fit somehow.

    Luckily, the add-on nic enumerated first and got moved to em0 automatically. I've rebooted the modem three or four times now and it's picking up a routable IP within a couple minutes.

    @stephenw10 thanks for the link. @NollipfSense I think I wore out the contacts in the power switches rebooting everything so many times.


  • Troubleshooting wan/openvpn Network Problems

    9
    0 Votes
    9 Posts
    821 Views
    N

    @BaseBallHat You have to be more consistent.
    Pings should run continuously, preferably not from pfsense (or from pf with multiple ssh sessions).
    What we are trying to see is if the problem (when it happens) is only related to traffic passing through the tunnel, or everything.
    This practically means that you need to configure traffic passing outside the vpn.
    (and going preferably to a local Chinese site...which has ping enabled e.g. baidu.cn
    it pings for me and looks like it is in China.. )
    With the pings running and things working normally you should be able to establish a baseline on how things work as far as packet loss and rtt is concerned.
    Then when you have issues pings will give you an idea where the problem is.
    (local wifi, baseband ? connection, local traffic, vpn traffic/throttling).

    Good luck.

  • DNS crashing every ~ 36 hours or so and unbound has to be restarted.

    38
    0 Votes
    38 Posts
    2k Views
    G

    Thanks, makes sense.

  • PHP just started crashing on a lot of firewalls

    7
    0 Votes
    7 Posts
    435 Views
    P

    Good question, I do have pfmonitor but only 100 licenses out of 700ish pfsense firewalls. I would have to see if those are on pfmonitor.

    EDIT:
    Before I run off to pick up my kids, I did check and one of them is on pfmonitor and that one is a protectli. I ran an upgrade earlier on that one and it hadn't crashed since, but I ran what it said on the post you provided anyway.

  • Dynamic DNS using cloudflare

    3
    0 Votes
    3 Posts
    719 Views
    R

    @Bob-Dig I was checking if it was the right way before doing so.
    I did it now. Worked. Thank you!!

  • 0 Votes
    19 Posts
    3k Views
    JKnott

    @Sasil-M said in Cisco switch is capable and compatible with tp link managed switch or vise versa.:

    @johnpoz ok thanks for the heads up.

    Also, stay away from TP-Link access points. I have one that has the same issue. As a result, I am not able to have a guest WiFi on it. When I called support about it, they claimed it was normal for multicast to leak between VLANs. It was only when I spoke to 2nd level support that they acknowledged the problem. Still, no fix.

  • Internal Test Setup Help

    7
    0 Votes
    7 Posts
    715 Views
    johnpoz

    @TopperTom said in Internal Test Setup Help:

    Logs show nothing but blocked WAN traffic.

    What does that mean exactly?

    can ping domains and IPs

    But you can not load a website? like pfsense.org?

    What exactly is pfsense running on? Your original setup seems fine.. As to logging lots of noise - can you post up some of this noise? You mention broadcast..

    What you did after your original drawing is just nonsense... You know if there is lots of noise you can just turn off logging the noise..

  • Port Forwarding Website

    6
    0 Votes
    6 Posts
    638 Views
    stephenw10

    If you're seeing connection refused externally rather than timing out it's hitting something.

    Check the state table when you're trying to connect, filter by the source IP you're connecting from. You should see states on WAN and LAN with the translation on WAN.

    Steve

  • 0 Votes
    28 Posts
    10k Views
    E

    This script did it for us via the shell:

    pkg update -f
    pkg upgrade -f pfSense-repo
    pkg info | grep pfSense-repo
    # Verify version 2.4.4_7
    exit
    # option #16 to restart php-fpm

  • annoying arpwatch email notification

    1
    0 Votes
    1 Posts
    173 Views
    No one has replied
  • NTP PPS False Ticker?

    16
    0 Votes
    16 Posts
    3k Views
    stephenw10

    Those micro-seconds all add up. 😁

  • 0 Votes
    4 Posts
    399 Views
    dotdash

    What you are trying to do is not how vswitches work. You might be able to map each nic to a separate switch and have a virtual nic on the firewall for each one, but that's kind of crazy.

  • 0 Votes
    2 Posts
    202 Views
    jimp

    NAT does not affect where the rules go.

    Rules for traffic originating from your LAN go on the LAN tab.

    Rules for traffic originating from the remote site over IPsec go on the IPsec tab.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.