• 0 Votes
    2 Posts
    205 Views
    stephenw10S

    That's the expected behaviour. You can open a feature request if you think it should be different.
    https://redmine.pfsense.org/

    Steve

  • NTP Servers

    2
    0 Votes
    2 Posts
    256 Views
    johnpozJ

    Do you want time to be accurate? Out of the box pfsense uses ntp pool, which yes will be multiple servers that change even.. Yes ntp asks other ntp servers time and picks the best one to sync with.. And then yes checks quite often and then as its time gets in sync with the server it will back off on how often it checks, etc.. to longer between checks..

    I suggest you research how ntp works ;)

    But sure if you don't want it to use pool, you can set it to use specific ntp servers.. Public lists can be found on the ntp pool site.. But yeah normal ntp will talk to a few different ntp servers.. Unless you're sure the one you talk to is correct and are not worried about it going offline, etc.

    You do understand the amount of traffic to and from the ntp servers is very small right ;)

    Look in status ntp, it will show you which peer you're active with, which others are candidates, and which are outliers - it will also show you how often it will query them for their time.. should start at like every 64s and then slide upward to like 512/1024 seconds between queries..

    If you just want to turn it off - remove all the listed ntp servers. No ntp servers listed, nobody to query.

  • HAproxy with domain vs DDNS

    2
    0 Votes
    2 Posts
    1k Views
    stephenw10S

    The benefit is that you don't need to use port forwarding at all and you only need to have one port open. You can have HAproxy listen on the WAN on port 443 and send requests to the appropriate backend server based on the requested URL.
    You don't have to remember what port the services are running on externally just the FQDN.
    It isn't necessarily any more secure though. You only have one firewall rule on WAN so you can't apply different rules to each service at the firewall level. Connection limiting, traffic shaping etc.
    You still can have HAproxy listen on different ports though if you found you needed that.

    Steve

  • How do you Separate DNS from WAN and VPN

    2
    0 Votes
    2 Posts
    282 Views
    stephenw10S

    Probably your VPN provider is pushing a new default route to pfSense and that changes what Unbound uses to query root servers.
    That is assuming you're running Unbound and it's in resolving mode.

    That's not double NAT though unless your VPN provider is also giving you a private IP address.

    You could try setting a static DHCP lease for the PS4 and handing it a DNS server to use directly rather than using Unbound in pfSense. If you already have policy routing in place for it then all its traffic, including dns queries, will use the WAN directly regardless of the VPN status.

    Steve

  • General system failure (still)

    11
    0 Votes
    11 Posts
    1k Views
    stephenw10S

    Hmm, odd. Doesn't seem like anything I've seen but I'll be watching for it now. Thanks for the write up.

    Steve

  • Crashing after restoring from backup

    7
    0 Votes
    7 Posts
    745 Views
    stephenw10S

    It does but only the config version at the start of the file. Fortunately there is a handy reference 😉

    https://docs.netgate.com/pfsense/en/latest/releases/versions-of-pfsense-and-freebsd.html

    Steve

  • WAN Down - Unable to connect.

    19
    0 Votes
    19 Posts
    2k Views
    stephenw10S

    Well I can tell you struggled for a while with the HG612 and eventually swapped it out for an ECI and never looked back.

    When it failed it usually stopped passing traffic completely so the PPPoE would go down. All the LEDs just remained solid on it.

    I had thought you might be hitting this: https://redmine.pfsense.org/issues/9148

    I saw that a few times in 2.4.4 but have not seen that since that patch was included in 2.4.4p1. I don't see that in your logs specifically either.

    Unfortunately we can't see what happened that started the failure at 10.25. The first log entry shows the PPP session closing already:
    Feb 5 22:27:14 pfSense ppp: [wan_link0] PPPoE: connection closed

    However the failure at 00.01 was initiated from the remote side. It came back up by itself though.

    If we can get the log showing the connection fail that might help. Not guaranteed though.

    I have nothing special set here and it "just works".

    Steve

  • How to use pfSense as a firewall for my already deployed VPN server?

    4
    0 Votes
    4 Posts
    298 Views
    johnpozJ

    Putting a vpn server behind an edge router can be problematic yes.. Your trouble is making sure you don't run into asymmetrical traffic..

    Normally you would put your vpn server into a transit network off your edge..

    Running the vpn on the actual edge router is so much easier.

  • 0 Votes
    2 Posts
    319 Views
    jimpJ

    This area of the forum is English, if you wish to post in multiple languages, make a separate post in a language-specific category under pfSense International Support rather than putting both in a single post.

    That said, there isn't a way to force it to reload the entire config completely from the command line live, but you can do this:

    cp config.xml /conf/config.xml
    rm /tmp/config.cache
    /etc/rc.reboot

  • Multicast IPTV, igmpproxy issues, BT TV, BT Sport 4K

    13
    0 Votes
    13 Posts
    9k Views
    M

    I followed this guide to the t and I still could not get my BT box to even connect to the internet.

    I eventually found it was because of IPv6. I disabled the DHCP server for IPv6 and changed my LAN interface to have "none" for the IPv6 config type.

    I hope this helps someone :)

  • Resolver access lists : is at least one always needed?

    6
    0 Votes
    6 Posts
    2k Views
    P

    @jmacdonald I have the exact same question and would love to see some comments on it. Thanks!
    Also, what is the rule to add in order to have "Allow All"? I tried 0.0.0.0/128 but that didn't work.

  • Problems with NEST cameras after fresh install

    12
    0 Votes
    12 Posts
    2k Views
    H

    I am not blaming pfSense. I ran pfSense for quite a few years up until 2016 when I moved. My internet service has since changed at my new house. My old APU2 hardware worked fine with my old 15Mbps cable connection. Now that I am on vDSL I was more leaning towards the issue being hardware related. Unfortunately I did not have the time to do any thorough troubleshooting as I had to have my network back up and running ASAP with my cameras working. Regarding the Routerboard switch, the default settings were applied. I simply unboxed it and plugged it in to the LAN port of the pfSense box. My goal of posting on here was to see if somebody experienced something similar with NEST or other security cameras. I was hoping the setup would be as easy as it was in the past but unfortunately it isn't.

  • Console in AWS

    Locked
    5
    0 Votes
    5 Posts
    568 Views
    D

    Okay thank you

  • Crash Log pfSense 2.4.4-p2 Hyper-V 2012R2

    5
    0 Votes
    5 Posts
    619 Views
    F

    Will do that

    Thank you both very much!

  • load balance pool working with WAN but not with LAN

    4
    0 Votes
    4 Posts
    411 Views
    X

    @jimp Yea I thought about it but I'd like to keep it minimal for now. Just wanted to post the solution here, took me a while to find it. Wasn't obvious to me

  • 0 Votes
    9 Posts
    1k Views
    johnpozJ

    Are you running some sort of vpn client setup?

    Here is the thing out of the box rules on lan are any any... And pfsense will nat all from its lan to its wan IP.

    So if your WAN network is 10.1.1.0/24 with pfsense wan IP being 10.1.1.1
    And your lan network is 10.1.2/24 then all clients will look like they are 10.1.1.1 when they talk to your wan network, ie pfsense wan IP.

    If I had to "GUESS" to your problem you're forcing traffic out some vpn gateway on your lan rules - which we would know if you could post a simple screenshot vs making gifs with zero information in them.

    Other guess would be you have the wrong mask on your clients and they think that 10.1.1 is the same network as 10.1.2 say example a /8 which is what windows would default mask to, etc. etc. So how about you post up a config of your clients.. Show a traceroute to say 10.1.1.1 and one to 8.8.8.8

    And post up a picture of your lan rules - and validate you're not using any sort of vpn, and or are your clients pointing to any sort of proxy or using their own vpn client.

  • Daily Scheduled Reboot without CRON?

    3
    0 Votes
    3 Posts
    431 Views
    RicoR

    Why would you daily reboot your pfSense?

    -Rico

  • Network interface mismatch

    5
    0 Votes
    5 Posts
    868 Views
    M

    Thank you, that's actually the way we are currently using it (not with pfsense though) , but because of the quantity of the modems it gets really expensive to have a 4G router for each modem.

    I love the fact that pfsense is so easy to configure and just works out of the box with 4G modems, just the reboots are giving me headaches now )

  • Cacti monitoring with connections?

    2
    0 Votes
    2 Posts
    300 Views
    jimpJ

    I haven't used cacti in years but I seem to recall a FreeBSD+pf or pfSense template around that hit the pf MIBs to track some things like that. If nothing turns up here, search on the Cacti forum.

  • 0 Votes
    8 Posts
    801 Views
    stephenw10S

    Well if you dig deep enough you can do whatever you want. You could potentially add a line to the gateway down script that restarts the PPPoE link. It would likely take some trying to get it working as you want though.

    Steve

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.