@chpalmer said in Losing WAN when receiving VOIP call:

Then ask your ISP if anything about your circuit has changed on their end. Just to cover your bases.

I already texted him :)

https://www.netgate.com/docs/pfsense/book/config/advanced-admin.html?highlight=ssh#secure-shell-ssh

Ok. Thank you sir

pfSense can be a VPN client, yes. But you cannot route arbitrary traffic over those types.

You might be able to do it with VTI. You definitely can do it with OpenVPN.

Steve

@derelict said in How do I setup LAN to Wifi, Wifi to LAN. Wifi different subnet to LAN.:

WAN allow > pfsense
LAN antilockout rule anything allow > pfsense
LAN 192.168.6.0/24 allow to 192.168.5.0/24
LAN 192.168.5.0/24 allow to 192.168.6.0/24
ATH0 allow anything to anything

The stricken rule does nothing.  You will never see traffic coming into LAN from 192.168.6.0/24.

Here's what you want to do in general:

Pass traffic on ATH0 for things you want wireless clients to be able to do (like local DNS)
Reject traffic on ATH0 for things you don't want wireless clients to be able to do (Like access LAN or the firewall itself)
Pass traffic on ATH0 to everything else (the internet)

Read this:
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
Wifi name in hindi
Any questions post the part of that document you don't understand and ask away.


There are some things that are specific though like the interface names but pfSense will ask you to re-assign them at the first boot. It can be a problem if the previous hardware had more interfaces than the new hardware.
You certainly can import a config file from an older pfSense version, there are scripts to translate it to the newer config file format.

@xlameee (the original poster) and I are running 2.4.4. I have the same symptom as xlam. Unfortunately it's not a matter of an upgrade for either of us; something else is happening for us under the same conditions.

I know major changes and upgrades behind the scenes happened with the PHP upgrade and BSD updates since then. @Trufelli is on 2.3.2 and his use case is different than mine or xlam.

Thanks for the info and suggestions, ended up just creating a vlan on the isp interface and removing an ip from my pfsense and connecting it through directly to the customers CPE router. It's done the job.

Changed the subnet on the printer to /24 and that WORKED! Thanks so much Stephen! Great job by YOU!

Port forwarding will not help at all with outbound connectivity.

How are they failing? Unable to resolve IPs? No route to host? Just timing out?

Steve

Comcast has a massive address pool, and has been known to move addresses around when doing maintenance or if they need more addresses in one area that aren’t being used in another. It’s not uncommon for two different routers to pull two different IP addresses in two different subnets either.

Also, geolocation of IP addresses isn’t an exact science, so it may take a few weeks, or even a couple months, for an address’s location to be updated by the various companies that provide geolocation services.

@stephenw10

Thanks Steve for your help.

Thanks for the feedback Jimp.

Thank you very much.

Are you using the DNS Resolver, perhaps? Maybe DNS over TLS? or DNSBL?

We found out there are some memory leaks in the version of unbound shipped with 2.4.4. They were recently fixed upstream in Unbound, and we'll have them in 2.4.4-p1 soon.

That's the only known memory leaks at the moment that I can think of.

@chpalmer It's a SG-2220.... maybe your right, but how ? (via ssh.. ?)

sniff/packet capture on your wan... Open the capture in wireshark.

Or just run a tcpdump with -e should also show it.

Looks like your seeing them every few seconds so you sniff should only need to be very short.

Start a new thread about it in the pfblocker sub. This has nothing to do with your 'DNS servers from ISP' issue. By unchecking that box, your ISP's DNS are no longer in your list.

@jimp

I see the line '$radvdconf .= "\tDNSSL {$config['system']['domain']} { };\n";'

Will removing ['domain'] from that line remove option 31 from the RA? Or just remove the domain name, leaving an empty option 31?

The reason I'm trying to do this is so that the pfSense RA matches the one from the cell phone as closely as possible, to see if this option is causing the problem.

Be sure to have source/destination check disabled if you're not NATing, which you probably aren't.
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck

Steve