Thank you @azzir
This was very helpful. I was trying to compile similar query for Splunk.
After spending some time, I could come up with following.

host="pfSense.HOME.COM" filterlog | rex "(?P<Month>\w+)\s\s(?<Day>\d{1,2})\s(?<Hour>\d{1,2}):(?<Minutes>\d{1,2}):(?<Seconds>\d{1,2})\s(?<RouterName>[^\.]+)\.(?<Suffix>[\S]+)\s\w+\s\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}\s(?P<LogType>\w+):\s(?<RuleNumber>\d+),,,(?<Tracker>\d+),(?P<RealInterface>\w+),(?P<ReasonForLogEntry>\w+),(?P<Action>\w+),(?P<Direction>\w+),(?P<IPVersion>\w+),(?<tos>[^,]*),(?<ecn>[^,]*),(?<ttl>\d+),(?<id>\d+),(?<offset>\d+),(?<flags>\w+),(?<ProtocolId>\d+),(?<Protocol>[^,]+)" | rex "^6,(?<class>\w+),(?<flowLabel>[^,]*),(?<hopLimit>\d+),(?<protocolText>[^,]+),(?<protocolId>\d+)" | rex "tcp,(?:\d+,)?(?<Length>\d+),(?<SourceAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<DestinationAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<SourcePort>\d+),(?<DestinationPort>\d+),(?<DataLength>\d+),(?<TCPFlags>\w+),(?<SequenceNumber>[\d:]*),(?<AckNumber>\d*),(?<TCPWindow>\d*),(?<urg>[^,]*),(?<TCPOptions>.*)" | rex "udp,(?:\d+,)?(?<Length>\d+),(?<SourceAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<DestinationAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<SourcePort>\d+),(?<DestinationPort>\d+),(?<DataLength>\d+)" | rex "icmp,(?:\d+,)?(?<length>\d+),(?<SourceAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<DestinationAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<ICMPData>.*)" | rex "(?<icmpType>request|reply),(?<EchoId>\d+),(?<EchoSequence>\d+)" | rex "(?<icmpType>unreach|timexceed|paramprob|redirect|maskreply),(?<icmpDescription>.*)" | rex "(?<icmpType>unreachproto),(?<icmpDestinationIpAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<unreachableProtocolId>.*)" | rex "(?<icmpType>unreachport),(?<icmpDestinationIpAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<unreachableProtocolId>[^,]+),(?<unreachablePortNumber>\d+)" | rex "(?<icmpType>needfrag),(?<icmpDestinationIpAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),(?<icmpMTU>\d+)" | rex "(?<icmpType>tstamp),(?<icmp_id>[^,]*),(?<icmpSequence>[^,]*)" | rex "(?<icmpType>tstampreply),(?<icmpId>[^,]*),(?<icmpSequence>[^,]*),(?<icmpOTime>\d*),(?<icmpRTime>\d*),(?<icmpTtime>\d*)" | table Month,Day,Hour,Minutes,Seconds,RouterName,Suffix,LogType,RuleNumber,Tracker,RealInterface,ReasonForLogEntry,Action,Direction,IPVersion,tos,ecn,ttl,id,offset,flags,ProtocolId,Protocol,class,flowLabel,hopLimit,protocolText,protocolId,Length,SourceAddress,DestinationAddress,SourcePort,DestinationPort,DataLength,DataLength,TCPFlags,SequenceNumber,AckNumber,TCPWindow,urg,TCPOptions,ICMPData,icmpType,EchoId,EchoSequence,icmpDescription,icmpDestinationIpAddress,unreachableProtocolId,unreachablePortNumber,icmpMTU,icmpId,icmpSequence,icmpOTime,icmpRTime,icmpTtime code

Tools used:
To validate regex aginst data: https://regex101.com/
Official Documentation About Log: https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2

@johnpoz said in PfSense Box cant ping LAN:

@jahonix

That https://textik.com is slick as shit! Added to my toolbelt links. Thank!!!

That will make for some really nice ascii art network diagrams.

edit: here is another one like that http://asciiflow.com/

I had ASCIIflow in that german support topic as well, but after trying both, it certainly lacks a few functions compared to textik. Textik handles links/lines between boxes and they stay linked/sticky whereas asciiflow doesn't have some sort of linking functionality :)

Did you have client pointing to multiple nameservers?

Having your client say with

192.168.1.1 (pfsense - local dns)
8.8.8.8 (googledns - public dns)

This is common mistake made... I see it ALL the time!!! Users do not seem to grasp that a client doesn't ask both, or move to the next one when NX returned, etc.

While you might list your ns in order on your client. You really can not be sure which nameserver a client might ask for any given query. Sure if one does not answer with specific time period for a query, the client will ask the other listed ns. And once a client gets answers from 1 it stick to that one..

So if you ask google for pfsense.localdomain.tld your going to get back NX.. Once a client gets back NX it will not go ask other ns for that since it was told - hey doesn't exist. Doesn't make any sense to bug the other NS for something that clearly does not exist. It will not ask again until the neg ttl expires on that NX.

While you can point your clients to multiple NS.. They all need to be able to resolve the same stuff! So if you want to point to google and opendns and 1.1.1.1 ok sure - they should all be able to resolve www.publicdomain.com

But using even different public that provide different blocking features can get you in trouble. While opendns might block xyz, maybe googledns allows it, etc. Which one is your client going to be asking? You can not be sure.

Listing internal and external dns is going to cause you grief for sure. All your nameservers listed on your client should be able to resolve the same stuff. So sure you can run multiple internal NS that can all resolve any internal stuff, and then forward/resolve to get the public stuff. If 1 is down - no answer at all (ie timeout) then yes client will ask other one. Your fine here since no matter what NS you ask you are sure you will get the same answer.

Thank you very much for your help.

Bumping this topic for No-IP group support... Would be a fantastic security enhancement for our sites.

I'm happy to provide a paid/Enhanced group for testing.

Good news. I think it has been resolved. Some background: I loaded my config into VM environment, no errors. But no real traffic for a good test. I reset to factory on physical box. Did basic setup. No errors. Restored original config, on reboot errors came back. So I started disabling rules firewall rules 1 by 1. When I finally got to the NAT rules, I found the culprit. Once this rule was disabled error stopped. Best and worst part is I re-enabled the rule and pfr_update_stats: assertion failed did not come back.

The offending rule was nothing special. WAN IP to LAN3 IP UDP port 70. No advanced options changed.

You are running 32bit and not even the latest 32bit version. That CPU can run 2.4.3_1 so you should be on that really.

You have no DNS resolution at the client. Is Unbound even running? Check Status > Services. Try Diag > DNS lookup which should try pfSenses own DNS servers.

You can ping 192.168.10.1 from the client but can you ping 192.168.1.20 or 192.168.1.1?

Steve

@andyc Yeah, i want to have access to my ESXi management from work and at home. (only for a while, as I am preparing everything for my VM ect ..)

i will make a IP restriction or something like that if it's possible, to allow only my home public IP and the work IP

Or i can just do a VPN with my pfSense (i saw come options to do this), i don't know, i'll think about it

More info needed @OP
What exactly are you trying to make work that is not working across subnets?

Not really a pfSense question at this point.

Steve

Probably not in this case.

It works with Google DNS on Apple TV manually. Thanks for your help guys!

Mmm, it does seem unlikely we can do anything to help much in pfSense then.
If you are at some other location, not behind pfSense, and it still behaves the same then that would confirm it.

Steve

Ok I am calling this fixed. I've got an uptime of 14 days after disabling AES/NI on this machine. Previously I couldn't make it past 4-5 days.