• Filter reload alert

    4
    0 Votes
    4 Posts
    575 Views
    GrimsonG

    Don't be so lazy and try different searches, for example:

    @roncbk:

    Cannot allocate memory - The line in question reads

    Also a different sign of being lazy, update your pfSense install, you're way behind.

  • Suddenly lost WAN connectivity for three hours

    2
    0 Votes
    2 Posts
    382 Views
    J

    OK, just saw a Tweet from Deutsche Telekom that they had issues with "some" connections with static IP  ::) … Seems the problem was an external one.

  • Ping on opt WAN

    5
    0 Votes
    5 Posts
    602 Views
    M

    @querichelli:

    I need to keep WAN1 working, but test WAN2 with ping test for 1hour+, is it possible?

    What's the purpose of the test? If you're wanting to test WAN2 specifically for devices behind pfSense, then the policy route via firewall rule as suggested would be the way to go. If you're just wanting to see the quality of your WAN2 from ping results, then I would suggest changing the monitoring IP for that gateway to 8.8.8.8 and let pfSense monitor this for you. This way you can see the current quality of your WAN2 when you log in and also check the history of that link by going to Status -> Monitoring. If you haven't done so already, I would suggest doing this for WAN1 as well. In order for failover to work properly this should have already been done, but maybe this isn't the purpose for your test.

  • IPs Blocked or not Blocked?

    6
    0 Votes
    6 Posts
    2k Views
    NogBadTheBadN

    Is your modem routing? If it was bridging you'd see a non-RFC1918 address on the pfSense WAN NIC.

    BTW my blacklist is to block shodan.io & other IP addresses.

  • Vpn from specific hosts

    7
    0 Votes
    7 Posts
    918 Views
    V

    @aagaag:

    The only remaining issue is that I think that I may need to do the same for IPv6. However configuring IPv4+6 disallows the gateway options.

    Naturally, IPv6 requires an IPv6 gateway. So you cannot set the IPv4 VPN gateway for IPv6 traffic anyway.

    @aagaag:

    I stand corrected. I do have a DNS leak. Might you be so kind and explain to me how I can ensure that traffic moving through the VPN uses a specific DNS server, and only that one?

    The simplest way would be to use an external DNS server on the concerned devices.
    Assuming you use the DHCP server on pfSense to configure the network on your devices, add a static mapping for all devices you're directing over that vpn. In the static mapping you can define an external DNS like Google's 8.8.8.8 or whatever you want.
    Since any traffic of those devices is directed over the vpn by the firewall rule, the DNS requests also have to go over the vpn.

  • Use internal notification system for other systems

    2
    0 Votes
    2 Posts
    298 Views
    jimpJ

    No, that is not possible.

  • Interpreting fsck results

    2
    0 Votes
    2 Posts
    530 Views
    GertjanG

    The "INCORRECT BLOCK COUNT" shouldn't be there.
    At least, I do not have these messages.

    ** /dev/ufsid/54ca20c41b3d50b0 (NO WRITE)
    ** Last Mounted on /
    ** Root file system
    ** Phase 1 - Check Blocks and Sizes
    ** Phase 2 - Check Pathnames
    ** Phase 3 - Check Connectivity
    ** Phase 4 - Check Reference Counts
    UNREF FILE I=2006402  OWNER=root MODE=100666 SIZE=0 MTIME=Apr  9 07:29 2018 CLEAR? no
    UNREF FILE I=26324042  OWNER=root MODE=100555 SIZE=684072 MTIME=Dec 12 20:49 2017 CLEAR? no
    ** Phase 5 - Check Cyl groups
    27679 files, 300300 used, 74373502 free (3758 frags, 9296218 blocks, 0.0% fragmentation)

    Do a fsck after rebooting - use the console access, before pfSense kicks in, so fsck can do its magic.

  • How to utilise my hardware the best way?!?

    4
    0 Votes
    4 Posts
    445 Views
    johnpozJ

    What switch(es) do you have?  If you're wanting to isolate devices via network/vlan then it's kind of a must for these switches to be vlan capable.  They do not have to be expensive to do this; $30 can get you an 8 port gig switch that does vlans.

    Sure you can isolate your networks via different hardware, dumb switches on different interface to your firewall.  But vlans make it possible for devices in the same room to be on different networks using the same switch.

    Per your like a pro comment - first step would be switches that do vlans.. You make no mention of what make and model your switches currently are.

  • NTP is wrong by almost 3 minutes.

    30
    0 Votes
    30 Posts
    7k Views
    johnpozJ

    that patch was pushed to master back in feb of 2017… What version of pfsense are you running that you would manually put in that patch?

  • A general question \ s about OpenVPN in PFSense.

    5
    0 Votes
    5 Posts
    531 Views
    V

    By default vpn providers push the default route to the clients, so that all upstream traffic is routed over their vpn.
    So if your computer tries to connect to the vpn this won't work, because the connection request will come already from inside the vpn. But if you don't establish the vpn on the computer there should be no trouble with that and traffic should be routed over the vpn.

  • What Caused the Crash

    4
    0 Votes
    4 Posts
    706 Views
    NollipfSenseN

    I finally found out what was causing the crash…seems my motherboard was dying, and today it went belly up!

  • LACP and VLAN Issues with Netgear Switch

    2
    0 Votes
    2 Posts
    663 Views
    S

    I figured it out. Static Mode needs to be set to disable on LAG1 on the Netgear to enable LACP.  ::)

  • Queues Status Under Reading

    1
    0 Votes
    1 Posts
    411 Views
    No one has replied
  • Changing Clamav antivirus for nod32

    1
    0 Votes
    1 Posts
    255 Views
    No one has replied
  • VoIP SIP phone line keeps stopping behind pfsense

    6
    0 Votes
    6 Posts
    1k Views
    MikeV7896M

    I'll second chpalmer. I have WAN firewall rules for the SIP and RTP ports my two phones (one Panasonic, one Polycom) use when the connection is originating from my VoIP provider's IP address ranges, and I've never had any issues.

    I'm fortunate that my provider has a support article detailing the address ranges they use, so I was able to set them up. I'm also fortunate that the two phones don't have overlapping default RTP port ranges… though I could probably adjust them anyway. I did have to change the SIP port for one of them though. :)

  • Adding VPN for specific URL

    3
    0 Votes
    3 Posts
    368 Views
    C

    thank you @nogbadthebad - I've found some entries for that so I'll see what it brings and report back

  • 0 Votes
    4 Posts
    424 Views
    chpalmerC

    Thanks guys!

    When I turned IPv6 off on the interfaces the errors stopped. ISP is having issues with IPv6 so we are disabling for now. I'll update if when turned back on the errors start again.

  • VLAN Network performance Green to Orange on ESXi setup

    3
    0 Votes
    3 Posts
    319 Views
    A

    No, I did not - because I misunderstood the instructions

    Works now, huge thanks !

  • Do I gain something setting GPON router in bridge for pfSense ?

    2
    0 Votes
    2 Posts
    345 Views
    NogBadTheBadN

    Yes you avoid a double NAT.

    Some IP traffic has the IP address in two locations in the packet, NAT will only change the header.

  • Resolving LAN hosts names - help

    16
    0 Votes
    16 Posts
    1k Views
    chudakC

    @Gertjan:

    PCs and other devices could have 'static' DNS addresses set up, so they will contact for example "8.8.8.8", bypassing completely the local DNS authority (your pfSense).

    That makes sense and explains those queries, thx!

    @Gertjan:

    Also : some devices, some software have DNS hard coded - you can't do anything about that, except blocking all outgoing DNS request, forcing the device to use pfSense, or have it shut up.

    I do force all DNS requests to use pfsense only!
