• 0 Votes
    40 Posts
    4k Views
    stephenw10S

    Ok that looks like you don't have any users defined that have certs valid for the server. Which is a different problem really, it looks like the package installed OK.

    Add a cert to an existing user. Make sure it's created against the same CA the server cert is using.

  • OpenVPN - Making it more tolerant to packet loss without re-auth

    8
    0 Votes
    8 Posts
    377 Views
    JKnottJ

    @Gertjan said in OpenVPN - Making it more tolerant to packet loss without re-auth:

Isn't keepalive a TCP thing?

    Actually, it's an application thing and can be over TCP or UDP. IIRC, there is no keep alive function in TCP, only timeout.

    Incidentally, several years ago, I tried an experiment. I was in a coffee shop and used the WiFi to set up a VPN. I noticed there was another open WiFi in the area. I was able to switch WiFi, without dropping the VPN. This is a result of using UDP to carry the VPN. So long as the other end is reachable, it doesn't care how it gets there. This is also why, with WiFi calling, you can transparently move between a WiFi and cell network connection.

    BTW, that coffee shop was at the corner of Harbord and Grace in Toronto. That other WiFi's SSID was "GraceLAN". 😉

  • Boot Hangs After "Starting Cron...Done" w/High CPU and Unresponsive GUI

    11
    1 Votes
    11 Posts
    475 Views
    O

    @stephenw10
Thank you, I was in the camp with LPD7. Recovered now.

  • Chromecast not working

    17
    0 Votes
    17 Posts
    952 Views
    K

    @stephenw10
    I feel SUPER dumb. I did a sloppy job by not turning off all of the routing and firewalling capabilities on the old router, and that is exactly what the problem was. As soon as I disabled all the things, casting worked. I'm pretty sure that this wasn't a routing thing though because I only have the LAN port of the wireless router plugged in (and DHCP would have failed), but this router had firewall services applied to the physical LAN ports which had never been used before. Guessing that the firewall services didn't kick in for WiFi clients (which is dumb) and that's why I didn't have problems in the past.

    Thank you all for being so helpful and dealing with my ignorance!

  • USB C to Ethernet Adapter LAN Goes Down

    7
    0 Votes
    7 Posts
    457 Views
    w0wW

    @jeffreyhb123
I think it's about https://www.ebay.com/itm/234892002874
My friend has used https://www.ebay.com/itm/326267601406 on a 1gbit line without any issue, for about 5 years already.

  • Windows giving all vlans the same network profile

    4
    0 Votes
    4 Posts
    191 Views
    johnpozJ

@SteveITS yeah, concur, multihoming is almost always problematic. If you do need a connection to another network like a backup network or SAN (storage area network), it's best not to set a gateway on that network.

As to the same Windows profile firewall problem, I do believe NLA uses the MAC of the gateway, as mentioned by @stephenw10.

One way to change that would be to use a different physical interface for these networks on pfSense. But personally I would rethink the need for multihoming the box in the first place. What exactly are you trying to accomplish by doing that?

My PC is multihomed. But the 2nd network is just direct to my NAS on a network that can't go anywhere other than the other host on the end of the wire. This is my SAN, if you will. This network is 2.5GbE between my NAS and PC, used to transfer files back and forth. This network has no gateway, because there isn't one that could get it to other networks, and no DNS either. This connection is only used when talking to the device on the other end of the 2.5GbE connection.

  • ipsec phase 2 with public IP as local network (200$ bounty for solution)

    3
    0 Votes
    3 Posts
    152 Views
    D

Thanks, solved... but I solved the problem myself... but you are the winner. Do you have a BTC or Monero wallet?

  • Can't ping OPT1, missing firewall rule?

    4
    0 Votes
    4 Posts
    262 Views
    ?

    @SteveITS said in Can't ping OPT1, missing firewall rule?:

    @bumzag 192.168.1.100 is on LAN? Then the pass rule goes on LAN. That device’s gateway should be pfSense LAN IP.

Yeah, this was it, forgot to set the DNS server for LAN DHCP to the LAN IP. You helped me last May with almost the same issue lol, ty again.

  • Wan Block after reboot

    4
    0 Votes
    4 Posts
    163 Views
    stephenw10S

    @ssmax said in Wan Block after reboot:

    if I try to enter through GUI via WAN by disabling the console it doesn't let me,

    What exactly are you disabling on the console? Disable pf?

    What firewall rules do you have on the WAN? Incoming connections are blocked on WAN by default.

    @ssmax said in Wan Block after reboot:

    I simply go to the WAN tab, I don't change anything. And the connections come back

    The WAN tab where? Which page? You don't save anything?

  • Cannot edit LAN interface

    14
    0 Votes
    14 Posts
    453 Views
    A

    @stephenw10

    Thanks a lot for your time today.

  • Where are the certificates depending from an external CA?

    8
    0 Votes
    8 Posts
    272 Views
    stephenw10S

    Ah, intermediate certs would do it. Nice! 👍

  • UPnP and VLANs

    23
    1 Votes
    23 Posts
    977 Views
    johnpozJ

@bearhntr what is not working for nslookup? Can you set debug on it and do the query for what you're looking for?

  • recover from bad package install

    6
    0 Votes
    6 Posts
    397 Views
    R

    @stephenw10 Thank you. I am on track enough that the system is working. I will hold for the update rather than messing further with the system.

  • pfSense fresh install but no internet?

    11
    0 Votes
    11 Posts
    527 Views
    GertjanG

    @meowmere

If the connection is 'bad', pfSense will take the WAN connection (interface) down for a moment, and activate it again. The connection (the WAN uplink) will be re-established.

    @meowmere said in pfSense fresh install but no internet?:

    sometimes it also has 50-75% loss

pfSense is sending a ping every half a second or so. If only 25% come back, I guess it's time you question your ISP about this.
Or: change to another ping destination? Example:


(under System > Routing > Gateways > Edit)

    I use 94.23.251.x as I control that IP/device.

  • No NAT processing for certain packets

    29
    0 Votes
    29 Posts
    2k Views
    stephenw10S

    Yes you would need to run that at the time you were seeing those states.

    You only have a single WAN there?

One thing that could provide useful evidence for both these situations would be to set up pflow exporting. That would show if there are any conflicting states when a non-NATed connection is created.

    It should also catch failing to close out old states.

  • Local VPN won't connect when on LAN port?

    13
    0 Votes
    13 Posts
    761 Views
    bmeeksB

    @magician-balmy-stainable said in Local VPN won't connect when on LAN port?:

    I was previously stopping Suricata from the Interface Settings Overview but now I understand how to disable it.

    Using the Start/Stop/Restart icons on the INTERFACES tab only impacts any current sessions. Once you reboot, there is a shell script in /usr/local/etc/rc.d/ that automatically starts Suricata on any interface where it is enabled. Since you were only stopping the currently running instance and not disabling the instance, the shell script was starting it up normally upon reboot.

    @magician-balmy-stainable said in Local VPN won't connect when on LAN port?:

    It seems like Suricata may no longer be the issue.

I'm not convinced Suricata was ever your issue. I think you have a configuration issue. It's possibly something like @stephenw10 mentioned, where you might have overlapping IP subnets or some kind of rogue gateway set up, so replies from your LAN interface are directed someplace other than the network where you are attempting to access the firewall GUI.

  • How to determine what chipset for ethernet adapter is in use?

    6
    0 Votes
    6 Posts
    301 Views
    stephenw10S

    Not all NICs support the link detection at assignment time. But that shouldn't prevent you assigning and using them. Just assign em0 and test it.

  • Latency spikes on netgate 7100 ver 23.0.5.1

    21
    0 Votes
    21 Posts
    2k Views
    stephenw10S

    Yup, though I don't expect anything to have changed in the 7100 to be honest. The drivers are largely unchanged.

  • Notices - are they stored in log after being marked as read

    2
    0 Votes
    2 Posts
    114 Views
    J

    @4o4rh

    Are you monitoring the gateway?

Edit Gateway -> Monitor IP (pick something outside, past the first hop at your ISP). A lot of people pick one of the big DNS providers (for example 8.8.8.8). Use something that works best for you.

    Status -> System Logs -> System -> Gateways

    should have all the info you want with regards to packet loss and disconnects.

  • Why is the FW responding?

    15
    0 Votes
    15 Posts
    585 Views
    M

    @johnpoz
Thanks, this is the list I'm using. Am going to add yours too :)


Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.