• Wan Block after reboot

    0 Votes
    4 Posts
    163 Views
    stephenw10
    @ssmax said in Wan Block after reboot:
    "if I try to enter through GUI via WAN by disabling the console it doesn't let me,"
    What exactly are you disabling on the console? Disable pf? What firewall rules do you have on the WAN? Incoming connections are blocked on WAN by default.
    @ssmax said in Wan Block after reboot:
    "I simply go to the WAN tab, I don't change anything. And the connections come back"
    The WAN tab where? Which page? You don't save anything?
  • Cannot edit LAN interface

    0 Votes
    14 Posts
    455 Views
    A
    @stephenw10 Thanks a lot for your time today.
  • Where are the certificates depending from an external CA?

    0 Votes
    8 Posts
    272 Views
    stephenw10
    Ah, intermediate certs would do it. Nice!
  • UPnP and VLANs

    1 Votes
    23 Posts
    980 Views
    johnpoz
    @bearhntr what is not working for nslookup? Can you set debug on it and do the query for what you're looking for
  • recover from bad package install

    0 Votes
    6 Posts
    397 Views
    R
    @stephenw10 Thank you. I am on track enough that the system is working. I will hold for the update rather than messing further with the system.
  • pfSense fresh install but no internet?

    0 Votes
    11 Posts
    527 Views
    Gertjan
    @meowmere If the connection is 'bad', pfSense will take the WAN connection (interface) down for a moment, and activate it again. The connection = WAN uplink will be re-established.
    @meowmere said in pfSense fresh install but no internet?:
    "sometimes it also has 50-75% loss"
    pfSense is sending a ping every half a second or so. If only 25% come back, I guess it's time you question your ISP about this. Or: change to another ping destination? Example: [image] (under System > Routing > Gateways > Edit). I use 94.23.251.x as I control that IP/device.
  • No NAT processing for certain packets

    0 Votes
    29 Posts
    2k Views
    stephenw10
    Yes you would need to run that at the time you were seeing those states. You only have a single WAN there? One thing that could provide useful evidence for both these situations would be to set up pflow exporting. That would show if there are any conflicting states when a non-natted connection is created. It should also catch failing to close out old states.
  • Local VPN won't connect when on LAN port?

    0 Votes
    13 Posts
    770 Views
    bmeeks
    @magician-balmy-stainable said in Local VPN won't connect when on LAN port?:
    "I was previously stopping Suricata from the Interface Settings Overview but now I understand how to disable it."
    Using the Start/Stop/Restart icons on the INTERFACES tab only impacts any current sessions. Once you reboot, there is a shell script in /usr/local/etc/rc.d/ that automatically starts Suricata on any interface where it is enabled. Since you were only stopping the currently running instance and not disabling the instance, the shell script was starting it up normally upon reboot.
    @magician-balmy-stainable said in Local VPN won't connect when on LAN port?:
    "It seems like Suricata may no longer be the issue."
    I'm not convinced Suricata was ever your issue. I think you have a configuration issue. It's possibly something like @stephenw10 mentioned where you might have overlapping IP subnets or some kind of rogue gateway set up so replies from your LAN interface are directed someplace other than the network where you are attempting to access the firewall GUI.
  • How to determine what chipset for ethernet adapter is in use?

    0 Votes
    6 Posts
    302 Views
    stephenw10
    Not all NICs support the link detection at assignment time. But that shouldn't prevent you assigning and using them. Just assign em0 and test it.
  • Latency spikes on netgate 7100 ver 23.0.5.1

    0 Votes
    21 Posts
    2k Views
    stephenw10
    Yup, though I don't expect anything to have changed in the 7100 to be honest. The drivers are largely unchanged.
  • Notices - are they stored in log after being marked as read

    0 Votes
    2 Posts
    114 Views
    J
    @4o4rh Are you monitoring the gateway?
    Edit Gateway -> Monitor IP (pick something outside, past the first hop at your ISP).
    A lot of people pick one of the big DNS providers (like for example 8.8.8.8). Use something that works best for you.
    Status -> System Logs -> System -> Gateways should have all the info you want with regards to packet loss and disconnects.
  • Why is the FW responding?

    0 Votes
    15 Posts
    585 Views
    M
    @johnpoz Thanks, this is the list I'm using. Am going to add yours too :) [image]
  • Accessing the PFSENSE console in an AWS instance

    0 Votes
    21 Posts
    716 Views
    dareys
    @dareys Thank you everyone for the help. I now have set up a NETGATE Pfsense VPN running on AWS, as per the diagram on the right, temporarily freeing me from the local hardware requirement. FYI. [image]
  • Remote management of pfSense devices

    0 Votes
    3 Posts
    422 Views
    K
    @stephenw10 Thanks for the info. I came across pfMonitor which is a central management for pfSense devices. https://pfmonitor.com/index.php Do you know what are the differences between pfMonitor and the upcoming Multi-Instance Management from Netgate?
  • Console port settings

    0 Votes
    11 Posts
    562 Views
    Urbaman75
    @stephenw10 will try standard boot instead of efi, this is a Qotom Mini PC Q20331G9 1U.
  • pfSense Installer Hinders Offline Network Deployment

    0 Votes
    12 Posts
    951 Views
    ToeiRei
    I wouldn't consider my opinions more educated than others - I just had more time to make mistakes compared to other folks due to my age - and tried to remember a few of the things that went boom in my career.
    @chpalmer said in pfSense Installer Hinders Offline Network Deployment:
    "I would ask if you had actually downloaded any of the installers before arriving at your venue??"
    I am having my ol' and trusty images by now plus a couple of ISO files on a Ventoy stick to save me some trouble as even a readily installed device can fail and you need to reinstall on a fresh disk in a pinch. Been there, done that.
    @chpalmer said in pfSense Installer Hinders Offline Network Deployment:
    "But my advice is to always look for what could bite you in the days before during the planning stages.."
    Borrowed hardware on a budget is a sure way to bite you. Question is not 'if', it's 'when'. Especially when you receive certain parts just on site. We do get sponsored hardware at some point which are questionable as well and you get them a couple of hours before the opening. So firmware and stuff is really handy and a small fileserver in the admin vlan hosting that stuff is a must have at that point. My worry is really about the future deployments to come especially on some crucial infrastructure like a firewall...
  • Webfilter and IPS in pfSense

    0 Votes
    2 Posts
    108 Views
    G
    @kwangmien There is a section in this forum for IDS/IPS where you find all you need on Suricata and Snort. Then there is another package called pfBlockerNG which I guess is what you might be thinking of as web filter. https://forum.netgate.com/category/53/ids-ips https://forum.netgate.com/category/62/pfblockerng No software licenses required and there are both free and paid versions of the rulesets used. And for pfblocker you would benefit from getting a MaxMind license, also free.
  • Download speed bottomed out after switching providers

    0 Votes
    14 Posts
    456 Views
    S
    Changing the nic type and opting out of the CGNAT network address space seems to have corrected whatever issue I was having.
  • WAN configuration change stops access to WEB GUI

    0 Votes
    10 Posts
    269 Views
    stephenw10
    That implies the client cannot ARP for the IP. That could be because the LAN stops responding entirely but no way to be sure without more tests.
  • 0 Votes
    30 Posts
    2k Views
    NollipfSense
    Wow...this is still going...
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.