• Source IP-based rule failing to block traffic from iPad

    9
    0 Votes
    9 Posts
    473 Views
    johnpoz
    IPv6 doesn't even need dhcp - you will need to disable the RA for your interface if you don't want it to pick up auto IPv6 addresses.
  • setup vpn for specific links not whole network

    5
    0 Votes
    5 Posts
    497 Views
    johnpoz
    Yeah a voip call would be specific ports.
  • transparent bridge wan lan intermittent connection

    2
    0 Votes
    2 Posts
    390 Views
    johnpoz
    @lonmarlon said in transparent bridge wan lan intermittent connection: "any idea?" Not a clue since can not make out your setup.. You're bridging through pfsense? WHY would be my first question! ;) And WTF would you be doing it wan to lan for? You're going to have to give way more details about your setup and the issue you're seeing if you expect any sort of actual help.
  • Issue connecting to VDI Horizon View

    3
    0 Votes
    3 Posts
    346 Views
    J
    I will give that a try. Thanks
  • Allow ICMP ping

    6
    0 Votes
    6 Posts
    3k Views
    KOM
    Awesome.
  • Port 53 DNS LAN firewall rules

    8
    0 Votes
    8 Posts
    2k Views
    johnpoz
    You might have better luck with such a question in the pfblocker section.. game servers and psn servers could have huge amount of domains that could be looked, so blocking x could cause something in the chain to fail, etc.
  • Squid HTTPS User Certificates

    4
    0 Votes
    4 Posts
    492 Views
    KOM
    Ah, now I understand. I'm not from a country that enforces user certs for dealing with government. Glad to hear you got it working now.
  • Problem with squid, not start

    3
    0 Votes
    3 Posts
    392 Views
    calitzin
    @KOM Thank you very much, I'll do that
  • At times WiFi calling and sending SMS doesn't work?

    55
    0 Votes
    55 Posts
    13k Views
    Derelict
    @JohnnyBeGood It's just NAT. If they did something stupid to require static source port 4500, the knob is there for you to turn. That will break if multiple phones try to connect to the same IPsec endpoint. These are my states to AT&T. NAT-T doing what NAT-T does:
    Packets Bytes
    LAN udp 192.168.223.223:4500 -> 129.192.166.10:4500 MULTIPLE:MULTIPLE 33.68 K / 25.353 K 4.87 MiB / 5.07 MiB
    WAN udp 203.0.113.230:31513 (192.168.223.223:4500) -> 129.192.166.10:4500 MULTIPLE:MULTIPLE 33.678 K / 25.353 K 4.87 MiB / 5.07 MiB
  • Pfsense Bridge with LFP (Link fail propagation)

    6
    0 Votes
    6 Posts
    677 Views
    H
    Hey JKnott, thank you so much for the detailed insight. The thing I have noted with pfsense is that it does not pass LACP packets when SW1 and SW2 links are set with LACP, so I used static LAG. As for static LAG, it does not have any mechanism to check link state; if the link is up it'll keep sending traffic to the other end, and since the other end is a bridge, it won't pass over to the corresponding pair link, hence black-holing the traffic. My pfsense is transparent to the network; it's not doing any routing or link aggregation. I know it's kind of a complex setup but that's why I posted, hoping to get some insight. Guess I don't have any other options except scripting.
  • 0 Votes
    5 Posts
    391 Views
    L
    @Derelict Derelict, thanks for the reply. To begin with, I made a mistake. The address seen in the logs is a valid level-2 address. So normally I would not have started this topic. Nevertheless, since I was thinking about this subject, I was wondering if there could be any non-physical “ip-object” which could be added / occur on the interface, added by the pf-sense router or firewall software or packages like avahi, igmp-proxy, pimpd, etc. (I am desperately trying to get multicast working across vlans, pimpd helps perhaps, igmp-proxy not). That additional to the GW/interface as bonded to a physical interface or in my case a vlan on a physical interface or lagg. Of course the gateway sees everything passing by on that interface as stream towards the firewall, I understand. And next to that upstream there is the downstream, what is sent from the FW-router towards that particular GW and from there towards the “physical” interface. Louis
  • Some ports are not working

    17
    0 Votes
    17 Posts
    2k Views
    kiokoman
    Even if "this has zero to do with pfSense" I can give you a couple of suggestions to try:
    sudo setenforce 0
    firewall-cmd --permanent --zone=internal --set-target=ACCEPT
    and check if it works
  • Blocking traffic from accessing Voice Vlan

    2
    0 Votes
    2 Posts
    201 Views
    johnpoz
    Well just go on your other vlan interfaces and block access to the vlan network you're wanting to block access to from those vlans.
  • Resetting password

    2
    0 Votes
    2 Posts
    352 Views
    Gertjan
    @nameofauser said in Resetting password: "Call to undefined function pfSense_fsync() in /etc/inc/config.lib.inc:875" System (OS) core files are missing. You have console access: save the config file manually. It's here: /conf/config.xml, and reinstall. Edit: and check your drive for failures before the install.
  • Firewall error, "proto 0 cannot be used"

    4
    0 Votes
    4 Posts
    424 Views
    Derelict
    @pecker88 said in Firewall error, "proto 0 cannot be used": But, but definitely did not click the button in the log to add it, Weird. Someone did. Glad you found it.
  • Unable to ping subnet in pfsense

    1
    0 Votes
    1 Posts
    129 Views
    No one has replied
  • Route Some pfB Traffic through VPN Gateway

    1
    0 Votes
    1 Posts
    124 Views
    No one has replied
  • Downloading Firewall Log

    2
    0 Votes
    2 Posts
    339 Views
    V
    The log file is in /var/log/filter.log In Diagnostics > Command Prompt there you can find a download function, or you may use scp to copy it to another device.
  • Help with Floating rules

    1
    0 Votes
    1 Posts
    318 Views
    No one has replied
  • Prohibit communication between VLANs

    6
    0 Votes
    6 Posts
    698 Views
    johnpoz
    Yet another way to save time would be to put your networks in an alias and use that in a single rule vs multiple rules. I have an alias with all of rfc1918 space in it, so if I want to block a specific vlan from talking to other vlans I just use that as the destination.. There are multiple ways to skin a cat ;)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.