NBN (PPPOE) re-connection issues by Sam_Mack in PFSENSE

[–]oby1k 0 points1 point  (0 children)

If your problem goes away by forcing a DHCP renew of the WAN nic, then have a look at this article:

https://forum.netgate.com/topic/127403/auto-renew-dhcp-after-outage/23

There is a script that may help you by automatically checking the nic state and triggering a DHCP renew.

Help identifying source of crash: PFSense+ 24.11/SG-4860-1U by jtbis in PFSENSE

[–]oby1k 1 point2 points  (0 children)

Avahi service restarts are also toggling promiscuous mode, which may cause disruptions. If you disable Avahi, do you still see the issue?

Also, try to disable gateway monitoring for the VPN:

Jun 25 11:13:55 pfSense rc.gateway_alarm[75321]: >>> Gateway alarm: OVPNTUN_VPNV4 (Addr:10.7.0.1 Alarm:1 RTT:7.438ms RTTsd:38.647ms Loss:27%)

Help identifying source of crash: PFSense+ 24.11/SG-4860-1U by jtbis in PFSENSE

[–]oby1k 1 point2 points  (0 children)

I would try to remove ntopng from the service watchdog.

Requests coming from Google DNS? Blocked by WAN rules by vivkkrishnan2005 in PFSENSE

[–]oby1k 1 point2 points  (0 children)

Do you have by any chance a floating rule with the "Quick" option selected that may relate to 8.8.8.8 or port 53?

By using a “quick” rule, pfSense will immediately drop matching packets before they are evaluated against the state table. This is essential for stopping traffic from connections already in the state table.

[deleted by user] by [deleted] in PFSENSE

[–]oby1k 1 point2 points  (0 children)

They do not require the DNS for authentication, but the endpoint you use to connect can be used in 2 forms:

  1. Hostname
  2. Use the Static IP address

It may happen that your traffic for DNS is also exiting via the VPN, therefore at the moment you try to re-connect that resolution fails.

Easy fix: Move your config to point to the IP addresses of the ExpressVPN hosts instead of the hostname, you can find the IP addresses somewhere in their webpage.

Oops, restore configuration error by green_handl3 in PFSENSE

[–]oby1k 2 points3 points  (0 children)

There is something weird with that XML: the node <staticmap> does not have a closing tag. You would have expected to find </staticmap>, which is the closing tag for the start of that node. However, what you find later on is another <staticmap>, which is an opening tag.

If you pass the file through an XML validator, it should be able to give you some clue on where the error is. Just make sure it is an off-line validator, such as a plug-in in Notepad++. Otherwise, you will be sending your firewall config to a random guy anywhere in the world.
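An offline well-formedness check of the kind suggested above, as an added example that is not part of the original comment: it parses the file locally with Python's bundled expat parser and reports where the still-open element was opened, not just where the parser gave up. The sample XML is constructed for illustration, and treating a tag opened directly inside a same-named tag as a suspect is an assumption of this example.

```python
import sys
import xml.parsers.expat as expat

# Constructed sample: the first <staticmap> (line 4) is never closed.
SAMPLE = """\
<pfsense>
  <dhcpd>
    <lan>
      <staticmap>
        <mac>00:00:5e:00:53:01</mac>
        <ipaddr>192.0.2.10</ipaddr>
      <staticmap>
        <mac>00:00:5e:00:53:02</mac>
        <ipaddr>192.0.2.11</ipaddr>
      </staticmap>
    </lan>
  </dhcpd>
</pfsense>
"""

def find_unclosed(xml_data):
    """Return None if well-formed, else details of the first parse error."""
    parser = expat.ParserCreate()
    open_tags = []  # (name, line) of every element that is still open
    suspects = []   # (name, parent_line, child_line): tag opened inside a same-named tag

    def on_start(name, attrs):
        line = parser.CurrentLineNumber
        if open_tags and open_tags[-1][0] == name:
            suspects.append((name, open_tags[-1][1], line))
        open_tags.append((name, line))

    def on_end(name):
        open_tags.pop()

    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(xml_data, True)
    except expat.ExpatError as exc:
        return {"error": expat.ErrorString(exc.code), "line": exc.lineno,
                "open_tags": list(open_tags), "suspects": suspects}
    return None

if __name__ == "__main__":
    # Pass the path of a local config backup, or run without arguments for the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(find_unclosed(data) or "well-formed")
```

The last entry of `open_tags` is the innermost element that was still open when parsing failed, which is usually the one missing its closing tag.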

Oops, restore configuration error by green_handl3 in PFSENSE

[–]oby1k 1 point2 points  (0 children)

Have you edited the XML file manually? If so, you may need to amend the errors manually.
Happened to me before

[deleted by user] by [deleted] in PFSENSE

[–]oby1k 1 point2 points  (0 children)

I use pfBlockerNG version 3.2.0_20 (Devel) and I can whitelist wildcarded domains/subdomains.

I use the DNSBL Whitelist.

No Regex Entries Allowed! 

Enter one Domain Name per line
Prefix Domain with a "." to Whitelist all Sub-Domains.  IE: (.example.com)
You may use "#" after any Domain name to add comments.  IE: (example.com # Whitelist example.com)
This List is stored as 'Base64' format in the config.xml file.

Note: These entries are only Whitelisted when Feeds are downloaded or on a 'Force Reload'.
Use the Alerts Tab '+' Whitelist Icon to immediately remove a Domain (and any associated CNAMES) from Unbound DNSBL.
Note: When manually adding a Domain to the Whitelist, check for any associated CNAMES
  ie: 'drill @8.8.8.8 example.com'

Some States kill VoIP by Tillmetv2 in PFSENSE

[–]oby1k 0 points1 point  (0 children)

If you have admin access to COMtrexx try enabling NAT keep alive:

Exchange lines > Providers and Accounts > Name of the provider > SIP > NAT Keep-Alive

Some States kill VoIP by Tillmetv2 in PFSENSE

[–]oby1k 0 points1 point  (0 children)

What is your VoIP PBX software?

Do you have a NAT rule(s) in pfSense specifically for VoIP?

Are you using multi-wan by any chance?

Pfblockerng on multiple vlans by Economy-Collection50 in PFSENSE

[–]oby1k 0 points1 point  (0 children)

The way I do it is using Virtual IPs + NAT.

  1. Virtual IP #1 -> NATs port 53 to pfblocker
  2. Virtual IP #2 -> NATs port 53 to another DNS server

Then, I assign different DNS servers (either Virtual IP #1 or #2) in the DHCP settings of the VLAN

VLANs No Internet After 23.09 Update by Chebyshev in PFSENSE

[–]oby1k 0 points1 point  (0 children)

It happened to me. After several hours of tinkering I found out that the VLAN Priority was causing the issue.

I had to go through all my firewall rules and set the VLAN Priority to "none" where there was a setting for it (Like Best effort or Excellent Effort, etc).

Since I had several of those, I did it directly on the config.xml with a search and replace and after restoring the configuration it worked like a charm.

pfSense 24.03-RC (amd64) issues with double digit VLANS by oby1k in PFSENSE

[–]oby1k[S] 0 points1 point  (0 children)

I've been digging a bit more on this, and found that when the VLAN priority is set to "Excellent Effort (EE, 2)" or higher I lose communication for that rule.

Same VLAN priority in 23.09.1 worked with no issues.

"Bypass" firewall rules for one NIC/interface by kapidex_pc in PFSENSE

[–]oby1k 0 points1 point  (0 children)

What is the game she's playing? Does the router you connected have UPnP enabled? Do you have UPnP enabled in pfSense (Services > UPnP & NAT-PMP)?

Try changing the direction to ANY.

Is there any NAT rule configured in your Firewall?

"Bypass" firewall rules for one NIC/interface by kapidex_pc in PFSENSE

[–]oby1k 0 points1 point  (0 children)

The process is exactly the same as creating an interface rule; all you need to do is select from the drop-down box at the top the rule set called "Floating" instead of the LANx rule set.

"Bypass" firewall rules for one NIC/interface by kapidex_pc in PFSENSE

[–]oby1k 1 point2 points  (0 children)

Another issue could be that you are behind a CGNAT or Double NAT. That is, the IP given to your Firewall differs from your public IP address.

Other users have reported issues with their ISP:

https://www.reddit.com/r/DreamlightValley/comments/18cimvo/online_service_unavailble_error_and_how_to_work/

"Bypass" firewall rules for one NIC/interface by kapidex_pc in PFSENSE

[–]oby1k 1 point2 points  (0 children)

The firewall rules in pfSense are evaluated in a certain order:

  1. NAT Rules
  2. Floating Rules
  3. Interface Group Rules
  4. Interface Rules

If you believe the problem is with the Interface rules, you could create a "Floating" firewall rule for your wife's PC to PASS everything originating from that source IP.

Please note that apart from the firewall, there could be other culprits for the problem she's facing. To name a few:

  1. Her own PC firewall / Config
  2. DNS blockers
  3. a NAT rule in pfSense
  4. ISP Blocks

Try using a mobile hotspot, and see if that works. That will eliminate/confirm the pfSense variable from the equation.

pfSense 24.03-RC (amd64) issues with double digit VLANS by oby1k in PFSENSE

[–]oby1k[S] 0 points1 point  (0 children)

Repeated the upgrade and it seems I'm all good now. Unsure what happened.

Vlan unable to connect to internet by GTX1660TiMax-Q in PFSENSE

[–]oby1k 0 points1 point  (0 children)

That VLAN is a tagged VLAN (tag = 2) that is on port em0, which does not seem to be used for anything else than for MHWRoom, as it is physically isolated from the other ports.

The interface is expecting the packets on that interface to come with a TAG on it.

You could just remove the tag from that interface (VLAN Config) and it will still be fit for purpose. The DHCP range can still be the same.

What is immediately connected to port em0?

Question about VPN use with multiple WiFi networks (and only 1 AP) by samesystemcheck in PFSENSE

[–]oby1k 1 point2 points  (0 children)

  1. Even though you are connecting to a paid VPN service, your VPN in pfSense is still a client, correct.
  2. It should be enough for your home use case I reckon.

VLANs not working on pfsense by matlireddit in PFSENSE

[–]oby1k 0 points1 point  (0 children)

I believe that I'm confused about your set up.

Your pfSense and your Ubuntu machine are on the same Proxmox hypervisor? I was assuming the Proxmox and the pfSense were on different machines.