pfSense » pfSense Plus

IOT Devices of different manufacturers all seem to have this problem and while the problem is being experienced I would eliminate variables to pinpoint the cause and it all points to PfSense for some reason. I've listed the Variables eliminated and things tried to prove it was PFSense causing the issue.

Variables Eliminated:
(Checked logs for obvious)
WiFi Access point changed to different brand. (Unifi to TP-Link Omada)
IOT Device state is fresh to eliminate device is the problem
IOT Device firmware up to date
IOT Device server is not down at the time of issue
IOT Device reboot does not correct the issue
IOT Device CAN be contacted on local LAN and across Subnets by client-PC. (Phone app can control locally when on same Subnet)
IOT While this device is failing to connect to its home server on the internet, an identical device can connect no problem to the same home servers (IP's compared and are the same).
IOT Device has a long history of working reliablly without PFSense, (Just off the shelf TP-Link style for testing purposes)

We tried a standard PfSense box without any sort of PfBlocker / Snort rules applied.

The only thing that resolves it, is to use an "off the shelf router" and it will connect flawlessly all the time. (Tested over 3 months)
(Probably because these are notoriously insecure and full of bugs)

Traffic sniffed from this router and from PfSense is the same when it's working.

If I have the traffic from the "Off the shelf" router going through PfSense and allow that secondary router to have no restrictions in a double-NAT situation, the traffic still won't pass on the one or two devices failing to connect. If I use that "off the shelf" router as the sole router without PfSense it will not fail at all in the 3 months.

The only devices that don't seem to ever have an issue are Google Home assistants and Google Nest Products. These ALWAYS can connect even when other IOT devices fail.

An easy way I figured out to test this is when the device fails, shut down the WiFi and use Mobile Hotspot on your phone to emulate the same WiFi SSID and have it connect through your phone. Works instantly. Fails instantly when PfSense routed WiFi returns.

Another odd thing is it can be any device, and that same device being untouched can reconnect days later on its own with nothing changed.

I've tried more Conservative States in the state table and I tried forcing traffic with rules based on where the device is trying to connect to and that doesn't work either. I also tried a different ISP with the same setup as where it fails normally. Same problem. And I tried a fresh PfSense box with just basic rules and it will fail again.

Hope all this information helps pin down this pesky bug.

Why this is important to fix:
I use Netgate appliances or at the very least client-provided community version at large homes FULL of home automation in their homes, so having them on a properly segregated subnet is SUPER important. PfSense makes this a joy to setup so I'd like to get it fixed if we can figure it out.