Routing and Multi WAN

Using a public IP on a DMZ interface while PPPoE is configured on the WAN

itnl — Wed, 06 May 2026 14:27:10 GMT

We found an undocumented solution by doing our own investigation. It works by creating an interface that has the same IP address (.30) as the one assigned to you by PPPoE on your WAN. Note: configure this before PPPoE becomes active; otherwise, you won’t be able to set the address. Next, disable NAT for traffic originating from this interface and create a firewall rule for incoming traffic on the interface with the public IP you are using as the destination. You can now use a public IP address on the host behind the DMZ you just created. As the gateway, use the WAN address that is also configured on your DMZ port.

BTNet Dual Wan with virtual gateway

pwood999 — Tue, 05 May 2026 16:16:39 GMT

@Gazza77 said in BTNet Dual Wan with virtual gateway: 70.x.x.195/28 You cannot use the same GW on both WAN's You need to ask BT if they can split the /28 into two /29 or /30 subnets for you.

Dual WAN on 2100 using Wired and 5G connections

MartynK — Tue, 05 May 2026 14:29:54 GMT

@chpalmer unfortunately I am going to be away for a week, so will have to pick this up next week, thanks for the help so far.

Periodic packet loss at multiples of 15 minutes

Gertjan — Sun, 26 Apr 2026 20:30:35 GMT

@nazar-pc said in Periodic packet loss at multiples of 15 minuts: It doesn't sound like a great idea to disable monitoring completely. How would pfSense know to stop using the connection and switch to other ISPs when the connection is down? And you're totally right. 'Something' is always better as 'nothing'. I just wanted to highlight that monitoring - sending and receiving the pings to one specific device, an upstream gateway is just a (small) part the story. Btw : pfSense, and you, will know that the upstream link stopped 'flowing'. TCP traffic is a constant stream of 'data send' going upstream, and 'acknowledge' coming back. When these 'ack's' stop to come back, the upstream network stack will fill up, and when the local buffers are full, the entire system will stall. The end user starts to see "turning icons" on his browser screen. Other communicating software will just stall, and after a time out, show an error. pfSense might pull the plug : take the WAN interface down for a moment, and put it back on, as this will regenerate a DHCP sequence, or restart a pppoe negotiation upstream. If the uplink was 'broken' like ruptured, pfSense won't be able to do anything.

Is it better to have satellite internet like starlink as failover to existing fiber internet?

chpalmer — Fri, 24 Apr 2026 05:32:27 GMT

@netblues said in Is it better to have satellite internet like starlink as failover to existing fiber internet?: But if there is an outage and everybody switches to 5g on their mobiles then it might be an issue We ran into this issue for years here.. Verizon finally got fiber close enough to the tower that serves us to replace the microwave backhaul so the speeds are better but still sub 50mbps when something as simple as a wreck on the nearby highway backs up traffic in the area.. Speeds with the microwave backhaul sometimes went lower than 1mbps when some event happened. Luckily our local tower has generator backup as well.. not all do. We have no other Verizon towers that reach us. We have an original from 2017 unlimited data account that we don't want to give up. Another carrier might work better but not for the price point in our case.. And no "home internet" available for this location.. Some things to investigate for anyone thinking about cell as a back up.

Port Forwarding through VirtualBox / OpenVPN

wesley9946 — Fri, 17 Apr 2026 18:54:41 GMT

Hi there,

Due to personal circumstances, I'm on a network that I don't manage myself... it blocks things like VPNs if they'd be actually configured in the built-in VPN settings at the OS/router level. OpenVPN Connect on Windows, however, works perfectly fine! (much like those DNS relay applications for when the normal use of custom DNS is blocked, firewall at this place thinks that my PC-shaped router is constantly talking to a bank or something and just lets it happen when using OpenVPN Connect)

This is what the physical topology looks like currently:

WISP router connected to their network through WiFi on its WAN side --Ethernet from LAN port--> Old PC with Windows that connects to my VPN (OpenVPN Access Server on a DigitalOcean Droplet), with a VirtualBox VM sporting pfSense 2.8.1: WAN = VirtualBox NAT that I created, LAN = direct to USB-Ethernet adapter ----> 5-port unmanaged switch for wired clients and an ASUS router set to AP mode ----> clients

I'm trying to figure out the route that goes from the VPN's subnet to the VirtualBox NAT, so I can get port forwarding working.

Subnets:
WISP router: 192.168.72.0/24
VPN: 192.168.192.0/24
VirtualBox NAT: 192.168.85.0/24
pfSense VM's LAN: 192.168.44.0/24

I just took a look at the "route print" of the bare machine, no mention of the VirtualBox NAT subnet at all... would it be wise to add a route from the VPN one to that VirtualBox NAT one?

It does work when I run a Minecraft server for example, (I always set one up locally, just to test the ability of port forwarding through VPNs/multi-subnet setups) on the bare metal, but not when running it on one of the clients in the pfSense subnet.

Thanks in advance!

\\ Wesley, from the Netherlands

Strange Multi-WAN behaviour after upgrading to v26.03 from v25.11.1

luckman212 — Sat, 11 Apr 2026 03:22:52 GMT

@NetTechBrad fwiw I think I had the same situation after switching from 25.11 to 26.03RC ... ended up picking through my XML config with a fine tooth comb to uncover some bad firewall rules that referenced invalid interfaces or gateways. Once I surgically removed those everything was fine. Guess 26.03 is just stricter about the way it parses the rules.

WAN dhcp new ip daily old routes

baakie — Fri, 10 Apr 2026 10:25:53 GMT

Hi,

I have a backup 4G WAN connection which gets a new ip every 24 hours.
But I've noticed that in the FRR routing table all the old entries are still present.
I see 322 entries like this (1 for each 24 hours). Every time a different subnet:

C>* 178.225.15.0/24 [0/1] is directly connected, ix3, 00:03:20

They seem to remain there until I reboot the device.

Is there any way these can get cleanup automatically after the interface gets a new ip via DHCP ?

Starlink Routing problem, Bug 12922, not resolved after 4 years

pfnewb2016 — Thu, 02 Apr 2026 17:34:00 GMT

There is a Starlink routing problem, noted in Bug #12922, that is 4 years old and appears to not have been resolved in v26.03.

We opened a support case last year, #34394088536, and configured rules with specific Gateway Groups as a solution, after a second tech pointed out this bug.

This morning, our client's 6100 did not failover to Starlink. I lost the logs when a tech rebooted the firewall so I don't have specifics from today. The client is not at all excited about the situation, especially when I opened a support case last year and told the client it was resolved.

It appears that this bug, or Starlink problem that all firewall makers need to work around, has not received any attention other than the initial acknowledgement.

Starlink is selling a lot of kit and is a relatively inexpensive option for a rarely used 2ndary circuit vs a 2nd fiber circuit. It would be helpful if this very long known issue received some attention.

It appears that other firewall vendors have dealt with the same problem related to DHCP option 121 on the WAN. It is unclear why pfSense has not solved this, particularly when the original submission provides at least one option for resolution.

Starlink: DHCP option 121? No more need to add a static route to 192.168.100.1?
Unifi: Gateway target 0.0.0.0 and not routing packets
Meraki and Starlink Deployment Guide (See Additional Considerations)

I would much prefer a vetted and supported resolution from Netgate vs DIY code in production firewalls.

Thank you.

Multi WAN OpenVPN no LAN Traffic

RianKellyIT — Fri, 27 Mar 2026 16:27:59 GMT

The same subnet on WAN and LAN is the root cause here, as the previous reply mentioned. To explain why this specifically breaks your VPN and LAN traffic: pfSense uses the routing table to decide which interface to send packets through. When both WAN and LAN share 192.168.178.0/24, the router has two directly connected routes for the same network. It cannot distinguish "this packet should go out WAN to the Fritzbox" from "this packet should go to a LAN client" because both destinations are in the same subnet. The result is traffic either goes out the wrong interface or gets dropped. The fix: change your LAN to a different subnet. Something like 10.0.0.0/24 or 172.16.1.0/24. Then set up pfSense like this: WAN interface: 192.168.178.24/24 (DHCP from Fritzbox, gateway 192.168.178.1) LAN interface: 10.0.0.1/24 (your new LAN subnet) OpenVPN: assign the tunnel network to something like 10.8.0.0/24 For your second ISP (the one for general client traffic), add it as a second WAN interface (OPT1) and create a gateway group if you want failover or policy routing. Then use firewall rules on the LAN to direct specific traffic through each WAN gateway. After changing the LAN subnet you will need to update DHCP scope and reconnect your clients. Any static IPs on servers or devices will also need updating to the new range.

LAN stopped accessing internet

awair — Fri, 27 Mar 2026 12:14:00 GMT

Turns out that the routing table somehow got corrupted. netstat -r identified a previously disabled OpenVPN client as the first gateway. Removing the interface appears to have fixed this.

Routing problem to Subnet behind Wireguard

Comprex1975 — Thu, 26 Mar 2026 15:55:48 GMT

Hello,

I need to get a route from my proxmox-server via pfsense to a nas in subnet behind fritzbox Wireguard VPN.

Proxmox bridge 192.168,175,69/24 to pfsense 192.168.175.68/24
IP route is added direction nas (192.168.1,50/24) via pfsense (192.168.175.68)
This way between proxmox and pfsense is pingable in both directions.

Now I need to go on with my packets from pfsense through a site-to-side with wireguard.
The wireguard interface has no gateway. it is routet by static routes.
Tunnel is working in both directions and to subnet behind fritzbox.

Means I dont get the routing inbound OPT1 (Proxmox<->Pfsense) through the wireguard tunnel to nas with ip 192.168.1.50/24.
The ping from interface OPT1 to final ip behind wiregard ist 100% loss.

I really tried everything, but I am stuck after 4 hrs of testing...

Thanks in advance for your help.

PPPoE connection not connecting

kprovost — Sun, 08 Mar 2026 20:16:53 GMT

@Keffa That's very odd. I'm not seeing a lot of differences in those captures. Basically the only thing I still see is that the mpd5 version includes the rejected protocol section and the if_pppoe version doesn't. I'll see if I can teach if_pppoe to do that, but if that doesn't work I'm out of ideas. (I suspect the ISP side system may log why it's terminating the connection, but it doesn't show that in the capture, of course. So right now all I can do is guess.)

Gateway Weighting

patient0 — Wed, 25 Feb 2026 04:58:34 GMT

@wenko in the 'Advanced Gateway Settings' documentation there is an example of multiple WANs with different bandwidths. That should give you an idea what to tweak. In general the Multi-WAN guide from Netgate is a good read: https://docs.netgate.com/pfsense/en/latest/multiwan/index.html

Tunnel IPs not inserted into routing table when phase 2 is up

jbfoley — Tue, 24 Feb 2026 17:17:36 GMT

I found the solution, posting here for anyone else interested. I needed to check "Gateway Duplicates" on the phase 1 configuration of the hub-side firewall. The setup is two different remote endpoints NATed behind the same public IP address, not two remote phase 1 configurations on the same endpoint, but checking this box made it work. In case anyone at Netgate is listening, I would make a few suggestions: The description of this option in the GUI is: "Enable this to allow multiple phase 1 configurations with the same endpoint. When enabled, Netgate pfSense Plus does not manage routing to the remote gateway and traffic will follow the default route without regard for the chosen interface. Static routes can override this behavior." When this option is enabled, PfSense does appear to manage routing, because it then does inject a route into the local table for the phase 2 interface. Unchecking is what sends that traffic to the default route. This is also misleading, as it appears to pertain to the same remote outside tunnel IP address, rather than the same endpoint. Having different resolvable FQDNs from different physical endpoints is not enough, since the system seems to be going by resolved IP address. I would request changing the wording to correct and clarify this. It's a bit confusing to have this option, which clearly impacts routing behavior at the end of the phase 2 establishment, in the phase 1 configuration. Phase 1 comes up just fine to both endpoints without this checked, it is Phase 2 that misbehaves by failing to inject a route into the local routing table for the Phase 2 remote IP. If there's a fully authenticated tunnel up and running using a distinct Phase 2 VTI IP, why would the route to the remote not be injected into the local routing table? I don't even know what is accomplished by the default (unchecked) behavior. I can see why you would not want multiple phase 1 or phase 2 tunnels from the same endpoint to come up at the same time, but this doesn't appear to actually prevent that. If this option is doing something else to prevent phase 1 establishment when the remote endpoints are actually the same, then please consider un-bundling this behavior from the phase 2 route injection behavior. If a VTI tunnel comes up in phase 2 that doesn't get a route injected into the local routing table, there should at least be a notice, preferably a warning in the log that a condition that was clearly not intended has taken place. There did not appear to be any evidence in the logs when this happened. I come to this from a perspective of trying to help improve the product. PfSense is overall an incredibly versatile and useful set of tools. I pay for the "plus" to support the project, not because it comes with any real support (which it doesn't.) I'd like to be able to use it more on the professional side, too, but there are still a few issues like this that make it a harder sell in a production environment. (Edited the solution for clarity.)

Netgate 2100 using as router and place the Odido router on a separate network

Uglybrian — Tue, 24 Feb 2026 13:43:07 GMT

@ability Off the top of my head, do you have the patch cord plugged into the LAN or WAN on the Odido router, it needs to be plugged into the WAN. Another possibility is this router will not accept a VLAN on the WAN. You would have to plug it into a different port without a VLAN on the 2100 to see if it gets addressing. Have you tried the Odido forums?

Question on port forward

Gertjan — Sun, 22 Feb 2026 23:08:56 GMT

@kdmiller61 said in Question on port forward: that NAT rule does not work Show the rule it created on the WAN interface. [image: 1771942202408-979af70a-d705-4f5e-916d-c10e827223bd-image.png] The order of these rules is important. If you have a block rule above your firewall (part of a NAT rule) then you've found the issue. Also : look at the green marked stuff : [image: 1771942269057-92427b8d-37a7-4410-aea8-8615f62b60c1-image.png] if a rule matches, the counters start to increment. If they stay at zero : this means the rule did not mach any traffic. This most probably means that the traffic didn't reach the pfSense WAN interface => you can solve the issue upstream (ISP router, other equipment). Your ISP (so you) uses CGNAT : stop looking, that's a game over.

Suspected bug: DHCPv6 Fails on igc Driver Interfaces After Upgrade to pfSense 25.11.1 / FreeBSD 16 — IPv6 Multicast UDP sendto Returns EPERM

akghetto — Sun, 22 Feb 2026 05:45:15 GMT

Looking for confirmation before posting the below to Redmine.

Summary

Following an upgrade from pfSense 25.07.1 (FreeBSD 15) to pfSense 25.11.1 (FreeBSD 16-CURRENT), DHCPv6 client (dhcp6c) fails to obtain IPv6 addresses on WAN interfaces using the Intel I225-V (igc) NIC driver. Interfaces using the Intel X553 (ix) driver on the same system obtain DHCPv6 assignments without issue using the identical dhcp6c binary, configuration file, and socket operations. IPv6 via DHCPv6 was fully functional on all interfaces under pfSense 25.07.1/FreeBSD 15.

System call tracing confirms that IPv6 multicast UDP sendto to ff02::1:2 (All_DHCP_Relay_Agents_and_Servers, port 547) returns EPERM (Permission denied) exclusively on igc driver interfaces. Identical sendto calls on ix driver interfaces on the same system succeed. This is a regression in the igc driver's IPv6 multicast send path between FreeBSD 15 and FreeBSD 16.

Environment

Field	Value
pfSense version	25.11.1-RELEASE
FreeBSD version	16.0-CURRENT
Previous working version	pfSense 25.07.1 / FreeBSD 15
dhcp6c package	dhcp6-20080615.2_4
Affected NIC driver	igc (Intel I225-V, PCI device 0x8086:0x15f3)
Working NIC driver	ix (Intel X553, PCI device 0x8086:0x15c4 / 0x15e5)
Hardware	Official Netgate 6100 appliance
Issue onset	Immediately following upgrade to 25.11.1
ISP on affected interface	Comcast/DOCSIS cable (igc3); 3 physical WAN connections, 2 of the 3 (ix2 and ix3 obtain an an assignment from their ISPs via dhcp6 without issue

Hardware Inventory

Failing interfaces — igc driver (Intel I225-V):

igc0@pci0:4:0:0  vendor=0x8086 device=0x15f3  Intel Ethernet Controller I225-V
igc1@pci0:5:0:0  vendor=0x8086 device=0x15f3  Intel Ethernet Controller I225-V
igc2@pci0:6:0:0  vendor=0x8086 device=0x15f3  Intel Ethernet Controller I225-V
igc3@pci0:7:0:0  vendor=0x8086 device=0x15f3  Intel Ethernet Controller I225-V

Working interfaces — ix driver (Intel X553):

ix0@pci0:3:0:0   vendor=0x8086 device=0x15c4  Intel Ethernet Connection X553 10GbE SFP+
ix1@pci0:3:0:1   vendor=0x8086 device=0x15c4  Intel Ethernet Connection X553 10GbE SFP+
ix2@pci0:2:0:0   vendor=0x8086 device=0x15e5  Intel Ethernet Connection X553 1GbE
ix3@pci0:2:0:1   vendor=0x8086 device=0x15e5  Intel Ethernet Connection X553 1GbE

Symptoms

COMCAST_DHCP6 gateway shows Pending indefinitely in Status → Gateways
ifconfig igc3 inet6 shows only link-local fe80:: address — no global unicast address assigned
DHCPv6 was fully functional on the same hardware and ISP under pfSense 25.07.1/FreeBSD 15
Other WAN interfaces on ix driver obtain DHCPv6 assignments normally

Troubleshooting Steps and Evidence

Step 1: Confirmed Link-Local Address and ISP DHCPv6 Support

Link-local address confirmed present on the affected interface — DHCPv6 prerequisite satisfied:

$ ifconfig igc3 inet6
igc3:
    inet6 fe80::xxxx:xxxx:xxxx:xxxx%igc3 prefixlen 64 scopeid 0x4
    nd6 options=23

Router Solicitation confirmed ISP is sending RAs with M and O flags set, requiring stateful DHCPv6. SLAAC is not available (all RA prefix info options carry Flags [none]):

$ rtsol -D igc3
rtsol: received RA from fe80::xxxx:xxxx:xxxx:xxxx on igc3
rtsol: ManagedConfigFlag on igc3 is turned on
rtsol: OtherConfigFlag on igc3 is turned on

RA prefix advertisements from ISP confirmed flowing correctly:

$ tcpdump -r /tmp/dhcp6_comcast.pcap -n -v
xx:xx:xx IP6 fe80::xxxx:xxxx:xxxx:xxxx > ff02::1: ICMP6 router advertisement
    prefix info: 2001:xxx:xxxx::/64, Flags [none], valid 604800s
    prefix info: 2001:xxx:xxxx::/64, Flags [none], valid 604800s
    prefix info: 2001:xxx:xxxx::/64, Flags [none], valid 604800s
    prefix info: 2001:xxx:xxxx::/64, Flags [none], valid 604800s

Step 2: Confirmed Firewall Rules Are Correct

All required DHCPv6 pass rules are present and correctly configured for the affected interface:

$ pfctl -s rules | grep igc3 | grep -i "dhcp\|546\|547"
pass in quick on igc3 inet6 proto udp from fe80::/10 port = dhcpv6-client \
    to fe80::/10 port = dhcpv6-client keep state (if-bound) \
    label "descr=allow dhcpv6 client in COMCAST"
pass in quick on igc3 proto udp from any port = dhcpv6-server \
    to any port = dhcpv6-client keep state (if-bound) \
    label "descr=allow dhcpv6 client in COMCAST"
pass out quick on igc3 proto udp from any port = dhcpv6-client \
    to any port = dhcpv6-server keep state (if-bound) \
    label "descr=allow dhcpv6 client out COMCAST"

Step 3: Confirmed dhcp6c Builds Solicit Correctly But Fails to Transmit

Running dhcp6c in foreground debug mode shows the Solicit packet is correctly constructed but every transmission fails:

$ /usr/local/sbin/dhcp6c -d -D -f -c /var/etc/dhcp6c.conf igc3

xx:xx:xx: reset a timer on igc3, state=INIT, timeo=0, retrans=891
xx:xx:xx: Sending Solicit
xx:xx:xx: a new XID (xxxxxx) is generated
xx:xx:xx: set client ID (len 14)
xx:xx:xx: set identity association
xx:xx:xx: set elapsed time (len 2)
xx:xx:xx: set option request (len 4)
xx:xx:xx: set IA_PD prefix
xx:xx:xx: set IA_PD
xx:xx:xx: transmit failed: Permission denied
xx:xx:xx: reset a timer on igc3, state=SOLICIT, timeo=0, retrans=1091
xx:xx:xx: Sending Solicit
xx:xx:xx: transmit failed: Permission denied

This repeats indefinitely with exponential backoff. No DHCPv6 Advertise is ever received.

Step 4: Confirmed Packet Never Reaches pf — Block Is at Kernel Level

An explicit logging pass rule was added to the pf ruleset permitting DHCPv6 multicast output on the affected interface:

$ printf 'pass out log quick on igc3 inet6 proto udp from any to ff02::1:2 port 547 no state\n' \
    > /tmp/dhcp6_fix.anchor
$ pfctl -a "dhcp6_igc3" -f /tmp/dhcp6_fix.anchor
$ pfctl -a "dhcp6_igc3" -s rules
pass out log quick on igc3 inet6 proto udp from any to ff02::1:2 port = dhcpv6-server no state

Monitoring pflog while dhcp6c was actively attempting to send Solicits showed zero DHCPv6 packets from igc3 in the pf log. Traffic from other interfaces appeared normally. The packet never reaches pf for evaluation — the kernel rejects it before the firewall layer.

Step 5: Smoking Gun — System Call Trace Comparing igc vs ix Interfaces

Running all three WAN interfaces simultaneously under truss reveals the definitive cause:

$ truss /usr/local/sbin/dhcp6c -d -f -c /var/etc/dhcp6c.conf igc3 ix2 ix3 \
    |& grep -E "setsockopt|sendto\(3"

setsockopt(3,SOL_SOCKET,SO_REUSEPORT,...)        = 0
setsockopt(3,IPPROTO_IPV6,IPV6_RECVPKTINFO,...)  = 0
setsockopt(3,IPPROTO_IPV6,IPV6_MULTICAST_LOOP,...) = 0
setsockopt(3,IPPROTO_IPV6,IPV6_V6ONLY,...)       = 0

sendto(3,...,{ AF_INET6 [ff02::1:2]:547 }) ERR#13 'Permission denied'  ← igc3 FAILS
sendto(3,...,{ AF_INET6 [ff02::1:2]:547 }) = 68                        ← ix2  SUCCEEDS
sendto(3,...,{ AF_INET6 [ff02::1:2]:547 }) = 68                        ← ix2  SUCCEEDS
sendto(3,...,{ AF_INET6 [ff02::1:2]:547 }) = 126                       ← ix3  SUCCEEDS
sendto(3,...,{ AF_INET6 [ff02::1:2]:547 }) ERR#13 'Permission denied'  ← igc3 FAILS
sendto(3,...,{ AF_INET6 [ff02::1:2]:547 }) = 95                        ← ix3  SUCCEEDS
sendto(3,...,{ AF_INET6 [ff02::1:2]:547 }) ERR#13 'Permission denied'  ← igc3 FAILS
sendto(3,...,{ AF_INET6 [ff02::1:2]:547 }) = 52                        ← ix2  SUCCEEDS
sendto(3,...,{ AF_INET6 [ff02::1:2]:547 }) ERR#13 'Permission denied'  ← igc3 FAILS
sendto(3,...,{ AF_INET6 [ff02::1:2]:547 }) = 52                        ← ix2  SUCCEEDS

Key observations:

All interfaces share a single socket (FD 3) with identical socket options
Identical sendto destination ff02::1:2 port 547
igc3 (Intel I225-V, igc driver) returns ERR#13 EPERM on every attempt
ix2 and ix3 (Intel X553, ix driver) succeed on every attempt
The failure is 100% correlated with the igc driver — not dhcp6c configuration, not firewall rules, not ISP behavior

Driver Capability Comparison

$ ifconfig -v igc3 | grep options
options=4e020bb

$ ifconfig -v ix3 | grep options
options=4e138bb

Note igc3 is missing WOL_MCAST and VLAN_HWFILTER compared to ix3, which may be symptomatic of incomplete multicast support in the igc driver under FreeBSD 16, though the relationship to the sendto failure requires further investigation by the driver maintainers.

Root Cause Assessment

IPv6 multicast UDP sendto to ff02::1:2:547 returns EPERM on interfaces driven by the igc driver (Intel I225-V, PCI 0x8086:0x15f3) under FreeBSD 16-CURRENT. Identical operations succeed on ix driver interfaces (Intel X553, PCI 0x8086:0x15c4 / 0x15e5) on the same system. This is a regression introduced between FreeBSD 15 (pfSense 25.07.1) and FreeBSD 16 (pfSense 25.11.1), likely in the igc driver's IPv6 multicast transmit path or in a FreeBSD 16 kernel change affecting how igc handles multicast socket sends.

Impact Summary

Interface	Driver	PCI Device	DHCPv6 Result	sendto Result
igc3	igc	0x8086:0x15f3	Fails	ERR#13 EPERM
ix2	ix	0x8086:0x15e5	Succeeds	68 bytes
ix3	ix	0x8086:0x15e5	Succeeds	95 bytes

Expected Behavior

DHCPv6 Solicit packets should be successfully transmitted on igc driver interfaces, as they were under pfSense 25.07.1/FreeBSD 15, allowing IPv6 address and prefix delegation assignment from the ISP.

Actual Behavior

Every DHCPv6 Solicit transmission on igc driver interfaces returns EPERM at the kernel level. No IPv6 global unicast address is obtained. The gateway remains in Pending state indefinitely.

Workaround

None currently identified without kernel or driver-level intervention.

Suggested Investigation Path

Review changes to the igc driver's multicast transmit path between FreeBSD 15 and FreeBSD 16
Review any FreeBSD 16 kernel changes affecting IPPROTO_IPV6 socket multicast send permissions on a per-driver basis
Compare igc and ix driver handling of outbound IPv6 multicast UDP under FreeBSD 16

VLAN for Security Cameras and Guest Network on OPT1

Uglybrian — Fri, 20 Feb 2026 15:00:12 GMT

@jg2003 I have always wanted to try/ do something with open wrt. https://forum.openwrt.org/t/how-to-configure-vlans/131362

Second WAN Config on Netgate 2100

celeron — Wed, 18 Feb 2026 08:58:01 GMT

I am having the same issue currently. Not Starlink as the ISP but it should get a DHCP address but it isn't. VLAN is set untagged and I set switch port 1 as the source for port state changes on the interface. I also manually added a gateway bound to that interface but this seems to have no effect. EDIT: Maybe OP did the same thing I did. Read Instruction 15-26 very carefully. I have followed it exactly and now I am getting an IP as well as a working 2nd WAN connection. My mistake was not setting the untagged on the "WAN2" port, I only set the pvid.

Routing issue with IPSEC VPN

beconijoe — Mon, 16 Feb 2026 12:18:22 GMT

@keyser and @mcury I really appreciate you taking the time to discuss these topics in depth. It helps to understand all the pitfalls that I might encounter if our company grows in the future or if I might get involved in more complex customer projects. But for now we are talking 3 sites plus 1 (datacenter) That is 5 PFSense instances in total (2 operate in HA) And there are like probably not even 10 subnets we are talking about maybe 15 if I count the subnets that are going to be dual-stack soon as two I think the longest distance I could go in our network might be 2 hops On my old jobs we used Sonicwall, Sophos and Securepoint, sometimes Forti stuff. Sure I never did a setup for an environment larger than like 200-300 employees/seats. But I don't recall ever having to put in a bogus route to be able to monitor the firewall using SNMP throug an IPSEC VPN But I guess that's the way things go these days. Modern software gets more and more overcomplicated by the second, it is really a nightmare. At least I can work around it now. And again thank you :) It was educating as well as refreshing following your argument :)

Outbound NAT for Wireguard Interface

tinfoilmatt — Thu, 12 Feb 2026 10:56:34 GMT

It should however use its LAN ip address to query DNS/Radius/whatever at site A. Depending on what you mean by 'it,' I don't agree. If the traffic is from a LAN host, then a state should be created on the LAN interface, and then a second state created on the WireGuard interface—to preserve stateful filtering. Are you talking about LAN host pings/queries? Or pfSense localhost pings/queries? Are those ping tests you ran from a LAN host? Or from a pfSense shell? Do you have any NAT rules affecting (or, alternatively, failing to take into account) 127.0.0.1? Are you accounting for the loopback/lo0 interface?

hughesnet with pfsense

chpalmer — Wed, 11 Feb 2026 23:42:54 GMT

@jmstanley I have not but I still have a JPS NXU-2 audio unit that was on a Hughesnet static IP and worked fine. I have to guess any device would work the same.

brightspeed with cbras

[[global:former-user]] — Wed, 11 Feb 2026 23:22:57 GMT

Is their any way still use pfsense behind this using all the pfsense functions except the routing? Like dhcp etc.?

Changing from interface from default gateway breaks OSPF routing

jake — Wed, 11 Feb 2026 19:29:22 GMT

I have an interface that needs to utilize WAN2, which is the backup internet connection. I created a gateway group that has WAN2 as the tier 1 and WAN1 as tier 2. I set the interface to use this new gateway group and it works as expected.

Now traffic, that orginates from this interface, that is suppose to use OSPF to a remote location does not route.

How can I put the OSPF routes first and keep the gateway group with WAN2 as primary?