-------- Action: Block Interface: WAN Address Family: IPv6 Protocol: Any Source: Network f000::/4 Destination: Any Description: Block internal IPv6 (f000::/4) from leaving via WAN -------- Just letting people know i made a little mistake here while writing the tutorial it's actually: -------- Action: Block Interface: WAN Address Family: IPv6 Protocol: Any Source: Any Destination: Network f000::/4 Description: Block internal IPv6 (f000::/4) from leaving via WAN --------

@netblues Can you Post you Setup?

@sho1sho1sho1 nothing in the resolver would or could do that.. You running pfblocker? Show the rule in your ruleset. There is this feed in pfblocker [image: 1755628936429-pfblocker.jpg] That sure doesn't even look like a NS ;; QUESTION SECTION: ;4.64.4.64.in-addr.arpa. IN PTR ;; ANSWER SECTION: 4.64.4.64.in-addr.arpa. 28800 IN PTR wnpgmb0273w-dr09-v924.mts.net. And it doesn't even answer dns, atleast not from me. That is a bell canada IP.. Is that who you use for ISP?

@johnpoz -Yep-that worked just fine Jonpoz. TYVM.

@BlueSun ok, I'm generally out of my depth in regards to BGP. All I can say if you set a gateway in the interface settings (see screenshot) then pfSense creates NAT rules automatically, if outbound NAT is set to automatic or hybrid. [image: 1755188790365-screenshot-2025-08-14-at-18.25.56.png] But since you have disable outbound NAT I can't see your traffic being NAT-ted at all. Are you using the FRR packages and if yes did you have a look at pfSense Docu: BGP Example Configuraton for a start?

@IonutIT localhost is always going to be up to bind to.. but possible that my wan or say a vpn interface is not up when unbound restarts. If interface is not up can not bind to it.. So helps to make sure unbound starts and binds on interface to use to do outgoing queries.

Thanks for sharing the configuration details! I encountered a similar situation when opening ports for Minecraft on pfSense. In addition to the steps you did, you can try checking: Firewall Rule: Make sure the rules for WAN are applied correctly. NAT Reflection: Sometimes enabling NAT Reflection can help in internal testing. Check ISP: Some carriers block port 25565, you may need to change the port to test. pfSense Log: Check the log to determine if the request has reached the router. Does anyone in the community have any tips to help make the configuration more stable?

@johnpoz I see, thanks for explaining and the help!

@iggybuddy6 I'm just happy I could help. Today I went from thinking I knew everything about setting up wg on pfSense, to realising I did not, and that is a great reward in itself! Hopefully your setup will remain stable going forward.

@ahole4sure Maybe the routing table brings dissociation. However, I'm not familiar with Tailscale. Don't know, what it does.

@Gertjan said in pfSense 2.8.0 - Routing stops intermittently after update from 2.7.2: [...]matches your usage case ? You have Static routes, multiple sub nets ? Yes, the remote location has its own subnet and connects via a static route to the network in the main office. The default route of the remote location is set to the router that provides internet access in the remote location.

@carrzkiss why is that? HA proxy can listen can send stuff based on the uri to different machines. something.domainX.tld goes to your IIS IP otherthing.domainX.tld goes to your linux box. etc..

@NVDude said in Firewall Aliases IP Addresses with Port Forwarding: By default this creates the rule with source "Any" Be default, any rule has any in it, regardless. You are able to change the source in the NAT-rule too. So everyone is wondering why you didn't do that and fiddle around with the linked rule instead. But I also did this in some cases, for better visibility, especially with different aliases which I didn't wanted to combine, so I created the same firewall-rule but with different sources three times or whatever. But for best efficiency you do it right in the NAT-rule because then the not-matching traffic doesn't get NATed in the first place, I guess.

@johnpoz Thank you for the clarifications I finally opted to route everything on pfsense and remove SVIs on switch. It's so much easier than to manage the ACLs on switch If I end up needing more L3 switching throughoutput on some vlans, I can always try a hybrid setup with static routes on pfsense and running the dhcp server on the switch for those vlans

@AndyRH Hi, I managed to access the 192.168.11.1 Web Gui with the changes you've shared https://forum.netgate.com/topic/197766/how-to-connect-to-xgs-pon-controller/15?_=1751026822174 This access ( NAT OutBound ) to 192.168.11.1 Web Gui succeeded after i did a Power On Reset to the Netgate 4100 after making the NAT Outbound changes. It hence seems that NAT changes did not take effect after I "Save" and "Apply Changes" and only became effective after I did a Power On Reset. Also another point to note was this Web Access to 192.168.11.1. was successful when my WAN is on DHCP and without a Vlan assignment. I may have to open another thread for assistance as I need to access 192.168.11.1 with WAN on DHCP and with a VLAN for the WAN. Thanks to you, at least I have a window into the WAS-110 albeit when the WAN is not configured with a VLAN. On your temperature for the WAS-110 its 50/48/46 Celsius with ambient temperature at 30 degrees Celsius and with a cooling fan in place. Have a a good one.