• Terrapin SSH Attack

    Pinned
    16 Votes
    33 Posts
    35k Views
    STLJonnyS
    @willowen100 It basically forces your ssh (on the Windows side) to utilize that encryption algorithm. You'll need to do that on any machine you ssh from. I'd have rather found a more elegant workaround (preferably on the pfSense side, so the mod only has to be done in one location), but this works in a pinch.
  • pfSense Hangouts are available on YouTube!

    Pinned Locked
    5 Votes
    1 Posts
    13k Views
    No one has replied
  • Share your pfSense stories!

    Pinned Moved
    0 Votes
    76 Posts
    66k Views
    V
    Mine may be typical, maybe not..... Took over a large senior living facility with a pretty robust IT infrastructure spread between 4 IT rooms, 23 access points, 12-14 switches, and 200 internal devices and 200 guest/resident devices, all being run by a SonicWall TZ350. I had been wanting to realign everything network-wise for some time, but the TZ had 2 ports that were failing. I had worked with ClearOS from back in the ClarkConnect days and started searching for something similar. I found pfSense and it just fit what I wanted to do. I tested it a bit on an old Athlon 64 X2 rig for proof of concept and had planned on installing on a mini PC or something, but I wanted 6 NICs. Standing in my main IT room I looked down and in the bottom of the rack were 4 HP DL380s, 2 of which were decommissioned 2 years ago. It's such huge overkill for hardware that it's hard to explain, but who wouldn't want redundant power supplies, RAID 60 with 25 drives and remote system monitoring through iLO? lol I spun one up and loaded pfSense and started tweaking. 2 weeks ago I switched over and have been working out gremlins since. Overall it's gone well, just one snag that a couple of members here have been very kind in helping me work out. Thank you to this page for all the help. [image: 1697753147328-pfsense1.png]
  • PfSense 25.07.1 free radius error

    0 Votes
    10 Posts
    1k Views
    stephenw10S
    Hmm, well it should start at boot. If it fails to start I'd expect some error to be logged.
  • Port Forwarding stopped working after upgrading to 2.8.0

    0 Votes
    146 Posts
    11k Views
    C
    @stephenw10 So I'm running in circles. Currently this is what I've got: I took out those custom options. I can get it to say "not leaking" if I use the 103 IP address, which is a NordVPN DNS, on the WAN, but if I use 1.1.1.1 then it leaks like a ship with 20 holes in it. I'm getting frustrated. This article, at the bottom, tells you to use DNS over TLS and use something like 1.1.1.1 for a secure, leak-free DNS, but it's not making sense and it leaks using 1.1.1.1. This is the article: https://undergroundmod.com/2023/07/15/private-internet-access-vpn-on-pfsense-last-updated-08-2023/ and this is the bottom note, and those IPs don't work:

    "Now we have done that, you should be done. Everything on those IP's in the alias will go over the VPN. If the VPN disconnects, no internet traffic will pass and as long as the IP doesn't change, traffic CAN NOT go over the normal gateway. Important DNS Note: If you are not using DNS over TLS to a trusted, privacy oriented DNS Resolver like CloudFlare's 1.1.1.1, then you will leak your IP over DNS and this could be a problem. To get around this, you should hard code PIA's DNS servers on the system you are putting over the VPN. The DNS servers are 209.222.18.222 and 209.222.18.218. Be sure to check if your DNS requests are leaking your normal public IP: https://www.dnsleaktest.com/ Setting these DNS servers will probably affect local DNS resolution, so you should really just use DNS over TLS... https://www.netgate.com/blog/dns-over-tls-with-pfsense.html You could create some NAT rules to intercept DNS requests and force them elsewhere, but it's more work than just using DNS over TLS, which you REALLY should be doing anyway... That's it!"

    And here is my current setup. What am I doing wrong? [image: 1757598581638-1.png] [image: 1757598581610-2.png] [image: 1757598581585-3.png] [image: 1757598581557-4.png] [image: 1757598856286-5.png] [image: 1757598856310-6.png] [image: 1757599007086-7.png] On the NAT page I've done both the WAN address and the PIA address, because in the 2 videos they go both directions: one says use the WAN address and the other says use the PIA address. If you could provide pictures of what I'm doing wrong, that would be good. I know you're probably getting frustrated helping me on all this.
  • Wireguard fails after reboot (2.8.0)

    0 Votes
    40 Posts
    5k Views
    stephenw10S
    You could try an afterfilterchange shellcmd to trigger a script. That would be triggered when any tunnel comes up.
  • How can I develop my own plugins?

    0 Votes
    4 Posts
    379 Views
    dennypageD
    @scottlindner look in https://github.com/pfsense/FreeBSD-ports/*/pfsense-pkg-*
  • Periodic Panic on CE 2.8.0 - DHCP6 Client (I Think)

    0 Votes
    2 Posts
    355 Views
    D
    So as a follow-on, I have noticed that the gateway monitors are tripping fairly regularly on my AT&T Fiber IPv6, which is probably what is causing the DHCPv6 client to jump into action, which occasionally leads to this situation. I've found similar issues from older releases where there was a race between interface reconfiguration and disablement. I've disabled the IPv6 monitor from taking action (but still logging), so we'll see if that eliminates the panics. But the fact that it can happen is still concerning.
  • Crash report on CE 2.8.1

    0 Votes
    9 Posts
    185 Views
    stephenw10S
    Hmm, OK. Not much to go on in that report unfortunately. If it does crash again comparing it would be useful. I'll see if anyone else sees anything I'm missing.
  • High CPU usage from egrep in pfSense+ v25.07.1

    0 Votes
    17 Posts
    3k Views
    P
    @stephenw10 It's still showing a few simultaneously, but every minute or so, not every other second like it was before.
  • pfsense OpenVPN Client with Multiple Connections/Tunnels

    0 Votes
    4 Posts
    810 Views
    stephenw10S
    You have to assign the OpenVPN client as a new interface so pfSense sees it as a WAN. It will then create a dynamic gateway for it you can use in a policy routing rule.
  • if_pppoe ping works but dns doesn't?

    0 Votes
    22 Posts
    4k Views
    stephenw10S
    Sure, you can upload it here: https://nc.netgate.com/nextcloud/s/zajWnCjF2sDBqXn A pcap from the parent NIC showing the VLAN and PPPoE encapsulated packets during the pppoes negotiation should show something. If you open the pcap file in Wireshark you can easily see the packet size and which way it's going.
  • SSH inaccessible - update to version 25.07

    Moved
    0 Votes
    19 Posts
    3k Views
    stephenw10S
    Are you able to replicate that? If you roll back to 24.11 and upgrade again? So far I've failed to replicate it.
  • Troubleshooting WAN outage

    0 Votes
    16 Posts
    3k Views
    stephenw10S
    Thanks for following up. Good result!
  • Is there a way to change pftop width in the GUI?

    0 Votes
    1 Posts
    384 Views
    No one has replied
  • 0 Votes
    11 Posts
    420 Views
    stephenw10S
    Unlikely. The traffic handling for CP clients is identical in Plus.
  • crash dump 25.07.1

    0 Votes
    2 Posts
    1k Views
    stephenw10S
    PHP Errors: [08-Sep-2025 00:01:03 America/New_York] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 4096 bytes) in /usr/local/bin/kea2unbound on line 344

    If you are using Kea, with DNS registration enabled, and pfBlocker with DNS-BL, be sure to use Python mode to avoid the PHP memory limit. You can also increase the PHP max mem value in Sys > Adv > Misc. But that shouldn't be required if you're using Python mode.
  • Update Clarity

    0 Votes
    25 Posts
    4k Views
    stephenw10S
    Oh yes there certainly are many users running VMs as edge on all hypervisors. I just wouldn't myself.
  • 25.7.1 package issue

    0 Votes
    6 Posts
    3k Views
    S
    @hescominsoon said in 25.7.1 package issue: 25.07.1-RELEASE on both, and yes, I access both in private mode, which auto-clears when I close the tab. Minor nitpick… Private/incognito tabs all share the same session, so cookies/cache would clear when closing the window/all private tabs.
  • Switched to AT&T fiber, IPv6 tunnel broken

    0 Votes
    44 Posts
    5k Views
    BiloxiGeekB
    @marcg I finally got the PD on the pfSense and I'm working through the reservations I had set to the tunnel so they get a reserved address within the PD. I had wanted to keep the tunnel from he.net, but I never could get that working. If the BGW320 ever gets a different prefix I'll have to change any AAAA records at he.net's free DNS services. Won't be too difficult, and I could script it through their API if it starts to happen often enough. I've had the same prefix for about a week now. Same IPv4 since I put the SG4200 online. I don't expect any changes, but since I'm on the Gulf Coast it's somewhat likely that I could lose power and/or network for multiple days if a hurricane rolls through town. That could cause a change in the leases.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.