Hmm, odd. The routes should be added by the daemon when it connects as long as they are defined in tailscale as I understand it. But, yes, the tailscale interface is not expected to ever be assigned. It is not bypassed by the interfaces check at boot so will throw an error.

@viragomann oh yeah that can be on my pi‘s I have virtualmin! I‘ll change that up Adressen on the pi!

So - I added an Intel Pro 1000 - 4 port 1G NIC - and all is well. Realtek disabled in the bios. Life is good. Lesson learned. All functions normal... Thanks to all who helped.

@stephenw10 I’ve been running on “previous stable” firmware. In response to this most recent drop I upgraded firmware on this SG2100 from 2403 to 2411, removed or disabled several non-essential add ons, and disabled gateway monitoring entirely. crosses fingers

Updated my unofficial guide if anyone else wants to try this here is a short guide for you. https://forum.netgate.com/topic/195843/unofficial-guide-have-package-logs-record-to-a-secondary-ssd-drive-snort-syslog-squid-and-or-squid-cache-system

Patch issued https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/714ecd70d2db2fc45273cbf44e9ea6a6008e828b Success! Thanks

Yup if it is a bug it's in pfBlocker I would think. It should be here: https://redmine.pfsense.org/projects/pfsense-packages/issues Not seeing anything current for duplicate rules there.

Are the additional IPs in the WAN subnet? If so then add VIPs on the WAN and forward traffic from those to hosts in the DMZ. If your additional IPs are routed to you using a different subnet you have more options. https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html Steve

@johnpoz Found the issue I had to setup the right dhcp6 prefix in wan and enable ipv6 in the network now the server was able to reach map so the issue is that the ubuntu server seem to use primary the ipv6 instead of the ipv4 that they get!

@stephenw10 so do I, not felling good when see it.

Tailscale is a great option as @michmoor mentioned. It also depends on your organizations goals and whether or not you are just going to do ZTNA or go with full SASE (which incorporates ZTNA but is far more expensive). The later is arguably better, but it's a lot more work and money and still has some limitations.

@stephenw10 rats. Thanks for the quick response.

@josh44 Or this : [image: 1735840109472-7045020e-83c1-40e3-97a1-6ffe4823e552-image.png] Install pfSense, and you can see it right away. Or this [AWS - Howdy Partner | The Multi Instance Management (MiM) controller](AWS - Howdy Partner | The Multi Instance Management (MiM) controller ( I guess )) Didn't know it was already released.

@Gertjan Sorry its a typo, its should read 10Gb.

The T-Mobile device was delivered late Monday and initially configured as standalone yesterday morning. I live about 1/2 mile line of sight from the cell tower. My 5G phone normally gets 1.2gb to sometimes 1.4gb The T-Mobile internet standalone ran at the mid to high 800s without testing too hard. All sites in the house that would be good as a location for the device tracked about the same. My Comcast internet now is 500mb. So, not too bad so far. T-Mobile is said to put home internet on the 2nd lowest priority. After you hit the data cap you go down to the bottom until the next month. Thanks to the wire tester, finding the cat6 wire took more time to set up than to select the proper wire. T-Mobile as a pfSense WAN source fired up by the time I cleaned up after myself. Wired internet speeds dropped to the mid 400s. Pretty big but I was considered downgrading to 300 mb on Comcast if I stay with them. 2025 prices go up a lot. Still pretty good. Now it's a reliability test. I left the old wire from the cable modem just dangling there so it should take a few seconds to switch back. OK, as I write this, my T-Mobile wired internet just dropped. It was up for maybe 5 minutes. I wrote the above immediately after hooking it up. I finished using T-Mobile wireless - this pc is normally wired in the area serviced by the controversial MOCA. Far away from the device. T-Mobile delivered a very weak signal. Entirely unacceptable for any form of home network. The AX-21 Access Point always delivers a very strong wireless signal to this room. Correction - the wireless just dropped too. Back to the basement. Comcast fired back up almost immediately as WAN. Guess what's going back to T-Mobile later this week. OK Comcast, you win this time. The free 15 day trial came in handy. Back to negotiating a new contract later. Edit a few hours later: The T-Mobile device has been returned. I remembered fiber was installed in my neighborhood last year. The company confirmed by chat it is available at my house. One week lead time should work. Symmetrical gigabit for $50 a month for first year and $65 a month thereafter. No data caps. Lower price than Comcast for similar download speed. Free ONT. No install charge. No bad reviews anywhere.

Hmm, OK well it either has an ARP entry or a route for that device then. It should be sending directly since it's in the same subnet. Something must be blocking it.

You're right. The cert the firewall attempted to use is missing. Login SSH, restore the configuration prior to the upgrade. Rebooted back on RELEASE 24.03, Login to the GUI and removed the missing cert ... upgrade from 24.03 to 24.11 again ... and voila, upgrade is successful!!

Ah, nice result!

Yes if you had some other router that resolved to the same IP and then use that same URL after swapping in pfSense it will show a rebind error.

@jmmm Were you ever able to solve your IPv6 issues while bypassing the ATT modem? I followed the pfSense recipe. IPv4 works great, but IPv6 devices cannot access DNS nor can the pfSense instance access the Netgate servers for updates and packages.