• How to config this Network diagram

    12
    0 Votes
    12 Posts
    3k Views
    jahonix
    IGMP Proxy could be your pitfall. Which version of IGMP do you need, and something special like v3 with SSM or so? That's what you need for German Telekom's IP-TV (T-Entertain) which pfSense fails to deliver, considering it a niche only.
  • Wlan with internet access

    4
    0 Votes
    4 Posts
    1k Views
    johnpoz
    That would have been a source nat anyway since you were natting to the opt interface and not your actual wan (internet) interface.. What exactly were you trying to test?
  • Issues with WebConfigurator SSL cert after Chrome update to v58

    7
    0 Votes
    7 Posts
    3k Views
    F
    Figured it out.  I just needed to make it a server cert, not a user cert.  Chrome is happy now.
  • Two DHCP servers

    6
    0 Votes
    6 Posts
    1k Views
    ?
    You can add specific DHCP options using the 'Additional BOOTP/DHCP Options' in the DHCP config page (Services/DHCP Server/LAN). To specify TFTP servers by MAC addresses you can create a static mapping for that MAC in DHCP and use the Advanced field in the TFTP heading.
  • SOLVED: External wifi router and pfsense settings

    9
    0 Votes
    9 Posts
    1k Views
    N
    The point was just that the speed between wan, pfsense, ap and wireless client was good.
  • Block an IP-range from communicating with another IP-range

    3
    0 Votes
    3 Posts
    627 Views
    johnpoz
    If you do not want an IP in the same network as another IP talking to each other. If you don't want 192.168.101.20 to talk to 192.168.101.21 then put a firewall on .21 and block .20. Or run private vlans on your switches.  Or as mentioned break out these devices to different vlans and firewall at pfsense.  As mentioned already by NogBadTheBad pfsense has nothing to do with devices on the same network talking to each other.
  • Passport.yandex.com took too long to respond

    4
    0 Votes
    4 Posts
    1k Views
    johnpoz
    you said it ;)  I wouldn't go freaking near that domain even if you did manage to resolve it to something.. Clearly they do not have clue one..  Why would you hide your name behind a privacy domain if you're such a big company?  Makes zero sense - be like google.com being behind a privacy domain, or microsoft, yahoo, etc.
  • Two identical PFsense Firewalls (config/packages/version)

    3
    0 Votes
    3 Posts
    580 Views
    H
    thx, for your quick reply, I will try out your suggestion and see if it actually works.
  • Traffic usage monitoring

    1
    0 Votes
    1 Posts
    384 Views
    No one has replied
  • No DHCP on LAN interface after assigning VLAN

    7
    0 Votes
    7 Posts
    2k Views
    B
    Hi JimPhreak, I have a very similar problem: I switched the VLans from my OPT Port to the LAN Port and DHCP stopped broadcasting. Do you remember how you fixed that problem? To specify what I did: I have 4 Ports that were working just fine before I made the changes.
    Before:
    sk0 (WAN): Default Wan Port
    sk1 (Opt1): Used for my first Backup WAN.
    sk2 (Opt2): Connecting to my managed switch to connect my APs that have 3 VLans (Appx (10), Mobiles (20), Guests(99)).
    sk3 (Lan): Backdoor for recovery.
    After:
    sk0 (WAN): -no changes-
    sk1 (Opt1): -no changes-
    sk2 (Opt2): Now a WAN Port for my Backup UMTS.
    sk3 (LAN): Now Lan + the 3 VLans.
    After I made the changes the Backup UMTS works, and every Client that had an IP before also worked. Users that had not connected in a while or renewed their lease could not get an IP from the DHCP.
    What I tested:
    DHCPd Server is running and was restarted (as well as the whole box).
    Deactivated the LAN Interface so only the 3 VLans would be on the sk3 Port.
    Plugged in a cable from a PC directly in LAN and a Port of the Switch that worked before.
    Any ideas what else to test?
    Here is my Interfaces config with a few comments:
  • Pfsense webgui crashes when randomly losing wan connecting.

    1
    0 Votes
    1 Posts
    424 Views
    No one has replied
  • Log forwarding

    3
    0 Votes
    3 Posts
    723 Views
    Gertjan
    Could be as simple as this: most 'real' NAS have "apps". My Synology disk-station has one: it's swallowing the "syslog" records from my pfSense just fine.
  • Moving – Want to protect myself and my roommates with pfSense

    3
    0 Votes
    3 Posts
    1k Views
    B
    Definitely not in the attic. Put it in the utility room or on a shelf in the closet if you must. Install pfSense. Set a port as WAN and one as LAN on the pfSense box. Connect your switch to pfSense LAN port. Then connect your RT-66N to the switch so it is an extension of the same LAN. You will plug your cable into a LAN port on the RT-66N and turn off the DHCP server on the RT-66N. The pfSense box will be the only DHCP server for your install issuing an ip to all clients connected via cable to the switch or via WIFI through the RT-66N. See: https://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense Plug the NAS into the switch with all your other clients. To set up PIA VPN see: https://www.privateinternetaccess.com/pages/client-support/pfsense That should get in the ballpark.
  • SSD or HDD

    3
    1 Votes
    3 Posts
    1k Views
    H
    Thank you so much!
  • Unable to open most website

    2
    0 Votes
    2 Posts
    463 Views
    johnpoz
    what are your firewall rules, are you using proxy?  Does www.bbc.com resolve?
  • Intermittent "no route to host" on my LAN-port

    35
    0 Votes
    35 Posts
    13k Views
    T
    Both the primary WG and my secondary WG got totally screwed up and won't even boot in an orderly fashion. Luckily I took a backup before venturing into testing. As a workaround, I installed pfSense on proxmox, hooked up my VLANs and now this technically works. Technically, not optimally - because now I'm firewalling in the host-environment where my crown jewels are, instead of firewalling before even touching this hardware. But for now, I'm in business again.
  • Logging URLs

    13
    0 Votes
    13 Posts
    8k Views
    F
    Thanks, this helps a lot
  • Will there be a way to continue using pfSense on old hardware?

    5
    0 Votes
    5 Posts
    1k Views
    P
    Well, not the replies I wanted to get :), but thank you for the information and very quick responses. I guess I will have to try to make pfsense work on my hardware and after failing, decide what to do then.
  • WAN Failover Notification

    1
    0 Votes
    1 Posts
    553 Views
    No one has replied
  • Disable IPv6

    17
    0 Votes
    17 Posts
    70k Views
    johnpoz
    "Netflix and YouTube are two that are blocking IPv6 from HE." They are also blocking a shitton of vpn providers' netblocks as well.  And blocking non regional IPs from accessing their regional content.  What that has to do with the price of tea in china I don't have a clue.  ie no idea where you are trying to go with such a statement.. They see HE as just another way of circumvention of geographical restrictions - which is why they block them.  If HE would promise to only allow geographic same ipv5 to create a tunnel to their different pops in those regions.. They would remove the ban I am sure.  But currently there is nothing stopping someone from say the EU or Asiapac regions from creating their tunnels to the HE pops in the US, etc.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.