Clients will typically request the address they had before when connecting to a network. It doesn't mean there is a problem, since they will get rejected and then send a new request to get a new address. It's a common behavior for DHCP clients to want to keep the same address if possible. Now if they actually obtained an address for the wrong network, then you might have some cause to worry since it means you have an L2 connection between the segments so they're actually on the same switch segment which isn't what you want. That doesn't appear to be the case from what little you've shown in the log at least.

Traffic from the firewall itself won't use the IPsec tunnel unless it matches the IPsec P2. Since IPsec is not routed, the firewall does not know well enough on its own that it needs to source the traffic in a special way in order to use the tunnel. https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN

I would guess it's only because this is IPv6 encapsulated into IPv4 and some of the details just aren't immediately available until the traffic gets unwrapped by the gif tunnel driver.

@Gertjan: Everything is set default - except the "pay load" (in the advanced section)  set to "64", which was an advise in the past (it must be bigger as 1). You only need to set a payload size if dpinger shows 100% loss with payload size 0. This is to work around defective icmp implementations in some routers. The other thing to check for is icmp rate limiting. Either change the target or change the probe interval.

simple sniff on your lan interface would tell you if being sent..

Thanks for the replies! I understand the position on Exodus, completely…. But.... it does contain content (legal / OTC orginally) that other streaming services don't have. Most recently we binge watched all seasons of Chicago PD on Exodus because Hulu and Netflix had a limited number of episodes / seasons. I think there is an oppurtunity for an online DVR to be built and populated with OTA content. Sorry, off topic a little. I will watch the firewall logs and see if I can tweak the rules. Again, thanks for the replies.

what does the switches route have to do with anything? So are these /24 routed to you via transit??  I this public IP 74.221.222.58 so these other /24's are routed to that IP..  Not attached? If that is case then just put the /?? whatever you want to subnet them to on your opt - you sure wouldn't be setting a gateway on that interface.  And yeah it will go out your.. Just make sure you disable natting of that interface since you have not use for it.

I'd frankly start with the allow rule scheduling, results with scheduling block rules are not exactly convincing for some people due to dangling states.

Found it! I have two WAN connections, and the failover rules were misconfigured. Instead of keeping all local traffic, it was sending anything not in its own /24 out the DSL line. I fixed it by using an alias for my local VLANs instead of the incorrect "network" match. All better now, thanks.

Not unless you've configured the ladvd package.