@stephenw10 Perfect example of why I checked here first!

@Fringe1533 Hi To connect such clients on Mac OS, I recommend using the Apple Configurator program, in which you can create a profile for connecting to a Wi-fi network (WPA-Enterprise). After creation, this profile is imported to the MacBook, and it connects successfully [image: 1707254158923-f2b0a1cd-2885-4edc-aec0-acd1644a38f1-image.png] [image: 1707253676653-da5fa148-047c-4674-a85d-8f7cc6c702bf-image.png] [image: 1707253729506-050f7847-3a4d-45da-a9c2-d8364172eb67-image.png] [image: 1707253803511-8db8eddb-9eff-426c-aae3-bfb3c84d5e06-image.png] [image: 1707253892857-bfc430f0-774f-4430-b611-ce8c7fdfec32-image.png]

@stephenw10 thank you for your wisdom. @pfguy2018 thank you for asking.

@pfsense57352

You should not have gateways set on LAN or OPT1. (or possibly OPT2). Only the WAN should have a gateway set for pfSense and that is added automatically for DHCP. When you add a gateway to an interface pfSense treats it as a WAN and that is not the case for LAN or OPT1. Additionally whatever is at 10.0.2.2 is not responding to ping. That's probably because it's the VBox NAT host. You should set some the external IP address for pfSense to monitor on the WAN. Steve

@Gertjan Thank you for the detailed explanation!

Nothing there looks specifically wrong. What sort of WAN connection is it, DHCP? Do you expect to get a public IP there? Do you reboot the modem to be sure it's not locked to the MAC address of the old router? Steve

@ChrisJenk said in Where does DHCP6 client keep its lease info etc.? And can I force a refresh of the DHCP6 lease from the command line?: Also, is it possible to force a DHCP6 refresh for an interface (the WAN in my case) via some command? I can do it by toggling the WAN interface to disabled and then back to enabled in the GUI, but that disrupts IPv4 traffic, which I want to avoid. This could be /usr/local/bin/php-cgi -f /etc/rc.newwanipv6 Note : haven't try this myself. Btw : when I check the ( Status > System Logs > DHCP ) [image: 1707153744892-eaa4a625-d194-4690-b0cd-e88d86f9da51-image.png] I see that the DHCP6C renews very often - every 10 minutes ( ) or so. Not sure if this is normal. The DHCP6 server is in my ISP box, that's the one handing out "20 min" leases ... Not something I can change. The WAN IPv6 and prefix didn't change for the last 9 months or so ( ouf ...).

Re: PFsense random loss of WAN gateway I just wanted to add my thanks! I have a Telia Fiber connection and it would lose WAN every six hours. Turns out that the Telia DHCP server only allows a limited number of renewals after which it demands a broadcast again. The above option to always broadcast works fine. It took me several month to find this solution! Thanks again!

@johnpoz @stephenw10 The problem with pfBlockerNG and config saves is even bigger as that many MANY configuration changes are all SYNCED to a CARP member triggering a HUGE number of unnecessary reloads and changes on the secondary node. And as pfBNG doesn't really sync the lists but the config only, the second node still has to run its own instance of pfB and do the whole download and install of the lists AGAIN, so you nearly have double the config changes to the standby node. Also in a bigger setup you have to either completely disable the sync because of this or you have to time the standby node down to do updates e.g. only daily or all 12h as otherwise you get hit with the sync job that triggers a reload of MANY services of the standby node, then have the node perform its own pfB download and saving configs. So config history is completely broken and unusable in a cluster where pfB is enabled as you won't see anything older then a day or two with that many checkpoints. Also the sync adds even more on the standby AND triggers high load and temporary RPC/sync unavailability as the node gets simply swamped by syncs and reloads (talking about a big node here with many VPNs, big ruleset etc. - datacenter firewall). That's a really big minus of pfB currently. I already mentioned that to BBcan/Tony several times but never came to tackle down the issue (with various others concerning a CARP setup like the interface creation in DNSBL mode etc.) Cheers

Yup, but he said he still didn't get access when the DMZ mode was disabled so pfSense gets a private WAN IP. Which is unexpected.

Trunk is actually a Cisco term but is commonly used to refer to a link that carries more than one VLAN. A trunk can carry tagged and untagged traffic but in order to keep them separated only one VLAN can be untagged.

It's probably a routing conflict. The laptop has an IP and gateway in the LAN subnet and that must be routed outside the tunnel but at the same time the WG server is sending it routes to the LAN subnet via the tunnel. I would expect to see some routing error logged somewhere. Putting the WIFI on a different subnet would workaround it. You could also block access to the WG server from the LAN so the tunnel cannot connect when you're on that subnet. Steve

The installer image contains a FAT32 partition for exactly this purpose. See: https://docs.netgate.com/pfsense/en/latest/backup/restore-during-install.html#restore-configuration-from-usb-during-install Steve

Ok I created a bug for it but that may get changed to a feature request because that is the expected behaviour in the code. It's not what I would expect as a user though. https://redmine.pfsense.org/issues/15228

Yup, usually you won't notice the difference. We have seen some situations where it is required though. Others where the throughput can be significantly increased by disabling it. It's worth testing disabling it if you are not seeing the expected throughput and have local access to revert that change if required. Steve

Almost always because the system clock changed so the data becomes invalid.

Many modules that are shown as Intel compatible will work there. Those listed are just what we've tested locally. The most common problem people hit is trying to use a 10/1G module at 1G. That often requires setting a 1G fixed link speed and some modules don't expose that option. DAC cables usually don't offer that. Steve

Hmm, still can't replicate it. It must be something in your config somehow. Are you able to test it with a default config? Or upload your config to us to check?