NICE!

If your ISP requires VLAN7 for DSL then it needs to be configured correctly. On the 1100 that means configuring the PPPoE session on mvneta0.7 and passing that tagged through the built-in switch.

But also check if the router/modem is doing that for you in pass-through mode because double tagging would likely also break it.

@Luca-De-Andreis said in PHP ERROR: Type: 1:

But is not included in patch 2.2.20 ?

Look at the list below :

9ea6961b-6665-46e5-be14-fecf558e7c26-image.png

You can believe your iwn eyes : if it isn't there ... it isn't there 😊

A little bit to late to be included in 2.2.20, or it isn't an an 'important' patch as this issue can't happen, as humans shouldn't enter the portal URL manually. And if they do, they shouldn't make errors when typing it in (I know, they will make errors).
Portal user have to enter the URL them selves on your portal ?

@JonathanLee said in Differentiated Services (DiffServ) Identifiers:

What TOS would constitute full bandwidth use on pfSense?

pfSense doesn't use those values at all by default. You can use them in rules for shaper queues if you want to or set that for use in other devices the connection is going through.

@johnpoz I have it broke up like this

# This file is automatically generated by pfSense # Do not edit manually ! http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=100MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=100MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=100MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE icp_port 0 digest_generation off dns_v4_first on pid_filename /var/run/squid/squid.pid cache_effective_user squid cache_effective_group proxy error_default_language en icon_directory /usr/local/etc/squid/icons visible_hostname Lee_Family.home.arpa cache_mgr jonathanlee571@gmail.com access_log /nvme/LOGS_Optane/Squid_Logs/access.log cache_log /nvme/LOGS_Optane/Squid_Logs/cache.log cache_store_log none netdb_filename /nvme/LOGS_Optane/Squid_Logs/netdb.state pinger_enable on pinger_program /usr/local/libexec/squid/pinger sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/lib/ssl_db -M 4MB -b 2048 tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt tls_outgoing_options capath=/usr/local/share/certs/ tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS sslcrtd_children 50 logfile_rotate 10 debug_options rotate=10 shutdown_lifetime 3 seconds # Allow local network(s) on interface(s) acl localnet src 192.168.1.0/27 forwarded_for delete via off httpd_suppress_version_string on uri_whitespace strip acl block_hours time 00:30-05:00 ssl_bump terminate all block_hours http_access deny all block_hours icp_port 0 htcp_port 0 snmp_port 0 icp_access deny all htcp_access deny all snmp_access deny all acl getmethod method GET acl to_ipv6 dst ipv6 acl from_ipv6 src ipv6 #tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET,SINGLE_DH_USE,SINGLE_ECDH_USE #tls_outgoing_options default-ca=on acl HttpAccess dstdomain '/usr/local/pkg/http.access' acl windowsupdate dstdomain '/usr/local/pkg/windowsupdate' #acl rewritedoms dstdomain '/usr/local/pkg/desdom' #store_id_program /usr/local/libexec/squid/storeid_file_rewrite /var/squid/storeid/storeid_rewrite.txt #store_id_children 10 startup=5 idle=1 concurrency=0 #always_direct allow all #store_id_access deny connect #store_id_access deny !getmethod #store_id_access allow rewritedoms #store_id_access deny all refresh_all_ims on reload_into_ims on max_stale 20 years minimum_expiry_time 0 refresh_pattern -i windowsupdate.com/.*.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims refresh_pattern -i microsoft.com/.*.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims refresh_pattern -i windows.com/.*.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims refresh_pattern -i microsoft.com.akadns.net/.*.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims refresh_pattern -i deploy.akamaitechnologies.com/.*.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims refresh_pattern -i windowsupdate.com/..(cab|exe|msi|msu|msf|asf|wma|wmv)|dat|zip)$ 4320 80% 43200 refresh-ims acl https_login url_regex -i ^https.*(login|Login).* cache deny https_login range_offset_limit 512 MB windowsupdate range_offset_limit 0 !windowsupdate quick_abort_min -1 KB cache_mem 256 MB maximum_object_size_in_memory 512 KB memory_replacement_policy lru cache_replacement_policy lru minimum_object_size 0 KB maximum_object_size 512 MB cache_dir diskd /nvme/LOGS_Optane/Squid_Cache 32000 16 256 offline_mode off cache_swap_low 90 cache_swap_high 95 acl donotcache dstdomain '/var/squid/acl/donotcache.acl' cache deny donotcache cache allow all # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|?) 0 0% 0 refresh_pattern . 0 20% 4320 #Remote proxies # Setup some default acls # ACLs all, manager, localhost, and to_localhost are predefined. acl allsrc src all acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080 3128 3129 1025-65535 acl sslports port 443 563 8080 5223 2197 acl purge method PURGE acl connect method CONNECT # Define protocols used for redirects acl HTTP proto HTTP acl HTTPS proto HTTPS # SslBump Peek and Splice # http://wiki.squid-cache.org/Features/SslPeekAndSplice # http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit # Match against the current step during ssl_bump evaluation [fast] # Never matches and should not be used outside the ssl_bump context. # # At each SslBump step, Squid evaluates ssl_bump directives to find # the next bumping action (e.g., peek or splice). Valid SslBump step # values and the corresponding ssl_bump evaluation moments are: # SslBump1: After getting TCP-level and HTTP CONNECT info. # SslBump2: After getting TLS Client Hello info. # SslBump3: After getting TLS Server Hello info. # These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that # they can be used there for custom configuration. acl step1 at_step SslBump1 acl step2 at_step SslBump2 acl step3 at_step SslBump3 acl banned_hosts src '/var/squid/acl/banned_hosts.acl' acl blacklist dstdom_regex -i '/var/squid/acl/blacklist.acl' http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !safeports http_access deny CONNECT !sslports # Always allow localhost connections http_access allow localhost quick_abort_min 0 KB quick_abort_max 0 KB quick_abort_pct 95 request_body_max_size 0 KB delay_pools 1 delay_class 1 2 delay_parameters 1 -1/-1 -1/-1 delay_initial_bucket_level 100 delay_access 1 allow allsrc # Reverse Proxy settings deny_info TCP_RESET allsrc # Package Integration url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf url_rewrite_bypass off url_rewrite_children 100 startup=50 idle=50 concurrency=0 # Custom options before auth host_verify_strict on # These hosts are banned http_access deny banned_hosts # Block access to blacklist domains http_access deny blacklist # List of domains allowed to logging in to Google services request_header_access X-GoogApps-Allowed-Domains deny all request_header_add X-GoogApps-Allowed-Domains consumer_accounts # Set YouTube safesearch restriction acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com request_header_access YouTube-Restrict deny all request_header_add YouTube-Restrict none youtubedst # Custom SSL/MITM options before auth acl wpad urlpath_regex ^/wpad.dat$ acl wpad urlpath_regex ^/proxy.pac$ acl wpad urlpath_regex ^/wpad.da$ deny_info TCP_RESET wpad #deny_info 200:/etc/squid/wpad.dat wpad reply_header_access Content-Type deny wpad http_access deny wpad http_access deny !safeports http_access deny CONNECT !sslports #http_access allow localhost manager #http_access deny manager cachemgr_passwd disable offline_toggle reconfigure shutdown cachemgr_passwd redacted all eui_lookup on acl no_miss url_regex -i gateway.facebook.com/ws/realtime? acl no_miss url_regex -i web-chat-e2ee.facebook.com/ws/chat acl CONNECT method CONNECT acl wuCONNECT dstdomain www.update.microsoft.com acl wuCONNECT dstdomain sls.microsoft.com http_access allow CONNECT wuCONNECT localnet http_access allow CONNECT wuCONNECT localhost http_access allow CONNECT windowsupdate localnet http_access allow CONNECT windowsupdate localhost http_access allow CONNECT HttpAccess localnet http_access allow CONNECT HttpAccess localhost #http_access deny manager http_access deny to_ipv6 http_access deny from_ipv6 acl deny_rep_mime_doh rep_mime_type application/dns-message acl deny_rep_mime_doh rep_mime_type text/dns acl deny_rep_mime_doh rep_mime_type application/dns+json http_access deny deny_rep_mime_doh http_reply_access deny deny_rep_mime_doh acl BrokenButTrustedServers dstdomain '/usr/local/pkg/dstdom.broken' acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch sslproxy_cert_error deny all acl splice_only_ip src 192.168.1.8 acl splice_only_ip src 192.168.1.10 acl splice_only_ip src 192.168.1.11 acl splice_only_ip src 192.168.1.15 acl splice_only_ip src 192.168.1.16 acl splice_only_mac arp :RE:DA:CT:ED:MAC:ADDRESS acl splice_only_mac arp :RE:DA:CT:ED:MAC:ADDRESS acl splice_only_mac arp :RE:DA:CT:ED:MAC:ADDRESS acl splice_only_mac arp :RE:DA:CT:ED:MAC:ADDRESS acl splice_only_mac arp :RE:DA:CT:ED:MAC:ADDRESS acl NoSSLIntercept ssl::server_name_regex -i '/usr/local/pkg/reg.url.nobump' acl NoBumpDNS dstdomain -n '/usr/local/pkg/dns.nobump' acl SSL_Intercept_Terminate dstdomain -n '/usr/local/pkg/url.bump' acl active_use annotate_client active=true acl bump_only_ip src 192.168.1.3 acl bump_only_ip src 192.168.1.4 acl bump_only_ip src 192.168.1.5 #acl bump_only_ip src 192.168.1.6 acl bump_only_ip src 192.168.1.9 acl bump_only_ip src 192.168.1.13 acl bump_only_mac arp :RE:DA:CT:ED:MAC:ADDRESS acl bump_only_mac arp :RE:DA:CT:ED:MAC:ADDRESS acl bump_only_mac arp :RE:DA:CT:ED:MAC:ADDRESS #acl bump_only_mac arp :RE:DA:CT:ED:MAC:ADDRESS acl bump_only_mac arp :RE:DA:CT:ED:MAC:ADDRESS acl bump_only_mac arp :RE:DA:CT:ED:MAC:ADDRESS #collapsed_forwarding on #negative_dns_ttl 5 minutes coredump_dir /nvme/LOGS_Optane/Squid_Dump #read_ahead_gap 64 KB #pipeline_prefetch 6 #happy_eyeballs_connect_timeout 10 #memory_pools on acl splice_group any-of https_login NoBumpDNS NoSSLIntercept acl splice_only_local_group all-of splice_only_mac splice_only_ip acl splice_main any-of splice_group splice_only_local_group acl bump_main all-of bump_only_mac bump_only_ip ssl_bump peek step1 ssl_bump terminate SSL_Intercept_Terminate miss_access deny no_miss active_use ssl_bump splice splice_main active_use ssl_bump bump bump_main active_use acl activated note active_use true ssl_bump terminate !activated # Setup allowed ACLs # Allow local network(s) on interface(s) http_access allow localnet # Default block all to be sure http_access deny allsrc

Peek first check the request
terminate everything that goes to DoH list wackamole
miss access is when it caches items so do not store login or chat stuff.
splice the splice devices phones etc stuff I can not ssl intecept on and some always splice websites banks etc, bypass intercept list

bump the bump only lists
mark the active use acl true with note directive
terminate anything that does not follow this just in case, I do not think anything ever gets to this acl.

so it is broken up into a dual use set up

ssl_bump peek step1
ssl_bump terminate SSL_Intercept_Terminate
miss_access deny no_miss active_use
ssl_bump splice splice_main active_use
ssl_bump bump bump_main active_use
acl activated note active_use true
ssl_bump terminate !activated

Okay, as expected, this event is tracked in the system.log. After resetting the admin password today, I checked and can confirm that event is recorded there. Unfortunately I couldn't find such event in my previous logs. Log retention is not a problem since the system.log goes back to Oct'24.

That really doesn't make sense, because at some point I had different admin password. The hash proves it (I compared one of the hashes from my admin password with the password of my other VPN user. This is where I accidentally changed the admin PW instead of my VPN user PW; so, for a short period of time my admin password had the password of my VPN user). At the end there may be a backend bug here. I had a different admin password at some point and I'm not seeing any notable events at least in the system.log

@johnpoz said in Any way to share IP range on two separate LANs?:

Why exactly would you want to connect these 2 switches into 2 ports on pfsense if you want them to be on the same network anyway? Are you wanting to firewall between them? But have broadcast and multicast on both?

Just as an ans, I have this setup - three sets of switches are connected to the three ports on pfSense; one serving WiFi, one HomeLan and third one for Storage but of cource, I didn't wanna have 'em all in the same physical network.

In that way, I can manage these three services seperstely and family don't start yelling at me when I'm doing something on the Lan side or the files arer still availabe from my Storage over the WiFi or daughter can go back to her iMac when I'm updating the WiFi system (as long as pfSense is up and running) :)

@tbeaulieu said in New to pfSense. Googleads results are blocked. Advice on fixing or accepting?:

because googleads' certificate was bad

Call Google and tell them ?
You'll do them a huge favor Google's add renevu is several millions a day), they will give raise your addwords account to the sky.
Seriously ?

Their certificate is fine.
What happened this :
You installed pfBlockerng because you were totally fed up to see these adds everywhere.
pfBlockerng by itself is empty, does nothing.
You you added a DNSBL 'add block' feed.
Just for the fun : open it up in a text editor :

I'll show you :

Here are my DNSBL :

ff423602-c6c9-4df3-961c-1bc1011f7132-image.png

I'll edit second one :

2d655211-2a5b-49a1-ae9b-bc2c541843b9-image.png )

and there you have the actual file :

https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

and in this file, your find :

883dd01c-864f-4329-a5bf-94a333ff67d1-image.png

and now you've found out what pfBlockerng actually does :
If a DNS request for "googleadservices.com" comes in, it will be replaced for 0.0.0.0.Even better, it isn't even pfBLockerng that does the heavy lifting. It the resolver (unbound).

So, if you, with the browser addresses bar, or as an URL on some web page that want to show you an add, a DNS call is needed, and 0.0.0.0 will come back. The browser will not try to contact 0.0.0.0 as that is the 'address does not exist' indicator.

I've explained the Null (or 0.0.0.0) blocking :

8e79642f-450c-4de5-9a48-ef22d84c0cc9-image.png

The (totally useless) Webserver/VIP blocking : the IP won't be 0.0.0.1 but 10.10.10.1.
And guess who will serve pages at that address ? The pfBlockerng web server that will tell you you wanted to visit a page that was blocked by the pfSense.
Sure enough, this web server can not have the web server certificate that Google uses for its addserver services page ( 😊 ) so it will use its own certificate.
Your browser detects that 10.10.10.1 is not Google as it will use the certificate and checks if the site it wanted to connect to is really goolgeadservcie.com.
And guess what ?? It wasn't.
The browser barks.
The add was blocked.

You said :

googleads' certificate was bad

I say :

Your browser was at that moment connected to 10.10.10.1 (pfBlockerng web server) and of course that server doesn't have the certificate that said it "googleadservice.com".
Because that's impossible.

But now, let me thank you first, as you really made my day - its always good to laugh ones in a while.
You said :

New to pfSense. Googleads results are blocked. Advice on fixing or accepting?

And then you said

Yes I have the pfBlockerng

and I presume you installed some DNSBL feeds, like the one I've shown above.

Here it comes : pfBlockerng is also known as an "add blocker".
googleadservcies.com is probably the biggest add server in the world, and present on all those DNSBL lists.

Or : what was your reason why you installed pfBlockerng ?

As said above : you can white list host names like "googleadservcies.com".
Go here :

74bcf8f4-cc17-41fa-8770-394adbb03694-image.png

and click on the green "+" and you'll be guided.

From now on, "googleadservcies.com" won't be blocked anymore.

And yes, don't worry, it took most of us a lot of time to learn how to work with pfBlockerng. We all went through it. There are no short cuts, not that I know of.

@Aadrem said in Frequent Crashes and Errors after upgrading to 24.11 pfSense Plus Version:

Unfortunately, accessing files, even through the shell, was not possible due to the frequent reboots.

Don't fact check me with your own PC type devices, so, if you're willing, imagine this situation :
Boot your PC.
Open all kind of files ....
Stand up, and walk to the power socket and rip it out.

Wait 10 seconds, put it back, and start over.

If your PC is modern enough, so its starts fast, you can do this 10 times test in less then 10 minutes.
If your PC is a portable : it will go even faster but please, these devices can have their disks soldered in so you will break your portable beyond repair by just removing the battery while it is running, for 10 times max.

But again, don't actually do it. Just imagine. (Go youtube to see them doing it - and, way better, ripping out the power while doing a BIOS upgrade - this one gives you a the full jackpot the very first time you play)

Your PC uses probably NTFS as a file system, and pfSense uses the somewhat even better 'ZFS', but still, chances are greate that 'nothing' happened. Just some current data loss.
But do this several times, and you will 'break' the filesystem.
Like in the good old days : do your CHKDSK /f and while doing so, you pray.
And then, again, you re installed Windows from those 46 floppies.*

Check this : How to Run a pfSense Software File System Check (5/2020) - some will say : not needed anymore.
Ok, maybe I lose some time while doing so, but at least, for me "data loss" or "OS broken", something that happened in century before this one.
(And if it happens, I've a daily dual copy)

Btw : a bad file system can be a symptom, not the original reason why your system went down.
Just install pfSense on some other hardware and suddenly all issue are gone ..... Doesn't that make you think ? ;)
(Yeap, motherboards, disks and our coffee machines still die on us)

@Aadrem said in Frequent Crashes and Errors after upgrading to 24.11 pfSense Plus Version:

From what I’ve read on forums and web in general, upgrade processes with pfSense often seem to cause issues

Yeah, I've seen them. Somewhat the 'same' story pops up on every OS update.
For myself, and since 2008 ( or more ? ) I'm still trying to make it fail on me.
It was always UPS protected, so it never (well : rarely) went down without the system shutting it itself.
I always reboot before upgrading it, and I go to single user mode (console !!) and do a file system check, and then let it run for several hours or a day before execute order number 13 (never GUI, I'm old school). This console session, I have it logged so I can review the upgrade process.
Some how I'm pretty sure that the upgrader process "knows" that it is watched. That would explain why it never failed on me.

Ones in a while the disk layout, or partitions, change, or new file systems comes out, like ZFS two years ago, so the phoenix method is needed.

I've always said here on the forum : go basic first : remove all installed packages before upgrading but, I admit, I don't do this myself anymore.

Before, I always asked for a (new) firmware first - I have a 4100, that I burned on a USB key. And I kept the previous version also. I still have a key with pfSense 1.2 (collector !). Now, the ZFS handles all this, but if the SSD dies, it will we "Hello, TAC ?" again. Or I'll go for the 'interactive' installer.

@djtech2k yeah I was going to say - a reject on local would make sense as default..

If device on your network wants to go to somethingblocked, might as well reject it - or he just going to retrans multiple times wanting an answer back from where he wanted to go.

If you tell him right away - hey you not going there, then it shouldn't spend any time doing retrans.

@viragomann said in CARP VIPs or Other:

@mcury
No, you need an interface IP and a CARP VIP in each VLAN.

So the VLANs are defined on the lagg and you have to assign an interface and an IP to each on the primary and secondary.
Then define the CARP VIP on each VLAN.

Thanks for clarifying things for me viragomann 👍

@stephenw10
This is not pfsense specific, just a general NLB query.

NLB > Unix vm's

Yup it's in the recommended patches list in the new patches package update.

@LaUs3r

Strange.

I've created a "a;conf" with :

!sshguard :msg, contains, ".*Exiting on signal.*" ~

( No !, and I've added the ~ )
and restated the syslog daemon.
No more

a120a7e2-fd52-4575-a76d-9a05447f4ce2-image.png

for me.

If you send me your NDI in chat I can check it.

Indeed! Even in that situation the gateway should not actually be on the LAN interface, just in the LAN subnet.

Just add the following line to your DNS Resolver Custom options:

local-zone: "duckduckgo.com" redirect

7122c48a-ec9a-4c84-891f-223556326f35-image.png