• "Version 25.11.1600002 is available." really?

    0 Votes
    11 Posts
    2k Views
    Hi, Upgrade confirmed, no issue! [image: 02-08-26-055113.png]
  • freeradius logging?

    1 Votes
    1 Posts
    90 Views
    No one has replied
  • Stuck with Gateway/Wan_DHCP While Installing Wireguard

    0 Votes
    5 Posts
    179 Views
    @stephenw10 And as suggested, I will set the WAN to a static IP and see about adding the gateway myself. Thanks for your help.
  • 0 Votes
    4 Posts
    258 Views
    stephenw10
    Yup that's expected when it gets updated.
  • Acme: intermediate + root chain

    0 Votes
    1 Posts
    90 Views
    No one has replied
  • 0 Votes
    26 Posts
    2k Views
    @marcosm We can reproduce this error after almost every reboot on a pfSense Plus 25.11. If you would like to investigate, we are happy to support.
  • Source IP for Shell

    0 Votes
    9 Posts
    358 Views
    I reply to myself: you can use this script to install the cert, the ca and activate it for different services on other pfSense without issuing a new certificate on each pfSense: https://github.com/stompro/pfsense-import-certificate
  • System log entries restarting after 25.11.1 update

    0 Votes
    28 Posts
    1k Views
    @stephenw10 FYI, I found an old config.xml that has the missing interface for the NAT rule, it was from v22.8 and was dated March 2023. I updated my system with every new release when it showed up on my dashboard. Thanks again for pointing me to the fix.
  • ha proxy backend offline layer6 invalid ssl response

    0 Votes
    1 Posts
    102 Views
    No one has replied
  • States Summary page

    0 Votes
    4 Posts
    161 Views
    stephenw10
    Yes. The page only parses the output of pfctl -ss. So you could dump that to a txt file then import it and filter using whatever tool you want.
  • VLAN support with TP-Link AX1800 Wi-Fi 6 Router

    0 Votes
    6 Posts
    5k Views
    Ultimately this is more of a TP-Link question than a pfSense question, but...

    @erichium Can I set up VLAN support in pfSense such that the wifi traffic from the TP-Link router goes through one VLAN and the hard-wired traffic from the TP-Link router goes through another VLAN? I've seen that the router has support for IPTV/VLAN, but I think I'm coming to the conclusion that that's not really supporting VLAN for pfSense.

    IPTV/VLAN should solve this for you. On the AX1800, the IPTV/VLAN feature lets you configure up to 3 VLAN tags on the AX1800's WAN port. You can then choose which LAN ports are on which VLAN.

    Limitations
    - You can't name the VLANs. On the tp-link the VLANs are named "Internet", "IPTV", and "VOIP", but they can be for whatever you want.
    - Only the WAN port on the tp-link supports vlan tags. LAN ports have untagged traffic, but you can choose which network each LAN port is connected to.
    - All WiFi traffic goes to the "Internet" vlan on the WAN port, regardless of SSID.

    Steps on the AX1800
    1. Advanced -> Network -> IPTV/VLAN
    2. Enable "IPTV/Vlan"
    3. Mode: Custom
    4. Enable "802.1Q Tag for internet". Set the VLAN ID to some number (ex: 2)
    5. Enable "VOIP VLAN". Set the VLAN ID to some number (ex: 3)
    6. Disable "IPTV VLAN".
    7. Set all 4 LAN ports to VoIP. The WiFi is always on the "Internet".
    8. Save.

    Connecting things
    - Connect the WAN port of the tp-link to one of the LAN ports on the pf2100.
    - Configure pfsense based on the vlan tags (ex: vlan id 2 = wifi, vlan id 3 = wired). The AX1800 supports multiple SSIDs, but they'll all be on the same vlan (ex: 2).
    - If you have NAT and DHCP enabled on the tp-link, then wifi (and any ethernet ports configured for "internet") will get DHCP from the tp-link and the TP-Link will perform NAT translation on traffic going to/from the WAN port on the vlan id you set (ex: 2). You'll need to set up pfsense to provide DHCP for the other VLANs.
    - If you disable NAT and DHCP on the TP-Link then you can let the pfsense handle DHCP for the tplink's "internet" VLAN as well.
    - I think the TP-Link configuration interface is only available on the "Internet" vlan.
  • Should I revert patches before upgrading?

    0 Votes
    3 Posts
    155 Views
    jimp
    https://docs.netgate.com/pfsense/en/latest/development/system-patches.html#managing-recommended-patches
  • pfSense with multiple Proton WireGuard tunnels

    0 Votes
    60 Posts
    9k Views
    @ztamayo86 said in pfSense with multiple Proton WireGuard tunnels:

    @wardex Hello, thank you for this information. I am confused by:

    @wardex said in pfSense with multiple Proton WireGuard tunnels: This does not work well when you have a load balanced Gateway Group set as the default Gateway Group in System/Routing/, but does work in policy routing when you set a Gateway Group in your firewall rules.

    My default gateway is still listed as my WAN. Under the settings, default gateway says automatic. Do I need to change this? I am not using the WAN gateway in any of my firewall rules.

    It should be fine, the main point was that if you wanted to load balance your VPN's using a Gateway group as the default wouldn't be the best choice, but policy routing through the firewall, as you are doing, is better. It mentions this in the pfsense manual.

    @wardex said in pfSense with multiple Proton WireGuard tunnels: Further, you could even split those tiers in your policy routing Gateway Group, so for example, if you had six Proton gateways, two could be on tier 1 and two could be on tier 2, and two could be on tier 3. This would round robin the two tier 1 gateways until they were down which would failover to the two tier 2 gateways which would be round robined, and so on.

    I don't understand what would be the benefit of this over having six gateways in one group. Would the benefit be faster switching when one goes down?

    You still have the six gateways in the same Gateway Group. The difference is tier 1 will load balance between the tunnels until all tier 1 tunnels go down, then pfsense will switch to the tier 2 tunnels (failsafe) and load balance those tunnels, and so on. You may have four Seattle tunnels on tier 1 and two L.A. tunnels on tier 2, and may choose to load balance the Seattle tunnels, as they may be your preferred tunnels, but if they all go down pfsense will failsafe to tier 2 and load balance the L.A. tunnels.

    It gives you more control but the tier 2 and subsequent tiers will usually see less action than the tier 1 tunnels. Maybe you prefer P type tunnels in one city but there are only two of those tunnels and the rest are p2p tunnels. You could put the two P type tunnels on tier 1 and four p2p type tunnels on tier 2 for failsafe.
  • speed test cli

    0 Votes
    3 Posts
    172 Views
    johnpoz
    Don't be surprised if speed is not what you pay for. Speed tests should be run thru pfsense, not to or from it.
  • Boot hang at Synchronizing user settings after update to pfSense + 25.07.1

    0 Votes
    11 Posts
    954 Views
    stephenw10
    Hmm, interesting. So in 25.11.1?
  • LDAP Authentication with Active Directory Windows Server 2025, bind fails

    0 Votes
    9 Posts
    46k Views
    @Laxarus thx for your help, i'm working on WatchGuard Firewalls and had same binding error. Could authenticate my users after adding the GPO.
  • Incompatible 10Gb NIC

    0 Votes
    9 Posts
    487 Views
    stephenw10
    Good choice!
  • What happens when a wan down condition is detected?

    0 Votes
    14 Posts
    618 Views
    GPz1100
    Pfsense 24.11

    Just like clockwork, had the outage just a bit ago. Here are some observations. I let the outage occur without touching anything, just monitoring what happens and/or if it self recovers.

    10:13:13 last successful unicast wan dhcp renewal
    10:14:56 outage began
    10:43:13 unicast dhcp renewal began
    10:51:50 still trying unicast renewal unsuccessfully (see dhcp log below)
    11:06:18 broadcast successful renewal DHCPREQUEST on igb0.2 to 255.255.255.255 port 67

    dhcp log https://pastebin.com/raw/MP2QAz4J

    Flood of entries in gateway log from dpinger - every 5s (modified configuration). Default would be every .5s! I've commented on this before. This really should be mitigated. At default setting of .5s, that's a lot of lines of basically noise.

    gateway log https://pastebin.com/raw/dtTiP9ak

    I could have sworn in the past a unicast renewal was sufficient enough to jumpstart connectivity. This was a year ago, so maybe something changed either in pf or att. Pf version is 24.11. I don't recall when exactly I updated to 24.11, it was probably in early 2025.

    Total outage lasted 2967 seconds - 49m27s (at 82.4% of lease time)
    64 bytes from 1.1.1.1: icmp_seq=91 ttl=57 time=3.819 ms
    64 bytes from 1.1.1.1: icmp_seq=3058 ttl=57 time=3.780 ms

    RFC spec says T2 (broadcast renewal) should take place at 87.5% - (https://www.ietf.org/rfc/rfc2131.txt, page 40, 2nd paragraph); 82.4% != 87.5%. Pfsense set differently?

    Edit, ping count is not exactly a measure of time. Computing the time between the outage onset and broadcast renewal reveals 3082 seconds had elapsed. 87.5% of 3600 is 3150. Renewal happened 1m10s earlier than expected ;). So while not exactly ideal for this use case, it does appear to generally be following spec. Perhaps unifi/udm products behave differently in these cases.
  • Community download?

    0 Votes
    4 Posts
    213 Views
    @lewis https://docs.netgate.com/pfsense/en/latest/install/netinstaller.html To add one more, the Installer provides its own Internet access, so can be installed directly on the router.
  • time drift

    0 Votes
    37 Posts
    1k Views
    johnpoz
    @jachin said in time drift: No, and just to be clear, this would like my DHCP settings on my WAN connection (to my ISP) right?

    Unchecking that will just stop pfsense from using your isp dns as a fall back, if you are using the resolver there is really little point to using that. Normally isp dns is crap anyway.

    ;; ANSWER SECTION:
    44.25.17.216.in-addr.arpa. 86400 IN PTR usi-ns14-mpls.usinternet.com.

    The problem is with that testing pfsense for dns even when say unbound is down could still work, and that might be fine, but those would never be used by a client that is asking pfsense for dns. There just really is no point in allowing your isp to insert name servers like that.. If you can't get any dns to work and you need for pfsense to talk to the internet you could always check it..

    Yeah its possible some pool members might not answer ping - but that you can ping some of them would indicate you at least can talk to them.. ntp might be blocked - but at least you have connectivity. So that is a good sign.

    Could you post what you have pfsense pointing to in the localization section under general. And could you put in some of the pool address again and see what your ntp service shows.. Here I turned off my dns ntp pool override so I could set pfsense to use a pool.. This is what you should see.

    [image: 1769895064632-workingntp.jpg]

    Reach is only 1 since I just did it, so let it run for a while if not seeing a reach - but the pool should populate for sure.. If not you have something wrong with dns. If you do a dns query under diag do you see pool fqdn return addresses? And also this is just the ntp server, which your pfsense could use for its own time - but it might not be, so you need to look in the general setup section.

    edit: also what do you have here? under ntp settings.

    [image: 1769895405117-ntpsetting.jpg]
Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.