@ahole4sure
Maybe the routing table brings dissociation.

However, I'm not familiar with Tailscale. Don't know, what it does.

Hmm, interesting. I can't say I've noticed that. But also I wasn't looking for it specifically. 🤔

@chpalmer
Lan rule
fb4aae7f-b0da-4fe6-822b-8d3888d5610f-image.png
Lan is 172.16.0.1/24, ipv4 address = 172.16.0.1

d019653e-df38-440a-875e-640ff6e5ddc4-image.png

I can ping something from lan to a device on switch a (i changed the ip for switch a to 172.16.64.1/21)

but i can't ping to B net
3c20c8ba-57f4-4cd6-bedf-cdb4825b6dce-image.png

6800adee-5457-4941-aa5c-0da92b7c3482-image.png

i put allow all to all at the top because i want pfsense to process these rules first. I fixed this issue on friday but i wasn't writing down what i was changing so back to square one.

@stephenw10
Thanks again.
Well it is full of passwords and pre-shared keys and very detailed stuff but I guess we should find the culprit of it somehow.

I did find leftovers of lcdproc before, which I cleaned at some point.
That means that part of the config I am using was migrated from a modified WatchGuard I have used in the past.

Let me have a look tomorrow.
It's kind of late now in my timezone.
Thanks!

@70tas Indeed the global token does not work anymore, you must use the API token. And then for the login, do not use your email address. As I wrote before: "One must use the Zone ID when using the API token."

I have this working using the DDNS GUI. I only needed the script for debugging.

@Qinn said in Feed issue on SWC:

Got a reply from Dan and here it is solved.

Thanks for feedback!

Good to hear.

@Gertjan those 3 name server might be just his isp dns.. that first on is fibreop and the others are aliant - which are the same isp - with the fibre one being for their FTTH.

Yeah if you want to use those - you should have unbound forward to them - but I see little benefit to forwarding for dns, just let unbound resolve is better option imho.

@raspier The 2100-MAX runs Snort really well but it wont do SO objects. It does everything else. See Snort SO rules I have a paid subscription with a code and everything but the SO rules never populate do they show up on your 1100?

Screenshot 2025-07-11 at 16.34.49.png

"Your Netgate 2100-MAX uses an ARM64 CPU (Marvell ARMADA).

❗ Important Limitation:

Snort SO rules are precompiled binary modules. Cisco/Sourcefire only provides precompiled SO rules for x86_64, not ARM.

That means SO rules are not available on the Netgate 2100, 3100, 1100, or any ARM-based device." So how does your show up???

Because 10.60.0.252 is the server end of the VPN tunnel at pfSense. The local DNS resolver (Unbound) listens and responds on that IP and that is where the override is set.

Where as 8.8.8.8 is Google's DNS service that knows nothing about any local overrides you might have set. When clients use that DNS server is bypasses any local DNS overrides.

@rasputinthegreatest well blocking and not log would just be any any udp to that ff0e::c address or port 1900 anything, etc. And don't have it log.

As to the scanners - that is a pfblocker alias I have.. And put that in a floating rule.

scandeny.jpg

I would agree. 18 hours in and everything continues to run smoothly. The issue related to image availability I believe is the valid answer and we can close this out as solved. Thanks everyone. -JD

@phthatcher said in SG-1100 as VPN client only (no dhcp) adding to existing network:

just assure that when the server reaches out to the web it is behind the vpn

So all you need is to configure pfSense as default gateway on the server.

The pfSense only needs a single interface (LAN, router-on-a-stick), connected to your LAN.
On the VPN interface you have to add an outbound NAT rule, as mentioned in the ExpressVPN tutorial.

@stephenw10 i have same issue

Probably just that then. But you should see the set options and capabilities for those NICs like:

[2.8.0-RELEASE][admin@t70.stevew.lan]/root: ifconfig -vm igb0 igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500 description: WAN options=4e100bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG> capabilities=4f53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>

So there you can see the NIC is both checksum offload and TSO capable but only checksum is enabled.

@rasputinthegreatest see my edit about devices sending it out even when they have an IP on the network - my directv appliance does that.. But once you have a mac should allow you to track it down. Especially if you have a smart switch and its wired. Where you can look at the mac address table.

If everything is working and you just don't like the noise in the logs, you can turn those off, either in log settings - I believe new 2.8 allows for not logging link local. Or you could setup a rule not to log it.

@dennypage, @maximushugus, @louis2, @jeffscott

Good news!

I have the PIMD version I did compile yesterday working !!
Including the related pfSense gui.

Not I think I can make it running the way it should in the coming week(??).

Note that at this moment I still have the following issues:

The warnings at compile time. Surely NOT OK!
=> I do not have the knowledge to fix this. but it does not be blocking. The man directory issue.
=> I have no idea how to solve that. My actual work around is removing the manual files from package definitions (NOT OK) Pimd does not run using the GUI.
=> At this moment I have to start pimd from the command line in debug mode and restart pimd after each config change. However pimd is running and I can access my media server.
pimd -n -f /var/etc/pimd/pimd.conf --disable-vifs -l debug=all the firewall rules are not yet as they should be, for the test I just opened too much.

So I have to sort out things in the coming week/weeks. But I have good hope that I can solve points 3 and 4.

If someone can solve points 1 and 2, it would be highly appreciated!!

Yup, what I missed here is that whilst it's not hitting the default block rule it's in fact also not hitting your custom rules. It's actually the hidden block all v6 rules that are added when you unset 'allow IPv6'.

@georgelza said in multiple ISP/WAN interfaces:

I want to make it as simple as possible, without me becoming their IT department....

Well, you ARE their it department.

Leave it as it is, if it works why fix it?

@Markus4210 said in Lokale IP über Virtuelle IP "Umleiten":

9981 http abfrage m3u , stream dann über 9982 htsp.

Würde es nicht reichen, nur m3u über HAproxy laufen zu lassen?
Wenn da nicht kommt bzw. "Wartung" kommt, wird es ohnehin keinen Versuch geben, den Stream zu kontaktieren, oder?

Ja und habe gesehen das PFSense Files im HA Proxy bereitstellen kann.
Wärs da nicht noch klüger gleich bei Ausfall die "wartungs m3u" in der PFSense bereit zu halten.

Damit habe ich leider keine Erfahrung. Wenn es möglich ist, das File als "Backup Backend" auszuliefern, wäre das eine Option.