@stephenw10 I made some further changes. I removed the gateway for that problematic tunnel and also removed keep alive etc so that it is not expected to be running at start.
That didn't changed anything for me. At next reboot, gateways are down as is WireGuard. So it seems more of a general problem, although no one else is reporting it...

@stephenw10 Unfortunately I am going to have to wait till I can bring down the network to test. If I take it down now and it doesn't come back up I will be having some hell to pay from the family...lol. 😃

@johnpoz Ok, well thank you anyway John
Tas

@Gertjan oh I missed that - my bad.

@jarmo said in Should my dhcpv6 clients also get a /64 address?:

clients get one /64 address from a correct subnetwork.

Initially, there should be 2. A consistent address and a privacy address. You get another privacy address each day, up to 7, when the oldest one falls off the list.

@tinfoilmatt said in Netgate Documentation on DNS over TLS and NOT using DNSSEC:

I've never encountered any problems

And what have you gained by asking for something that has already been done.. You mention you leave 0x20 off for performance - but want to do a bunch of queries for dnssec that make no matter?

@johnytb said in Gtek 2.5G (Intel I225 Controller) PCI-E x1 Network Card not recognized by the pfsense:

can you explain to me what exactly is this interface that you show here ?

That's pfSense most important interface 😊
The one that works when even all your NICs don't work.

Its called : the console, which could be a serial connection, or, if you have VGA/HDMI build in, it could be that and a (USB) keyboard.
Or : If the LAN NIC is working, you 'ssh' into your pfSense using a SSH client like putty or classic 'ssh'.

Keep in mind : what happens when you have a disk drive issue ?
=> pfSense can't boot.
=> Network interfaces will all by down ...
You the the console (serial or VG/HDMI/Keyboard) access.

For command line commands I use the ... command line = console (or SSH) access.

@iggybuddy6 I'm just happy I could help. Today I went from thinking I knew everything about setting up wg on pfSense, to realising I did not, and that is a great reward in itself!

Hopefully your setup will remain stable going forward.

@dennypage said in New Tunable: kern.crypto.iimb.enable_aescbc on fresh install:

So in summary, to answer your question, I don't think it matters at all. 🤠

Well, according to the documentation, ChaCha20-Poly1305 is accelerated by iimb, so if you are running only wireguard, you would benefit by enabling it.
If that is the case, kern.crypto.iimb.enable_aescbc will be 0.

Not sure if QAT enabled or disabled, will influence in that value.

Yes that's correct. The 1100 has only one NIC (mvneta0) and an internal switch with VLANs to separate the ports. But, as I said, you shouldn't need to make any changes there it's detected and set automatically for any Netgate device.

Ah OK I see, the names threw me!

Cool. Yup there was a backend issue last night. It should be fixed now.

@mav3rick said in OpenVPN on 2 pfsense instance with HA - service is running on both pfsense instances:

So setting openvpn to bind only to the CARP VIP works fine for me

Multi-WAN with HA there?
If so, it would be a better idea to run openVPN server on localhost instead.
This would allow it to receive connections from all WANs.

No need to select a VIP, just forward packets from the WANs VIPs to localhost.
You can use DNS, thus the client would connect to the WAN that is UP.
Or
You can use two remote entries in the .ovpn, with timeout lets say, 2 seconds.

Then, just create the NAT rule to access the firewall-2, using the SYNC address as previously mentioned.

@bmeeks Thank you.

Your points are excellent. I believe I will back off from adding more supplemental apps. Adguard Home works with OPNsense as a 3rd party add-on without complaint so I will leave that alone for now. But I will also keep an eye out for issues with that configuration.

Worst case is a reinstall of pfSense and a restore of the backup configuration. My Windows Adguard Home servers are available if needed.

Screenshot 2025-07-18 at 15.25.50.png

It works I had to adapt the make file again USES= tar:tgz for it to make install clean. I have to update the pr now

it comes with ROCK too!!!!

@NOCling
Setzt aber voraus, dass man die Formel kennt.

@patient0 Thanks for further suggestions. The tunnel is definitely up and so I don't think this is a CGNAT issue after all. WAN firewall rule is in place for UDP on port 51823 (otherwise the tunnel wouldn't work, right?). I can ping from client 1 -> client 2 and visa versa and also ping all points in between like you suggest. I just can't open an HTTPS connection from pfSenseB from Client 1 using a browser. But I can do this the other way round i.e. from Client 2 to pfSenseA

I will try and do some packet capture to see if that reveals anything.

@RobbieTT

Be aware that I am not at all saying that a user can directly access the ISP-node, but I am sure that PPOE interface can !!

Whats ever I it helps, I am absolutely OK to activate PPOE debug logging for a short period!

Note that my actual config is like this
ISP => ISP-fiber-interface => one of my small switches => pfSense.

Internet should arrive via VLAN 6, IPTV via VLAN4 and (Old) VoIP via VLAN7.
Untagged routed to vlan1 and vlans (internet) are routed to pfSense.

I did add vlan1 to be quite sure that even untagged messages are passing to pfSense. Normally I would simply have blocked untagged. However the PPPOE is assigned to VLAN6.

@SteveITS said in pfSense® CE 2.8.1 Beta Now Available!:

Release notes?

https://docs.netgate.com/pfsense/en/latest/releases/2-8-1.html

It's not a bug because that's the expected behaviour. You could consider it a missing feature if you need to make changes there. Open a feature request: https://redmine.pfsense.org/

This is the first time I've seen anyone ask about it in 10 years though so it's clearly not a huge problem.

You could just patch the file to create the config with the values you need then carry that as a custom patch in the patches package.