@hfederau good manual to recheck setup -> https://www.wundertech.net/how-to-set-up-tailscale-on-pfsense/

@SteveITS I'll try the filer reload thing Thanks The alerts are an error that kept coming up after I restored a backup - with some mismatched interface assignments - etc Do you have any suggestions on how to get rid of the error? Can I get rid of the issue at an ssh level ?? If I recall right it is a rule on an interface or network that doesn't even exist and is not shown in the GUI[image: 1758751783303-image-9-24-25-at-6.05-pm-resized.jpeg]

@jogovogo said in No Internet access with VLAN via OPT1: My first surprise is that I'm now on the firewall, but why? The web server that serves the pfSense GUI runs on all assigned interfaces. When you installed pfSense, there was a pass rule for incoming traffic on the initial LAN interface : it accepts all traffic. When you add more LAN type interfaces, the ones called OPTx, there will be no inital rules, so you can't access anything. DHCP will work as pfSense will add hidden DHCP (UDP port 67 and 68) rules, but nothing else (no http https dns icmp etc etc etc etc). When you add a pas rules for TCP, UDP, etc, things "start to work". When you use addresses like this : [image: 1758697659291-89b7f27a-e729-4579-81c1-cb12989a7d3f-image.png] you use IP addresses. So, even is DNS is not working, then that won't be an issue. Your browser doesn't need to use use DNS (for translating host names to IP addresses) as you already gave an IP. It can contact the device 192.168.151.1 right away. You've allowed TCP IPv4 traffic to port 477, which is apparently your changed your pfSense https web GUI interface port. @jogovogo said in No Internet access with VLAN via OPT1: The issue has been resolved, simply, by restarting the DNS resolver. Euh ...... As you've changed lost of things at the same moment, it's hard to tell why dns (== the resolver) didn't work initially. Normally, when you add an new interface like your OPT1 interface, system processes like DNS (the resolver) gets restarted. The resolver will listen to All Interfaces : [image: 1758698045123-e07276c8-27b7-4a13-b999-ca154f396adf-image.png] by default so it would work right away on the new OPT interface. Again, you still have to add a firewall rule to allow DNS traffic to reach the pfSense DNS port 53 of course.

@perrin This is just switching on maintenance mode on the primary, nothing unusual.

@stephenw10 BINGO !! Thanks again as ever. My ISP recently changed the behaviour on the fibre accounts. The upstream gateway showed offline - I changed the monitor IP and - all working - thanks so much!!

What happens if you set the media to 100M without setting the mediaopt value so it still tries to negotiate that?

In addition to the ping issue, there is also an issue where the Gateway address (Gateway IPv6) is not set. Am I the only one for whom the Gateway address (Gateway IPv6) is not set when using if_pppoe? If so, I assume it's due to the uniqueness of setting only IPv6 for one PPPoE session. Specifically, if_pppoe assumes that IPv4 is configured. However, since there is no IPv4 configuration, if_pppoe cannot set the IPv4 Gateway (WAN_PPPOE). It is determined that an error has occurred in the IPv4 Gateway setting, and the IPv6 Gateway (WAN_DHCP6) setting is canceled. Is this guess correct?

Thanks. That's interesting. It looks like a different bug to me. Those are almost identical backtraces in the IPv6 stack. We are looking at it....

I'm not aware of any new issues in isc-dhcpd. It depends how it failed. If it was unable to service requests but was still running it might log an error. If it was just so busy it stopped responding you might see that in the logs. Or, yes, if it just crashed out you might see that in the main system log.

@Pagi So I guss, the NAT address changed to the WAN address. Set it to LAN3 address and it should do, what you want.

@JonathanLee guest.arpa - it really should be guest.home.arpa. .arpa was not set a special use tld.. The domain home.arpa was set If you want to use any domain name you want with tld, then use the special use tld .internal I don't think its been fully approved as of yet, but believe an rfc has been submitted.. But guest.arpa for sure is not a special use domain.

@lifeofguenter Ah. I see that now. I did not realized the windows scrolled. @weehooey your script does not work. When I install qemu-guest-agent it already installs a start script: What you are showing is not what our script does. I can tell you that we tested using the script we provided, and it works on 2.8.1. Perhaps you have not marked your script as executable?

@JKnott I do not expect ATT to change my address, I have had the same IP4 address for over 7 years. Right now I am making sure I understand how PiHole will behave and get in place my DNS blocking to prevent to use of rouge DNS. I suspect to solution will be to block all IPv6 port 53 (except PiHole) and force the use of internal IPv6 and continue to masquerade IP4 rouge DNS requests.

@johnpoz said in Why not a CNAME?: But I am not aware of anyway to dynamically change what fqdn a cname record points to other than via a API into the dns.. Or maybe you could script something with unbound-control. Agreed.

@SteveITS yes when I add a subnet to the alias it appears in the table, when I remove the subnet from the alias it disappears in the table. So that works as expected.

@Belcebu-Gdl Hola. Los logs se pueden incrementar en VPN - OPENVPN - SERVERS - editar el servidor - Verbosity level https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure-server-advanced.html Para comprobar los certificados de un usuario, ir a SYSTEM - USER MANAGER - USERS - editar usuario - USER CERTIFICATES. Los certificados de usuario se pueden comprobar en SYSTEM - CERTIFICATES - CERTIFICATES. Se puede comprobar que son de la misma CA que el servidor openvpn. Puedes comprobar la autentiación de los usuarios en DIAGNOSTICS - AUTHENTICATION. Y puedes dar permisos de admin a los usuarios y comprobar si pueden entrar vía web a pfsense. Esto es para comprobar la autenticación mediante otro método. Un saludo.

@stephenw10 Yep IP alias for me.

@gambit100 I doubt it is related to your problem, it just caught my eye. The problem is should you ever need to connect to a home.com network, it won't work. That's why they came up with a top level domain name to be used for that sort of thing, in that it will never be assigned to anyone.

@patient0 Got it, will explore 'Shellcmd' package Thank you!