Netgate Discussion Forum
    • N

      [2.8.1.b] Multiple limiter issue

      Development
      0 Votes
      11 Posts
      492 Views
      stephenw10

      Ah OK I see, the names threw me!

    • mav3rick

      OpenVPN on 2 pfsense instance with HA - service is running on both pfsense instances

      OpenVPN
      0 Votes
      12 Posts
      136 Views
      M

      @mav3rick said in OpenVPN on 2 pfsense instance with HA - service is running on both pfsense instances:

      So setting openvpn to bind only to the CARP VIP works fine for me

      Multi-WAN with HA there?
      If so, it would be a better idea to run openVPN server on localhost instead.
      This would allow it to receive connections from all WANs.

      No need to select a VIP, just forward packets from the WANs VIPs to localhost.
      You can use DNS, thus the client would connect to the WAN that is UP.
      Or
      You can use two remote entries in the .ovpn, with a timeout of, let's say, 2 seconds.

      Then, just create the NAT rule to access the firewall-2, using the SYNC address as previously mentioned.

    • S

      route everything through openvpn connection: issues with interface active

      OpenVPN
      0 Votes
      11 Posts
      156 Views
      S

      @viragomann I lost oversight. The customer edited stuff on his own ... and wrote he succeeded by adding fw rules and policy-based-routing. Sounds like overkill a bit, but ok if he's happy.
      I have to accept that this box is out of my control somehow now ;-)

      thanks for your help. I might report back if I get access again and see things.

    • C

      FreeBSD apps to load behind pfSense?

      Off-Topic & Non-Support Discussion
      0 Votes
      10 Posts
      247 Views
      C

      @bmeeks Thank you.

      Your points are excellent. I believe I will back off from adding more supplemental apps. Adguard Home works with OPNsense as a 3rd party add-on without complaint so I will leave that alone for now. But I will also keep an eye out for issues with that configuration.

      Worst case is a reinstall of pfSense and a restore of the backup configuration. My Windows Adguard Home servers are available if needed.

    • JonathanLee

      pfsense-tools.git clang gcc

      Development clang gcc pfsense-tools
      0 Votes
      11 Posts
      153 Views
      JonathanLee

      It works. I had to adapt the make file again (USES= tar:tgz) for it to make install clean. I have to update the PR now.

      it comes with ROCK too!!!!

    • G

      VPN performance with S2S

      Deutsch
      0 Votes
      9 Posts
      193 Views
      V

      @NOCling
      But that assumes you know the formula.

    • P

      Wireguard site to site tunnel with GNAT

      WireGuard
      0 Votes
      9 Posts
      117 Views
      P

      @patient0 Thanks for further suggestions. The tunnel is definitely up and so I don't think this is a CGNAT issue after all. WAN firewall rule is in place for UDP on port 51823 (otherwise the tunnel wouldn't work, right?). I can ping from client 1 -> client 2 and vice versa and also ping all points in between like you suggest. I just can't open an HTTPS connection from pfSenseB from Client 1 using a browser. But I can do this the other way round, i.e. from Client 2 to pfSenseA.

      I will try and do some packet capture to see if that reveals anything.

    • w0w

      New PPPoE backend, some feedback

      Development
      0 Votes
      225 Posts
      32k Views
      L

      @RobbieTT

      Be aware that I am not at all saying that a user can directly access the ISP-node, but I am sure that PPOE interface can !!

      Whatever helps, I am absolutely OK to activate PPOE debug logging for a short period!

      Note that my actual config is like this
      ISP => ISP-fiber-interface => one of my small switches => pfSense.

      Internet should arrive via VLAN 6, IPTV via VLAN4 and (Old) VoIP via VLAN7.
      Untagged routed to vlan1 and vlans (internet) are routed to pfSense.

      I did add vlan1 to be quite sure that even untagged messages are passing to pfSense. Normally I would simply have blocked untagged. However the PPPOE is assigned to VLAN6.

    • P

      pfSense® CE 2.8.1 Beta Now Available!

      Messages from the pfSense Team
      6 Votes
      9 Posts
      634 Views
      S

      @SteveITS said in pfSense® CE 2.8.1 Beta Now Available!:

      Release notes?

      https://docs.netgate.com/pfsense/en/latest/releases/2-8-1.html

    • O

      pfsense-ce 2.7.4 SSH server: how to config ClientAliveCountMax and ClientAliveInterval

      General pfSense Questions sshd
      0 Votes
      17 Posts
      823 Views
      stephenw10

      It's not a bug because that's the expected behaviour. You could consider it a missing feature if you need to make changes there. Open a feature request: https://redmine.pfsense.org/

      This is the first time I've seen anyone ask about it in 10 years though so it's clearly not a huge problem.

      You could just patch the file to create the config with the values you need then carry that as a custom patch in the patches package.

    • maverickws

      Kea DHCP stops working

      DHCP and DNS
      0 Votes
      70 Posts
      13k Views
      Gertjan

      @MacUsers said in Kea DHCP stops working:

      all of pfSense are v24.11-RELEASE (amd64); as far as I can see now, KEA actually never worked for me since I migrated from ISC, regardless of the pfSense version.

      There is a 99,99 % solution available now.
      Right now, this one :

      05190dbc-0f5c-445e-ba66-8104c93aae78-image.png

      is available.
      An RC version is identical to the final Release.
      It stays RC so very minor issues like GUI text can get corrected.
      Major changes, like 'kea not working' won't be corrected anymore.

      I'm pretty sure (tens of thousands) use "25.07"(RC) right now, and they 'all' use kea.
      No issues afaik.
      So .... even if 25.07 won't solve your issue, you'll be sure for 99,99 % that the issue is ... on your side.
      Or, you are using pfSense (kea DHCP) in a very special way, and no one else is using it that way so we can't know what your issue is ?
      Do you have any details about why your 'pfSense' (DHCP kea settings) are so different that it 'breaks' ?
      Do you use an edge case scenario where things were possible with ISC DHCP, but not anymore with kea ?

      Btw : we all have iMac, IPads iPhone and other iStuff in our networks, they all behave fine with kea, using classic DHCP leases, or static MAC leases.

    • W

      DNSBL_Malicious not downloading

      pfBlockerNG
      0 Votes
      9 Posts
      430 Views
      W

      @Qinn Thank you, I just turned it back on and it is working!

    • N

      IPSECD VPN Phase-2 configuration disappearing

      General pfSense Questions
      0 Votes
      39 Posts
      3k Views
      T

      @stephenw10 Correct. Way longer than the tunnel rekey times, so something must prompt a configuration reload outside of that.
      Or maybe the tunnel went down at some point and the config was reloaded when a reconnect was attempted.

    • JonathanLee

      Snort and GIF0 for HE tunnel broker

      IDS/IPS ipv6 snort he.net gif ips
      0 Votes
      9 Posts
      166 Views
      JonathanLee

      @SteveITS It looks like it is detecting ipv6 better

      already is showing alerts

      It sees some ipv6 going to my interface. Again, snort also would spot stuff every once in a while. My son got a bad bug on his tablet and it had a Russian email server running. I checked it on virus total and it was spot on as malware known abuses, so I reported it.

    • G

      Traffic flows to wan not other subnet

      Routing and Multi WAN
      0 Votes
      9 Posts
      174 Views
      chpalmer

      @greatbush while I have about 3 minutes here
      do you realize that windows machines by default will not allow pings and such from outside their own subnet to come in? Just trying to rule out any issues that you might have with Windows firewall on those machines..

    • W

      Teams Issues

      General pfSense Questions
      0 Votes
      8 Posts
      179 Views
      Gertjan

      @wc2l said in Teams Issues:

      teams.microsoft.com works just fine.
      Host "msg.teams.microsoft.com" could not be resolved.

      Same for me.

      edit : while waiting, read also C:\Program Files (x86)\Microsoft Teams Network Assessment Tool\Usage.docx - this is a Microsoft tool with a manual / notice .... ( 😊 )

    • G

      failed to fetch the repo data. Unable to perform update from 2.7.2 to 2.8.0 after restoring crashed 2.8.0 pfSense.

      Problems Installing or Upgrading pfSense Software
      0 Votes
      8 Posts
      212 Views
      G

      @Wolfgangthegreat
      ...and to @comet424

      I wasn't able to perform the 2.8.0 update this weekend, but when I got to the school this morning, it worked perfectly!

      I appreciate the support from both of you, and from Netgate.

      The backup/standby pfSense instance is back in place and ready in case I have a hardware failure, or a failure of the gray matter between my ears!

      My best to all of you.

    • T

      I have 3 WAN, 1 LAN, and 1 device VPN'ed into WAN1. Computers using WAN2 or WAN3 cannot see the VPN device

      Routing and Multi WAN
      0 Votes
      8 Posts
      88 Views
      V

      @ThePowerPig
      So add an additional rule to allow access to internal subnets (best to create an RFC 1918 alias for this purpose), but at least for the IPs you want to access from the device in question, and move this rule up above the policy routing rule.

    • T

      On beta 2.8.1 but update tab indicated that the current stable is 24.11

      General pfSense Questions
      0 Votes
      8 Posts
      177 Views
      T

      @stephenw10 Confirmed fixed ty kindly sir.

    • S

      pfSense and Squid going forward?

      General pfSense Questions
      0 Votes
      9 Posts
      319 Views
      JonathanLee

      https://github.com/pfsense/FreeBSD-ports/pull/1420

      Merged. I could not test it, but it is in there with the make file now and the distinfo file.

      @stephenw10

      Let me know if you can test that out

      Don't use this. I am having issues with the MASTER SITES and patches folder; it won't make clean install all the way.