Netgate Discussion Forum: Popular topics (all categories, all time)
    • Firewall rules not working for IPsec
      Category: Firewalling. 10 posts, 112 views, 0 votes.
      Latest reply: @SteveITS Seems like this was the issue! This option should be disabled by default. And of course it should be logged.
    • Strange behavior with IPsec tunnel and ESP packets getting blocked
      Category: IPsec. 9 posts, 95 views, 0 votes.
      Latest reply: @thespirit I don't think it is really a bug. If it was changed so the auto-added rules were not overridden by a block-all rule, then that would be equally confusing, as block all wouldn't mean block all. The way the code which generates the rules works, it is pretty clear that user-added rules should always take priority; it probably just needs to be mentioned in the documentation somewhere.
    • Fios DHCPv6 Issues
      Category: IPv6. 9 posts, 154 views, 0 votes.
      Latest reply by JKnott: @rpm5099 said in Fios DHCPv6 Issues: "I'm assuming you are using the LLT method where your DUID is based on MAC and timestamp?"
      I don't think the MAC is used. In those 7 years, I've changed both the computer I run pfSense on and my cable modem. Also, when my prefix changed, almost 7 years ago, it was because there was a problem at my ISP that messed up IPv6 for everyone connected to the CMTS I was on. In my testing, I had identified the failing CMTS, but it took some effort to get them to fix it.
    • Outbound ping problem to DNS Filter servers
      Category: NAT. 9 posts, 90 views, 0 votes.
      Latest reply: @njc :) here's a couple
    • Netgate blocked my public IP on ACB
      Category: General pfSense Questions. 8 posts, 48 views, 0 votes.
      Latest reply by stephenw10: It wasn't ACB it was hitting, it was the repo data servers. As though it was running 'pfSense-repoc' continually, or multiple devices running it. Let me see....
    • pfSense 25.11RC does not like IPv6 turned off?
      Category: Problems Installing or Upgrading pfSense Software. 8 posts, 146 views, 0 votes.
      Latest reply by stephenw10: Yes, if you can replicate it in 25.11RC by simply disabling allow IPv6. Look at the system logs for errors. Try running Status > Filter Reload and see where it errors. I still can't generate that error here even on systems with NAT64. So it seems likely you have some other unusual rule. Are you able to upload your ruleset to us for testing? If so please upload the /tmp/rules.debug file here: https://nc.netgate.com/nextcloud/s/cFFWNHnLdm3rXtQ
    • new pc can't access dotnet.microsoft.com ?ipv6
      Category: IPv6. 7 posts, 72 views, 0 votes.
      Latest reply by Gertjan: @ahole4sure A Plan B exists. Make a list with known sites that don't want you to use (your) IPv6. The issue has been known for years and, as already mentioned in the reasons above, some sites don't 'like' the he.net IPv6 addresses.
      If you have pfBlockerNG installed, go here: Firewall > pfBlockerNG > DNSBL. First, be sure you use Python mode, not the unbound mode. Next: [image]
      Check 'No AAAA', and fill in the list with host names (sites) that you don't want to visit using IPv6. After all, before one of your devices connects to a site, it will resolve the destination host name first. As most if not all devices prefer AAAA (IPv6), they will ask for that first, and if needed, fall back to the A record (IPv4). If there is an AAAA (IPv6) address, that's what gets used.
      Now comes the trick: pfBlockerNG does DNSBL, so it can block AAAA for listed sites. Your device will fall back to IPv4, and all is well. In the past, Netflix was one of those sites: it didn't want you to use the he.net IPv6 networks.
      Plan A would be of course: "Frontier fiber internet does not have IPv6". Break your commercial relations with this Frontier ISP. If they ask for a reason, tell them.
    • Dual WAN DHCP Issues
      Category: General pfSense Questions. 16 posts, 361 views, 0 votes.
      Latest reply: @stephenw10 That worked, thanks.
    • Crippled upload speed on 6100
      Category: Official Netgate® Hardware. 7 posts, 170 views, 0 votes.
      Latest reply: Check the MTU for the WAN interface; not all ISPs are ok with 1500 and need a lower value.
    • IPv6 changes aren't written to config.xml or dhcp6c.conf
      Category: IPv6. 17 posts, 426 views, 0 votes.
      Latest reply by brado7274: @stephenw10 That is correct. The adding of the second WAN/LAN was what caused it. I have not encountered this with only one WAN/LAN in play, which is why I ultimately pulled the second WAN/LAN completely and am (for the temporary present) not running it through pfSense.
    • Console access with MacOS 26.1?
      Category: General pfSense Questions. 6 posts, 69 views, 0 votes.
      Latest reply: With previous macOS versions, the FTDI and Prolific drivers were built in and all one needed to do was download a serial console app like CoolTerm. https://freeware.the-meiers.org
    • I cannot use Google Analytics for captive portal
      Category: Captive Portal. 13 posts, 2k views, 0 votes.
      Latest reply by Gertjan: @_malek said in I cannot use Google Analytics for captive portal: "I know DNS and DHCP work as expected, but standard GA scripts seem completely blocked in this pre-auth phase."
      The device using the GA (?) script, or the GA script, isn't portal aware. Be aware: most of the portal support isn't what pfSense does. The actual portal support must be built into the device you use. Most recent OSes are portal aware, but there can still be 'programs' (processes) that 'see' the Ethernet interface is 'up', so an 'Internet connection' must be there. This is a wrong assumption. You don't do "Google Analytics" or anything else for that matter before the user has been authenticated on the portal. Like unlocking your phone before using it, or leaving the toilet before unlocking the door.
      @_malek said in I cannot use Google Analytics for captive portal: "or is it technically impossible due to browser/portal restrictions?"
      A good browser is portal aware by itself. Stupid browser plugins might exist that break this. That's not new.
      @_malek said in I cannot use Google Analytics for captive portal: "or is it technically impossible"
      The portal can have "Allowed IPs" and "allowed host names" lists: these two destination types (both are eventually the same: a list with IPs) will pass through the portal firewall even when the user (device) hasn't been granted portal access yet. So it's a matter of 'find all the IPs' and you're done. The thing is: you want to use services from the "big ones" (Meta, Google, Microsoft, Apple, etc.) and that is hard. These guys have thousands of IPs, entire AS sections, and they swap them in and out all the time.
      Basically, what you are trying to do isn't the correct way. If you have to use "Google Analytics" because, for example, you sold your users' device Internet usage to Google, don't put these devices behind a portal. Or tell the users that they should connect first, and then and only then they can do what they have to do. Like: before driving a car, they have to start it first. They'll understand.
      The portal is just a concept that gives you the control over "who is using your Internet resources". For example, I have a hotel, so I want to offer an Internet connection to my hotel clients as an extra service. Not everybody surrounding the hotel. After all, I am still somewhat (more or less) responsible for what these strangers 'do' with 'my' connection. Once connected, the entire 'Internet' opens up for them. They can even launch nukes if they have the credentials to do so. What they are doing isn't my business. If needed, I can route all portal traffic out over a VPN connection, so my hotel visitors, who use my ISP WAN IP (!), won't blacklist my (static) WAN IP. This rarely happens though, as the portal adds (I think) a strange effect to them: they think they are watched ^^
    • DHCP Lease Pool Exhausted and Disabled Leases not deleted
      Category: DHCP and DNS. 6 posts, 73 views, 0 votes.
      Latest reply by johnpoz: @jbariyo said in DHCP Lease Pool Exhausted and Disabled Leases not deleted: "9-5 environment you can give 8 hours and 9 hours respectively i configured this today"
      The default is 2 hours; what did you have it set to before? You understand you could set it to 30 minutes or something if you wanted to. If a client is still on, they will just renew it. There is little need to set it for the length of the work day.
      If your scope is oversubscribed, i.e. more clients than you have IPs, then you're going to have a bad day if more clients are trying to be on at the same time than you have IPs. How many clients do you have total? You should probably set up your network to have more IPs than that. Be it you increase the scope size out of your network, or increase the network size by increasing the mask from say a /24 to a /23 or even a /22.
      Are these wireless clients? If clients are changing their MACs on you, then yeah, you could run through more IPs via DHCP than you actually need. If so, I would make a short lease so that if a client rotates its MAC, the old lease expires quickly so it could be re-used. Do you have idiot users? (this is a given normally) where they have both wired and wireless at the same time, that are in the same network?
      edit: As @Gertjan mentioned, maybe the client is borked. I would look into a specific client when they complain this is happening. Are you really out of leases? Is the client getting a 169.254? This is what a client will normally give itself when it's set for DHCP and cannot get a lease. Are you getting clients with duplicate IPs? I would look into the details of a specific failure so you better understand what is happening. Is there currently a lease for that client and it's just not renewing and using up new leases, etc.? What dhcpd are you using, ISC or Kea? Maybe there is an issue with reusing expired leases? More info on what is actually going on is always helpful.
      But yeah, if you are oversubscribed you either need to allow for more IPs, or use really short lease times, and just actually hope you never have more clients on at the same time than you could possibly supply IPs for.
    • I need to restart tailscale service after pfsense reboot
      Category: Tailscale. 10 posts, 372 views, 0 votes.
      Latest reply: @Wolf666 Thank you, I will try it. Unfortunately, since I had already replaced the contents of /usr/local/etc/rc.d/tailscaled and it had been working so far, I will not be able to tell which of the two solved the problem. And of course, I can't find a copy of the old .../rc.d/tailscaled. Therefore, if none of this works, it will require yet another delete and reinstall of everything Tailscale in my system.
    • KEA DHCP stays on the standby FW
      Category: Deutsch. 5 posts, 62 views, 0 votes.
      Latest reply by JeGr: @BlaSh said in KEA DHCP stays on the standby FW: "Hi. As far as I can see, KEA has nothing at all to do with CARP, right?"
      Say what now? Why would Kea have nothing to do with HA? Or with CARP? In a cluster that is of course relevant; your gateway, your DNS etc. is a cluster IP after all. Your Kea should normally run HA in a cluster (that's why you have one) etc. etc. Kea explicitly has a CARP/HA configuration that should be set. How else is it supposed to know who has to do the job and who doesn't? :) Cheers
    • pfsense UI hangs up and internet stops working until device is restarted.
      Category: Routing and Multi WAN. 8 posts, 173 views, 0 votes.
      Latest reply by Gertjan: @kan84 Also use pfSense's best interface: not the GUI, the console access! You can see the state of your interfaces, and by inspecting the log file you can see what's going on.
    • Unable to upgrade or install pfsense
      Category: Problems Installing or Upgrading pfSense Software. 5 posts, 49 views, 0 votes.
      Latest reply by stephenw10: It's an upstream EFI bootloader issue.
    • PHP error in CARP mode
      Category: Deutsch. 4 posts, 41 views, 0 votes.
      Latest reply by JeGr: @Echoslave said in PHP error in CARP mode: "I ran the IP scanner over it, but everything seems to be fine. The rules are the same on both machines."
      What kind of IP scanner, and what exactly is it supposed to do or scan/show? An external scan doesn't tell you whether something in the cluster is misconfigured :) CE is important, for example, because Plus has a newer version and other features, so those can already be ruled out as the cause. Are both of them hardware boxes? Both with CARP addresses on all sides? All set up cleanly etc.? VHIDs in conflict? CARP can go wrong in many ways if you don't pay attention to every point :) And what about these broken MACs, where does it say that? Cheers
    • WebGUI Crash on Reboot, CARP Issues, and WireGuard Package Hangs
      Category: General pfSense Questions. 4 posts, 27 views, 0 votes.
      Latest reply by stephenw10: They still show as tagged correctly in the VLAN? Do you see the secondary sending CARP advertisements at the slightly longer interval? Mmm, just one VLAN on a NIC is odd indeed. Seems to rule out any sort of hardware issue.... unless maybe it's hardware VLAN tagging. Does it see other traffic arrive on that VLAN when it fails? Which NICs are the VLANs on? Always on the same NIC type?
    • pfsense & nested router with NAT off, ping pfsense > laptop works, ping laptop > pfsense does not, echo request is received but not replied to
      Category: Routing and Multi WAN. 4 posts, 29 views, 0 votes.
      Latest reply: Ok, got it: on the allow IPv4 rule it was set to allow from port2 networks. My nested router isn't a port2 network, so it would never be passed on and thus hit the default deny. Switched that to any source network as a test and it worked.