Netgate Discussion Forum
    • I

      check_upgrade: "Updating repositories metadata" returned error code 1

      Problems Installing or Upgrading pfSense Software
      0 Votes
      84 Posts
      12k Views
      H

      I had the same issue for a long time.

      Then I tried pkg update -f and got an error for the SunnyValley repository.
      I figured that I had an old version of zenarmor installed that matches FreeBSD 14 and not 15.
      Upgraded zenarmor to the latest version.

      Haven't had any of the error messages for some time now. Hopefully that was it.

      Maybe this can be helpful to someone.

    • R

      25.03-BETA won't install in SG-2100 (SG-1100 ok)

      Plus 25.07 Development Snapshots
      0 Votes
      13 Posts
      819 Views
      R

      @stephenw10
      Thanks again.
      Well it is full of passwords and pre-shared keys and very detailed stuff but I guess we should find the culprit of it somehow.

      I did find leftovers of lcdproc before, which I cleaned at some point.
      That means that part of the config I am using was migrated from a modified WatchGuard I have used in the past.

      Let me have a look tomorrow.
      It's kind of late now in my timezone.
      Thanks!

    • R

      v2.7.2: Dynamic DNS not working with Cloudflare

      General pfSense Questions
      0 Votes
      11 Posts
      358 Views
      R

      @70tas Indeed the global token does not work anymore, you must use the API token. And then for the login, do not use your email address. As I wrote before: "One must use the Zone ID when using the API token."

      I have this working using the DDNS GUI. I only needed the script for debugging.

    • Qinn

      Feed issue on SWC

      pfBlockerNG
      0 Votes
      7 Posts
      562 Views
      fireodo

      @Qinn said in Feed issue on SWC:

      Got a reply from Dan and here it is solved.

      Thanks for feedback!

    • w0w

      DNS resolver exiting when loading pfblocker 25.03.b.20250409.2208

      Plus 25.07 Development Snapshots
      0 Votes
      124 Posts
      12k Views
      stephenw10

      Good to hear.

    • P

      Now Available: pfSense® CE 2.8.0-RELEASE

      Messages from the pfSense Team
      12 Votes
      112 Posts
      19k Views
      stephenw10

      You can just start a new thread in General pfSense Questions.

    • T

      NAT Reflection Issue with Dual WAN Setup in pfSense 2.7.2

      General pfSense Questions
      0 Votes
      6 Posts
      82 Views
      stephenw10

      The default LAN to any rule should pass that traffic.

      What rule did you add exactly?

    • B

      2.8.0 config.xml won't apply with /etc/rc.reload_all

      General pfSense Questions
      0 Votes
      6 Posts
      120 Views
      stephenw10

      What gets logged when you run that in 2.8?

    • Z

      VPN Client Not Using pfSense DNS Server (10.60.0.252) After Connecting via OpenVPN

      General pfSense Questions
      0 Votes
      6 Posts
      69 Views
      stephenw10

      Because 10.60.0.252 is the server end of the VPN tunnel at pfSense. The local DNS resolver (Unbound) listens and responds on that IP and that is where the override is set.

      Whereas 8.8.8.8 is Google's DNS service that knows nothing about any local overrides you might have set. When clients use that DNS server it bypasses any local DNS overrides.

    • R

      Sudden appearance of SSDP through port 1900 from a public ip

      Firewalling
      0 Votes
      6 Posts
      98 Views
      johnpoz

      @rasputinthegreatest well blocking and not log would just be any any udp to that ff0e::c address or port 1900 anything, etc. And don't have it log.

      As to the scanners - that is a pfblocker alias I have.. And put that in a floating rule.


    • J

      Bricked (and recovered) 4200

      Plus 25.07 Development Snapshots
      0 Votes
      6 Posts
      438 Views
      J

      I would agree. 18 hours in and everything continues to run smoothly. The issue related to image availability I believe is the valid answer and we can close this out as solved. Thanks everyone. -JD

    • P

      SG-1100 as VPN client only (no dhcp) adding to existing network

      OpenVPN
      0 Votes
      6 Posts
      99 Views
      V

      @phthatcher said in SG-1100 as VPN client only (no dhcp) adding to existing network:

      just assure that when the server reaches out to the web it is behind the vpn

      So all you need is to configure pfSense as default gateway on the server.

      The pfSense only needs a single interface (LAN, router-on-a-stick), connected to your LAN.
      On the VPN interface you have to add an outbound NAT rule, as mentioned in the ExpressVPN tutorial.

    • S

      pfSense and Squid going forward?

      General pfSense Questions
      0 Votes
      9 Posts
      324 Views
      JonathanLee

      https://github.com/pfsense/FreeBSD-ports/pull/1420

      Merged. I could not test it, but it is in there with the make file now and the distinfo file.

      @stephenw10

      Let me know if you can test that out.

      Don't use this, I am having issues with the MASTER SITES and patches folder; it won't make clean install all the way.

    • Laxarus

      if_pppoe with frequent connection losses due to ISP connection making firewall unstable

      Development
      0 Votes
      27 Posts
      780 Views
      stephenw10

      You can set the size it rotates at and the number of files to retain in the log settings at Status > Logs > Settings. As long as you have the space you should be able to increase it.

    • L

      Nvidia NIC driver ^tx checksum and tso4 issues^

      Hardware
      0 Votes
      6 Posts
      132 Views
      stephenw10

      Probably just that then. But you should see the set options and capabilities for those NICs like:

      [2.8.0-RELEASE][admin@t70.stevew.lan]/root: ifconfig -vm igb0
      igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
              description: WAN
              options=4e100bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
              capabilities=4f53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>

      So there you can see the NIC is both checksum offload and TSO capable but only checksum is enabled.

    • R

      Sudden appearance of Block IPv4 link-local (1000000101). How to find the cause?

      Firewalling
      0 Votes
      6 Posts
      77 Views
      johnpoz

      @rasputinthegreatest see my edit about devices sending it out even when they have an IP on the network - my directv appliance does that.. But once you have a mac, that should allow you to track it down. Especially if you have a smart switch and it's wired. Where you can look at the mac address table.

      If everything is working and you just don't like the noise in the logs, you can turn those off, either in log settings - I believe new 2.8 allows for not logging link local. Or you could set up a rule not to log it.

    • dennypage

      pimd

      General pfSense Questions
      0 Votes
      6 Posts
      235 Views
      L

      @dennypage, @maximushugus, @louis2, @jeffscott

      Good news!

      I have the PIMD version I compiled yesterday working!!
      Including the related pfSense GUI.

      Now I think I can make it run the way it should in the coming week(??).

      Note that at this moment I still have the following issues:

      1. The warnings at compile time. Surely NOT OK!
         => I do not have the knowledge to fix this, but it is not blocking.
      2. The man directory issue.
         => I have no idea how to solve that. My actual workaround is removing the manual files from package definitions (NOT OK).
      3. Pimd does not run using the GUI.
         => At this moment I have to start pimd from the command line in debug mode and restart pimd after each config change. However, pimd is running and I can access my media server.
         pimd -n -f /var/etc/pimd/pimd.conf --disable-vifs -l debug=all
      4. The firewall rules are not yet as they should be; for the test I just opened too much.

      So I have to sort out things in the coming week/weeks. But I have good hope that I can solve points 3 and 4.

      If someone can solve points 1 and 2, it would be highly appreciated!!

    • JonathanLee

      Snort and GIF0 for HE tunnel broker

      IDS/IPS ipv6 snort he.net gif ips
      0 Votes
      9 Posts
      170 Views
      JonathanLee

      @SteveITS It looks like it is detecting ipv6 better

      already is showing alerts


      It sees some ipv6 going to my interface. Again, snort also would spot stuff every once in a while. My son got a bad bug on his tablet and it had a Russian email server running. I checked it on VirusTotal and it was spot on as malware known abuses, so I reported it.

    • georgelza

      multiple ISP/WAN interfaces

      HA/CARP/VIPs
      0 Votes
      6 Posts
      154 Views
      N

      @georgelza said in multiple ISP/WAN interfaces:

      I want to make it as simple as possible, without me becoming their IT department....

      Well, you ARE their IT department.

      Leave it as it is, if it works why fix it?

    • K

      Can't access port-forwarded/natted services from another local network

      NAT
      0 Votes
      5 Posts
      14 Views
      K

      @johnpoz I see, thanks for explaining and the help!