@kan84 Use also pfSense best interface : not the GUI, the console access ! You can see the state of your interfaces, and by inspecting the log file you can see what's going on.

It wasn't ACB it was hitting it was the repo data servers. As though it was running 'pfSense-repoc' continually, or multiple devices running it. Let me see....

Yes, if you can replicate it in 25.11RC by simply disabling allow IPv6. Look at the system logs for errors. Try running Status > Filter Reload and see where it errors. I still can't generate that error here even on systems with NAT64. So it seems likely you have some other unusual rule. Are you able to upload your ruleset to us for testing? If so please upload the /tmp/rules.debug file here: https://nc.netgate.com/nextcloud/s/cFFWNHnLdm3rXtQ

@BBcan177 Thank you for the kind reminder; I am so accustomed to ensuring Save Settings is checked that I didn't follow your instructions properly (thanks @tinfoilmatt for uploading and highlighting the screen shot). I've properly followed the instructions and the update did not report and db problems. Thank you again! drac

The default is automatic boot verification. So if you rebootit will automatically verify the boot and disable the watchdog. If it fails to boot for some reason it will hit the watchdog and revert to the last known good BE. You can disable the automatic verification in which case the user must login and manually accept the boot to prevent rolling back the BE. This happens at upgrade because the reboot during upgrade is set for one-time only so a subsequent reboot will roll back. To make that happen during a normal reboot (not upgrade) you would need to select the BE to boot into from the BE menu. Temporarily activate the ZFS Boot Environment one time and reboot https://docs.netgate.com/pfsense/en/latest/backup/zfsbe/gui.html But it will happen at any boot that fails because that BE is then marked as failed to boot and will not be selected until a user clears that.

@ahole4sure A Plan B exists. Make a list with known sites that don't want you to use (your) IPv6. The issue is known for years and as already mentioned reasons above, some sites don't 'like' the he.net IPv6s If you have pfBlockerng installed, go here : Firewall > pfBlockerNG > DNSBL First, be sure you use Python mode, not the unbound mode. Next : [image: 1764058931964-7cc5259a-1778-4c85-a9a1-aacb3a6f1fae-image.png] Check 'No AAAA', and fill in thelist with host names (site) that you do'nt want to visit using IPv6. After all, before one of your devices connects to a site, it will resolve the destination host name first. As most if not all devices prefer AAAA (IPv6) they will ask that first, and if needed, to fall back, the A record (IPv4). If there is a AAAA (Ipv6) addresses, that's what gets used. Now comes the trick : pfBlockerng does DNSBL, so it can block AAAA for listed sites. You device will fall back to IPv4 - and all is well. In the past, Netflix was one of those sites : it didn't want you to use the he.net IPv6 networks. Plan A would be of course : Frontier fiber internet does not have ipv6 Break your commercial relations with this frontier ISP. If they ask for a reason, tell them.

Check the MTU for the WAN Interface, not all ISPs are pk with 1500 and need a lower value.

@Wolf666 Thank you, I will try it. Unfortunately, since I had already replaced the contents of /usr/local/etc/rc.d/tailscaled and it had been working so far, I will not be able to tell which of the two solved the problem. And of course, I can't find a copy of the old .../rc.d/tailscaled. Therefore, if none of this works, it will require yet another delete and reinstall of everything Tailscale in my system.

@KevCar87 You might be able to make your preference, policy based or route based (VTI), work... pfSense documentation on policy based (tunnel mode) Otherwise, per that first warning box ("NAT is not currently compatible with route-based VTI IPsec tunnels without configuring an IPsec Filter Mode which is incompatible with tunnel-based IPsec."See Advanced IPsec Settings for details.")... pfSense documentation on VTI ...route based (VTI) will require additional configuration beyond what the WatchGuard documentation appears to cover (more specifically here under "IPsec VTI Filtering").

@_malek said in I cannot used google analytics for captive portal: I know DNS and DHCP work as expected, but standard GA scripts seem completely blocked in this pre-auth phase. The device using the GA (?) script, or the GA script isn't portal aware. Be aware : most of the portal support isn't what pfSense does. The actual portal support must be build into the device you use. Most recent OS's are portal aware, but there can still be 'programs' (processes) that 'see' the Ethernet interface is 'up' so a 'Internet' connection' must be there. This is a wrong assumption. You don't do "Google Analytics" or anything else for that matter before the user has been authenticated on the portal. Like unlocking your phone before using it, or leaving the toilet before unlocking the door. @_malek said in I cannot used google analytics for captive portal: or is it technically impossible due to browser/portal restrictions? A good browser is portal aware by itself. Stupid browser plugins might exists that break this. That's not new. @_malek said in I cannot used google analytics for captive portal: or is it technically impossible The portal can have "Allowed IPs" and "allowed host names" lists : these two destinations types - both are eventually the same : a list with IPs - will pass through the portal firewall even when the user (device) hasn't been granted portal access yet. So it's a matter of 'find all the IPs' and your done. The thing is : you want to use services from the "big ones" (Meta, Google, Microsoft, Apple, etc) and that is hard. These guys have thousands of IPs, entire AS sections, and they swap them in and out all the time. Basically, what you are trying to do isn't the correct way. If you have to use "Google Analytics" because, for example, you sold your user's device Internet usage to Google, don't put these devices behind a portal. Or tell the users that they should connect first, and then and only then they can do what they have to do. Like : before driving a car, they have to start it first. They'll understand. The portal is just a concept that gives you the control "who us using your Internet resources". For example, I have a hotel, so I want to offer an Internet connection to my hotel clients as an extra service. Not everybody surrounding the hotel. After all, I am still somewhat (more or less) responsable for what these stranger 'do' with 'my' connection. Ones connected, the entire 'Internet' opens up for them. They can even launch nukes if they have the credentials to do so. What they are doing isn't my business. If needed, I can route all portal traffic out over a VPN connection, so my hotel visitors , who use my ISP WAN IP (!) won't blacklist my (static) WAN IP. This rarely happens though, as the portal ads - I think - a strange effect to them : they think they are watched ^^

@jbariyo said in DHCP Lease Pool Exhausted and Disabled Leases not deleted: 9-5 environment you can give 8 hours and 9 hours respectively i configured this today The default is 2 hours - what did you have it set to before.. You understand you could set it to 30 minutes or something if you wanted to.. If a client is still on they will just renew it. There is little need to set it for length of the work day. If your scope is oversubscribed - ie more clients than you have IPs then you going to have a bad day if more clients are trying to be on at same time than you have IPs. How many clients do you have total.. You should prob setup your network to have more IPs than that. Be it you increase the scope size out of your network, or increase the network size by increasing the mask from say a /24 to a /23 or even a /22 Are these wireless clients? If clients are changing their macs on you - then yeah you could run through a more IPs via dhcp than you actually need. If so would make a short lease so that if client rotates their mac the old lease expires quickly so it could be re-used. Do you have idiot users? (this is a given normally) where they have both wired and wireless at the same time - that are in the same network? edit: As @Gertjan mentioned maybe the client is borked - I would look into a specific client when they complain this is happening. Are you really out of leases, is the client getting a 169.254? This is what a client will normally give itself when its set for dhcp and can not get a lease. Are you getting clients with duplicate IPs? I would look into the details of a specific failure so you better understand what is happening. Is there currently a lease for that client and it just not renewing and using up new leases, etc. What dhcpd are you using isc or kea? Maybe there is an issue with reusing expired leases? More info on what is actually going on is always helpful.. But yeah if you are oversubscribed you either need allow for more IPs, or use really short lease times.. And just actually hope you never have more clients on at the same time than you could possible supply ips for.

@stephenw10 Yes, same box, same hypervisor. sip, ssh, rdp, web, everything works fine over dco for those on the same hypervisor (and the same subnet) Whatever lies outside the box and the same subnet only icmp works (to either the behind the dco vpn or anything on the internet behind pppoe. Same lan stations policy routed to another dhcp wan connection work FINE. And again. reverting to previous version and uploading the SAME config file resolves ALL issues.

@EDaleH Thanks for your input on this matter. This issue is not related to the DHCP server, especially KEA DHCP. We are still on pfSense 2.6 as mentioned, so ISC DHCP is in use, and there are no lease problems. Lease times are already configured correctly. The core reason that @Gertjan pointed out is correct and seems to be the right direction to get this resolved. It doesn’t affect everyone, but systems under heavy load during peak hours are the ones that usually run into it. The issue is a race condition under load. If the pruning process takes a long time to enumerate and remove old entries, and a new session or disconnection occurs, or if the process is interrupted or times out, the lock file may remain or the process might not finish its database write cleanly. This can leave the system in a partial state where the voucher record is removed but the session is still present. I also believe this issue also exists in pfSense+ since the captive portal code is same in the areas related to this behavior.

That must be the console to see the bootloader menu like that. But it's showing serial as default console, is that actually the serial console? That looks like it's just not using the correct console. https://docs.netgate.com/pfsense/en/latest/troubleshooting/boot-issues.html#booting-with-an-alternate-console But, yes, why are you using such an old version?

@Gertjan said in Not sure this is normal: stashed somewhere in an obscure registry key Not sure I would call obscure Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config

@Averlon Indeed. There are valid use cases for both options. Thanks for the feedback

@BlaSh said in KEA DHCP bleibt auf Standby-FW: Hi. Soweit ich das sehe, hat doch KEA gar nichts mit CARP zu tun, oder? Say what know? Warum sollte Kea nichts mit HA zu tun haben? Oder mit CARP? In einem Cluster ist das natürlich relevant, dein Gateway, dein DNS etc. ist ja ne Cluster IP. Dein Kea soll normalerweise HA laufen in einem Cluster - darum hat man ja einen - etc. etc. Kea hat ja explizit eine CARP/HA Konfiguration die gesetzt sein sollte. Wie soll er sonst wissen, wer den Job zu tun hat und wer nicht? :) Cheers

It's an upstream EFI bootloader issue.

@stephenw10 I tried ppp-ipv6 pppoe0 up and it made no difference. In my case IPv6 works fine, its just the gateway monitoring doesn't go 'online', so I need to restart the Gateway service. IPv6 may continue to work in my case because the subnets are hard coded in the LAN pages, so configuration is manual of IPv6 addresses for each LAN, and the ISP just sends through anything in my /48. Hope that helps.

@fireodo thank you very much for the help I will look into the sanity check.