Netgate Discussion Forum
    • I

      Why is there an automatic Outbound NAT for ::1/128

      NAT
      8
      0 Votes
      8 Posts
      4k Views
      johnpozJ
      @luckman212 said in Why is there an automatic Outbound NAT for ::1/128:
      "NAT it to the routable V6 interface IP assigned to my ix0 LAN"
      And why would it do that, you have it set on what you're calling wan6
      "it was adding NAT rules for some site to site WG tunnels that I already had static routes for"
      No it wasn't.. Unless you set it like that.. Example - I have a wg interface, only traffic that gets natted to that is traffic I route out that interface [image: 1763396222121-nat.jpg]
    • D

      Current pkg repository has a new PHP major version. pfSense should be upgraded before installing any new package.

      Problems Installing or Upgrading pfSense Software
      4
      0 Votes
      4 Posts
      120 Views
      dennypageD
      @d1novak said in Current pkg repository has a new PHP major version. pfSense should be upgraded before installing any new package.: @dennypage Thank you! Worked like a charm. Welcome
    • luckman212L

      udpbroadcastrelay vs mcast-bridge vs mdns-bridge

      pfSense Packages
      4
      0 Votes
      4 Posts
      153 Views
      dennypageD
      @luckman212 said in udpbroadcastrelay vs mcast-bridge vs mdns-bridge: I'm reminded of xkcd 2347... LOL! Closer than you know... I used to be one of those random maintainers in Nebraska. There were actually a handful of us, but we all escaped the state before 2003.
    • dennypageD

      pfSense-pkg-Nexus

      Plus 25.11 Snapshots
      3
      0 Votes
      3 Posts
      94 Views
      N
      @marcosm can you be more specific? What functionality does it hinder?
    • L

      No access to pfSense webgui (suddenly) but SSH works, other clients in VLAN can access

      General pfSense Questions
      3
      0 Votes
      3 Posts
      54 Views
      L
      @stephenw10, thx. I tried now the most obvious thing and booted my PC with a live Ubuntu. Therefore I get the same IP settings from my pfSense DHCP. With Linux I can access the webgui without problems. This makes me assume that my win11 settings are somehow corrupt. Before now resetting my PC or removing manually updates, would you have other suggestions? I already disabled the firewall and AV. netstat shows a TCP connection on 192.168.0.1 port 80 on my PC. I just have the feeling that the packages from pfSense are not handled correctly on my PC. Btw. changing to https didn't change anything. Connection to the vlan gw does not work either (192.168.10.1). This is what I got from the pcap:

      Running packet capture: /usr/sbin/tcpdump -ni ix0.10 -c '1000' -U -w - '((host 192.168.0.1)) and ((not vlan))'
      18:13:14.921601 IP 192.168.0.1.80 > 192.168.10.3.57339: tcp 5043
      18:13:24.501554 IP 192.168.10.3.57339 > 192.168.0.1.80: tcp 1
      18:13:24.501651 IP 192.168.0.1.80 > 192.168.10.3.57339: tcp 0
      18:13:24.501736 IP 192.168.10.3.57339 > 192.168.0.1.80: tcp 0
      18:13:27.022080 IP 192.168.0.1.80 > 192.168.10.3.57206: tcp 5041
      18:13:30.015909 IP 192.168.10.3.57369 > 192.168.0.1.80: tcp 0
      18:13:30.016042 IP 192.168.0.1.80 > 192.168.10.3.57369: tcp 0
      18:13:30.016195 IP 192.168.10.3.57369 > 192.168.0.1.80: tcp 0
      18:13:30.016388 IP 192.168.10.3.57369 > 192.168.0.1.80: tcp 341
      18:13:30.016405 IP 192.168.0.1.80 > 192.168.10.3.57369: tcp 0
      18:13:30.098483 IP 192.168.0.1.80 > 192.168.10.3.57369: tcp 5044
      18:13:31.102586 IP 192.168.0.1.80 > 192.168.10.3.57369: tcp 5044
      18:13:33.346892 IP 192.168.0.1.80 > 192.168.10.3.57369: tcp 5044
      18:13:34.511978 IP 192.168.10.3.57339 > 192.168.0.1.80: tcp 1
      18:13:34.512073 IP 192.168.0.1.80 > 192.168.10.3.57339: tcp 0
      18:13:34.512152 IP 192.168.10.3.57339 > 192.168.0.1.80: tcp 0
      18:13:37.588787 IP 192.168.0.1.80 > 192.168.10.3.57369: tcp 5044
      18:13:40.024986 IP 192.168.10.3.57369 > 192.168.0.1.80: tcp 1
      18:13:40.025073 IP 192.168.0.1.80 > 192.168.10.3.57369: tcp 0
    • _

      Tracking User Interactions in Google Analytics for a Website Opened via an iFrame from a Captive Portal

      Captive Portal
      3
      0 Votes
      3 Posts
      45 Views
      GertjanG
      @_malek said in Tracking User Interactions in Google Analytics for a Website Opened via an iFrame from a Captive Portal: I added all required URLs (including google-analytics.com) to the Allowed Hostnames, Google Analytics still doesn't record any events When you add "Allowed Hostname" to the portal, a DNS lookup is performed and an ( 1 !! ) IPv4 is returned so the pf firewall can filter to 'allow'. Remember: a firewall can't filter host names. Just "IP addresses" (see for yourself: what is in an Ethernet packet header). Guess what: "Google Analytics" isn't one IPv4 - it changes all the time, as that site (service) is used by billions any moment thousands of times per second (everybody wants to do Google Analytics for some reason) so the load is DNS pre distributed / balanced over a lot of (major understatement) IPv4 addresses. https://docs.netgate.com/pfsense/en/latest/captiveportal/allowed-hostnames.html : [image: 1763986053001-41301874-d0e5-4a18-a5fe-8d55e22431f6-image.png] If you manage to get them all, and you add all the possible IPv4s to the "Allowed IP Addresses" list, it might work.
    • R

      Quantum Fiber settings

      General pfSense Questions
      3
      0 Votes
      3 Posts
      67 Views
      R
      @stephenw10 Good Point. The laptop does not have VLAN tagging going on. I'll try playing with it again leaving tagging on for the modem and not turning it on for the router. Thanks, Jason
    • M

      Tool for pfSense + Unifi APs configuration

      DHCP and DNS
      3
      1 Votes
      3 Posts
      101 Views
      M
      @JKnott Of course it's not required. However, when you have lots of devices of the same brand/model, especially IOT, the name they show up as in both pfSense and Unifi by default is not distinctive. Sometimes even duplicate. I have over 40 TP-Link KP125 smartplugs that all showed up as "KP125", for instance. It is impossible to tell which is which in the controller. The 218 Wiz light bulbs use wiz_last 6 of the MAC. So, I created DHCP reservations for each of them, and described them in pfSense. The tool ensures that the description matches. Otherwise, it is a manual process - you have to update it in 2 places. And if you forget, it is very confusing. Especially if you move and repurpose a device, which happens a fair bit with the smartplugs. With 302 Wi-Fi clients, double manual edits did not cut it. Hence why I created the tool.
    • Z

      tcode Kea truncate after comma

      DHCP and DNS
      3
      0 Votes
      3 Posts
      39 Views
      Z
      @Gertjan Thanks for the hint! I saw that I had TCode wrong, but even with the example, PCode still gets truncated:

      {
        "option-data": [
          { "name": "time-offset", "data": "3600" },
          { "name": "tcode", "data": "Europe/Zurich", "always-send": true },
          { "code": 100, "data": "EST5EDT4,M3.2.0/02:00,M11.1.0/02:00" }
        ]
      }

      This is what Wireshark sees:

      Option: (100) PCode
          Length: 8
          TZ PCode: EST5EDT4
      Option: (101) TCode
          Length: 13
          TZ TCode: Europe/Zurich
      Option: (255) End
    • C

      HAProxy- how to send HTTPS IP address to web server, I keep getting errors

      Cache/Proxy
      3
      1
      0 Votes
      3 Posts
      50 Views
      C
      It is added to the backend IIS server logging option. It is not receiving it from HAProxy..
    • J

      Question about the switch configuration on the Netgate 7100

      Deutsch
      3
      1
      0 Votes
      3 Posts
      61 Views
      JeGrJ
      @johndo A question to make sure I understand: you want port 3 to act separately (as its own single port) and have it speak the VLANs x (17, 18, ...) tagged? That is what I'm reading from the config right now? Because you have taken the default VLAN 1 away from it; it is no longer in the list. Only the "Mgmt" (Group 2), but if that is your desired untagged, that is correct. It would also be important to check in the "Ports" section that this is set correctly. As soon as you deviate from the default, the corresponding VLAN mode has to become active there and show the ports correctly. But if it otherwise behaves correctly the way you want, that doesn't look wrong. Cheers :)
    • P

      Traffic on Tier2 Gateway w/out Failover Event

      Routing and Multi WAN
      6
      6
      0 Votes
      6 Posts
      331 Views
      A
      Really appreciate you circling back with the full explanation — this is extremely useful for anyone running multi-WAN with Starlink in the mix.
    • S

      Unable to set unbound option on some options in feeds

      pfBlockerNG
      3
      1
      0 Votes
      3 Posts
      93 Views
      S
      @shady28 Are you maybe looking at IP block list feeds vs DNSBL feeds?
    • N

      Crash on saving after deselecting all allowed ciphers

      OpenVPN
      4
      0 Votes
      4 Posts
      181 Views
      A
      @nobanzai +1

      amd64 15.0-CURRENT FreeBSD 15.0-CURRENT #21 RELENG_2_8_1-n256095-47c932dcc0e9: Thu Aug 28 16:27:48 UTC 2025 root@pfsense-build-release-amd64-1.eng.atx.netgate.com:/var/jenkins/workspace/pfSense-CE-snapshots-2_8_1-main/obj/amd64/AupY3aTL/var/jenkins/workspace/pfSense-CE-

      Crash report details:
      PHP Errors:
      [16-Nov-2025 21:48:05 Europe/] PHP Fatal error: Uncaught TypeError: Form_Select::__construct(): Argument #4 ($values) must be of type array, null given, called in /usr/local/www/vpn_openvpn_client.php on line 942 and defined in /usr/local/www/classes/Form/Select.class.php:31
      Stack trace:
      #0 /usr/local/www/vpn_openvpn_client.php(942): Form_Select->__construct()
      #1 {main}
      thrown in /usr/local/www/classes/Form/Select.class.php on line 31

      I temporarily fixed it. Use diag_edit.php, edit /usr/local/www/vpn_openvpn_client.php & saved history version 4b9165e "Default to an empty array for functions expecting a countable value Do this for foreach() and count()." https://github.com/pfsense/pfsense/blob/4b9165e5ad3f47c36d1dec3a585a60b629bcdc3a/src/usr/local/www/vpn_openvpn_client.php and edit ciphers in client.
    • chpalmerC

      Force TV out opposite WAN

      WireGuard
      3
      0 Votes
      3 Posts
      100 Views
      chpalmerC
      @tinfoilmatt Thanks! I have done that and it worked when forcing just her TV out the Centurylink.. My problem is my local box here. I'm missing something because I can not get it to pass traffic from the WAN to the Wireguard tunnel. I've got some time today so will chip away on my lab setup to see if I can finally accomplish it here first.
    • D

      Block access to webserver, allow just specific addresses

      Firewalling
      3
      0 Votes
      3 Posts
      75 Views
      D
      @SteveITS Thank you for your quick answer!
    • A

      WebGUI inaccessible locally, through TS and multiple browsers.

      webGUI
      8
      1
      0 Votes
      8 Posts
      201 Views
      A
      @Gertjan said in WebGUI inaccessible locally, through TS and multiple browsers.: @almostmagic said in WebGUI inaccessible locally, through TS and multiple browsers.: Anyone else experience this? yep. known (sort-of). Throw "csrf-magic.ph" into : [image: 1763157990105-0ea57f40-d002-4f74-ae86-c5edac43c360-image.png] and hit enter. 3 occurrences. Read ... and you'll know what not to use (use the GUI command line) : use the real one : SSH, or even better : the console access. Thanks. I increased memory beyond what support had suggested earlier, and so far no more errors.
    • H

      Failed Update

      Plus 25.11 Snapshots
      4
      0 Votes
      4 Posts
      186 Views
      M
      Are you able to reproduce this, e.g. by rolling back the BE and trying the update again?
    • H

      pfSense 2.8.1: Kea DHCPv6 IPv6 Static Lease Allocation Fails (ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET) for Known Client, Inconsistent DNS

      Development
      24
      0 Votes
      24 Posts
      1k Views
      H
      @IonutIT thanks
    • R

      pfSense 2.8.1 no packages updates - reason?

      General pfSense Questions
      2
      0 Votes
      2 Posts
      28 Views
      tinfoilmattT
      @ramup The 'available' package versions you note have not yet been merged into the Netgate-hosted CE (private) package repository.