@nicolasfo said in [RESOLVED] IPSec tunnel OK but routers can't ping each others:

You can know everything about everything thanks to Google. But if you don't know what to search, it is useless.

The problem is resolved, by adding a bogus route, by hand.

Here's the explanation :

https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN

Thanks for help

Oh my god this worked! Created an account just to say THANK YOU for this. I have a pfSense<->Unifi connected via IPSec. Applying it on the pfSense side makes pfSense->Unifi direct gateway/FW connection possible. Applying it on the Unifi side made my IPSec work perfectly.

Again, thank you!

@drodgers Hey. I'm going through this exact thing now with Vodafone and pfSense and struggling. I've replicated your settings but it seems very intermittent.

My clients get ipv6 addresses and can ping out fine however browsing this forums dies because it responds with and ipv6 address.

For some reason as soon as I enable ipv6 netflix and paramount also stop streaming 🤦 They browse fine but as soon as you try to play a video it's a no go.

Any ideas or pointers please or could you post your most recent working config please?

I had same issue for a long time.

Then I tried pkg update -f and got an error for SunnyVally repository
I figured that I had a old version of zenarmor installed that matches the FreeBSD 14 and not 15.
Upgraded the zenarmor to the latest version.

Haven't had any of the error messages for some time now. hopefully that was it.

Maybe this can be helpfull to someone.

For 25.07 RC, this worked for me (run sh first)

[25.07-RC][root@r1.lan]/root: sh # export IGNORE_OSVERSION=yes # pkg add https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.84.2.pkg # service tailscaled restart # tailscale up # tailscale version 1.84.2 go version: go1.24.4 # tailscaled -version 1.84.2 go version: go1.24.4

I saw where the Netgate kernel developer updated the Suricata package in the pfSense 25.07 development branch to work with the new kernel PPPoE driver. But so far as I know that updated package has not been migrated to 2.8 CE.

Here is the commit into the DEVEL branch: https://github.com/pfsense/FreeBSD-ports/commit/68a06b3a33c690042b61fb4ccfe96f3138e83b72.

@cdal

This could be a great security improvement ... It's the only way to do MFA with "LDAP/AD" backend for exemple (using oauth 2 proxy for exemple)

@rocket

Updated July 20-2025

pfsense 24.11 - Telegraf freebsd-15

pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/telegraf-1.35.1.pkg

pfsense 2.7.2 - Telegraf freebsd-14

pkg add -f https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/telegraf-1.35.1_1.pkg

https://www.freshports.org/net-mgmt/telegraf/#history

@Laxarus This worked for me as well. Though I had to search the web how to edit the file (the easiest way).

Therefore:

Addition for anyone struggling to find where to edit files on your pfsense system.

Go to Diagnostics --> Edit File --> insert the location of the file:

/usr/local/pkg/pfblockerng/pfblockerng.sh

Go to line number 1232 by filling it in the Go to line field.

That line should read:

s1="$(grep -cv ^${ip_placeholder2}$ ${masterfile})"

replace only (leave the rest intact):

masterfile

to

mastercat

Then follow the above instructions from @Laxarus https://forum.netgate.com/post/1219635

@Nicholas97 Sticky connections are not enabled. Gateway status is fine. Weights for each LAN are set to 1 which should be fine for 2x gigabit connections and total bandwidth used of less than 1gbps. Will look at the logs but will have to figure out what I'm looking for ... will report back.

I have read the multiwan load balancing docs pretty well and searched the forums here before posting this originally. Unless there are other pfsense forums you're referring to?

Hmm, but they are policy based tunnels? And 300 Phase 1 configs not a total of 300 Phase 2 configs for example?

I'm not aware of any issue in 2.8 that might present like that for IPSec.

@70tas Indeed the global token does not work anymore, you must use the API token. And then for the login, do not use your email address. As I wrote before: "One must use the Zone ID when using the API token."

I have this working using the DDNS GUI. I only needed the script for debugging.