@hfederau good manual to recheck setup -> https://www.wundertech.net/how-to-set-up-tailscale-on-pfsense/

@stephenw10 Going crazy here I , TBH, am not sure whether I have been able to ping my public IP in the past or not. But I made sure I had created a WAN rule for allowing ping. I am not able to ping from my laptop using another internet source. I am not able to ping from the "client" pfsense box that is behind CGNAT As far as the States - I sent screen shots form the running site to site on port 51821 AND I ssent screenshots from the non working connection with the client behind CGNAT 51825 Looks there is some partial traffic but not 2 -way traffic! [image: 1758731961092-image-9-24-25-at-9.10-am-resized.jpeg] [image: 1758731961257-image-9-24-25-at-9.14-am-resized.jpeg] [image: 1758731961412-image-9-24-25-at-12.15-pm-resized.jpeg] [image: 1758732009649-image-9-24-25-at-12.16-pm-resized.jpeg] [image: 1758732009817-image-9-24-25-at-12.21-pm-resized.jpeg] [image: 1758732009972-image-9-24-25-at-12.23-pm-resized.jpeg] NOT SURE about the ping thing -- I have seemingly enabled ping to pass but I can't seem to ping my firewall from any device or any internet source BUT I have running services that are easily accesible from outside - that are coming in via https and haproxy

@jogovogo said in No Internet access with VLAN via OPT1: My first surprise is that I'm now on the firewall, but why? The web server that serves the pfSense GUI runs on all assigned interfaces. When you installed pfSense, there was a pass rule for incoming traffic on the initial LAN interface : it accepts all traffic. When you add more LAN type interfaces, the ones called OPTx, there will be no inital rules, so you can't access anything. DHCP will work as pfSense will add hidden DHCP (UDP port 67 and 68) rules, but nothing else (no http https dns icmp etc etc etc etc). When you add a pas rules for TCP, UDP, etc, things "start to work". When you use addresses like this : [image: 1758697659291-89b7f27a-e729-4579-81c1-cb12989a7d3f-image.png] you use IP addresses. So, even is DNS is not working, then that won't be an issue. Your browser doesn't need to use use DNS (for translating host names to IP addresses) as you already gave an IP. It can contact the device 192.168.151.1 right away. You've allowed TCP IPv4 traffic to port 477, which is apparently your changed your pfSense https web GUI interface port. @jogovogo said in No Internet access with VLAN via OPT1: The issue has been resolved, simply, by restarting the DNS resolver. Euh ...... As you've changed lost of things at the same moment, it's hard to tell why dns (== the resolver) didn't work initially. Normally, when you add an new interface like your OPT1 interface, system processes like DNS (the resolver) gets restarted. The resolver will listen to All Interfaces : [image: 1758698045123-e07276c8-27b7-4a13-b999-ca154f396adf-image.png] by default so it would work right away on the new OPT interface. Again, you still have to add a firewall rule to allow DNS traffic to reach the pfSense DNS port 53 of course.

@perrin This is just switching on maintenance mode on the primary, nothing unusual.

Yup, it's waaaay faster!

@stephenw10 BINGO !! Thanks again as ever. My ISP recently changed the behaviour on the fibre accounts. The upstream gateway showed offline - I changed the monitor IP and - all working - thanks so much!!

@stephenw10 said in Syslog service in pfSense v2.8.1 often stop itself: As a workaround you can prevent the syslogd process seeing the connection rejection message from the server by adding firewall walls. You need to pass the syslog traffic outbound with state set to 'none'. And block the incoming icmp rejection if it's not already blocked. It then just keeps sending to the server. Thanks for the tips

@keyser said in Order of routing: There is a MUCH simpler solution - simply bypass (exclude) that IP from the IPsec policy based route. Wow. Didn't know this as well. Thx.

In addition to the ping issue, there is also an issue where the Gateway address (Gateway IPv6) is not set. Am I the only one for whom the Gateway address (Gateway IPv6) is not set when using if_pppoe? If so, I assume it's due to the uniqueness of setting only IPv6 for one PPPoE session. Specifically, if_pppoe assumes that IPv4 is configured. However, since there is no IPv4 configuration, if_pppoe cannot set the IPv4 Gateway (WAN_PPPOE). It is determined that an error has occurred in the IPv4 Gateway setting, and the IPv6 Gateway (WAN_DHCP6) setting is canceled. Is this guess correct?

I'm not aware of any new issues in isc-dhcpd. It depends how it failed. If it was unable to service requests but was still running it might log an error. If it was just so busy it stopped responding you might see that in the logs. Or, yes, if it just crashed out you might see that in the main system log.

@gambit100 I doubt it is related to your problem, it just caught my eye. The problem is should you ever need to connect to a home.com network, it won't work. That's why they came up with a top level domain name to be used for that sort of thing, in that it will never be assigned to anyone.

@Pagi So I guss, the NAT address changed to the WAN address. Set it to LAN3 address and it should do, what you want.

@JonathanLee guest.arpa - it really should be guest.home.arpa. .arpa was not set a special use tld.. The domain home.arpa was set If you want to use any domain name you want with tld, then use the special use tld .internal I don't think its been fully approved as of yet, but believe an rfc has been submitted.. But guest.arpa for sure is not a special use domain.

@stephenw10 said in Issue with WAN speed negotiation after upgrading from 2.7 to 2.8 or 2.8.1: ifconfig -vvm igb0 So, yes, if the ISP modem/router is set to fixed speed and duplex you will need to configured whatever is connected to it to match that We do not have a switch between ISP modem and Pfsense. we always had configured igb0 through web Gui Interfaces --> igb0 --> Speed and Duplex = 100baseTX full-duplex. This normally configure igb0 to force speed and douplex matching the ISP Router. Note that this is working well on Pfsense 2.7.2. This is why i thing that there must be a problem with the Gui configurations not well applied on Pfsense 2.8.1. ifconfig -vvm igb0 igb0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500 description: WAN options=4e100bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG> capabilities=4f53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG> ether 00:90:0b:72:d8:83 inet X.X.X.X netmask X.X.X.X broadcast X.X.X.X inet6 X.X.X.X prefixlen 64 scopeid 0x3 media: Ethernet 100baseTX <full-duplex> (100baseTX <half-duplex>) status: active supported media: media autoselect media 1000baseT media 1000baseT mediaopt full-duplex media 100baseTX mediaopt full-duplex media 100baseTX media 10baseT/UTP mediaopt full-duplex media 10baseT/UTP nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> drivername: igb0 So we can see that the NIC is 100baseTXfull-duplex capable. (like it worked on pfsense 2.7.2) Testing to set it from command line with no luck : I launched the commands through ssh to be sure to have the right feedback and the command completes normally. ifconfig igb0 media 100baseTX mediaopt full-duplex ifconfig -vvm igb0 igb0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500 description: WAN options=4e100bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG> capabilities=4f53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG> ether 00:90:0b:72:d8:83 inet X.X.X.X netmask X.X.X.X broadcast X.X.X.X inet6 X.X.X.X prefixlen 64 scopeid 0x3 media: Ethernet 100baseTX <full-duplex> (100baseTX <half-duplex>) status: active supported media: media autoselect media 1000baseT media 1000baseT mediaopt full-duplex media 100baseTX mediaopt full-duplex media 100baseTX media 10baseT/UTP mediaopt full-duplex media 10baseT/UTP nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> drivername: igb0

@lifeofguenter Ah. I see that now. I did not realized the windows scrolled. @weehooey your script does not work. When I install qemu-guest-agent it already installs a start script: What you are showing is not what our script does. I can tell you that we tested using the script we provided, and it works on 2.8.1. Perhaps you have not marked your script as executable?

@JKnott I do not expect ATT to change my address, I have had the same IP4 address for over 7 years. Right now I am making sure I understand how PiHole will behave and get in place my DNS blocking to prevent to use of rouge DNS. I suspect to solution will be to block all IPv6 port 53 (except PiHole) and force the use of internal IPv6 and continue to masquerade IP4 rouge DNS requests.

Are you able to test using the debug kernel in 25.11? https://docs.netgate.com/pfsense/en/latest/troubleshooting/debug-kernel.html Those crashes are not very informative unfortunately. The output from the debug kernel should give us more.

@johnpoz said in Why not a CNAME?: But I am not aware of anyway to dynamically change what fqdn a cname record points to other than via a API into the dns.. Or maybe you could script something with unbound-control. Agreed.

@SteveITS yes when I add a subnet to the alias it appears in the table, when I remove the subnet from the alias it disappears in the table. So that works as expected.