@stephenw10 Whats a good method to keep myself informed if a firmware update does come out? Would this come up on the pfSense Security Advisories Mailing List? Anything similar? https://info.netgate.com/pfsense-security-advisories

@luckman212 I see the same thing. At the moment, 25.11 Plus is down to 6 open issues - I just assumed lots of anxious users are checking the status :-)

The default is automatic boot verification. So if you rebootit will automatically verify the boot and disable the watchdog. If it fails to boot for some reason it will hit the watchdog and revert to the last known good BE. You can disable the automatic verification in which case the user must login and manually accept the boot to prevent rolling back the BE. This happens at upgrade because the reboot during upgrade is set for one-time only so a subsequent reboot will roll back. To make that happen during a normal reboot (not upgrade) you would need to select the BE to boot into from the BE menu. Temporarily activate the ZFS Boot Environment one time and reboot https://docs.netgate.com/pfsense/en/latest/backup/zfsbe/gui.html But it will happen at any boot that fails because that BE is then marked as failed to boot and will not be selected until a user clears that.

@marcosm Appreciate all this clarification. Thanks.

@brado7274 said in IPv6 changes aren't written to config.xml or dhcp6c.conf: Known symptom In 2.8.x builds, if: • The configctl binary is missing or broken (configctl: command not found — which you’ve seen), • or the service mapping files under /usr/local/etc/configd/actions.d/ are missing/corrupted, Yeah, that is just plain wrong. Yet the LLM sounds very convincing, as it's designed to be. But obviously that file should still be generated. Just to be clear you initially said you tried testing with only one WAN and still didn't see the file correctly populated. But is that not in fact correct? You only see this with two WANs configured for IPv6?

That must be the console to see the bootloader menu like that. But it's showing serial as default console, is that actually the serial console? That looks like it's just not using the correct console. https://docs.netgate.com/pfsense/en/latest/troubleshooting/boot-issues.html#booting-with-an-alternate-console But, yes, why are you using such an old version?

On a 2100 the WAN has a different MAC so shouldn't be a problem. That can be an issue on the 7100. But, yes, maybe requires a different client identifier?

@johnpoz said in Custom options in unbound (dns resolver) cause syntax error: include wouldn't be part of it Oops. I corrected my post.

@wazim4u said in Captive Portal DB Issue (Active Users VS Active Vouchers ): https://forum.netgate.com/post/1224016 That was the time that when ipfw, a firewall component of FreeBHSD, used for the captive portal as it supported and MAC addresses, was removed. The pf firewall was extended (Netgate added MAC related filtering to pf) and from then on only pf was used. The portal 'glue' code - mostly /etc/inc/captiveportal.inc, PHP, was rewritten so it could dialog with the new pf. Of course, things were not perfect right after this switch. @wazim4u said in Captive Portal DB Issue (Active Users VS Active Vouchers ): https://forum.netgate.com/post/1151842 That's maybe (?) more a resource issue. Throws 10 of thousands of users on a "single web server" - even if it has multiple queues, multiple PHP-fpm instances. And again, "ipfw was better" is mentioned here. @wazim4u said in Captive Portal DB Issue (Active Users VS Active Vouchers ): https://redmine.pfsense.org/issues/15262 Again, the switch from ipfw to pf is pointed. Now some 'me' background info : I don't use vouchers - and I don't have a '10k' portal network. If I have 30 max portal connected users at any time, it's already a lot for me (don't laugh). It's impossible for me to test the portal under a xK user a load. Worse : I don't think that any of the pfSense portal code developers have hand's on experience with sites where that number of users are connected. What I think doesn't have much weight, but : "pf" by itself should be able to handle 10k users just fine. "xK portal users" is maybe a rare thing, a pfSense site with xK ordinary network users is way more common. pf is pretty core for FreeBSD, and, again, imho, can handle the load. Constant insertion into the portal anchoer, or removal, might be something else ... Also : just my point of view, you already know this : pfSense isn't a router/firewall that creates the captive portal functionality. It's the OS of the devices we use that create the portal's functionality. The interface of pfSense the has the portal activate adds two rules : A first rule, which is alias based, that passes all traffic, this rule will also use and apply the portal's GUI firewall rules. A second rule ; "block all". The portal user must be able to visit the portal's IP (using TCP a port like 8080) where it will fuind a web server that offers the user to "enter a voucher code". if this voucher code is valid (accepted), the IP and MAC of this uses is added to the first rule. @wazim4u said in Captive Portal DB Issue (Active Users VS Active Vouchers ): captiveportal_prune_old_automac() Humm. Not sure. I would vote for the big one : captiveportal_prune_old() See this file : /etc/rc.prunecaptiveportal Take notice : this files starts with a $rcprunelock = try_lock("rcprunecaptiveportal{$cpzone}", 3); does it's work : calling : captiveportal_prune_old() in /etc/inc/captiveportal.inc Then unlocks. Suggestion : /etc/inc/captiveportal.inc : [image: 1763395473258-a72c759e-762d-4b85-a931-0b6398f91e03-image.png] You see the variable "$croninterval" , It doesn't even exist in the pfSense config file. It isn't surfaced in the GUI neither ... What happens if you decide that pruning happens every ... 300 seconds instead of 60 seconds ? Have a look at what captiveportal_prune_old() does. It enumerates over all connected users. It uses a SQlight 'PHP' data base file, and collects a list with 'user to be removed', and at the end, removes them from the SQlight database file. While doing so, if applicable, it also does an xml resync ... Btw : it also calls captiveportal_prune_old_automac(). If this pruning process takes 'a lot of time' and at the same time other portal user are logging in ... what happens ? To test for 'race conditions', I have to see them happening. My issue with all this : it's all done using PHP .... that just perfect for a "couple of users". xK users ? "PHP" isn't probably the best choice anymore. My option of course. Anyway, true, there is a list with "big portal users" that experience issues...

@luckman212 said in Why is there an automatic Outbound NAT for ::1/128: NAT it to the routable V6 interface IP assigned to my ix0 LAN And why would it do that, you have it set on what your calling wan6 it was adding NAT rules for some site to site WG tunnels that I already had static routes for No it wasn't.. Unless you set it like that.. Example - I have an wg interface, only traffic that gets natted to that is traffic I route out that interface [image: 1763396222121-nat.jpg]

Well it far higher than even the 1M default we usually set and that is generally far bigger than it needs to be. But you also show only 1400 states which is nothing. If you exhaust the mbufs that would definitely cause a problem. But you should also see that logging an error.

@shady28 Are you maybe looking at IP block list feeds vs DNSBL feeds?

@Draco [image: 1763386090794-7ecdca98-7c98-427f-9ee0-95e7a2c9309e-image.png]

@ameinild Netgate switch to FreeBSD-CURRENT about two years ago. https://docs.netgate.com/pfsense/en/latest/releases/versions.html They wrote a article about it in autumn of 2022: https://www.netgate.com/blog/pfsense-software-is-moving-ahead

@fireodo thank you very much for the help I will look into the sanity check.

Is it just me, or does it seem like the KISS (Keep It Simple [redacted]) answer is to install X-Ray on an officially supported platform or a VPS and tunnel traffic through that?

@slu said in Syslog service in pfSense v2.8.1 often stop itself: @jrey years ago there was a p1 release: https://docs.netgate.com/pfsense/en/latest/releases/2-3-5-p1.html Thanks for the source

Note to self under the latest release I had to set decipher list to cipher_list = "DEFAULT@SECLEVEL=0"