Indeed the memory can be an issue especially with larger upgrades. The memory usage during ZFS upgrades has been improved in 25.07 (to be released soon) to address the issue. You can check the system log for signs of processes being killed abruptly. If however you're still using UFS it's more likely to have been some other issue.

@stephenw10 Thanks. Just finished the reinstall and have Plus.

I made a mistake in my config, for the local network in the VPN config I enter 192.168.0.1/24 and should have been 192.168.0.0/24

I resolved this by accepting the T+Cs via https://www.maxmind.com/en/accounts/1205389/geolite2/eula

I am on 24.11. I have several consoles at home, PS5, PS4, Nintendo's. No issues at all. I just assigned a fixed IP to them put those IP in the ACL allow list. Outbound NAT with static port for the consoles. The only "issue" is that port mappings remain there for days. I have to manually cancel them. At the moment I did not find any solution to remove them via cron job scripts.

Now, I can start configure more rules on the FW + connecting the Netgate directly to my ISP Modem. Great Is there a recommende list of FW settings laying around? I saw several of the Youtube videos where they kind of had their own focus. Based on the description, this would be a GUEST network. Here’s an example for you: Note: GUEST users are not allowed to use pfSense’s DNS server. Instead, I’m using DHCP to provide a public DNS server for them. [image: 1753873577326-5f99a867-d081-4c33-ac6a-de697d0826fb-image.png] Internal network alias is an alias that contains all my local networks.

@scotrod said in Dynamic DHCP lease not visible outside of ARP table: That's how we started. At this point I have no way of showing dynamic leases anywhere but the ARP table and I expect to see that under DHCP leases. Also, assigning a static lease on a particular MAC address won't work (I've tried that several times) until i check the Create an ARP Table Static Entry for this MAC & IP Address pair. checkbox. I don't know if that's by design, but if it is, it's just a dumb design. Not needed because not related - and sure enough not by design. I never look at the ARP page ... Also : look at my ARP table : [image: 1753864634193-ee416d17-5007-48b3-9b60-a2bd51ba2818-image.png] ARP requests are cached (on pfSense) and stay valid for (default) 1200 seconds = 20 minutes. The ARP relation IP <=> MAC has nothing to do with the fact that the IP was obtained originally by a static IP assignment, or or DHCP request (static MAC or dynamic). See here for a nice example. Not a solution, but this would help you : Nearly all my LAN devices have a static MAC DHCP setup, so my NAS, printers, airco, all the networked LAN PCs and other stuff I need to access to control have a 'fixed' but DHCP assigned IP = static MAC DHCP. You could do the same for your setup if the network isn't very big. As you don't change all your equipment very often, this is a one time job. I don't care, for my network, if I I don't see the IPv4 of a device that is merely visiting for a while, and then vanished, like the phone IP of a friend that uses my network. I'm not going to connect to his IP anyway, neither sharing info with it etc. According to this blog post, kea DHCP worked since Plus 23.09. This means that classic dynamic leases woild be served, and shwon on the leases page. Back then, as shown in the "restrictions" list, static MAC leases weren't even supported yet. That changed with 24.11 - and yiou' shwon that that part works. So : imho, your issue isn't "kea" (as we both use it - and it works for me). There must be some setting somewhere that explains this all ....

@stephenw10 My connection dropped tonight. ISP logged it as a "Planned PPP restart". I uploaded a log to the link here. Maybe it's helpful? It was only my CityFibre connection which did not reconnect. FTTC reconnected OK. Both use PPPoE and both are with A&A. Rebooting the appliance brought it back up.

I decided to check out the repo to see what build looks like for CE. I noticed that 2.8.0-RELEASE is still not an available branch in the repo. The master branch version is currently 2.9.0-DEVELOPMENT. Is netgate going to post the 2.8.0-RELEASE branch for the main package and FreeBSD-src?

Hmm, you should be able to check that. When you add a server there it should be added to /etc/resolv.conf. If it has a gateway set for it you should see a static route added for the server IP via that gateway in the routing table (Diag > Routes).

Yes both nodes would have to have the same WG config.

@ebcdic What software/hardware are you using to publish? If you haven't looked at WeeWX, you might give it a try as it would certainly address the issue. Just a thought.

@clearscreen said in Avahi trying to broadcast on public interface?: Then, I'm not sure what'd cause Avahi to publish on the public interface. It stems from Avahi's use of a single socket bound to all interfaces, which leaves a lot of room for problems. mDNS-Bridge uses individual sockets bound to each configured interface which precludes these kind of issues.

Upgrading from the local console is always the safest way. That is using the root user. More importantly you will see all the output from upgrade including after the reboot. So if there's some issue with hardware in the new OS version you will see it and be able debug.

Mmm, so prevent source tracking for specific IPs or subnets? I did wonder if sticky connections could be per gateway group. That seems like it should be possible. You could then use rules to route specific clients or subnets to a non-sticky group.

@SteveITS Yep. The address in that /29 was given by DHCP.

@bigsy Nice! Thank you for the update.