• 0 Votes
    5 Posts
    867 Views
    stephenw10S
    Ah, interesting. Yup AT&T expect to see their own router at the end of GPON/XPON and pfSense could well be doing something that doesn't play well. Obviously it still shouldn't panic like that. The panic appears to be caused by a race condition during removal of an IPv6 address. If the WAN was renewing a lease repeatedly that seems likely.
  • 0 Votes
    2 Posts
    75 Views
    stephenw10S
    That's an ugly error but shouldn't actually cause a problem because pfSense-upgrade itself uses statically compiled versions of pfSense-repoc and pkg. You should still be able to select the 25.07.1 branch there and upgrade to it.
  • How can I develop my own plugins?

    Moved Development
    5
    0 Votes
    5 Posts
    791 Views
    stephenw10S
    Also see: https://docs.netgate.com/pfsense/en/latest/development/develop-packages.html
  • 0 Votes
    44 Posts
    1k Views
    stephenw10S
    Yeah, there's really no point in doing that. You are just accessing the same server via two addresses it's listening on.
  • SSH inaccessible update to version 25.07

    Moved General pfSense Questions
    21
    0 Votes
    21 Posts
    4k Views
    stephenw10S
    So you upgraded the secondary to 25.07 and it didn't hit the same issue?
  • Certificate Renewal Endpoint not working

    Multi-Instance Management
    2
    0 Votes
    2 Posts
    204 Views
    T
    I'll look into this for you. I can renew certificates that I created in the new GUI, but none of the others. It does seem that it uses the CA endpoint to renew regular certificates though. So you should be able to use system/certauth/{refid}/renew until it's fixed.
  • Questions about having overlapping P2s in different tunnels

    IPsec
    2
    0 Votes
    2 Posts
    928 Views
    W
    As long as your local and remote subnet combination in a P2 is unique, there are no problems in IPSec itself, unless you have some remote networks in use locally too. That will conflict, of course. Better keep your subnets not too big, 10.0.0.0/8 might not be the best idea… From what I know, if you have some overlap, say a /24 that overlaps with a /16 (or even /8…) the smaller subnet/more specific route will go first. Hope this helps
  • 0 Votes
    153 Posts
    28k Views
    stephenw10S
    It looks like we are close to finding a solution to the HP DL issue (and likely other hardware).
  • if_pppoe ping works but dns doesn't?

    General pfSense Questions
    25
    0 Votes
    25 Posts
    4k Views
    stephenw10S
    It looks like the interface ends up with 2 public IPv4 addresses, is that expected? There are no large outgoing packets there at all. Something is clearly restricting it. Do you have that parent NIC assigned, for accessing the modem for example? It would be useful to prove you can send large packets on the NIC but outside the PPPoE. A pcap showing the same thing but using the mpd5/netgraph driver for PPPoE instead for comparison would be useful if you can get it.
  • New pfblockerNG install Database Sanity check Failed

    pfBlockerNG
    43
    0 Votes
    43 Posts
    7k Views
    M
    Same issue on 25.07.1 pfBlockerNG-devel 3.2.7
        Database Sanity check [ FAILED ]
        ** These two counts should match! **
        ------------
        Masterfile Count [ 26379 ]
        Deny folder Count [ 26378 ]
  • Strongswan server gets multiple, random connection requests

    IPsec
    1
    0 Votes
    1 Posts
    17 Views
    No one has replied
  • 0 Votes
    91 Posts
    18k Views
    S
    fwiw, after checking a few other systems I am seeing this exact notice on several other 2.8.0 systems. Now I am guessing the above system had the notice before upgrading to 2.8.1.
  • 0 Votes
    2 Posts
    339 Views
    A
    I looked at logs in var/log and am not seeing anything other than a bunch of no routes to host, after reboot following upgrade. Let me know if any other information can help figure this out.
  • pfSense GUI search alpha version for testing

    Development
    11
    0 Votes
    11 Posts
    395 Views
    w0wW
    https://github.com/woffko/pfSense-quick-search/releases/tag/v0.4.6
    Release notes — Quick Search (pfSense)
    - Inline Quick Search in navbar. Compact field (−33% width) with dropdown results (title + path), closes on Esc.
    - Type-to-search. Runs automatically after 500 ms of idle time; ignores queries shorter than 3 chars.
    - Activity indicator. Spinning loupe while typing/searching; click the loupe to rebuild the index and re-run the same query.
    - Language-aware UI. Placeholder and messages are fetched from the backend and shown in the current GUI language.
    - Multilingual matching. Backend normalizes Unicode and supports synonyms/aliases per language (JSON dictionaries), plus XML menu titles; includes package pages (e.g., filer).
    And so on...
  • question about file sharing using wireguard remote access

    WireGuard
    2
    0 Votes
    2 Posts
    464 Views
    P
    Yes
  • Less cache hits report since update of pfsense

    pfBlockerNG
    4
    0 Votes
    4 Posts
    266 Views
    johnpozJ
    @marchand.guy you understand that an update would have cleared the cache - so for sure the numbers would be lower after this. Wait a few days to let your normal browsing habits stabilize.
  • Suricata on Pfsense

    IDS/IPS
    22
    0 Votes
    22 Posts
    3k Views
    JonathanLeeJ
    @bmeeks your work outclasses so many individuals and developers. Your stuff is amazing. Cheers
  • 0 Votes
    2 Posts
    93 Views
    C
    I've solved it with a script and a cron-job in the mean time:
        #!/bin/sh
        # Fetch public IP with debugging
        PUBLIC_IP=$(curl -4 ipinfo.io/ip 2>/dev/null)
        if [ -z "$PUBLIC_IP" ]; then
            logger -t ddns "Failed to get public IP from ipinfo.io"
            exit 1
        fi
        logger -t ddns "Public IP: $PUBLIC_IP"
        # No-IP update
        NOIP_USER="USERNAME"
        NOIP_PASS="PASSWORD"
        NOIP_HOST="SUBDOMAIN.ddns.net"
        NOIP_RESPONSE=$(curl -s "http://$NOIP_USER:$NOIP_PASS@dynupdate.no-ip.com/nic/update?hostname=$NOIP_HOST&myip=$PUBLIC_IP")
        logger -t ddns "No-IP ($NOIP_HOST): $NOIP_RESPONSE"
    But I still want to figure out the official fix of course!
  • calling-station-id attribute question

    OpenVPN
    1
    0 Votes
    1 Posts
    274 Views
    No one has replied
  • 1 Votes
    3 Posts
    271 Views
    GertjanG
    @justme2 Get your SFTP browser, open /usr/local/www/services_dhcp_relay.php
    Or use the console or SSH, and edit /usr/local/www/services_dhcp_relay.php
    Locate :
        if ($dhcpd_enabled) {
            print_info_box(gettext('DHCP Relay cannot be enabled while DHCP Server is enabled on any interface.'), 'danger', false);
        }
    Change for :
        if ($dhcpd_enabled) {
            print_info_box(gettext('DHCP Relay cannot be enabled while DHCP Server is enabled on any interface. !! OVERRIDDEN !!'), 'danger', false);
            $dhcpd_enabled = false;
        }
    Note : the "!! OVERRIDDEN !!" is my personal choice, and not needed. Save.
    Now, for example : I disabled the DHCP server (kea) for this interface : [image]
    Save and Apply.
    Back to DHCP relay, select IDRAC - add a DHCP Relay server : [image] and Save.
    Check :
        [25.07.1-RELEASE][root@pfSense.bhf.tld]/root: ps aux | grep 'dhc'
        root 26880 10.2 0.6 43768 23968 - S 11:18 0:00.10 /usr/local/sbin/kea-dhcp4 -c /usr/local/etc/kea/kea-dhcp4.conf
        root 27281 9.9 0.6 43728 23532 - S 11:18 0:00.09 /usr/local/sbin/kea-dhcp6 -c /usr/local/etc/kea/kea-dhcp6.conf
        root 24435 0.0 0.1 14404 2980 - Is 20Aug25 0:00.02 dhclient: system.syslog (dhclient)
        root 41257 0.0 0.1 14404 3100 - Is 20Aug25 0:00.05 dhclient: ix3 [priv] (dhclient)
        root 51257 0.0 0.1 14308 3460 - SCs 20Aug25 0:39.41 /usr/sbin/syslogd -O rfc5424 -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf -b 192.168.1.1
        _dhcp 51487 0.0 0.1 14408 3268 - SCs 20Aug25 0:05.22 dhclient: ix3 (dhclient)
        root 52757 0.0 0.1 14128 2900 - Is 20Aug25 0:06.00 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c.conf -p /var/run/dhcp6c.pid ix3
        root 56422 0.0 0.1 16812 4776 - Is 11:10 0:00.00 /usr/local/sbin/dhcrelay -id igc2 -iu ix3 192.168.10.1
    The kea DHCPv4 is still running. If all goes well, it doesn't touch/use the igc2 - my "IDRAC" - interface.
    As you can see, dhcrelay is running also - using 'igc2' - my IDRAC interface.
    You'll notice that on the DHCPv4 (kea, as that's what I'm using) there are also red messages showing. [image]
    Also for the LAN, and other interfaces.
    I guess you know now how to make these GUI pages more "smart", and don't show messages if they are not needed.
    On the DHCP Relay GUI page you could even modify the list with shown network, by excluding the networks that have the DHCPv4 active on them. In my case : this list should only show "IDRAC" instead of : [image]
    Btw : I did not test this dhcrelay service. I don't have a network where this is needed / don't know how to use it.
    Also : I presume you can't save DHCPv4 (kea) settings and network pages anymore, as on these pages the test 'is dhcp relay' running also exists (General settings page : just the test, on the interface(s) page - the same PHP file is used for all interfaces the test also exists, and need some love).
    I'll leave it up to you to make something nice, safe and fool proof out of it. Like :
    If you select an interface, like my IDRAC, that has a dhcp relay activated on it, show the red message and don't allow the user to Enable it with an active DHCP server. This is now already the case.
    Make the code a bit smarter by testing the (this) interface is used by dhcp relay, and only allow the DHCP server (kea) to be activated on that interface if it is not used by dhcp relay.
    See /usr/local/www/services_dhcp.php - here : [image] how to make these decisions.