The default is automatic boot verification. So if you rebootit will automatically verify the boot and disable the watchdog. If it fails to boot for some reason it will hit the watchdog and revert to the last known good BE. You can disable the automatic verification in which case the user must login and manually accept the boot to prevent rolling back the BE. This happens at upgrade because the reboot during upgrade is set for one-time only so a subsequent reboot will roll back. To make that happen during a normal reboot (not upgrade) you would need to select the BE to boot into from the BE menu. Temporarily activate the ZFS Boot Environment one time and reboot https://docs.netgate.com/pfsense/en/latest/backup/zfsbe/gui.html But it will happen at any boot that fails because that BE is then marked as failed to boot and will not be selected until a user clears that.

@marcosm Appreciate all this clarification. Thanks.

@brado7274 said in IPv6 changes aren't written to config.xml or dhcp6c.conf: Known symptom In 2.8.x builds, if: • The configctl binary is missing or broken (configctl: command not found — which you’ve seen), • or the service mapping files under /usr/local/etc/configd/actions.d/ are missing/corrupted, Yeah, that is just plain wrong. Yet the LLM sounds very convincing, as it's designed to be. But obviously that file should still be generated. Just to be clear you initially said you tried testing with only one WAN and still didn't see the file correctly populated. But is that not in fact correct? You only see this with two WANs configured for IPv6?

That must be the console to see the bootloader menu like that. But it's showing serial as default console, is that actually the serial console? That looks like it's just not using the correct console. https://docs.netgate.com/pfsense/en/latest/troubleshooting/boot-issues.html#booting-with-an-alternate-console But, yes, why are you using such an old version?

On a 2100 the WAN has a different MAC so shouldn't be a problem. That can be an issue on the 7100. But, yes, maybe requires a different client identifier?

@johnpoz said in Custom options in unbound (dns resolver) cause syntax error: include wouldn't be part of it Oops. I corrected my post.

@luckman212 said in Why is there an automatic Outbound NAT for ::1/128: NAT it to the routable V6 interface IP assigned to my ix0 LAN And why would it do that, you have it set on what your calling wan6 it was adding NAT rules for some site to site WG tunnels that I already had static routes for No it wasn't.. Unless you set it like that.. Example - I have an wg interface, only traffic that gets natted to that is traffic I route out that interface [image: 1763396222121-nat.jpg]

Well it far higher than even the 1M default we usually set and that is generally far bigger than it needs to be. But you also show only 1400 states which is nothing. If you exhaust the mbufs that would definitely cause a problem. But you should also see that logging an error.

@shady28 Are you maybe looking at IP block list feeds vs DNSBL feeds?

@ameinild Netgate switch to FreeBSD-CURRENT about two years ago. https://docs.netgate.com/pfsense/en/latest/releases/versions.html They wrote a article about it in autumn of 2022: https://www.netgate.com/blog/pfsense-software-is-moving-ahead

@fireodo thank you very much for the help I will look into the sanity check.

Is it just me, or does it seem like the KISS (Keep It Simple [redacted]) answer is to install X-Ray on an officially supported platform or a VPS and tunnel traffic through that?

@slu said in Syslog service in pfSense v2.8.1 often stop itself: @jrey years ago there was a p1 release: https://docs.netgate.com/pfsense/en/latest/releases/2-3-5-p1.html Thanks for the source

Note to self under the latest release I had to set decipher list to cipher_list = "DEFAULT@SECLEVEL=0"

@nobanzai +1 amd64 15.0-CURRENT FreeBSD 15.0-CURRENT #21 RELENG_2_8_1-n256095-47c932dcc0e9: Thu Aug 28 16:27:48 UTC 2025 root@pfsense-build-release-amd64-1.eng.atx.netgate.com:/var/jenkins/workspace/pfSense-CE-snapshots-2_8_1-main/obj/amd64/AupY3aTL/var/jenkins/workspace/pfSense-CE- Crash report details: PHP Errors: [16-Nov-2025 21:48:05 Europe/] PHP Fatal error: Uncaught TypeError: Form_Select::__construct(): Argument #4 ($values) must be of type array, null given, called in /usr/local/www/vpn_openvpn_client.php on line 942 and defined in /usr/local/www/classes/Form/Select.class.php:31 Stack trace: #0 /usr/local/www/vpn_openvpn_client.php(942): Form_Select->__construct() #1 {main} thrown in /usr/local/www/classes/Form/Select.class.php on line 31 I'm temporery fix it. Use diag_edit.php edit /usr/local/www/vpn_openvpn_client.php & saved history version 4b9165e "Default to an empty array for functions expecting a countable value Do this for foreach() and count()." https://github.com/pfsense/pfsense/blob/4b9165e5ad3f47c36d1dec3a585a60b629bcdc3a/src/usr/local/www/vpn_openvpn_client.php and edit ciphers in client.

@dennypage Create an igmp rule on your floating rules, and do not set the direction to in. Set: Interface Leave: Direction to any Set: Protocol to IGMP only Set: Source to any Set: Destination to any Set: Quick Set: Adavanced Options, Allow IP options For example if you have pfblocker dnsbl auto rules (ping auto rule, permit auto rule) on top, it can cause trouble on the states. Check: the States of this rule. You should see tcp and upd packets as well, 443. If you set the direction on your lan intarfce to in, you should see igmp only, otherwise you have to place at the very top of all your other floating rules before everything else.

@w0w You can also run Squid on OpenWRT I am told there is so many packages I have been playing with OpenWRT because TP-Link was doing so weird data harvesting and pfsense caught it in the act after I just installed openwrt per @johnpoz recommendations. I just run it in bridge mode now

@patient0 Thanks for the quick response. Yes I am accessing from LAN and using ip but it does not work. Correct, remotely logging from lan to ssh which was working. This does not happen very often but seems that i read somewhere that sometimes the Spectrum modem will issue an ip from local range which causes the issue and this only happens sporadically. I have added in wan interface to reject lease from local interface, will see how it goes. The main issue is that it happens once in 3-4 months so not very easy to troubleshoot and i have not been able to recreate it by plugging modem cable etc.