• 2 Votes
    34 Posts
    33k Views
    Hello everyone, Is there an update to this entry? Image 2 no longer seems to work/be available. Thank you very much.
  • 2.7.0 - no packages available

    General pfSense Questions
    0 Votes
    12 Posts
    123 Views
    @SteveITS I didn't read everything yet, was busy trying to get the problem solved. As I said, I'll look at why since I use DHCP on a dozen networks at least.
  • Migrate vlan to a different nic card

    L2/Switching/VLANs
    0 Votes
    9 Posts
    83 Views
    @patient0 Not a production environment just home environment. Thanks for your suggestion I'll give it a try. Best Regards and thanks again....
  • 0 Votes
    2 Posts
    40 Views
    No one has replied
  • Watchguard Firebox M400/M500

    Hardware
    0 Votes
    619 Posts
    952k Views
    chpalmer
    @jriofrio said in Watchguard Firebox M400/M500: @chpalmer .... Did you update the BIOS? How it went! I mean did you encounter any difficulties updating the BIOS..... Do you have any advice for the process! Thank you for your comment.... No worries! ;) I did update the BIOS but it has been years. I did it with a package on pfsense itself if I remember correctly.. I have never had any kind of VGA connector on any of these (except the one box with a VGA connector) just use the serial port.
  • 0 Votes
    8 Posts
    144 Views
    @Gertjan said in WebGUI inaccessible locally, through TS and multiple browsers.: @almostmagic said in WebGUI inaccessible locally, through TS and multiple browsers.: Anyone else experience this? yep. known (sort-of). Throw "csrf-magic.ph" into : [image: 1763157990105-0ea57f40-d002-4f74-ae86-c5edac43c360-image.png] and hit enter. 3 occurrences. Read ... and you'll know what not to use (use the GUI command line) : use the real one : SSH, or even better : the console access. Thanks. I increased memory beyond what support had suggested earlier, and so far no more errors.
  • Wireguard Failover

    WireGuard
    0 Votes
    2 Posts
    647 Views
    chpalmer
    @jlinesabi Yes. Surprised nobody commented earlier truthfully. I have two remote sites both with failover set up. The sites are set up as dynamic in my primary "hub" site. If one of their connections goes down they simply hunt for the primary on the other connection which it gladly accepts. If the primary goes off the air and reverts to the cellular backup (behind CGNAT) I've noticed in the past that it will go hunt down the active connections and reconnect. What I do not know is if CGNAT on both sides will do such a thing.. I do not believe that would work but truthfully have not tried it.
  • CE 2.8.1 bsnmpd Memory Leak

    General pfSense Questions
    0 Votes
    22 Posts
    3k Views
    stephenw10
    Priorities.
  • 0 Votes
    153 Posts
    31k Views
    Gertjan
    @pfpv said in check_upgrade: "Updating repositories metadata" returned error code 1: misread my post This post ? is what I see/have.
  • NAT Reflection Issue w/ LAN Host

    NAT
    0 Votes
    3 Posts
    132 Views
    @Jaritura Thank you for your reply! I replicated the settings from my former pfsense box to the new one and confirmed with what you said above. I'm still missing something. On both systems I have Pure NAT, Enable NAT Reflection 1:1, and Enable automatic outbound NAT for Reflection selected. Firewall -> Rules -> WAN has the required ports forwarded IPV4 TCP/UDP * * Server IP 80 * none Firewall -> NAT -> Port Forward the same required ports are forwarded WAN TCP/UDP * * WAN address 80 Server IP 80 Firewall -> NAT -> Outbound I have both set to Automatic outbound NAT rule generation mode along with two Mappings for each subnet: WAN "Network subnet" * * 500 WAN address * (Not sure why this is here? Not knowingly using IPSec) WAN "Network subnet" * * * WAN address * Neither is using a DNS Resolver
  • 0 Votes
    13 Posts
    156 Views
    johnpoz
    @pftdm007 not quite - if you are not in forwarder mode, unbound resolves what was asked from the roots down.. It doesn't send the query anywhere - it resolves vs forwards. And not so much pfsense passes it to unbound, unbound is listening on 53, and as long as your firewall rules allow it - unbound will get the query directly. When you resolve - you don't need anything in the general setup at all. If pfsense itself needs to resolve something it will ask itself (unbound) via the loopback address 127.0.0.1. The only time something like 8.8.8.8 would be used if you have it in general is if pfsense itself wanted to look up something and unbound wasn't answering. Or you were in forwarding mode, be that either native (just 53) or in dot mode (853 with encryption of the connection via tls). Now that you know normal dns works - you could go back to forwarding if you want. I'm personally not a fan, but sure, if you want to forward, forward.. Only thing I would suggest if you forward is uncheck to do dnssec. It can only be problematic if you forward - where you forward either does dnssec already or it doesn't, if it doesn't telling unbound to do dnssec is just going to cause extra queries, and could cause problems. Also forwarding to different services can be problematic as well - especially if they do filtering, and the filtering could be different. Since you don't really know which one will be forwarded to when you have more than 1 service.. You are not sure which filtering you would get.. It's best, if you forward, to pick 1.
  • 0 Votes
    23 Posts
    340 Views
    MaxPresi
    @tinfoilmatt The default gateway was specified as the ISP's gateway, GW_WAN. I've already changed the hardware; now it's an R430 with 8 Broadcom LANs, a Xeon E5-2609 v4, 32 GB of ECC RAM, and a 480 GB SSD (a bit overkill), running version 2.8.1, the previous version was 2.7.2... I think pfSense will be happy now.
  • Ipsec mobile with Radius NPS MFA

    IPsec
    0 Votes
    1 Posts
    29 Views
    No one has replied
  • RA router assisted

    General pfSense Questions
    0 Votes
    7 Posts
    207 Views
    Qinn
    I have disabled RA, there is no use for it, as I do not use ipv6
  • TAC support questions

    General pfSense Questions
    0 Votes
    12 Posts
    200 Views
    Gertjan
    @ivica.glavocic said in TAC support questions: For HA cluster do we have to buy two pfSense TAC support packages, or one is enough? Isn't "HA" always : "more than one" by default ? Both entities must be identical, where one is acting as a master, and the other(s) is (are) acting as slave(s), all following all the interactions of the master. If the master detects a fail, a slave is elected and takes over. So, for me, 2 (identical devices !) at least. About bind : Have a look at this forum, there are pfSense users that use the pfSense bind package. Afaik : the bind GUI implementation isn't ... perfect. Loads of options are missing. And the bind version used isn't the latest. I'm using bind myself as an authoritative domain name server, serving 10+ domain names, and have it synced to another (also mine) bind server, acting as the slave. It does DNSSEC, can do DDNS, and all kinds of other nifty tricks. My option is : it's 'impossible' to use a GUI to maintain the config of bind. Maybe with one domain name, and minimal settings ? Anyway, imho, pfSense is a firewall/router, not an authoritative domain name server. What about this solution : host your bind on another device with a real OS, like a rock solid Debian server, and set it up from there ? True, you have to edit the files (I actually rarely edit my bind's 20+ config files). In short : you're opting for a "HA" setup, so your installation becomes somewhat mission critical. In that case, divide important tasks over separate devices/hosts. The firewall != the proxy server != the DNS server != the file server etc. (!= = 'is not').
  • 0 Votes
    8 Posts
    215 Views
    @yellowRain said in offline pfsense 25.07 and 25.07.1 installer (usb stick) doe snot work reliably: offline pfsense 25.07 and 25.07.1 installer (usb stick) doe snot work reliably Problems Installing or Upgrading pfSense Software 7 posts 3 posters 120 views 3 watching Reply YOffline yellowRain 6 days ago I tried 25.07 and 25.07.1 pfsense plus reinstall on Netgate 6100 without success. Error was "cannot connect to netgate servers". Fortunately, I had to the 23.09 offline image stick somewhere, and went with this old version. I had to apply 23.09.1, then 23.11, then 25.07.1 upgrade afterwards, and then restore 25.07.1 config. Hope you can improve the netgate server detection part, or add back an offline option. I have changed of ISP, and now I'm sure 100% there are no issues on this part. Internet connectivity was fine before the reinstallation, and I could check netgate forums, and pfsense-installer dhcp client has been detected by the ISP box during the installation. Thank you for your work. Yeah, I ran into the same issue. Super annoying that the new installer won’t work offline anymore. Glad you found a workaround though!
  • 0 Votes
    19 Posts
    527 Views
    Thanks for the reply. Right now I can't get around to anything, but when there is some breathing room again, I'll take a closer look at the filters.
  • 0 Votes
    4 Posts
    88 Views
    dennypage
    @d1novak said in Current pkg repository has a new PHP major version. pfSense should be upgraded before installing any new package.: @dennypage Thank you! Worked like a charm. Welcome
  • Web browser over IPSEC VTI tunnel doesn't work. Pings work though

    IPsec
    0 Votes
    8 Posts
    109 Views
    tinfoilmatt
    @KevCar87 You might be able to make your preference, policy based or route based (VTI), work... pfSense documentation on policy based (tunnel mode) Otherwise, per that first warning box ("NAT is not currently compatible with route-based VTI IPsec tunnels without configuring an IPsec Filter Mode which is incompatible with tunnel-based IPsec. See Advanced IPsec Settings for details.")... pfSense documentation on VTI ...route based (VTI) will require additional configuration beyond what the WatchGuard documentation appears to cover (more specifically here under "IPsec VTI Filtering").
  • udpbroadcastrelay vs mcast-bridge vs mdns-bridge

    pfSense Packages
    0 Votes
    4 Posts
    121 Views
    dennypage
    @luckman212 said in udpbroadcastrelay vs mcast-bridge vs mdns-bridge: I'm reminded of xkcd 2347... LOL! Closer than you know... I used to be one of those random maintainers in Nebraska. There were actually a handful of us, but we all escaped the state before 2003.