• Carp IP does not respond to ping

    Moved Deutsch
    17
    0 Votes
    17 Posts
    472 Views
    P
    @viragomann Thanks for your detailed description. What you described sounds like a lot of changes to the settings. I have decided to get rid of the two VMs and rebuild everything on physical machines. I'm a bit afraid that changing so many settings will cause problems with other VMs. Thanks again for the help and best regards.
  • IPsec VTI tunnel dropping PBR packets on OUT queue

    IPsec
    7
    0 Votes
    7 Posts
    180 Views
    A
    @keyser I could also change the connection between the affected sites to Wireguard. The downside is I end up with two VPN technologies for Site-to-Site connections too, because not all my devices are Wireguard capable. I also have to evaluate how Wireguard interacts with dynamic routing running FRR and especially BGP. It might be worth looking more closely into this and switching to Wireguard where possible. The lack of IP fragmentation support with VTI IPsec is also annoying. I suspect a sort of regression causing this issue. If we're lucky it's due to changes of default configuration and this may get fixed on the fly. But so far I haven't spotted any when comparing IPsec related settings between 2.7.2 and 2.8.1.
  • 0 Votes
    6 Posts
    313 Views
    I
    @patient0 I'll try. Thanks ;)
  • SG-5100 new if_pppoe no internet

    General pfSense Questions
    2
    0 Votes
    2 Posts
    79 Views
    V
    Hi, I just completely removed my pppoe interface after switching to the new if_pppoe and it started to work after recreating it! Only thing I noticed is that with the new if_pppoe the device takes longer to obtain an IP/connection after a reboot f.e. compared to the old implementation. But everything is working now, so this can be closed! :)
  • 0 Votes
    1 Posts
    50 Views
    No one has replied
  • Version Information ??

    General pfSense Questions
    12
    1
    1 Votes
    12 Posts
    373 Views
    stephenw10
    This was a backend change that has now been reverted while we confirm the cause. You shouldn't see that currently.
  • 0 Votes
    4 Posts
    97 Views
    stephenw10
    Huh, odd. Well I would suggest familiarizing yourself with the serial console now while everything is working so you'll have it available if this ever happens again. https://docs.netgate.com/pfsense/en/latest/solutions/netgate-4200/connect-to-console.html
  • 0 Votes
    19 Posts
    515 Views
    stephenw10
    Yup, a change was still in place. It's now been reverted until we confirm the root cause. You should no longer see that.
  • 0 Votes
    8 Posts
    138 Views
    tinfoilmatt
    @jliolios Got it, got it. Alright, this all makes much more sense now. Foundational understandings: 1.) When you assign pfSense's GUI (called the webConfigurator) a port, it listens on all interfaces, including both WAN and LAN. Since most people never 'open' this port to inbound connections on the WAN interface, it typically never presents a conflict or a problem that the webConfigurator's nginx-based web server listens on all interfaces by default. (See this post for a recent thread on this point.) 2.) You have both: 'Opened' port 9443 on the WAN interface; and Crafted a NAT rule to forward any/all inbound 9443-destined traffic arriving on the WAN interface, to be 'redirected' to the EZProxy host that I'm assuming is not homed to 172.16.0.1 3.) At some later point, you changed the webConfigurator's listening port to 9443. It would not have been readily apparent at that time that inbound 9443-destined traffic arriving on the WAN interface now had two potential and conflicting routes to take: the webConfigurator webserver, and the EZProxy LAN host. With all that being said, and returning to your original question, what do you mean when you've said: [in Use of a custom port for admin console caused issue with NAT using same port:] in this case 443 took a back seat to 9443
  • 0 Votes
    24 Posts
    11k Views
    S
    @LaUs3r Yeah, I added those IPs, but after restarting pfSense, the WireGuard status says “handshake failed.” Also, when I do nslookup us-bos.prod.surfshark.com, I get two different sets of IPs. For example: • The first time I get 43.225.189.108 and 43.225.189.118 • The next time I get 149.40.50.216 and 149.40.50.290 So I was wondering, can I add both sets of IPs, and put a “0” at the end of each, and use /24 for both IPs? I reached out to Surfshark support, and they sent me their official pfSense WireGuard setup guide (see the guide here). In the guide they mention 10.14.0.2 for static routes
  • Suricata not starting on Netgate 8200

    IDS/IPS
    1
    0 Votes
    1 Posts
    45 Views
    No one has replied
  • 0 Votes
    3 Posts
    191 Views
    M
    The issue was caused by a staggered rollout update on the backend. We've pushed a fix and will continue to monitor. Thanks for the report!
  • 5 Votes
    3 Posts
    174 Views
    G
    https://pypi.org/project/pfsense-redactor/
  • 0 Votes
    4 Posts
    154 Views
    I
    Wow... ok, figured it out. The links provided in @Gertjan's post put me on the right path. It seemed strange that only Ubuntu Server hosts were affected so I started digging on that. Turns out that by default in Ubuntu Server systemd-resolved is not configured to use the domains passed by DHCP (either v4 or v6) nor by RDNSS. So all I had to do was to edit /etc/systemd/networks/networkd.conf to have UseDomain=true and just like that, by magic the hostname is properly registered in Unbound...
  • Problems with IPsec in HA

    IPsec
    6
    3
    0 Votes
    6 Posts
    100 Views
    D
    @viragomann OK, I’ve created it this way and I’m going to monitor the status to see what happens and how the tunnel behaves from this point on. Thanks a lot!
  • Some 25.11 Beta Findings

    Moved Plus 25.11 Snapshots
    1
    0 Votes
    1 Posts
    86 Views
    No one has replied
  • SG-4100 orange LED but no firmware update

    General pfSense Questions
    8
    0 Votes
    8 Posts
    155 Views
    I
    @stephenw10 said in SG-4100 orange LED but no firmware update: you can manually clear it with: pfSense-led.sh update 0 This worked, thank you!
  • Comcast IPv6 working on Linux clients, but not Windows clients

    IPv6
    48
    10
    0 Votes
    48 Posts
    876 Views
    M
    So, it wasn't until I got down to 0 unblocked IOT clients that the problem resolved. Meaning, the problem wasn't caused by a specific client. I went to check the IOT SSID setting in the Unifi controller. It had something called "Proxy ARP" enabled. I disabled it. Miraculously, all problems with IPv6 on the wired Windows hosts went away. This is really crazy.
  • new if_pppoe Backend - getting HA/CARP to work like in MPD

    Development
    61
    1 Votes
    61 Posts
    7k Views
    w0w
    New package for 25.11 is ready for testing. pkg add -f 'https://raw.githubusercontent.com/woffko/pfSense-pppoe-ha/refs/heads/main/pfSense-pkg-pppoe-ha-0.1.3.pkg'
  • 0 Votes
    14 Posts
    372 Views
    D
    Thank you for the replies, I was sort of able to figure it out and get it/them working. But it's not how I expected? I set up the VLANs on the switch and according to everything I could figure and you guys too it should have worked but it didn't? After going back-n-forth with this for a few days I decided to give it a rest for a couple days. When I got back to it I went to log in to the switch and was unable? No matter what I tried I couldn't get it so I did a hard reset (unplug) and tried to log back in, I was able to get into the switch and all the config was there so I plugged my laptop in and it pulled the .20 IP??? More testing and it did what it is supposed to do? Best I can figure is that the switch didn't like what I was telling it and decided it needed a refresh to then give what I was telling it? IDK but it's working now. To all, Thank You, especially johnpoz, theother, and patient0! :-)