@stephenw10 said in Gateway monitoring still not OK:

I would still expect to have seen dpinger try to ping and show loss rather than pending.

/etc/inc/gwlb.inc:

// dpinger returns '<gwname> 0 0 0' when queried directly after it starts. // while a latency of 0 and a loss of 0 would be perfect, in a real world it doesnt happen. // or does it, anyone? if so we must 'detect' the initialization period differently..

@AWeidner its just pfsense trying to proect you against a rebind. When you foward to something that is normal some external public NS - which normally should not be returning rfc1918.

You might want to read some of the history of rebind attacks. And why this good protection to have in place.

@NetworkNerd Just in case you haven't tried this yet. The new Netgate online installer does provide you the option to set up the WAN interface connection details such as PPPoE etc as part of the process. I'm not a fan of the choice to remove offline installers by any means but at least they do provide this functionality.

@gemg83 yes, that's the issue I'm having, thanks for letting me know! I haven't found any workaround yet, maybe we should place a bug report?

Probably just that then. But you should see the set options and capabilities for those NICs like:

[2.8.0-RELEASE][admin@t70.stevew.lan]/root: ifconfig -vm igb0 igb0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500 description: WAN options=4e100bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG> capabilities=4f53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>

So there you can see the NIC is both checksum offload and TSO capable but only checksum is enabled.

Ok, I had created a block rule to the firewall before and because I actually don't use UPnP, I didn't noticed that this was blocking UPnP now. So everything works like expected, at least with IPv4.

*** 15.07.2025 *** [11:27:00] starting Tixati v3.29 [11:27:00] loading settings [11:27:00] loading transfers [11:27:00] loading DHT [11:27:00] loading RSS [11:27:00] loading scheduler [11:27:00] loading throttle [11:27:00] loading channels [11:27:00] loading interface [11:27:01] startup complete [11:27:01] listening on tcp:0.0.0.0:19703 [11:27:01] listening on tcp:[::]:19703 [11:27:01] DHT started [11:27:01] listening on udp:0.0.0.0:19703 [11:27:01] listening on udp:[::]:19703 [11:27:04] NAT-PMP mapped TCP port 19703 on gateway 192.168.1.1 [11:27:04] NAT-PMP mapped UDP port 19703 on gateway 192.168.1.1

Would be nice to have that UPnP Port 5351 as a port-template.

Screenshot 2025-07-15 114613.png

@E-I Chill Guy Clicker said in pfSense 2.8.0: Sticky Connections in Dual-WAN Setup Not Maintaining Source Tracking:

Hello Community,

After recently upgrading to pfSense 2.8.0, I've encountered an issue related to source tracking entries in a dual WAN configuration.

Under System > Advanced > Miscellaneous, the "Use sticky connections" option is enabled (though I've also tested with it disabled and re-enabled), but I am noticing that source tracking entries are not being maintained as expected. In previous versions, enabling sticky connections ensured consistent outbound gateway selection per source IP, with source tracking entries reflecting this behavior.

Current Behavior:

With or without "Use sticky connections" enabled, source tracking table is empty. This affects connection consistency across WAN interfaces, potentially impacting applications sensitive to IP changes. I have verified that my policy routing and gateway group configuration remain unchanged since the upgrade. The issue appears to persist across reboots and interface resets.

Environment Details:

fSense version: 2.8.0-RELEASE (amd64) Dual WAN (WAN1 + WAN2) with Gateway Group for load balancing (both Tier 1) "Use sticky connections": Checked Outbound NAT: Automatic State Policy: Interface Bound States No custom modifications to source tracking timeouts

I'd appreciate any insights or recommendations for troubleshooting further or confirming whether this is a bug.

Thank you in advance!

This certainly sounds like an unintended change or bug in the source tracking mechanism introduced in pfSense 2.8.0. Since your configuration has not changed and the problem persists even after trying toggling sticky connections on/off, rebooting and resetting the interface, a misconfiguration can be ruled out. The fact that the source tracking table is always empty suggests that the sticky connection mechanism may not be working as expected. You should consider filing a bug report or checking to see if other users are experiencing the same problem on the Netgate forums or Redmine bug tracking system.

@elvisimprsntr thanks for your suggestion. I will give it a try.

@stephenw10

I want to use 10GBIT DAC inside my rack and also directly attach to my ISPs Fiber. It'd be the perfect successor for the SG6100 with the SFP+ Addon installed.

@ameinild said in Kea client logs:

I get no logging from the kea-dhcp4 service for client DCHP logs, only from the dhclient for the WAN interface.

Well ... this is FreeBSD/( and Linux) classic log behavior : no news is good news.

In general, as my friend said, seven troubles - one reset. The situation was corrected by reinstalling the system and restoring the configuration. This can be written down as a solution to the problem.

Hmm, yeah I'd expect it to only be resolving leases that were present before that change. Like if you add a new static dhcp lease on that interface I'd expect that to fail to resolve.

@detox you should be able to edit your first post and edit title with [solved] in the title, add tag.. If you can not - let me know and can do it for you. There might be some restrictions on rep ports or something - but you have 6, I would think that enough?

@stephenw10

Thanks for the response.

In reviewing your response and looking through my configurations, this one firewall did NOT have a valid Client name set and was missed from my template configuration when the firewall went into service.

I apologize for taking up yours and anyone else's time. I feel like a Newby today.

Does it report the memory usage in both Proxmox and pfSense?

Can you see what's using it in the output of top or ps?

@stephenw10

Thank you, that was what I was not doing and really appreciate the guidance and support here. Thanks

@rasputinthegreatest see my edit about devices sending it out even when they have an IP on the network - my directv appliance does that.. But once you have a mac should allow you to track it down. Especially if you have a smart switch and its wired. Where you can look at the mac address table.

If everything is working and you just don't like the noise in the logs, you can turn those off, either in log settings - I believe new 2.8 allows for not logging link local. Or you could setup a rule not to log it.