• Terrapin SSH Attack

    Pinned
    16 Votes
    33 Posts
    48k Views
    STLJonny
    @willowen100 It basically forces your ssh (on the Windows side) to utilize that encryption algorithm. You'll need to do that on any machine you ssh from. I'd have rather found a more elegant workaround (preferably on the pfSense side, so the mod only has to be done in one location), but this works in a pinch.
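
The workaround described above restricts which cipher the client will negotiate. The Python example below is added here and is not from the thread, from OpenSSH or from pfSense: it parses SSH_MSG_KEXINIT payloads (RFC 4253 section 7.1) and reports whether a peer offers the OpenSSH strict key exchange extension and which offered modes Terrapin (CVE-2023-48795) affects, namely chacha20-poly1305@openssh.com and any CBC cipher paired with an encrypt-then-MAC (*-etm@openssh.com) MAC. The three KEXINIT payloads are constructed inside the block for illustration, not captured from real hosts.

```python
import struct

SSH_MSG_KEXINIT = 20
# Extension names of the OpenSSH "strict KEX" countermeasure to Terrapin (CVE-2023-48795).
STRICT_KEX_FLAGS = {"kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"}
CHACHA = "chacha20-poly1305@openssh.com"
ETM_SUFFIX = "-etm@openssh.com"

KEXINIT_FIELDS = (
    "kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)


def _read_name_list(buf, off):
    """Read an SSH name-list (uint32 length + comma-separated ASCII names)."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated name-list body")
    names = buf[off:off + n].decode("ascii")
    return [s for s in names.split(",") if s], off + n


def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into a dict of name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 17  # 1-byte message id followed by the 16-byte cookie
    out = {}
    for field in KEXINIT_FIELDS:
        out[field], off = _read_name_list(payload, off)
    if off + 5 > len(payload):  # boolean first_kex_packet_follows + uint32 reserved
        raise ValueError("truncated KEXINIT trailer")
    out["first_kex_packet_follows"] = payload[off] != 0
    return out


def build_kexinit(kex, hostkey, enc, mac, comp=("none",), cookie=b"\x00" * 16):
    """Construct a KEXINIT payload for testing; the same enc/mac lists are used in both directions."""
    def name_list(names):
        body = ",".join(names).encode("ascii")
        return struct.pack(">I", len(body)) + body

    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        payload += name_list(names)
    return payload + b"\x00" + struct.pack(">I", 0)


def terrapin_assessment(payload):
    """Report which offered modes are Terrapin-affected and whether this peer offers strict KEX.

    Affected modes: ChaCha20-Poly1305, and any CBC cipher when an encrypt-then-MAC
    (*-etm@openssh.com) MAC is offered in the same direction. Strict KEX only protects
    the connection if BOTH peers offer it, so one KEXINIT can only say "exposed" or
    "mitigated if the peer also offers strict KEX".
    """
    k = parse_kexinit(payload)
    offers_strict = bool(STRICT_KEX_FLAGS & set(k["kex"]))
    affected = set()
    for direction in ("c2s", "s2c"):
        encs, macs = k["enc_" + direction], k["mac_" + direction]
        if CHACHA in encs:
            affected.add(CHACHA)
        cbc = [e for e in encs if e.endswith("-cbc")]
        if cbc and any(m.endswith(ETM_SUFFIX) for m in macs):
            affected.update(c + "+etm" for c in cbc)
    if not affected:
        status = "not_affected"
    elif offers_strict:
        status = "mitigated_if_peer_strict"
    else:
        status = "exposed"
    return {"offers_strict_kex": offers_strict, "affected_modes": sorted(affected), "status": status}


# Constructed sample KEXINITs (not captured traffic): a patched server, an unpatched
# server, and a client whose Ciphers/MACs were pinned to unaffected modes.
SAMPLE_PATCHED_SERVER = build_kexinit(
    ["curve25519-sha256", "kex-strict-s-v00@openssh.com"], ["ssh-ed25519"],
    [CHACHA, "aes128-gcm@openssh.com"], ["hmac-sha2-256"])
SAMPLE_OLD_SERVER = build_kexinit(
    ["curve25519-sha256"], ["ssh-ed25519"],
    ["aes256-cbc", "aes128-ctr"], ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"])
SAMPLE_PINNED_CLIENT = build_kexinit(
    ["curve25519-sha256"], ["ssh-ed25519"],
    ["aes128-gcm@openssh.com", "aes256-ctr"], ["hmac-sha2-256"])

if __name__ == "__main__":
    for name, p in (("patched server", SAMPLE_PATCHED_SERVER), ("old server", SAMPLE_OLD_SERVER),
                    ("pinned client", SAMPLE_PINNED_CLIENT)):
        print(name, terrapin_assessment(p))
```

A single KEXINIT only shows what one side offers: strict KEX is in effect only when both client and server advertise their flag, so a "mitigated_if_peer_strict" result still depends on the other end. Pinning the client to unaffected modes, as in the third sample, removes the dependency on the server, which is the effect of the client-side change described in the post.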
  • pfSense Hangouts are available on YouTube!

    Pinned Locked
    5 Votes
    1 Posts
    17k Views
    No one has replied
  • Share your pfSense stories!

    Pinned Moved
    0 Votes
    76 Posts
    77k Views
    V
    Mine may be typical, maybe not. Took over a large senior living facility with a pretty robust IT infrastructure spread between 4 IT rooms, 23 access points, 12-14 switches, and 200 internal devices and 200 guest/resident devices, all being run by a SonicWall TZ350. I had been wanting to realign everything network-wise for some time, but the TZ had 2 ports that were failing. I had worked with ClearOS from back in the ClarkConnect days and started searching for something similar. I found pfSense and it just fit what I wanted to do. I tested it a bit on an old Athlon 64 X2 rig for proof of concept and had planned on installing on a mini PC or something, but I wanted 6 NICs. Standing in my main IT room I looked down and in the bottom of the rack were 4 HP DL380s, 2 of which were decommissioned 2 years ago. It's such huge overkill for hardware that it's hard to explain, but who wouldn't want redundant power supplies, RAID 60 with 25 drives and remote system monitoring through iLO? lol I spun one up, loaded pfSense and started tweaking. 2 weeks ago I switched over and have been working out gremlins since. Overall it's gone well, just one snag that a couple of members here have been very kind in helping me work out. Thank you to this page for all the help.
  • Increase SWAP size

    0 Votes
    15 Posts
    196 Views
    stephenw10
    Well it will work fine but I won't fill an 8Gbps link. Which may not be a problem.
  • Netgate 6100 Crash and reboot

    0 Votes
    6 Posts
    89 Views
    stephenw10
    Hmm, not much shown in the backtrace:

        db:1:pfs> bt
        Tracing pid 11 tid 100003 td 0xfffff80101804780
        kdb_enter() at kdb_enter+0x33/frame 0xfffffe008c220b80
        panic() at panic+0x43/frame 0xfffffe008c220be0
        trap_pfault() at trap_pfault+0x3c9/frame 0xfffffe008c220c30
        calltrap() at calltrap+0x8/frame 0xfffffe008c220c30
        --- trap 0xc, rip = 0xffffffff80d6261d, rsp = 0xfffffe008c220d00, rbp = 0xfffffe008c220d60 ---
        callout_process() at callout_process+0x1ad/frame 0xfffffe008c220d60
        handleevents() at handleevents+0x186/frame 0xfffffe008c220da0
        cpu_activeclock() at cpu_activeclock+0x6a/frame 0xfffffe008c220dd0
        cpu_idle() at cpu_idle+0xa6/frame 0xfffffe008c220df0
        sched_idletd() at sched_idletd+0x546/frame 0xfffffe008c220ef0
        fork_exit() at fork_exit+0x7b/frame 0xfffffe008c220f30
        fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe008c220f30
        --- trap 0, rip = 0, rsp = 0, rbp = 0 ---

    And the message buffer is mostly spammed by the Snort output, but I do see igc0 and igc1 losing link and relinking. Do you have Snort running on both of those? In inline mode? Is this in 25.11?
  • DHCP Static Mappings copy from one interface to another

    0 Votes
    3 Posts
    21 Views
    johnpoz
    @alekdm I thought I had seen scripts to help with this many years ago, but I didn't find the old one I remember from long ago. This one is from 2025 and looks like it could be helpful: https://github.com/jftuga/pfsense_dhcp_static
  • 0 Votes
    3 Posts
    71 Views
    Y
    @stephenw10 thank you for the confirmation. At least now I know that it won't work in the current setup, "it's not me, it's you" :) Hopefully with further development of if_pppoe more legacy setups will be added. In the meantime I'll try to nag my ISP to move me to something more modern.
  • Should I use IGMP proxy service?

    0 Votes
    7 Posts
    87 Views
    dennypage
    @beerguzzle said in Should I use IGMP proxy service?:

        Should I be running the IGMP proxy service? I am leery of making WAN the upstream interface.

    IGMP Proxy is used to route multicast from one interface (often WAN) to one or more other interfaces (usually LAN). It's used for things like IPTV. As a general rule, you would know if you needed to route multicast from the internet. I'm guessing you do not need IGMP Proxy.

    As to the IGMP query packets appearing on your internal network, that is your switch asking each of its ports what multicast groups the port is interested in. You can safely allow IGMP packets into the LAN interface on the firewall, or you can safely block them. I generally recommend allowing IGMP on LAN ports because there is no downside to doing so. There is a minor downside to blocking them.

    If you allow IGMP, the host (pfSense) will respond to queries from the switch and provide an explicit list of multicast groups that it has interest in. In turn, the switch will only forward multicast groups that the host (pfSense) is actually interested in. If you block IGMP, the usual default behavior of switches is to forward all multicast groups to the port, which means that the firewall will be sent multicast packets even if it has no interest in them. The host will discard them, but it's a minor waste to send them across the wire and for the host to process them. As a general rule, it is more efficient to use IGMP if your switch supports it.
  • CE to Plus License Question

    0 Votes
    6 Posts
    148 Views
    stephenw10
    If you send me the NDI / Order Number in chat I can check it.
  • The new if_pppoe doesn't write to logs

    0 Votes
    4 Posts
    79 Views
    Gertjan
    @pfpv said in The new if_pppoe doesn't write to logs:

        After switching from ISC there were no logs ...

    Read here how to add lease logs the way ISC DHCP did.
  • Firefox - The browser must support cookies to login.

    0 Votes
    44 Posts
    680 Views
    stephenw10
    Potentially it could. I've never seen that before but... Did saving it make any difference? What was it set to in the GUI before?
  • I'm not sure if it's pfSense or something else

    0 Votes
    6 Posts
    91 Views
    stephenw10
    Anything logged when this happens? In the main System log or Unbound log?
  • WAN PPPOE connection instability

    0 Votes
    5 Posts
    112 Views
    stephenw10
    You can set the gateway monitoring action to disabled if that's your only WAN, but it's not to prevent it going down. I'd be very surprised if it's anything to do with IPv6; nothing in the logs there is unexpected for IPv6. Using if_pppoe may or may not be any different, but it produces a lot less logging than mpd5, so it will be harder to diagnose.

    The logs you showed appear to start after the link went down? The only concerning thing shown there are the lines like:

        Jan 16 19:03:30 ppp 82927 [wan_link0] LCP: rec'd Terminate Request #225 (Opened)

    That's your ISP's PPPoE server closing the link. So possibly it thinks you are still connected already. When this happens what do you do to reconnect? Just wait?

    You can check the output of ifconfig -va to see the link status of the PPPoE parent NIC. Or you can assign that NIC separately and the GUI will show it.
  • StarLink as source for NTP

    0 Votes
    109 Posts
    2k Views
    R
    @dennypage said in StarLink as source for NTP:

        Yea, that would be a dev build. That's certainly the kind of thing that can make packages not show up as missing.

    Since we've been toying with time servers, I was just hoping it was some sort of localized time travel.... What do we want?! TIME TRAVEL!!! When do we want it?! ...doesn't matter
  • New commit and merge in FreeBSD source code of MAP-E

    0 Votes
    29 Posts
    3k Views
    cmcdonald
    @Twel DM'd
  • pfSense with multiple Proton WireGuard tunnels

    0 Votes
    53 Posts
    2k Views
    Bob.Dig
    Now that the WireGuard package is patched (0.2.11_1) to allow booting with DNS addresses as endpoints, I decided to go all in. I disabled any gateway monitoring action and hid those gateways from the dashboard, to spare my nerves. Now the WireGuard widget gets more of my attention. And I was able to reuse my interfaces and gateways to some degree, only changing the WireGuard config behind those, like key pairs etc., which is a nice touch. Happy WireGuarding everyone!
  • 0 Votes
    7 Posts
    66 Views
    johnpoz
    @aaronouthier just for more info - as you get more familiar with policy routing, you could, if you want, get more granular with it, so your NASes only use the high-upload connection when they're actually talking to where they send the upload. This may or may not make sense in your use case, but just know that such stuff is possible. Maybe the NASes also download stuff where using the 1G down would make more sense, etc. Have fun!
  • automatic email notices on OS updates?

    0 Votes
    4 Posts
    78 Views
    johnpoz
    @linuxpc4me said in automatic email notices on OS updates?:

        I have 17 pfSense appliances in service

    Is there some reason they are not all the same version? You might want to look into Nexus for managing multiple sites, installs, etc. Just got an email about it this morning from Netgate. https://www.netgate.com/nexus

    Probably a good idea to add the RSS feed onto your dashboard, and probably do it on all your installs, so you would see it on whatever one you're on at some point. They announce stuff like security issues as well.

    But if you have a bunch of different versions that could be an issue. Off the top of my head I'm not sure why they wouldn't all be the same. At most I could see 2 versions, where some are Plus and others are just CE.
  • PHP Fatal error after adding port forward

    0 Votes
    11 Posts
    727 Views
    N
    @stephenw10 No idea which rule hit that issue. I work for an MSP and we have dozens of rules across ~10 VLANs and our 3100 manages 6 public IP addresses (we lease a /29 network from the ISP). pfSense has been rock solid for us for the better part of a decade, other than this one bug that requires me to manually patch it with each release/upgrade. Also, yes; format_bytes is correct, rather than format_number as used in the previous 2 lines. Good catch!
  • Can't ping the same IP from multiple devices

    1 Votes
    18 Posts
    2k Views
    S
    It's still in 25.07, looks like it may be fixed in 25.11 with limited testing.
Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.