Bug #16573 (open)
PPPoE interface using new driver on Broadcom NIC breaks external DNS for LAN clients (pfSense still resolves)
Description
Summary:
When using the new if_pppoe kernel module in pfSense 2.8.1 with a Broadcom NIC (bce driver), LAN clients — specifically those relying on internal DNS resolvers like AdGuardHome — are unable to perform external DNS lookups. pfSense itself can resolve DNS and has full internet access. Reverting to the legacy PPPoE driver immediately restores functionality for LAN clients.
System:
- pfSense CE 2.8.1-RELEASE (amd64) - built on Fri Oct 24 16:53:00 BST 2025 - FreeBSD 15.0-CURRENT
- Dell R210 II with onboard Broadcom NIC (bce0 & bce1)
- WAN via PPPoE (BT Openreach)
- AdGuardHome DNS on internal VLAN (VLAN20)
Steps to reproduce:
1. Assign WAN PPPoE to a Broadcom NIC.
2. Enable the new if_pppoe kernel module under System > Advanced > Networking.
3. Ensure LAN clients use an internal DNS resolver like AdGuardHome (not pfSense directly).
4. Observe DNS failures on LAN clients despite internet working from pfSense itself.
Workaround:
1. Switch back to the legacy PPPoE driver (resolves issue).
2. Use a non-Broadcom NIC for PPPoE (e.g., Intel NICs work fine with the new driver).
Additional Notes:
- DNS resolution from pfSense diagnostics (e.g. Diagnostics > DNS Lookup) continues to work regardless of driver.
- The issue appears to affect only LAN clients using internal DNS resolvers (e.g., AdGuardHome, Pi-hole).
- Packet captures show DNS requests leaving but no responses arriving — suggests a problem with how outbound NAT or state tracking works with the new driver on Broadcom NICs.
- No firewall blocks or pfBlockerNG interference — all other variables tested and ruled out.
- Consistently reproducible.
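As an added diagnostic that is not part of this report, the POSIX shell helper below pairs each DNS query in a `tcpdump -n` capture with its reply by client address:port and transaction ID, so the "requests leaving, no responses" observation can be counted on pppoe0 and on the VLAN interface and compared. The interface names, capture lines and RFC 5737 addresses are constructed assumptions.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the bug report. Reads `tcpdump -n` lines
# for UDP/53 (e.g. `tcpdump -n -l -i pppoe0 udp port 53`) and lists queries that
# never received a reply, keyed by client addr.port and DNS transaction ID.
# Works on either side of NAT as long as both directions are in the same capture.

# Constructed sample capture (RFC 5737 addresses): three queries leave, one reply returns.
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.5.51234 > 198.51.100.53.53: 10001+ A? example.com. (29)
12:00:01.020001 IP 198.51.100.53.53 > 203.0.113.5.51234: 10001 1/0/0 A 192.0.2.10 (45)
12:00:02.000001 IP 203.0.113.5.51235 > 198.51.100.53.53: 10002+ AAAA? example.org. (29)
12:00:03.000001 IP 203.0.113.5.51236 > 198.51.100.53.53: 10003+ A? example.net. (29)'

# Print one line per unanswered query on stdin: "client.port txid type name".
unanswered_dns_queries() {
    awk '
    $2 == "IP" && $5 ~ /\.53:$/ {          # outbound query: client.port > resolver.53:
        id = $6; sub(/[^0-9].*/, "", id)   # strip the +/% flags after the transaction ID
        key = $3 "|" id
        if (!(key in pending)) order[++n] = key
        pending[key] = $7 " " $8           # e.g. "A? example.com."
        next
    }
    $2 == "IP" && $3 ~ /\.53$/ {           # inbound reply: resolver.53 > client.port:
        client = $5; sub(/:$/, "", client)
        id = $6; sub(/[^0-9].*/, "", id)
        delete pending[client "|" id]      # reply seen, query is no longer pending
    }
    END {
        for (i = 1; i <= n; i++)
            if (order[i] in pending) { split(order[i], k, "|"); print k[1], k[2], pending[order[i]] }
    }'
}

# Number of unanswered queries in the capture on stdin. A non-zero count on
# pppoe0 while the same transaction IDs are answered on the VLAN interface
# points at the WAN side (NAT/state or driver receive path), not the resolver.
count_unanswered() {
    unanswered_dns_queries | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_CAPTURE" | unanswered_dns_queries
printf '%s\n' "$SAMPLE_CAPTURE" | count_unanswered
```

Run it against a live capture with `tcpdump -n -l -i pppoe0 udp port 53 | unanswered_dns_queries` once the functions are sourced; a growing list of unanswered entries while `pfctl -ss` still shows matching UDP states narrows the fault to the receive side of the new driver.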
Expected Behavior:
LAN clients using local/internal DNS resolvers should continue to have full DNS resolution and WAN access when the PPPoE interface is switched to a Broadcom NIC using the new if_pppoe kernel module.