Categories

• TNSR

  Discussions about TNSR

  • TNSR Announcements
  • TNSR Feedback
  • Problems Installing or Upgrading TNSR Software
  454 Topics

  1k Posts

  D

  Hi @Tyronejackson839,
  Thanks for the awesome advice! Your ACL tips worked perfectly—enabling fragment-checking and lean rules secured my nginx webserver without sacrificing performance. Really appreciate your detailed help!

  Best,
  David James | Founder of The Yes No Button!

• pfSense® Software

  Discussions about pfSense Software, click a category below

  • Messages from the pfSense Team
  • General pfSense Questions
  • Multi-Instance Management
  • Problems Installing or Upgrading pfSense Software
  • Firewalling
  • NAT
  • HA/CARP/VIPs
  • L2/Switching/VLANs
  • Routing and Multi WAN
  • Traffic Shaping
  • DHCP and DNS
  • IPv6
  • IPsec
  • OpenVPN
  • Captive Portal
  • webGUI
  • Wireless
  • SNMP
  • Documentation
  • Development
  • Gaming
  • Virtualization
  • Hardware
  • Bounties
  • Retired
  120k Topics

  763k Posts

  P

  Follow-up: Even after changing Source to "Any" and disabling all IPv6 services, the issue persists.

  Additional steps taken:

  Changed LAN rule Source from "LAN subnets" to "Any" Disabled DHCP6 on WAN interface (set to None) Disabled IPv6 Track Interface on LAN (set to None) Rebooted pfSense completely

  Current status:
  IPv6 traffic continues to be logged on both interfaces despite Block rules with logging explicitly disabled:

  Here, some examples:

  Capture d’écran 2025-07-10 à 18.04.28.png

  Both WAN and LAN rules are configured as:

  Action: Block Address Family: IPv6 Protocol: Any Source: Any Destination: Any Log: UNCHECKED

  Question: Is there a system-level IPv6 logging mechanism in pfSense that overrides custom firewall rules? The traffic is being blocked correctly but continues to generate logs despite logging being disabled in the rules.

  Additional guidance would be appreciated!

• pfSense Packages

  Discussions about pfSense software packages

  • Cache/Proxy
  • IDS/IPS
  • Traffic Monitoring
  • pfBlockerNG
  • UPS Tools
  • ACME
  • FRR
  • Tailscale
  • WireGuard
  20k Topics

  127k Posts

  J

  @yobyot I think maybe it is node key expiring at 180 days?

  fwiw I have discovered that running in shell

  tailscale down tailscale up --force-reauth

  will give you a URL you can then paste in browser and it re authenticates and gets pfsense back online as the same machine and status shows this in pf tailscale UI. This is reauthing the node key.

  The node key shouldn't expire when you set it not to on the tailscale admin but I just caught is note on https://tailscale.com/kb/1028/key-expiry
  "A change to the Key Expiry value applies to any devices that are logged in after you make the change. The key expiration for any devices that are already logged in remains unchanged, until the next time the device is logged in."

  So maybe when we setup pf tailscale and the subsequently disable node key expiring it doesn't take effect until reauth which maybe doesnt happen until --force-reauth and doesn't become apparant until after 180 days?

  However, what I don't understand and undermines my theory somewhat is that after doing reauth, at first I noticed that restarting tailscale in pf UI caused me to be logged out again with error "You are logged out. The last login error was: invalid key: API key does not exist"

  I manually updated tailscale to 1.84.2 (see https://forum.netgate.com/topic/174525/how-to-update-to-the-latest-tailscale-version/155 but basically run pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.84.2.pkg) and then did tailscale down and up --force-reauth and this time it made me resign (I have tailnet lock on) after auth it. Now restarting the service in UI works.

  Not sure yet what is going on and what role the new tailscale pkg played. One thing I suspect that maybe also is a factor is the fact that /usr/local/pkg/tailscale/state/tailscaled.state is the state file with node key instead of the standard /var/db/tailscale/tailscaled.state could be a factor On pf tailscale, /usr/local/etc/rc.d/tailscaled uses /var/db/tailscale/tailscaled.state as state directory so maybe sometimes somehow tailscale is looking for state there and it doesn't exist.

  But this wouldn't really explain why everything is fine for a while initially (usually 90 to 180 days Im not exactly sure in my case). This may explain why it logs out on reboot if you if you use ram disk though.

• pfSense International Support

  Discuss pfSense in other languages

  • Chinese
  • Deutsch
  • Español
  • Français
  • Indonesian
  • Italiano
  • Russian
  • Nederlands
  • Norwegian
  • Portuguese
  • Polish
  • Romanian
  • Swedish
  • Turkish
  43k Topics

  267k Posts

  Q

  Moin.
  Ich habe hier ein sehr komisches Ding. Bin ich auch nur durch Zufall drauf gekommen.

  Problem Mehrmals in der Woche liegt der WLan Download-Speed bei 1,5Mbps, also extrem gering. Hinweise LAN geht alles DHCP funktioniert generell, also IPv4 wird sauber verteilt. pfSense ist neuste Version (Stable) pfSense ist alleiniger DHCP Server im LAN/WLan UniFi WLan System mit Controller auf Debian Basis Bis vor 8 Wochen gab es keine Probleme und es wurde 0,00% am UniFi und pfSense gestellt. Es wurde nur (soweit ich mich erinnern kann) ein Update von pfSense auf die neuste Version gemacht. Und dabei war auch irgendwas mit DHCP (Sorry, das ich das hier nun nicht genauer schreiben kann). Bisherige Lösung kea-dhcp4 -> Dienst neu starten -> sofort wieder alles Ok.

  Hier stehe ich echt auf dem Schlauch und denke: Häääh?!?!? Was das denn?

  Vielen Dank für Anregungen
  Lars

• Official Netgate® Hardware

  Information about hardware available from Netgate
  3k Topics

  20k Posts

  J

  @michmoor

  fwiw, It appears that Netgate only offers the 4200 with the 128Gb SSD, probably due to the eMMC issues.

• Netgate Announcements

  Information about hardware available from Netgate
  44 Topics

  211 Posts

  A

  It looks like unified web management could be coming soon. It would be great if it means easier control and management of all web services in one place. Let's see if any companies announce more details about it!

• Off-Topic & Non-Support Discussion

  Feel free to talk about anything and everything here

  • Forum Feedback
  • Community Job Board
  3k Topics

  19k Posts

  P

  From my perspective the issue is the scope for a users contingency planning on pfsense router failure (initially of unknown cause). Netgate's current device locked licensing and lack of an off line installer doubles the cost of ownership and significantly reduces pfsense functionality. It is the reason I have not purchased plus licences.

  My contingency planning is focussed on rapid restoration of service with minimum dependences, limited technical complexity, and a short time. Doing so involves the ability to swap out a failed physical system and replace it with another. First line using a box with pfsense pre-installed. Second line with my locally stored copy of pfsense installation media. The installation media has to work within my system without a functional router, for which an off line installer is most reliable. An online installer which uses that sites pfsense configuration may work but at best introduces higher risk in a contingency plan.

  To achieve this economically I run pfsense on third party hardware which also does other roles. I have multiple physical devices performing tasks of varying importance (set top box for each TV, router a several sites). As well as each device running
  running multiple virtual machines for other functions (PABX, Unifi controller, surveillance cameras etc). The overall effect is all hardware is utilised but relatively spare hardware can be rapidly commandeered if required.

  For this to work with pfsense plus I need to be able to install pfsense on multiple virtual machines and transfer a licence from a failed to a replacement device if required. Ideally by entering registration details in the replacement hardware (which would warns doing so inactivates the prior registration) or doing the same via a Netgate portal. Either of which implies such a transferable pfsense plus licensed device regularly checks licence validity with a Netgate server (making a transferable licence incompatible with a pfsense installation without online access to the Netgate licence server).

  I'm not sure how large the market is for off line Netgate routers. Such an installation would require a non trivial protocol to update pfsense software, which even on Netgate hardware would not be simple. With an off line installer including all patches was available, this could be taken into the secure environment and used to re-install / update pfsense. My understanding there has never been an off line installer with all patches (or packages) as such I suspect software update would require secure erasing the pfsense disk, physically moving the hardware out side of the secured environment, programming it with current pfsense software, returning it to the secure environment, import the sites pfsense configuration file. Not something done frequently and probably not a large market but I could be wrong.

  Similarly my use case is probably also a small market, however I suspect the market for economic contingency planning is much broader. As such many users are likely to benefit from the licence transferability and off line installation options which maybe possible it a monitored plus licence option was offered.