Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    M

    I have some servers hosted with OVH Cloud and their IP reputation must be poor as many of our client websites cannot be accessed.

    I have subscribed to a local residential proxy service and now when tested with CURL the sites can be accessed.

    I have multiple servers behind pfsense each running multiple apps that are failing to communicate.

    Is it possible to configure pfSense to push all HTTP/HTTPS traffic out via the proxy service? Better still, is it possible to only push certain domains to the proxy?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    JonathanLeeJ

    I just noticed that if you disable this in the GUI, the system tunable does not change to reflect that you disabled it.

    For Snort to work well, Hardware TCP Segmentation Offloading must be disabled. However, the GUI seems not to change the actual net.inet.tcp.tso to 0.

    You have to also manually change it under System Tunables.

    I don't know if anyone has spotted this issue.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidthd, ntopng, etc.

    570 Topics
    3k Posts
    K

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do a backup, or also with a cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    S

    @fireodo Somehow this one escaped me.
    Didn't notice it until I updated to CE 2.8.
    Anyway, much appreciated.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    98 Topics
    2k Posts
    J

    So far everything is stable without me changing anything else. Who knows why....

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    491 Topics
    3k Posts
    jimpJ

    Let's Encrypt is removing the TLS Client Authentication EKU from certificates they sign in the near future:

    https://letsencrypt.org/2025/05/14/ending-tls-client-authentication/

    This shouldn't affect many, if any, users of ACME on pfSense, as it isn't used as a client certificate, only as a server certificate in various contexts (e.g. GUI, Captive Portal, HAProxy).

    In the past we have discouraged using Let's Encrypt certificates in certain contexts (like for clients) since it wasn't typically a secure practice. For example, if you use a Let's Encrypt certificate for OpenVPN, it would trust any certificate signed by Let's Encrypt, which makes it useless as an authentication factor.

    So while this is something to be aware of and check, it's unlikely to be a problem for most people.
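
The check jimp suggests, as an added example in shell with OpenSSL (this is not code from the post, from the ACME package or from Let's Encrypt). It builds a throw-away CA with placeholder names, issues one leaf that still carries the TLS Web Client Authentication EKU and one that does not, and then shows two things: how to see whether a given certificate has that EKU and whether OpenSSL would accept it for the sslclient purpose at all, and why trusting a CA that anyone can obtain a certificate from is no authentication factor, because a second, unrelated leaf from the same CA verifies just as well (the OpenVPN point above). All names and paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the forum post, the pfSense ACME package or
# Let's Encrypt. Everything here (CA, hostnames, files) is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throw-away CA standing in for a public CA such as Let's Encrypt.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Throwaway CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# issue_leaf NAME EKU-LIST : sign a leaf for NAME.example.test with the given EKUs
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$2" >"$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# has_client_auth_eku CERT : exit 0 if the cert lists "TLS Web Client Authentication"
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# verifies_as_client CERT : exit 0 if OpenSSL would accept CERT as a client cert
# (chains to our CA and passes the sslclient purpose check, which needs clientAuth)
verifies_as_client() {
  openssl verify -purpose sslclient -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# Leaf as issued before the change: serverAuth + clientAuth.
issue_leaf vpn-old "serverAuth,clientAuth"
# Leaf as issued after the change: serverAuth only.
issue_leaf vpn-new "serverAuth"
# An unrelated leaf from the same CA, as anyone could obtain from a public CA.
issue_leaf stranger "serverAuth,clientAuth"

for c in vpn-old vpn-new stranger; do
  if has_client_auth_eku "$WORK/$c.pem"; then eku=yes; else eku=no; fi
  if verifies_as_client "$WORK/$c.pem"; then ok=accepted; else ok=rejected; fi
  printf '%-9s clientAuth EKU: %-3s  as client cert: %s\n' "$c" "$eku" "$ok"
done
```

Run against a real certificate, point has_client_auth_eku at the PEM the ACME package wrote; the purpose check is what a peer running OpenSSL applies when it receives the certificate as a client cert. The "stranger" line is the reason to treat a public CA as a server identity anchor only: the EKU decides whether a leaf can be presented as a client certificate, but it says nothing about who obtained it.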

  • Discussions about the FRR Dynamic Routing package on pfSense

    292 Topics
    1k Posts
    asacocoA

    I'm trying to get BGP working between Metal LB on my Kubernetes cluster and pfSense (2.7.2)/FRR (2.0.2_1).
    My aim is to use the 192.168.254.0/24 network for my Kubernetes load balancer, advertised by metallb via BGP to pfsense, so I can access those addresses from my LAN. The Kubernetes cluster has nodes in the 10.10.10.0/24 network on vlan 254 and my local 192.168.1.0/24 network is on VLAN 10.

    However I've clearly done something wrong because my traffic never reaches my ingress objects. In fact, traceroute to one of the ingress addresses just seems to exhaust the TTL. This was working under VyOS, so I suspect it's a pfsense configuration issue (combined with the fact I have no idea what I'm doing)

    Can anyone spot any obvious config issues with the below? I hope this rambling post makes some sense.


    pfSense FRR-BGP configuration

    frr defaults traditional
    hostname ahostname
    password redacted123
    ip nht resolve-via-default
    service integrated-vtysh-config
    !
    ip router-id 10.10.10.1
    !
    ip route 192.168.254.0/24 10.10.10.10
    ip route 192.168.254.0/24 10.10.10.11
    ip route 192.168.254.0/24 10.10.10.12
    ip route 192.168.254.0/24 10.10.10.13
    !
    router bgp 64512
     bgp router-id 10.10.10.1
     bgp graceful-shutdown
     no bgp network import-check
     no bgp ebgp-requires-policy
     neighbor metallb peer-group
     neighbor metallb remote-as 64511
     neighbor metallb update-source 10.10.10.1
     neighbor 10.10.10.10 peer-group metallb
     neighbor 10.10.10.10 remote-as 64511
     neighbor 10.10.10.10 description Kube Master
     neighbor 10.10.10.11 peer-group metallb
     neighbor 10.10.10.11 remote-as 64511
     neighbor 10.10.10.12 peer-group metallb
     neighbor 10.10.10.12 remote-as 64511
     neighbor 10.10.10.13 remote-as 64511
     !
     address-family ipv4 unicast
      network 192.168.254.0/24
      neighbor 10.10.10.10 activate
      neighbor 10.10.10.11 activate
      neighbor 10.10.10.12 activate
      neighbor 10.10.10.13 activate
      no neighbor metallb send-community
      no neighbor 10.10.10.10 send-community
      no neighbor 10.10.10.11 send-community
      no neighbor 10.10.10.12 send-community
      no neighbor 10.10.10.13 send-community
     exit-address-family
    !
    !
    line vty
    !

    Metal LB configuration

    ---
    apiVersion: metallb.io/v1beta2
    kind: BGPPeer
    metadata:
      name: metallb-bgp-peer
      namespace: metallb-system
    spec:
      myASN: 64511
      peerASN: 64512
      peerAddress: 10.10.10.1
      enableGracefulRestart: true
    ---
    apiVersion: metallb.io/v1beta1
    kind: IPAddressPool
    metadata:
      name: address-pool-bgp
      namespace: metallb-system
    spec:
      addresses:
      - 192.168.254.0/24
      autoAssign: true
    ---
    apiVersion: metallb.io/v1beta1
    kind: BGPAdvertisement
    metadata:
      name: metal-lb-bgp-adv
      namespace: metallb-system
    spec:
      ipAddressPools:
      - address-pool-bgp
      aggregationLength: 24
      localPref: 100

    an example ingress object and some diagnostic output:

    NAME    CLASS     HOSTS               ADDRESS         PORTS     AGE
    kuard   traefik   test.mydomain.com   192.168.254.1   80, 443   133d

    $ kubectl --namespace metallb-system get bgpadvertisements.metallb.io
    NAME               IPADDRESSPOOLS         IPADDRESSPOOL SELECTORS   PEERS
    metal-lb-bgp-adv   ["address-pool-bgp"]

    $ kubectl --namespace metallb-system get bgppeers.metallb.io
    NAME               ADDRESS      ASN     BFD PROFILE   MULTI HOPS
    metallb-bgp-peer   10.10.10.1   64512

    Traceroute output:

    $ traceroute 192.168.254.1
    traceroute to 192.168.254.1 (192.168.254.1), 30 hops max, 60 byte packets
     1  _gateway (192.168.1.1)  0.170 ms  0.092 ms  0.075 ms
     2  rpi-cm4-tp2-04.domain.com (10.10.10.13)  0.311 ms  0.357 ms  0.335 ms
     3  10.10.10.1 (10.10.10.1)  0.351 ms  0.461 ms  0.440 ms
     4  rpi-cm4-tp2-04.domain.com (10.10.10.13)  0.609 ms  0.658 ms  0.706 ms
     5  10.10.10.1 (10.10.10.1)  0.607 ms  0.650 ms  0.604 ms
     6  * * *
     7  10.10.10.1 (10.10.10.1)  0.770 ms  0.764 ms  0.717 ms
     8  * * *
     9  10.10.10.1 (10.10.10.1)  1.250 ms  1.245 ms  1.235 ms
    10  * * *
    11  10.10.10.1 (10.10.10.1)  1.574 ms  1.535 ms  1.565 ms
    12  * * *
    13  10.10.10.1 (10.10.10.1)  1.240 ms  1.250 ms  0.988 ms
    14  * * *
    15  10.10.10.1 (10.10.10.1)  0.994 ms  0.890 ms  0.929 ms
    16  * * *
    17  10.10.10.1 (10.10.10.1)  0.949 ms  0.794 ms  0.970 ms
    18  * * *
    19  10.10.10.1 (10.10.10.1)  1.061 ms  2.817 ms  2.779 ms
    20  * * *
    21  10.10.10.1 (10.10.10.1)  3.028 ms  3.001 ms  2.953 ms
    22  * * *
    23  10.10.10.1 (10.10.10.1)  2.363 ms  2.352 ms  2.514 ms
    24  * * *
    25  10.10.10.1 (10.10.10.1)  2.662 ms  2.645 ms  2.631 ms
    26  * * *
    27  10.10.10.1 (10.10.10.1)  2.689 ms  2.700 ms  2.668 ms
    28  * * *
    29  10.10.10.1 (10.10.10.1)  1.747 ms  1.381 ms  1.128 ms
    30  * * *

  • Discussions about the Tailscale package

    86 Topics
    554 Posts
    B

    So now that 2.8.0 CE is running FreeBSD 15, should we be grabbing the tailscale port from the FreeBSD:15 latest dir for installation?

  • Discussions about WireGuard

    682 Topics
    4k Posts
    M

    @tiiash

    So you set both MTU & MSS to 1420 in the interface configuration settings?

    Why did you make MSS the same?

  • System Patches Package v2.2.20_1 / v2.2.11_17

    Pinned
    12
    12 Votes
    12 Posts
    2k Views
    S

    There are new system patches available (2.2.21), maybe I miss the announcement here...
    https://github.com/pfsense/FreeBSD-ports/commit/8ffb307ed8845ebeeba2d00f258fd51256d0e756

    Yes I do...
    https://forum.netgate.com/post/1214795

  • DNS Broken for pkg.pfsense.org

    Pinned Locked
    3
    0 Votes
    3 Posts
    12k Views
    jimpJ

    https://forum.netgate.com/topic/115789/pkg-pfsense-org-appears-to-be-dead/2

  • Packages wishlist?

    Pinned
    661
    0 Votes
    661 Posts
    2m Views
    O

    PRTG

  • 0 Votes
    7 Posts
    877 Views
    fireodoF

    @jimp

    Hi,

    as far as I know the lcd driver (LCDd) is connected to the display via USB/Serial/Parallel but the lcdproc process is connected to the driver in this way:

    Bind=127.0.0.1 Port=13666

    Extract from pfctl -ss:

    lo0 tcp 127.0.0.1:20639 -> 127.0.0.1:13666 ESTABLISHED:ESTABLISHED
    lo0 tcp 127.0.0.1:13666 <- 127.0.0.1:20639 ESTABLISHED:ESTABLISHED

    So there could be a possibility to lose the connection when states get killed ... IMHO (If I'm wrong please correct)

    Regards,
    fireodo

  • Install OpenRTSP on pfSense

    4
    0 Votes
    4 Posts
    72 Views
    johnpozJ

    @heavymetalforever78 pfsense can for sure run on 1gb of ram - and other VMs could run on far less.. I have both a 2.8 vm and a 24.03 vm running on my nas, they only get 1GB each, etc.

    Don't try running some type 2 VM, run something like esxi or proxmox or something on the hardware..

    To be honest if your goal is a NVR - get an actual NVR.. They use very little power, and are not all that expensive. I see some on amazon for like 60 bucks.. You would have to add some HDD.. but how much can a 2 or 4TB disk cost these days?

    Trying to use your "firewall" as your everything box is never a good idea.

  • 0 Votes
    13 Posts
    460 Views
    dennypageD

    @louis2 Arpwatch has been a package for years. ANDwatch, which replaces Arpwatch, is new.

  • TFTP Server WAN Interface

    1
    0 Votes
    1 Posts
    34 Views
    No one has replied
  • LCDProc crashes - exceeds max allowed memory size

    1
    0 Votes
    1 Posts
    93 Views
    No one has replied
  • Zabbix 6.4.x required for pfsense 2.8.0-RELEASE

    1
    0 Votes
    1 Posts
    64 Views
    No one has replied
  • 1 Votes
    9 Posts
    2k Views
    F

    Confirmed still an issue as of May 2025 with pfSense CE 2.8.0 and FreeRADIUS package version 0.15.14

    I also updated the Redmine bugtracker: https://redmine.pfsense.org/issues/11054

    Can this security vulnerability please get some attention? Wi-Fi supplicants are able to join an 802.1x WPA2-Enterprise network without the username in the client certificate validated at all.

  • crowdsec

    2
    0 Votes
    2 Posts
    155 Views
    Bob.DigB

    @hescominsoon I don't think so, and there is no real need for it on a firewall. Run it on your server(s), if you think it is worth it.

  • How to update to the latest Telegraf version

    8
    0 Votes
    8 Posts
    973 Views
    R

    @rocket

    Updated May 23-2025

    pfsense 24.11 - Telegraf freebsd-15

    pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/telegraf-1.34.2.pkg

    pfsense 2.7.2 - Telegraf freebsd-14

    pkg add -f https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/telegraf-1.34.4.pkg

    https://www.freshports.org/net-mgmt/telegraf/#history

  • Zabbix proxy 7 don't start on pfsense 24.03

    1
    0 Votes
    1 Posts
    83 Views
    No one has replied
  • Package Notes does not exist???

    2
    0 Votes
    2 Posts
    171 Views
    GertjanG

    @DominikHoffmann

    24.03 ? A Beta version ?

  • Zabbix Agent 7

    3
    0 Votes
    3 Posts
    764 Views
    M

    @jwilli5646

    I see it is still the case (May 2025); any update about Zabbix agent 7?

  • Pfsense Package License

    4
    0 Votes
    4 Posts
    374 Views
    S

    @MarinSNB Not sure, but I would guess you're likely to run into a problem if the Plus router is a newer FreeBSD version. The config sync could be a problem too because there are versions of the config file.

    https://docs.netgate.com/pfsense/en/latest/releases/versions.html

  • Ignore MAC OUI in Arpwatch?

    1
    0 Votes
    1 Posts
    125 Views
    No one has replied
  • Arpwatch - sent wrong arp op 5

    6
    0 Votes
    6 Posts
    344 Views
    dennypageD

    Arpwatch has no way to suppress protocol errors such as this. ANDwatch, a pending package to replace the Arpwatch package, allows suppression by way of pcap filtering.

  • How do I restore my package conf files

    4
    0 Votes
    4 Posts
    348 Views
    bmeeksB

    @patient0 said in How do I restore my package conf files:

    ping pfsense-plus-pkg.netgate.com
    ping: cannot resolve pfsense-plus-pkg.netgate.com: Address family for hostname not supported
    Can you connect to the internet at all, like ping 1.1.1.1? From that message it does look as if DNS is not working on your system.

    You can't ping the package server like that directly. That hostname is actually a DNS text service record that ping does not know how to resolve. You must ask the DNS client to resolve the service record (SRV) using that hostname. The pkg utility knows how to do that, but ping does not.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.