<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[webGUI]]></title><description><![CDATA[Anything that does not fit in other categories related to the webGUI]]></description><link>https://forum.netgate.com/category/23</link><generator>RSS for Node</generator><lastBuildDate>Mon, 18 May 2026 03:12:40 GMT</lastBuildDate><atom:link href="https://forum.netgate.com/category/23.rss" rel="self" type="application/rss+xml"/><pubDate>Fri, 15 May 2026 05:12:02 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Cant access webGUI: Expired certificate!]]></title><description><![CDATA[@the-other said in Cant access webGUI: Expired certificate!:

or you could do it as said in the official documentary...
https://docs.netgate.com/pfsense/en/latest/troubleshooting/locked-out.html
look for https cert problems...

https://docs.netgate.com/pfsense/en/latest/troubleshooting/locked-out.html#https-certificate-problems
pfSsh.php playback generateguicert

should do the trick.
It regenerates a new (CA) certificate, assigns it to the GUI, and restarts the GUI.
@kenw said in Cant access webGUI: Expired certificate!:

CE 2.8

2.8 : I don't recall, but newer versions do warn you about a certificate that you use and that is about to expire. pfSense even sends notifications (mail or other) if you've set this up.
]]></description><link>https://forum.netgate.com/topic/200624/cant-access-webgui-expired-certificate</link><guid isPermaLink="true">https://forum.netgate.com/topic/200624/cant-access-webgui-expired-certificate</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Sun, 03 May 2026 18:39:17 GMT</pubDate></item><item><title><![CDATA[User Manager WebGUI limits group length to strict]]></title><description><![CDATA[@alf42
pfSense has a 'GUI'.
That's a complicated word for : it's a web server, which means the start of the answer to your question is here :
[image: 1776850973900-11ae3a2a-b7ea-49c3-8702-3349e40e8713-image.png]
Here is the file - line 197 and 199.
You might think : that's easy, change the two '16' to 'bigger than 16' and you're done. You have a good chance that this is true.
Still, you have to check things : where and how is it saved - what will break elsewhere as the size is implicit or not; known to be '16 chars max'?
The final result will be present, of course, in the config.xml file, so start checking that the new name length really is saved. Check also how it is saved : is something else enforcing the '16' char size for 'some, yet to be determined reason'.
Check also other, related files, you know now where they are, as the name of the group is used on other web pages = php (and other) files. 16 chars wide can be enforced there also.
In short : yes, you can change it, but beware of the side effects, known, or unknown for the moment.
Also, when upgrading, the "system_groupmanager.php" will get overwritten with the new official version.
So, instead of editing this file, create your own "patch file" and add it in System &gt; Patches.
edit :
[image: 1776851821127-8161dcaa-18b1-4f2c-b647-ca8d237178cc-image.png]
all goes well ?
]]></description><link>https://forum.netgate.com/topic/200571/user-manager-webgui-limits-group-length-to-strict</link><guid isPermaLink="true">https://forum.netgate.com/topic/200571/user-manager-webgui-limits-group-length-to-strict</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Wed, 22 Apr 2026 09:01:16 GMT</pubDate></item><item><title><![CDATA[26.03 Diagnostics,  Arp Table, WOL button links. colons replaced by percent 3A, not accepted by WOL page]]></title><description><![CDATA[@jimp I just tested this - and yup seems to clear it up.. WOL button now works from Arp Table in 26.03
]]></description><link>https://forum.netgate.com/topic/200567/26.03-diagnostics-arp-table-wol-button-links.-colons-replaced-by-percent-3a-not-accepted-by-wol-page</link><guid isPermaLink="true">https://forum.netgate.com/topic/200567/26.03-diagnostics-arp-table-wol-button-links.-colons-replaced-by-percent-3a-not-accepted-by-wol-page</guid><dc:creator><![CDATA[johnpoz]]></dc:creator><pubDate>Tue, 21 Apr 2026 10:05:25 GMT</pubDate></item><item><title><![CDATA[GUI not accessible after 26.03 update]]></title><description><![CDATA[@jimp said in GUI not accessible after 26.03 update:

local self-signed CA and a GUI certificate signed by that CA

I had the local CA and gui cert signed.
]]></description><link>https://forum.netgate.com/topic/200561/gui-not-accessible-after-26.03-update</link><guid isPermaLink="true">https://forum.netgate.com/topic/200561/gui-not-accessible-after-26.03-update</guid><dc:creator><![CDATA[phibster]]></dc:creator><pubDate>Mon, 20 Apr 2026 06:51:04 GMT</pubDate></item><item><title><![CDATA[Diagnostics States Reset  States]]></title><description><![CDATA[<p dir="auto">Hello, when deleting a state manually, I confirmed not to ask anymore; now the connection is not deleted at all. Does anyone know how to bring back the confirmation window for deletion? A reboot did not help.</p>
]]></description><link>https://forum.netgate.com/topic/200560/diagnostics-states-reset-states</link><guid isPermaLink="true">https://forum.netgate.com/topic/200560/diagnostics-states-reset-states</guid><dc:creator><![CDATA[kamazik971]]></dc:creator><pubDate>Mon, 20 Apr 2026 06:09:37 GMT</pubDate></item><item><title><![CDATA[webgui doesn&#x27;t start anymore after applying systempatches on 26.03]]></title><description><![CDATA[@stegbth the pfB virtual IP for DNSBL is usually attached only to localhost and listening on that VIP.
Note in 25.11 and now 26.03 the VIP needs to be manually added to localhost and set in pfB DNSBL settings. May be related.
Edit: that may be if uninstalled before the update, IIRC if it’s left installed it will keep it?
]]></description><link>https://forum.netgate.com/topic/200472/webgui-doesn-t-start-anymore-after-applying-systempatches-on-26.03</link><guid isPermaLink="true">https://forum.netgate.com/topic/200472/webgui-doesn-t-start-anymore-after-applying-systempatches-on-26.03</guid><dc:creator><![CDATA[SteveITS]]></dc:creator><pubDate>Sun, 05 Apr 2026 07:59:45 GMT</pubDate></item><item><title><![CDATA[how to fix CVE-2025-1647]]></title><description><![CDATA[~~CVE-2025-1647 is an XSS vulnerability in Bootstrap 3.x's data-template attribute in Tooltip and Popover components. The severity in pfSense's specific context is worth understanding before deciding how to respond.
The risk in pfSense is significantly lower than the CVE score suggests for a few reasons:

The pfSense WebGUI uses Bootstrap tooltips and popovers, but the data-template values are set by Netgate's own PHP code, not by user-supplied input in most cases
If your WebGUI is only accessible from trusted internal networks (as it should be), the attack surface is limited to already-authenticated administrators

That said, for a vulnerability assessment the finding is legitimate since Bootstrap 3.4.1 is documented as EOL and carrying this CVE.
What you can actually do:


Upgrade to pfSense Plus 26.03 if you're on CE 2.8.1 and eligible. Netgate has been updating frontend dependencies in the Plus track. Check the release notes to see if Bootstrap was updated.


For pfSense CE: there is no supported path to manually upgrade Bootstrap without breaking the webGUI, since the templates are tightly coupled to Bootstrap 3's API. Manually replacing bootstrap.min.js with a 5.x version will break the UI.


Mitigation for your assessment: document that WebGUI access is restricted to trusted management networks/VLANs only. This is the standard accepted mitigation for bootstrap-in-admin-UI findings. Most security auditors accept this with a network diagram showing access controls.


The "Patches" package chpalmer mentioned can apply unofficial fixes, but there is no community-maintained patch specifically for CVE-2025-1647 at the moment.


If you're stuck on CE 2.8.1 with a hard requirement to remediate, the only fully clean path is migrating to pfSense Plus where Netgate controls the update cadence.
~~
]]></description><link>https://forum.netgate.com/topic/200464/how-to-fix-cve-2025-1647</link><guid isPermaLink="true">https://forum.netgate.com/topic/200464/how-to-fix-cve-2025-1647</guid><dc:creator><![CDATA[RianKellyIT]]></dc:creator><pubDate>Fri, 03 Apr 2026 05:15:41 GMT</pubDate></item><item><title><![CDATA[Suricata Alerts Dashboard - crash report]]></title><description><![CDATA[<p dir="auto">Hi,<br />
The Suricata Alerts Dashboard frequently crashes, generating the log below.<br />
Is this just happening to me, or are others having the same problem?</p>
<pre><code>Crash report begins.  Anonymous machine information:

amd64
16.0-CURRENT
FreeBSD 16.0-CURRENT #7 plus-RELENG_25_11_1-n256519-3d5e07ee0abe: Mon Jan 19 17:34:47 UTC 2026     root@pfsense-build-release-amd64-1.eng.atx.netgate.com:/var/jenkins/workspace/pfSense-Plus-snapshots-25_11_1-main/obj/amd64/8uazGBdh/var/jenkins/workspace/p

Crash report details:

PHP Errors:
[26-Mar-2026 17:29:22 America/New_York] PHP Fatal error:  Uncaught ValueError: date_create_from_format(): Argument #2 ($datetime) must not contain any null bytes in /usr/local/www/widgets/widgets/suricata_alerts.widget.php:188
Stack trace:
#0 /usr/local/www/widgets/widgets/suricata_alerts.widget.php(188): date_create_from_format()
#1 /usr/local/www/widgets/widgets/suricata_alerts.widget.php(78): suricata_widget_get_alerts()
#2 {main}
  thrown in /usr/local/www/widgets/widgets/suricata_alerts.widget.php on line 188
[26-Mar-2026 21:32:12 America/New_York] PHP Fatal error:  Uncaught ValueError: date_create_from_format(): Argument #2 ($datetime) must not contain any null bytes in /usr/local/www/widgets/widgets/suricata_alerts.widget.php:188
Stack trace:
#0 /usr/local/www/widgets/widgets/suricata_alerts.widget.php(188): date_create_from_format()
#1 /usr/local/www/widgets/widgets/suricata_alerts.widget.php(78): suricata_widget_get_alerts()
#2 {main}
  thrown in /usr/local/www/widgets/widgets/suricata_alerts.widget.php on line 188

No FreeBSD crash data found.
</code></pre>
]]></description><link>https://forum.netgate.com/topic/200418/suricata-alerts-dashboard-crash-report</link><guid isPermaLink="true">https://forum.netgate.com/topic/200418/suricata-alerts-dashboard-crash-report</guid><dc:creator><![CDATA[Amos-Burton]]></dc:creator><pubDate>Fri, 27 Mar 2026 01:54:13 GMT</pubDate></item><item><title><![CDATA[Questionable Error Messages in General Log]]></title><description><![CDATA[@leroyx
Thanks for the feedback.
I think this "Norton" process scans local network resources once in a while and it checks if known 'bad URLs' get a web server answer = a web page. In that case you'll see a "Norton local network security issue message" on your PC.
That's why you saw these web requests on your pfSense web server log.
Remember this one :
said in Questionable Error Messages in General Log:

Anyway : it's not hard to find out what is happening = what or who is sending these https requests to your pfSense. File names like "index.asp" and "get.cgi" are too generic, but you might have a chance with "loginMsg.js" : locate this text string in every file on your system, and you will find what file it is. Find this file on your PC, and you can see who made the request.

which means that in one of the Norton executables or Norton DLLs you would have found the text "loginMsg.js" so you would have known it was Norton sending these URLs.
This :
@leroyx said in Questionable Error Messages in General Log:

I started TcpLogView on the Computer

was a good idea 
Btw : Normally, when you start to use a PC, you have to go through the rather tedious process called : "remove bloatware".
Most PC users don't need Antivirus stuff anymore.
And the ones who do, even something like "Norton" can't protect them.
so ... remove it all, and keep the CPU for yourself.
]]></description><link>https://forum.netgate.com/topic/200400/questionable-error-messages-in-general-log</link><guid isPermaLink="true">https://forum.netgate.com/topic/200400/questionable-error-messages-in-general-log</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Sun, 22 Mar 2026 18:54:56 GMT</pubDate></item><item><title><![CDATA[NET-ERR-CERT- deadly handshake]]></title><description><![CDATA[Can access to debug cert using Chrome and 'thisisunsafe' at error page (previously nogo because my web search showed spaces, which fails). -No need at all to reinstall pfSense!
]]></description><link>https://forum.netgate.com/topic/200397/net-err-cert-deadly-handshake</link><guid isPermaLink="true">https://forum.netgate.com/topic/200397/net-err-cert-deadly-handshake</guid><dc:creator><![CDATA[Tiny 0]]></dc:creator><pubDate>Sun, 22 Mar 2026 07:02:19 GMT</pubDate></item><item><title><![CDATA[Dashboard Widget Error]]></title><description><![CDATA[@Gertjan Thank you. I removed the file, and it loads. I copied the file from a working router (same version) and got the same error. But for now, I can use the dashboard. I will look deeper into why even a new file causes the issue.
]]></description><link>https://forum.netgate.com/topic/200382/dashboard-widget-error</link><guid isPermaLink="true">https://forum.netgate.com/topic/200382/dashboard-widget-error</guid><dc:creator><![CDATA[beloc]]></dc:creator><pubDate>Wed, 18 Mar 2026 13:48:04 GMT</pubDate></item><item><title><![CDATA[New Widget Proposal - ISP Quota &#x2F; Failover]]></title><description><![CDATA[@djgans said in New Widget Proposal - ISP Quota / Failover:

As before you are welcome to make whatever changes you want since I've provided the widget code "as-is". If you wish to post your own contributions, again you're welcome to and I even encourage it.

Okay. I'll add it to my list and have a go when I can. 
]]></description><link>https://forum.netgate.com/topic/200363/new-widget-proposal-isp-quota-failover</link><guid isPermaLink="true">https://forum.netgate.com/topic/200363/new-widget-proposal-isp-quota-failover</guid><dc:creator><![CDATA[dennypage]]></dc:creator><pubDate>Sun, 15 Mar 2026 14:33:49 GMT</pubDate></item><item><title><![CDATA[What to expect with a 2100 Max?]]></title><description><![CDATA[@SteveITS Thank you!
]]></description><link>https://forum.netgate.com/topic/200163/what-to-expect-with-a-2100-max</link><guid isPermaLink="true">https://forum.netgate.com/topic/200163/what-to-expect-with-a-2100-max</guid><dc:creator><![CDATA[fabnavigator]]></dc:creator><pubDate>Sun, 15 Feb 2026 13:13:37 GMT</pubDate></item><item><title><![CDATA[The following CA&#x2F;Certificate entries are expiring: Certificate: GUI default ...]]></title><description><![CDATA[@johnpoz with that music going haha
]]></description><link>https://forum.netgate.com/topic/200061/the-following-ca-certificate-entries-are-expiring-certificate-gui-default-...</link><guid isPermaLink="true">https://forum.netgate.com/topic/200061/the-following-ca-certificate-entries-are-expiring-certificate-gui-default-...</guid><dc:creator><![CDATA[JonathanLee]]></dc:creator><pubDate>Mon, 02 Feb 2026 05:38:53 GMT</pubDate></item><item><title><![CDATA[Can&#x27;t log in]]></title><description><![CDATA[@timbaeten on Plus it’s almost always old Boot Environments:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/filesystem-shrink.html
]]></description><link>https://forum.netgate.com/topic/199801/can-t-log-in</link><guid isPermaLink="true">https://forum.netgate.com/topic/199801/can-t-log-in</guid><dc:creator><![CDATA[SteveITS]]></dc:creator><pubDate>Mon, 12 Jan 2026 19:09:19 GMT</pubDate></item><item><title><![CDATA[PHP Error but Pfsense is working fine]]></title><description><![CDATA[<p dir="auto">Updated Pfsense 2.7.2 to 2.8.0 without deinstalling Pfblocker (that was my mistake). After reboot I got several errors and issues. So I saved my config, set up 2.8.1 clean, imported my pfsense config and installed pfblocker-devel again. I configured it manually with screenshots, so I didn't use its backup.</p>
<p dir="auto">The system is running totally fine. All services are up, no issues are shown. I checked in shell.</p>
<p dir="auto">Only when I use "pfSsh.php playback svc status" in shell, I get the error:</p>
<pre><code>&lt;pre style="white-space: pre-wrap;"&gt;PHP ERROR: Type: 1, File: /etc/inc/util.inc, Line: 142, Message: Uncaught TypeError: is_process_running(): Argument #1 ($name) must be of type string, null given, called in /etc/inc/service-utils.inc on line 290 and defined in /etc/inc/util.inc:142
Stack trace:
#0 /etc/inc/service-utils.inc(290): is_process_running()
#1 /etc/inc/service-utils.inc(607): is_service_running()
#2 /usr/local/sbin/pfSsh.php(374) : eval()&amp;#039;d code(119): get_service_status()
#3 /usr/local/sbin/pfSsh.php(374): eval()
#4 /usr/local/sbin/pfSsh.php(379): playback_text()
#5 /usr/local/sbin/pfSsh.php(233): playback_file()
#6 {main}
</code></pre>
<p dir="auto">For me this is only a "cosmetics" issue cuz pfsense is using PHP only for the GUI. Seems like it has zero impact on pfsense. But I want to try to fix it anyway or at least to find out what's the problem exactly.</p>
<p dir="auto">Maybe someone has a plan how to do it?</p>
]]></description><link>https://forum.netgate.com/topic/199765/php-error-but-pfsense-is-working-fine</link><guid isPermaLink="true">https://forum.netgate.com/topic/199765/php-error-but-pfsense-is-working-fine</guid><dc:creator><![CDATA[Forenlurch71]]></dc:creator><pubDate>Wed, 07 Jan 2026 22:33:49 GMT</pubDate></item><item><title><![CDATA[haproxy pre-3.1-bug]]></title><description><![CDATA[<p dir="auto">I'm getting the following error on my haproxy 25.11 pfsense plus setup. I'm using haproxy with authelia, that's why I need to load lua files for the config.</p>
<p dir="auto"><img src="/assets/uploads/files/1767726486157-screenshot-2026-01-06-at-19.23.45-resized.png" alt="Screenshot 2026-01-06 at 19.23.45.png" class=" img-fluid img-markdown" /><br />
When I try to put "tune.lua.bool-sample-conversion normal" in the global advanced pass thru, it comes behind the lua load section, and this tunable needs to be in front of it. Trying to manually edit the haproxy config file, it's not kept after reboot. It seems that I need to have an option in the tunables section to add this tunable "tune.lua.bool-sample-conversion normal"</p>
<p dir="auto"><img src="/assets/uploads/files/1767726486352-screenshot-2026-01-06-at-20.01.55-resized.png" alt="Screenshot 2026-01-06 at 20.01.55.png" class=" img-fluid img-markdown" /></p>
<p dir="auto"><img src="/assets/uploads/files/1767726486512-screenshot-2026-01-06-at-20.02.15.png" alt="Screenshot 2026-01-06 at 20.02.15.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://forum.netgate.com/topic/199754/haproxy-pre-3.1-bug</link><guid isPermaLink="true">https://forum.netgate.com/topic/199754/haproxy-pre-3.1-bug</guid><dc:creator><![CDATA[Nan0tEch]]></dc:creator><pubDate>Tue, 06 Jan 2026 19:20:22 GMT</pubDate></item><item><title><![CDATA[I can&#x27;t open the GUI]]></title><description><![CDATA[@Alamoodi
Also : now that you have your system back up, and ssh works, and the console works, and you know how to use the IPMI (wow, didn't even know the 8300 had that access : just great !), go to the /var/log/ folder and save all the log files.
It's very possible that you find in the system.log (or older, rotated versions of that file) what the reason was things went wrong in the first place.
Get, for example WinSCP, you can use the SSH credentials and SSH port 22, to access the pfSense file system like Windows explorer.
If you can't find anything, start by adding a UPS.
]]></description><link>https://forum.netgate.com/topic/199500/i-can-t-open-the-gui</link><guid isPermaLink="true">https://forum.netgate.com/topic/199500/i-can-t-open-the-gui</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Sat, 06 Dec 2025 06:09:50 GMT</pubDate></item><item><title><![CDATA[Slow loading of the dashboard]]></title><description><![CDATA[This one : Call for Testing: pfSense Plus 26.03 RC Now Available! says :

WebGUI Optimizations - The WebGUI code has been optimized. Users may experience a dramatic increase in GUI performance.

For me, on a 4100 MAX, the dashboard access time has been cut in half.
]]></description><link>https://forum.netgate.com/topic/199483/slow-loading-of-the-dashboard</link><guid isPermaLink="true">https://forum.netgate.com/topic/199483/slow-loading-of-the-dashboard</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Wed, 03 Dec 2025 14:53:24 GMT</pubDate></item><item><title><![CDATA[Suricata on pfSense: Custom HOME_NET via Pass List not matching traffic]]></title><description><![CDATA[<p dir="auto">Re: <a href="/topic/136729/suricata-cannot-change-home-net-list">Suricata cannot change HOME NET list?</a></p>
<p dir="auto">I am trying to customize HOME_NET for Suricata on pfSense CE and something seems inconsistent between the GUI and the actual rule evaluation.</p>
<p dir="auto">What I did (following the recommended procedure from this thread):</p>
<p dir="auto">Created an alias SURICATA_HOME_NET containing:</p>
<pre><code>10.0.10.0/24

10.0.20.0/24

10.0.30.0/24

10.0.40.0/24

192.168.200.200/32 (WAN IP of the firewall)
</code></pre>
<p dir="auto">Created a Pass List, added that alias at the bottom, saved it.</p>
<p dir="auto">In Suricata → Interface Settings (WAN), in “Networks Suricata Should Inspect and Protect”, I selected this Pass List as HOME_NET, saved and restarted Suricata.</p>
<p dir="auto">In the WAN interface I can see via “View HOME_NET” that 192.168.200.200/32 is indeed listed as part of HOME_NET, and EXTERNAL_NET looks correct as !HOME_NET.</p>
<p dir="auto">I added the following two custom rules to custom.rules on the WAN interface:</p>
<pre><code>alert tcp any any -&gt; $HOME_NET 1:1024 (msg:"LAB T1046 SYN to HOME_NET"; flags:S; sid:4000001; rev:4;)
alert tcp any any -&gt; 192.168.200.200 1:1024 (msg:"LAB T1046 SYN to WAN"; flags:S; sid:3999999; rev:3;)
</code></pre>
<p dir="auto">After Save + Apply + restart of Suricata on WAN, I run:</p>
<pre><code>nmap -sS -Pn -p1-1024 192.168.200.200
</code></pre>
<p dir="auto">Result:</p>
<ul>
<li>The rule with the literal IP (sid:3999999) triggers alerts as expected.</li>
<li>The rule using $HOME_NET (sid:4000001) never fires, even though 192.168.200.200/32 is clearly shown in the HOME_NET list in the GUI.</li>
</ul>
<p dir="auto">At the same time, a very simple test rule:</p>
<pre><code>alert icmp any any -&gt; any any (msg:"LAB TEST ICMP ANY"; sid:4999999; rev:1;)
</code></pre>
<p dir="auto">does fire normally on the same interface, so custom.rules is loaded and working.</p>
<p dir="auto">So the situation is:</p>
<ul>
<li>custom rules are loaded and working,</li>
<li>HOME_NET/EXTERNAL_NET Pass List is configured and visible in “View HOME_NET”,</li>
<li>traffic definitely hits the WAN interface (the static-IP rule sees it),</li>
<li>but rules using $HOME_NET as destination do not match that same traffic.</li>
</ul>
<p dir="auto">Is this a known issue or am I misunderstanding how HOME_NET from a Pass List is applied internally? Any hints how to debug why $HOME_NET does not seem to include 192.168.200.200/32 at rule evaluation time, even though the GUI says it does?</p>
]]></description><link>https://forum.netgate.com/topic/199354/suricata-on-pfsense-custom-home_net-via-pass-list-not-matching-traffic</link><guid isPermaLink="true">https://forum.netgate.com/topic/199354/suricata-on-pfsense-custom-home_net-via-pass-list-not-matching-traffic</guid><dc:creator><![CDATA[radian]]></dc:creator><pubDate>Tue, 18 Nov 2025 22:42:41 GMT</pubDate></item><item><title><![CDATA[Certificate DN elements show in incorrect order in webGUI]]></title><description><![CDATA[<p dir="auto">I'm sorry if that's duplicate, I couldn't find a way to search only in a specific group.</p>
<p dir="auto">I'd like to know if there is a reason for the behavior below or if I could present a fix for that:</p>
<p dir="auto">When presenting the list of CAs or the list of certificates, the main column is "Distinct Name", that is obtained from an array in the decoded certificate by function cert_get_subject in /etc/inc/certs.inc. For some reason, the elements of DN are sorted alphabetically by key, that means, the country (C) is always first, state (ST) usually the last with other elements in between. That order makes no sense at all, so I see no help at all in two commands there. Although a distinct name is understood by many applications, no matter the order of the elements, there are some where that matters a lot. IPsec, for example, will not allow connection if the ID used is a DN in an order different from the actual certificate. So, copying the DN from the Certificates GUI and pasting in IPsec phase 1 settings will give you a headache with no purpose.</p>
<p dir="auto">More, as said, the new alphabetic order means nothing but nonsense. To make it worse, when creating the string, the function joins the elements backwards (starting with ST, ending with C). The actual order in the certificates created by pfSense webGUI makes much more sense (starts with CN - more specific, ends with C - less specific). In my point of view, the reordering helps nothing and is less helpful also, as we can't use it in other applications (we actually must open the certificate's details and copy the DN record that is exactly the name above, but, this time, in the correct order).</p>
<p dir="auto">If that's an issue, the correction is very easy, deleting two lines (the sorting) and adjusting other two (the one that is assembling the elements in the reverse order).</p>
]]></description><link>https://forum.netgate.com/topic/199258/certificate-dn-elements-show-in-incorrect-order-in-webgui</link><guid isPermaLink="true">https://forum.netgate.com/topic/199258/certificate-dn-elements-show-in-incorrect-order-in-webgui</guid><dc:creator><![CDATA[helviojr]]></dc:creator><pubDate>Fri, 07 Nov 2025 12:46:14 GMT</pubDate></item><item><title><![CDATA[WebGUI inaccessible locally, through TS and multiple browsers.]]></title><description><![CDATA[@Gertjan said in WebGUI inaccessible locally, through TS and multiple browsers.:

@almostmagic said in WebGUI inaccessible locally, through TS and multiple browsers.:

Anyone else experience this?

yep. known (sort-of). Throw "csrf-magic.ph" into :
[image: 1763157990105-0ea57f40-d002-4f74-ae86-c5edac43c360-image.png]
and hit enter.
3 occurrences.
Read ... and you'll know what not to use (use the GUI command line) : use the real one : SSH, or even better : the console access.

Thanks. I increased memory beyond what support had suggested earlier, and so far no more errors.
]]></description><link>https://forum.netgate.com/topic/199222/webgui-inaccessible-locally-through-ts-and-multiple-browsers.</link><guid isPermaLink="true">https://forum.netgate.com/topic/199222/webgui-inaccessible-locally-through-ts-and-multiple-browsers.</guid><dc:creator><![CDATA[almostmagic]]></dc:creator><pubDate>Tue, 04 Nov 2025 15:11:36 GMT</pubDate></item><item><title><![CDATA[Make the web GUI only listen on LAN interface?]]></title><description><![CDATA[@truist
Here's the gun and a bullet :
Add the LAN IP right here :
[image: 1762242565881-a088330f-5214-4f43-b272-a5fd3bc724a0-image.png]
Btw : the ssl (port 443 normally) nginx will be 'locked' to the LAN IPv4 - as you can see, it still listens on all IPv6 interfaces.
Further down you'll find the place where you can do the same thing for the http (non-ssl) access.
I didn't test this.
The file is : /etc/inc/system.inc
Happy hunting 
]]></description><link>https://forum.netgate.com/topic/199168/make-the-web-gui-only-listen-on-lan-interface</link><guid isPermaLink="true">https://forum.netgate.com/topic/199168/make-the-web-gui-only-listen-on-lan-interface</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Thu, 30 Oct 2025 18:53:26 GMT</pubDate></item><item><title><![CDATA[Can&#x27;t see Alias Details from Netgate4200]]></title><description><![CDATA[@eeebbune said in Can't see Alias Details from Netgate4200:

If I go downgrade, would it be possibly resolve my issue?

I'm afraid it won't fix it, I assume.
]]></description><link>https://forum.netgate.com/topic/199052/can-t-see-alias-details-from-netgate4200</link><guid isPermaLink="true">https://forum.netgate.com/topic/199052/can-t-see-alias-details-from-netgate4200</guid><dc:creator><![CDATA[patient0]]></dc:creator><pubDate>Thu, 16 Oct 2025 21:59:56 GMT</pubDate></item></channel></rss>