Subcategories

  • Discussions about development snapshots for pfSense Plus 25.03

    48 Topics
    740 Posts

    @stephenw10

    igc1 - LAN Default setting didn't work for me perfectly, still going bufferbloat.
    3. https://isc.sans.edu/diary/Securing+and+Optimizing+Networks+Using+pfSense+Traffic+Shaper+Limiters+to+Combat+Bufferbloat/27102/
    Yes Limiters applied for outbound WAN traffic
  • PR review? Automatic Split-DNS

    1
    1 Votes
    1 Posts
    202 Views
    No one has replied
  • Remove duplicate suppression for smtp?

    1
    0 Votes
    1 Posts
    211 Views
    No one has replied
  • Send email on GUI or VPN login script

    1
    0 Votes
    1 Posts
    218 Views
    No one has replied
  • Ubiquiti integration package?

    13
    1 Votes
    13 Posts
    1k Views
    JeGr

    @cloudless-smart-home said in Ubiquiti integration package?:

    I do the same. any advice on reining them in? things are working fine, I guess, but always trying to learn how to improve / secure my home lab setup.

    In paranoid setups, we've set up the management network for Unifi stuff separate from the default VLAN and actually use that (default VLAN) as a "sort of jail" where devices won't get an IP and are just isolated. So Mgmt runs with all other networks on different VLANs. Initially that's a bit harder to set up so you'll not lose connection between the controller and at least one switch, but it works :)
    After that it's really your choice. If you trust the updates and stuff you could leave outgoing HTTP/S open so switches, APs etc. can get their firmware themselves. Others like it better if only the controller itself has web access, no one else. You'd need to deploy the firmware via the controller then, by caching it there first and then rolling the upgrade; the controller should send it to the device. Or go full defense and revoke internet access from management altogether and only open it for patch days. That choice is yours :)

    Otherwise reining them in also means checking for things like RSTP etc. going wild etc. ;)

    Cheers

  • Development Updates Options missing

    3
    0 Votes
    3 Posts
    968 Views

    @jonathanlee I don't see it, but I suspect 23.05 is not available to test yet. It's not on other hardware, either.

  • IPSec connect through CLI?

    3
    0 Votes
    3 Posts
    412 Views

    @jimp Thank you! That worked!

  • 0 Votes
    5 Posts
    1k Views
    lohphat

    @steveits Perfect. Thanks!

  • Where is Subnetting Implemented?

    6
    0 Votes
    6 Posts
    767 Views
    jimp

    It's all typical subnet math, nothing special about it. The code for checking that is in util.inc, like check_subnets_overlap() but you might also look at things like gen_subnet() and get_subnet_mask() and the v4/v6 specific ones.

    The question is very vague, though. We need more context about what you're attempting to do that the current checks aren't allowing, to know if it's valid.

    While nothing stops something from using the network/broadcast addresses of a subnet (e.g. if it's routed to the firewall, all can be used for NAT so long as they aren't defined on an interface), you still can't force things to work that are not valid at a subnet level when used directly on an interface.

    When using larger subnets, there is indeed nothing special about those addresses either. Such as when using a /23, it's valid to have clients use the .254 and .0 addresses in the middle of the /23.

  • made a widget to change the web configurator theme

    1
    0 Votes
    1 Posts
    413 Views
    No one has replied
  • php shell commands not working - openvpn id needed

    3
    0 Votes
    3 Posts
    776 Views
    Cloudless Smart Home

    @heper nice!

  • re-building iso

    2
    0 Votes
    2 Posts
    816 Views

    Or can I just rebuild a kernel outside and replace the kernel on a running pfSense? I would like to disable ALTQ.

  • gui/settings change idea for ease of use

    3
    0 Votes
    3 Posts
    996 Views
    jimp

    That's something we want to standardize eventually but it's a much bigger task than anyone realizes, and very easy to introduce new bugs in the process. Easy to think/suggest, but much more complicated to implement.

    Overall we'd like to eliminate confusing/negative actions in options and move to a standard type of toggle control that makes it more obvious when things are on/off rather than checkboxes, too.

    But for now we've at least been trying to do the right thing for new functions that get added when it's feasible.

  • expect script not working as expected

    Moved
    7
    0 Votes
    7 Posts
    1k Views

    @mephmanx
    Can you edit and re-import the config?

    If so, there is an <ssh> section within <system>.
    You can add a port line there:

    <port></port>
  • Support for Edwards Curves

    5
    1 Votes
    5 Posts
    1k Views
    johnpoz

    @aligator638 yeah see my edit, maybe I needed more coffee ;) Not sure what I was thinking - sorry about that.

    I did some research this morning - and it seems there is a way to use it, but not with the official versions as of yet. I saw talk of compiling your own version and/or manually doing some settings.

    While that might be possible in pfSense, until it's a standard feature in the released versions you most likely will not see it available in the pfSense OpenVPN settings.

  • One big ruleset

    2
    0 Votes
    2 Posts
    768 Views
    stephenw10

    So you would like to see a single page firewall view because that would enable drag-and-dropping a selection of rules between interfaces?

    Steve

  • pfSense GUI damn(!) slow due to ^Firewall Logs^ widget

    53
    0 Votes
    53 Posts
    10k Views

    Hello,

    I think I have solved all issues. The version I will upload in a moment to the bug-tracker site does have the same functionality as the original Netgate version.

    However, on my system and setup, it is nearly 20 times faster and does process a maximum of 250 lines from the firewall log as opposed to only 50 in the original version (which is relevant if you e.g. would like to select alarms from one specific interface).

    I also shortened the timestamp printout, since I did not like it and assume hardly anyone is interested in seeing the microseconds.

    If you want to use or test it, you can download it from
    https://redmine.pfsense.org/issues/12673

  • Questions about DHCPd: new service on the agenda? DHCP pool restrictions?

    3
    1 Votes
    3 Posts
    777 Views
    JeGr

    @jimp said in Questions about DHCPd: new service on the agenda? DHCP pool restrictions?:

    Yes, it's EOL. We'll be working on moving to Kea but not for this release. We've been using Kea with much success on TNSR, so we are hopeful that is the best path forward. That said, we still need to look into how it does things like failover pools.

    Oh, really exciting to read. I almost assumed it's an OpenBSD-like situation where FreeBSD runs its own fork and will do so further down the road, but I see that I now have to read on and check out Kea myself :)

    @jimp said in Questions about DHCPd: new service on the agenda? DHCP pool restrictions?:

    I'm not sure how Kea handles that second part but if they are actually reservations there then we can obviously lift that restriction after moving to Kea.

    Oh, then I'm sorry and "my bad" for assuming they actually were reservations. I just followed a similar discussion where ISC dhcpd was concerned, and either there was some misconception or they weren't aware that preferences weren't really reservations.

    But thanks for the update; that gives additional input if that question pops up in the future again. I have to read the Kea docs to see if that is actually supported there (just for informational purposes).

    Thanks again,
    Jens

  • How to use GUI screen controls / (Colors / Graphics Mode)

    7
    0 Votes
    7 Posts
    1k Views

    @jimp

    One other reaction to add. I do not know which security measures / precautions Netgate makes with packages, e.g. with which authorization level they are running, however adding whatever 'external' code to your system is always a risk and surely if the involved system is a firewall.

    So, but if you allow whatever package to be installed, then you trust that package, and an installed package does IMHO technically have the capability to do all kinds of unwanted things with your platform.

    If one of those more or less trusted packages generates fixed HTML code, it sounds strange to me to see that HTML code from one of your own packages as ^dangerous^, whereas the fact that the package is installed is, in my feeling, far more dangerous.

    So, I do not need the htmlspecialchars() protection replacement for this case, but I do scratch my head why it is dangerous 😥

  • Modifying and developing the iPerf3 package

    2
    1 Votes
    2 Posts
    961 Views
    bmeeks

    This long thread from earlier this year should help kickstart your effort: https://forum.netgate.com/topic/169749/pfsense-compile-requirements-for-3rd-party-software. This thread was about a different binary package, but the information is directly applicable to your iperf3 work.

    You will first need to create a FreeBSD package builder environment based on the pfSense version you are targeting. Today that is FreeBSD 12.3-STABLE for pfSense CE and pfSense Plus RELEASE, and FreeBSD-14.0-CURRENT for the DEVEL snapshot branches.

    You will find the binary pieces of iperf3 here: https://github.com/pfsense/FreeBSD-ports/tree/devel/benchmarks/iperf3.

    The PHP GUI component of the package is here: https://github.com/pfsense/FreeBSD-ports/tree/devel/benchmarks/pfSense-pkg-iperf.

    There is very little documentation of the process. Be prepared to draw upon your experience (or else you will have to spend a good deal of time on Google searching for clues and tips).

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.