<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[General pfSense Questions]]></title><description><![CDATA[Discussions about pfSense software that do not fit into one of the more specific categories below.]]></description><link>https://forum.netgate.com/category/38</link><generator>RSS for Node</generator><lastBuildDate>Sat, 09 May 2026 20:59:45 GMT</lastBuildDate><atom:link href="https://forum.netgate.com/category/38.rss" rel="self" type="application/rss+xml"/><pubDate>Fri, 08 May 2026 19:44:17 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Unable to update repository pfSense (26.03)]]></title><description><![CDATA[I'm having the same issue :(
I was playing around with my install at home, and saw this error.
I thought I messed something up, so I reinstalled using the latest installer (netgate-installer-v1.2-RELEASE-amd64.iso).
This worked, but I'm still having errors and packages won't install :(
Probably something in the netgate infrastructure, let's hope that it works again tomorrow.
check_upgrade: "Updating repositories metadata" returned error code 1 @ 2026-05-08 22:22:27

Updating pfSense-core repository catalogue...
pkg: Failed to fetch https://pfsense-plus-pkg.netgate.com/pfSense_plus-v26_03_amd64-core/meta.conf: Problem with the local SSL certificate
pkg: Failed to fetch https://pfsense-plus-pkg.netgate.com/pfSense_plus-v26_03_amd64-core/meta.txz: Problem with the local SSL certificate
repository pfSense-core has no meta file, using default settings
pkg: Failed to fetch https://pfsense-plus-pkg.netgate.com/pfSense_plus-v26_03_amd64-core/data.pkg: Problem with the local SSL certificate
pkg: Failed to fetch https://pfsense-plus-pkg.netgate.com/pfSense_plus-v26_03_amd64-core/data.tzst: Problem with the local SSL certificate
pkg: Failed to fetch https://pfsense-plus-pkg.netgate.com/pfSense_plus-v26_03_amd64-core/packagesite.pkg: Problem with the local SSL certificate
pkg: Failed to fetch https://pfsense-plus-pkg.netgate.com/pfSense_plus-v26_03_amd64-core/packagesite.tzst: Problem with the local SSL certificate
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg: Failed to fetch https://pfsense-plus-pkg.netgate.com/pfSense_plus-v26_03_amd64-pfSense_plus_v26_03/meta.conf: Problem with the local SSL certificate
pkg: Failed to fetch https://pfsense-plus-pkg.netgate.com/pfSense_plus-v26_03_amd64-pfSense_plus_v26_03/meta.txz: Problem with the local SSL certificate
repository pfSense has no meta file, using default settings
pkg: Failed to fetch https://pfsense-plus-pkg.netgate.com/pfSense_plus-v26_03_amd64-pfSense_plus_v26_03/data.pkg: Problem with the local SSL certificate
pkg: Failed to fetch https://pfsense-plus-pkg.netgate.com/pfSense_plus-v26_03_amd64-pfSense_plus_v26_03/data.tzst: Problem with the local SSL certificate
pkg: Failed to fetch https://pfsense-plus-pkg.netgate.com/pfSense_plus-v26_03_amd64-pfSense_plus_v26_03/packagesite.pkg: Problem with the local SSL certificate
pkg: Failed to fetch https://pfsense-plus-pkg.netgate.com/pfSense_plus-v26_03_amd64-pfSense_plus_v26_03/packagesite.tzst: Problem with the local SSL certificate
Unable to update repository pfSense
Error updating repositories!

]]></description><link>https://forum.netgate.com/topic/200657/unable-to-update-repository-pfsense-26.03</link><guid isPermaLink="true">https://forum.netgate.com/topic/200657/unable-to-update-repository-pfsense-26.03</guid><dc:creator><![CDATA[bschapendonk]]></dc:creator><pubDate>Fri, 08 May 2026 19:44:17 GMT</pubDate></item><item><title><![CDATA[WAN disruptions with 802.1X Authentication Bridging]]></title><description><![CDATA[<p dir="auto">I am using <a href="https://docs.netgate.com/pfsense/en/latest/recipes/authbridge.html" target="_blank" rel="noopener noreferrer nofollow ugc">802.1X Authentication Bridging</a> in order to get my pfSense (Netgate 4200) directly connected to AT&amp;T. It's been working fine for 2 years.</p>
<p dir="auto">The other day my internet went down, I rebooted my router and when everything came back up, I started experiencing drops (1-2 seconds where I cannot ping anything outside my side of the router). <strong>These occur on a regular 40 second interval.</strong></p>
<p dir="auto">There are no logs in pfSense that correlate to this issue.</p>
<p dir="auto">I did see what seems to be a flicker on the port that connects the AT&amp;T RG (the bypassed RG) at the same time as the drops. When I remove the RG, the problem goes away (but I cannot leave it like that because it needs to re-authenticate me after a router reboot or any other timer it might have).</p>
<p dir="auto">I saw this on 25.x and now on 26.03 with no change in symptoms.</p>
<p dir="auto">Thoughts?</p>
]]></description><link>https://forum.netgate.com/topic/200656/wan-disruptions-with-802.1x-authentication-bridging</link><guid isPermaLink="true">https://forum.netgate.com/topic/200656/wan-disruptions-with-802.1x-authentication-bridging</guid><dc:creator><![CDATA[bplein]]></dc:creator><pubDate>Fri, 08 May 2026 15:14:43 GMT</pubDate></item><item><title><![CDATA[Custom ICAP to DLP]]></title><description><![CDATA[<p dir="auto">Is it possible to tweak ICAP settings and perform DLP content inspection using your own DLP server running as an ICAP server on the network?</p>
<p dir="auto">Thanks in advance.</p>
]]></description><link>https://forum.netgate.com/topic/200653/custom-icap-to-dlp</link><guid isPermaLink="true">https://forum.netgate.com/topic/200653/custom-icap-to-dlp</guid><dc:creator><![CDATA[abbu.rakesh]]></dc:creator><pubDate>Fri, 08 May 2026 05:50:57 GMT</pubDate></item><item><title><![CDATA[Acme certificate expiring notice after deletion]]></title><description><![CDATA[<p dir="auto">I used acme to create a duckdns certificate which I no longer need.<br />
I deleted the certificate, under certificate manager, but I keep getting notifications</p>
<pre><code>The following CA/Certificate entries are expiring:
Certificate: DuckDNS-xxxxxxx (68b14b77xxxxx): Expired 86 days ago @ 2026-05-06 03:01:00
The following CA/Certificate entries are expiring:
Certificate: DuckDNS-xxxxxxx (68b14b77xxxxx): Expired 87 days ago @ 2026-05-07 03:01:00
</code></pre>
<p dir="auto">Where is it coming from?</p>
]]></description><link>https://forum.netgate.com/topic/200648/acme-certificate-expiring-notice-after-deletion</link><guid isPermaLink="true">https://forum.netgate.com/topic/200648/acme-certificate-expiring-notice-after-deletion</guid><dc:creator><![CDATA[4o4rh]]></dc:creator><pubDate>Thu, 07 May 2026 11:43:47 GMT</pubDate></item><item><title><![CDATA[Pfsense crashing daily on protectli vault]]></title><description><![CDATA[@stephenw10 No worries, thanks for looking into this.
]]></description><link>https://forum.netgate.com/topic/200636/pfsense-crashing-daily-on-protectli-vault</link><guid isPermaLink="true">https://forum.netgate.com/topic/200636/pfsense-crashing-daily-on-protectli-vault</guid><dc:creator><![CDATA[kindlywasp]]></dc:creator><pubDate>Tue, 05 May 2026 17:39:42 GMT</pubDate></item><item><title><![CDATA[BSNMP causing massive memory use spikes since 26.03 update]]></title><description><![CDATA[I can confirm it is some kind of memory leak in BSNMPD. Both firewalls show the BSNMPD process slowly but steadily allocating more and more memory. So this is very likely the same case/issue as the previously referenced thread. Let’s use that thread going forward and stop posting here :-)
]]></description><link>https://forum.netgate.com/topic/200635/bsnmp-causing-massive-memory-use-spikes-since-26.03-update</link><guid isPermaLink="true">https://forum.netgate.com/topic/200635/bsnmp-causing-massive-memory-use-spikes-since-26.03-update</guid><dc:creator><![CDATA[keyser]]></dc:creator><pubDate>Tue, 05 May 2026 16:37:49 GMT</pubDate></item><item><title><![CDATA[MFA for pfSense]]></title><description><![CDATA[@ortizat Kind of.  pfSense supports TOTP logins via the FreeRadius package.
]]></description><link>https://forum.netgate.com/topic/200632/mfa-for-pfsense</link><guid isPermaLink="true">https://forum.netgate.com/topic/200632/mfa-for-pfsense</guid><dc:creator><![CDATA[KOM]]></dc:creator><pubDate>Tue, 05 May 2026 14:05:17 GMT</pubDate></item><item><title><![CDATA[Rogue DHCP Server]]></title><description><![CDATA[@JKnott said in Rogue DHCP Server:

then a request from the client and finally an acknowledge from the server.

Right. I guess I forgot (or never knew!) that the dhcprequest is also broadcast the first time. At lease renew it is unicast which is what you more normally see.
]]></description><link>https://forum.netgate.com/topic/200630/rogue-dhcp-server</link><guid isPermaLink="true">https://forum.netgate.com/topic/200630/rogue-dhcp-server</guid><dc:creator><![CDATA[stephenw10]]></dc:creator><pubDate>Tue, 05 May 2026 06:18:17 GMT</pubDate></item><item><title><![CDATA[pfsense hardware failure(?)]]></title><description><![CDATA[@lkh your best bet is to attach keyboard and monitor, everything else is just guesswork. If you have not changed anything else in your infrastructure (switch, cables, etc.) then hardware failure is a likely scenario.
]]></description><link>https://forum.netgate.com/topic/200621/pfsense-hardware-failure</link><guid isPermaLink="true">https://forum.netgate.com/topic/200621/pfsense-hardware-failure</guid><dc:creator><![CDATA[patient0]]></dc:creator><pubDate>Sat, 02 May 2026 19:35:51 GMT</pubDate></item><item><title><![CDATA[RESOLVED - 26.03 - Failure updating ACME certificate]]></title><description><![CDATA[@Gertjan
Thank you!
The link you provided : https://github.com/acmesh-official/acme.sh/issues/6851
is the solution, so I created a new ‘Token’ with
domain:read
dns:read
dns:write
I put the ‘code’ in place of the other one, and miraculously, it's finally working now
As for the second one, I’ve tried too many times and I’m stuck until tomorrow evening, but I’m confident because I’ve made the same changes
I know I’m repeating myself, but thank you again for all your help 
]]></description><link>https://forum.netgate.com/topic/200619/resolved-26.03-failure-updating-acme-certificate</link><guid isPermaLink="true">https://forum.netgate.com/topic/200619/resolved-26.03-failure-updating-acme-certificate</guid><dc:creator><![CDATA[SwissSteph]]></dc:creator><pubDate>Sat, 02 May 2026 06:06:53 GMT</pubDate></item><item><title><![CDATA[eed Help: Portal Account Not Provisioned / Cannot Access Subscription]]></title><description><![CDATA[@Bruce11 if you know that you need a portal account (I wouldn't know what use that is) then maybe create a TAC support ticket?
https://www.netgate.com/tac-support-request
]]></description><link>https://forum.netgate.com/topic/200614/eed-help-portal-account-not-provisioned-cannot-access-subscription</link><guid isPermaLink="true">https://forum.netgate.com/topic/200614/eed-help-portal-account-not-provisioned-cannot-access-subscription</guid><dc:creator><![CDATA[patient0]]></dc:creator><pubDate>Thu, 30 Apr 2026 14:58:06 GMT</pubDate></item><item><title><![CDATA[I cannot get Dynamic DNS]]></title><description><![CDATA[@BlazeStar is your WAN marked as up in the 'Gateways' widget or under 'Status / Gateways'?
In the past people ran into similar issues when pfSense gateway monitoring thinks that the gateway is down.
And additionally: what monitoring IP is set for the WAN interface (System / Routing / Gateway)? Sometimes you can't use the ISPs gateway IP for monitoring of PPPoE connections since this IP is not ping-able. You would have to use another public IP, like 1.1.1.1 or 8.8.8.8 or 9.9.9.9.
]]></description><link>https://forum.netgate.com/topic/200610/i-cannot-get-dynamic-dns</link><guid isPermaLink="true">https://forum.netgate.com/topic/200610/i-cannot-get-dynamic-dns</guid><dc:creator><![CDATA[patient0]]></dc:creator><pubDate>Wed, 29 Apr 2026 18:41:06 GMT</pubDate></item><item><title><![CDATA[Wireguard using Proton configs and pfsense 2.7.2]]></title><description><![CDATA[I suggest following the Netgate docs for any steps related to pfSense. Unless Proton is using a custom WireGuard implementation I see no reason for there to be any compatibility issues. Part of what makes WireGuard configuration on pfSense more involved is the flexibility to support many scenarios. Granted an import/export feature like the OpenVPN service has would certainly be nice.
https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-client.html
]]></description><link>https://forum.netgate.com/topic/200608/wireguard-using-proton-configs-and-pfsense-2.7.2</link><guid isPermaLink="true">https://forum.netgate.com/topic/200608/wireguard-using-proton-configs-and-pfsense-2.7.2</guid><dc:creator><![CDATA[marcosm]]></dc:creator><pubDate>Wed, 29 Apr 2026 03:33:03 GMT</pubDate></item><item><title><![CDATA[SSl certificates for all home network]]></title><description><![CDATA[@Gertjan yeah I think there are some ways to do acme via script via the new os server.. But I just installed my own, and its good til 2035 ;)
]]></description><link>https://forum.netgate.com/topic/200605/ssl-certificates-for-all-home-network</link><guid isPermaLink="true">https://forum.netgate.com/topic/200605/ssl-certificates-for-all-home-network</guid><dc:creator><![CDATA[johnpoz]]></dc:creator><pubDate>Tue, 28 Apr 2026 07:54:23 GMT</pubDate></item><item><title><![CDATA[Tftp-proxy between two subnets - reply blocked]]></title><description><![CDATA[Looks like it need to test this out with an updated system.  I'm still running 25.07.1
]]></description><link>https://forum.netgate.com/topic/200604/tftp-proxy-between-two-subnets-reply-blocked</link><guid isPermaLink="true">https://forum.netgate.com/topic/200604/tftp-proxy-between-two-subnets-reply-blocked</guid><dc:creator><![CDATA[opoplawski]]></dc:creator><pubDate>Mon, 27 Apr 2026 19:20:59 GMT</pubDate></item><item><title><![CDATA[pfsense plus - crypto Accelerator Wireguard / OpenVPN / IPsec]]></title><description><![CDATA[@tinfoilmatt said in pfsense plus - crypto Accelerator Wireguard / OpenVPN / IPsec:

If the FreeBSD driver supports them.

We see what you did there.

Well there are some newer CPUs with QAT that are not yet supported at all by the driver shipped in pfSense. So YMMV!
]]></description><link>https://forum.netgate.com/topic/200600/pfsense-plus-crypto-accelerator-wireguard-openvpn-ipsec</link><guid isPermaLink="true">https://forum.netgate.com/topic/200600/pfsense-plus-crypto-accelerator-wireguard-openvpn-ipsec</guid><dc:creator><![CDATA[stephenw10]]></dc:creator><pubDate>Mon, 27 Apr 2026 07:45:34 GMT</pubDate></item><item><title><![CDATA[Is the FreeBSD Remote Code Execution Vulnerability fixed in 26.03?]]></title><description><![CDATA[Generally, yes, we review FreeBSD CVEs and assess whether or not they apply to pfSense. A lot (most?) do not apply since pfSense is a very cut down subset of the FreeBSD code.
]]></description><link>https://forum.netgate.com/topic/200592/is-the-freebsd-remote-code-execution-vulnerability-fixed-in-26.03</link><guid isPermaLink="true">https://forum.netgate.com/topic/200592/is-the-freebsd-remote-code-execution-vulnerability-fixed-in-26.03</guid><dc:creator><![CDATA[stephenw10]]></dc:creator><pubDate>Sat, 25 Apr 2026 15:35:17 GMT</pubDate></item><item><title><![CDATA[Crash Dump - 1st time, how or where should I share ?]]></title><description><![CDATA[Hmm, it could be just that testing. The dmesg logs have no time stamps so it can be some time before the panic if nothing else is logged in between.
]]></description><link>https://forum.netgate.com/topic/200591/crash-dump-1st-time-how-or-where-should-i-share</link><guid isPermaLink="true">https://forum.netgate.com/topic/200591/crash-dump-1st-time-how-or-where-should-i-share</guid><dc:creator><![CDATA[stephenw10]]></dc:creator><pubDate>Sat, 25 Apr 2026 15:17:10 GMT</pubDate></item><item><title><![CDATA[Fatal trap 12: page fault on pfSense 2.7.2]]></title><description><![CDATA[What does the backtrace in the crash report show?
]]></description><link>https://forum.netgate.com/topic/200583/fatal-trap-12-page-fault-on-pfsense-2.7.2</link><guid isPermaLink="true">https://forum.netgate.com/topic/200583/fatal-trap-12-page-fault-on-pfsense-2.7.2</guid><dc:creator><![CDATA[stephenw10]]></dc:creator><pubDate>Fri, 24 Apr 2026 07:18:06 GMT</pubDate></item><item><title><![CDATA[Netgate 3100 - v25.11.1 - Sudden flood (228 messages A SECOND) of DHCPv6 syslogs]]></title><description><![CDATA[@stephenw10
I will not be able to get pcap as this is something that happened last week.
It occurred over a period of a few days, and our logging server locked-out the pfSense for exceeding the storage quota.
I will try to find what piece of office equipment was causing this.
I know very little about IPv6, but will enlist chatgpt to help me. 
]]></description><link>https://forum.netgate.com/topic/200574/netgate-3100-v25.11.1-sudden-flood-228-messages-a-second-of-dhcpv6-syslogs</link><guid isPermaLink="true">https://forum.netgate.com/topic/200574/netgate-3100-v25.11.1-sudden-flood-228-messages-a-second-of-dhcpv6-syslogs</guid><dc:creator><![CDATA[KB8DOA]]></dc:creator><pubDate>Wed, 22 Apr 2026 12:23:23 GMT</pubDate></item><item><title><![CDATA[NTP exposed to WAN by default]]></title><description><![CDATA[@dennypage said in NTP exposed to WAN by default:

specifying the listen by interface usually isn't necessary.

While I do agree here, I also think the ability to limit (when possible by the application/service) is a worthwhile security option to have. Should it be the number one priority - no prob not.  And since pfsense is a firewall, you do have complete control of who can talk to what service that might be running no matter what the service does for binding to IPs the device might have.
I mean quite often many services would be on device with only 1 interface anyway ;) So the ability to call out what specific interface/ip a service is bound to really becomes moot.  And it just makes it easier to setup to know that hey that service will listen to whatever IP the device has.
Back to the topic at hand, while ntp does out of the box listen on all IPs. Out of the box this would not be available via the wan no matter what IPs the service is actually listening on.  Seems the OP clearly was not using valid testing methods (nmap to a udp port) - where nmap in layman terms reports I can't tell there was no answer.
What I don't get is how you could interpret
(not open|filtered)
To you got a ntp response. Or any response at all.
Nor did they follow up with validation of what they thought they were seeing before jumping to the conclusion that somehow pfsense left this service open to the wan even with default deny on all interfaces out of the box.. The only sort of exception to this is while the lan also has default deny, out of the box a any any rule is created to ease setup.
]]></description><link>https://forum.netgate.com/topic/200569/ntp-exposed-to-wan-by-default</link><guid isPermaLink="true">https://forum.netgate.com/topic/200569/ntp-exposed-to-wan-by-default</guid><dc:creator><![CDATA[johnpoz]]></dc:creator><pubDate>Tue, 21 Apr 2026 20:03:12 GMT</pubDate></item><item><title><![CDATA[Internal DNS only when VPN is up]]></title><description><![CDATA[@stephenw10 if so then means they are available via public - so what is the point of the vpn? Just not understanding what they are wanting to actually accomplish other than complexity.
If I want to resolve stuff on the other end of a vpn, I put in a domain override to go ask the ns there for the domain at that site, done..
I am not understanding what exactly they are trying to accomplish here.. The use case makes no sense to me.
]]></description><link>https://forum.netgate.com/topic/200553/internal-dns-only-when-vpn-is-up</link><guid isPermaLink="true">https://forum.netgate.com/topic/200553/internal-dns-only-when-vpn-is-up</guid><dc:creator><![CDATA[johnpoz]]></dc:creator><pubDate>Sat, 18 Apr 2026 22:55:42 GMT</pubDate></item><item><title><![CDATA[ZFS Mirror replacing failed Drive]]></title><description><![CDATA[@stephenw10 Absolutely that was the first thing I did and I'm very glad I did to that or I would be in a right mess.
]]></description><link>https://forum.netgate.com/topic/200552/zfs-mirror-replacing-failed-drive</link><guid isPermaLink="true">https://forum.netgate.com/topic/200552/zfs-mirror-replacing-failed-drive</guid><dc:creator><![CDATA[VioletDragon]]></dc:creator><pubDate>Sat, 18 Apr 2026 20:53:42 GMT</pubDate></item><item><title><![CDATA[MTU on VLAN sub interface for WAN]]></title><description><![CDATA[@stephenw10 thank you, will test, currently running 26.03
]]></description><link>https://forum.netgate.com/topic/200548/mtu-on-vlan-sub-interface-for-wan</link><guid isPermaLink="true">https://forum.netgate.com/topic/200548/mtu-on-vlan-sub-interface-for-wan</guid><dc:creator><![CDATA[mikey_s]]></dc:creator><pubDate>Fri, 17 Apr 2026 15:18:13 GMT</pubDate></item><item><title><![CDATA[Netgate 6100 unstable since upgrade to 26.03]]></title><description><![CDATA[@dennypage yes, sorry, that is provided by HACS so you can ignore it.
]]></description><link>https://forum.netgate.com/topic/200547/netgate-6100-unstable-since-upgrade-to-26.03</link><guid isPermaLink="true">https://forum.netgate.com/topic/200547/netgate-6100-unstable-since-upgrade-to-26.03</guid><dc:creator><![CDATA[ChrisJenk]]></dc:creator><pubDate>Fri, 17 Apr 2026 13:31:51 GMT</pubDate></item></channel></rss>