Subcategories

  • Announcements and information about pfSense software posted by the project team

    220 Topics
    3k Posts
    P
    @SteveITS Thanks for the clarification, I would give you an up-vote but I do not have enough reputation.
  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    27k Topics
    191k Posts
    S
    @stephenw10 I'm sorry, I didn't get that?
  • Discussions about Multi-Instance Management.

    22 Topics
    150 Posts
    stephenw10
    This should be fixed in the next version.
  • Discussions about installing or upgrading pfSense software

    10k Topics
    62k Posts
    stephenw10
    You can just resave that value in the update settings tab. It should then look like: <pkg_repo_conf_path>2_8_1</pkg_repo_conf_path>
  • Discussions about firewalling functionality in pfSense software

    10k Topics
    59k Posts
    S
    @Uglybrian, Thank you, I will give that a try. Stuart
  • Discussions about Network Address Translation (NAT)

    6k Topics
    31k Posts
    Kahnares
    @SteveITS I haven't tried disabling or removing Outbound rules, but it's worth a shot. I'm not sure it would make a difference, but stranger things have happened and it's quick'n'easy to test. Outbound is just directing traffic to the gateways (ISP or VPN, depending on the VLAN). I'll test my loopback theory too.
  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    3k Topics
    12k Posts
    U
    A week ago, I switched our Kea DHCP backend on our production firewall cluster to Kea (after a lot of testing in a virtualized environment). It worked fine until yesterday, when suddenly the clients stopped receiving leases. After some troubleshooting, I found that the Kea server must have crashed on the primary node, and the secondary node didn’t seem to fail over properly. Both firewalls were running, but no leases were being handed out to clients. The error log I found was the following:

    port 67, reason: Address already in use - is another DHCP server running?
    Oct 21 14:26:57 ITL-FWL-001 kea-dhcp4[65433]: WARN [kea-dhcp4.dhcpsrv.0x7f3c2012000] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: Failed to open socket on interface lagg1.999, reason: failed to bind fallback socket to address 10.0.63.2, port 67, reason: Address already in use - is another DHCP server running?
    Oct 21 14:26:57 ITL-FWL-001 kea-dhcp4[65433]: WARN [kea-dhcp4.dhcpsrv.0x7f3c2012000] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: Failed to open socket on interface lagg1.999, reason: failed to bind fallback socket to address 10.0.63.1, port 67, reason: Address already in use - is another DHCP server running?
    Oct 21 14:26:57 ITL-FWL-001 kea-dhcp4[65433]: WARN [kea-dhcp4.dhcpsrv.0x7f3c2012000] DHCPSRV_NO_SOCKETS_OPEN no interface configured to listen to DHCP traffic
    Oct 21 14:26:57 ITL-FWL-001 kea-dhcp4[65433]: ERROR [kea-dhcp4.dhcp4.0x7f3c2012000] DHCP4_CONFIG_LOAD_FAIL configuration error using file: /usr/local/etc/kea/kea-dhcp4.conf, reason: Error initializing hooks: CmdHttpListener::run failed: unable to setup TCP acceptor for listening to the incoming HTTP requests: bind: Address already in use [system:48 at /usr/local/include/boost/asio/detail/reactive_socket_service.hpp:161:33 in function 'bind']
    Oct 21 14:26:57 ITL-FWL-001 kea-dhcp4[65433]: ERROR [kea-dhcp4.dhcp4.0x7f3c2012000] DHCP4_INIT_FAIL failed to initialize Kea server: configuration error using file '/usr/local/etc/kea/kea-dhcp4.conf': Error initializing hooks: CmdHttpListener::run failed: unable to setup TCP acceptor for listening to the incoming HTTP requests: bind: Address already in use [system:48 at /usr/local/include/boost/asio/detail/reactive_socket_service.hpp:161:33 in function 'bind']
    Oct 21 14:27:01 ITL-FWL-001 kea-dhcp4[17711]: WARN [kea-dhcp4.dhcpsrv.0x106d79612000] DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.
    Oct 21 14:27:01 ITL-FWL-001 kea-dhcp4[17711]: WARN [kea-dhcp4.dhcp4.0x106d79612000] DHCP4_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first.
    Oct 21 14:27:01 ITL-FWL-001 kea-dhcp4[17711]: WARN [kea-dhcp4.dhcpsrv.0x106d79612000] DHCPSRV_MULTIPLE_RAW_SOCKETS_PER_IFACE current configuration will result in opening multiple broadcast capable sockets on some interfaces and some DHCP messages may be duplicated
    Oct 21 14:27:01 ITL-FWL-001 kea-dhcp4[17711]: WARN [kea-dhcp4.dhcpsrv.0x106d79612000] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: Failed to open socket on interface lagg0.10, reason: failed to bind fallback socket to address 10.0.9.2, port 67, reason: Address already in use - is another DHCP server running?
    Oct 21 14:27:01 ITL-FWL-001 kea-dhcp4[17711]: WARN [kea-dhcp4.dhcpsrv.0x106d79612000] DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: Failed to open socket on interface lagg0.10, reason: failed to bind fallback socket to address 10.0.9.1, port 67, reason: Address already in use - is another DHCP server running?
    Oct 22 10:22:33 kea-dhcp4 78645 WARN [kea-dhcp4.dhcpsrv.0xc0595a12000] DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.
    Oct 22 10:22:33 kea-dhcp4 78645 WARN [kea-dhcp4.dhcp4.0xc0595a12000] DHCP4_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first.
    Oct 22 10:22:33 kea-dhcp4 78645 WARN [kea-dhcp4.dhcpsrv.0xc0595a12000] DHCPSRV_MULTIPLE_RAW_SOCKETS_PER_IFACE current configuration will result in opening multiple broadcast capable sockets on some interfaces and some DHCP messages may be duplicated
    Oct 22 10:22:33 kea-dhcp4 78645 WARN [kea-dhcp4.dhcp4.0xc0595a12000] DHCP4_MULTI_THREADING_INFO enabled: yes, number of threads: 48, queue size: 64
    Oct 22 10:22:33 kea-dhcp4 78645 ERROR [kea-dhcp4.packets.0xc0595a12000] DHCP4_BUFFER_RECEIVE_FAIL error on attempt to receive packet: Truncated DHCPv4 packet (len=172) received, at least 236 is expected.
    Oct 22 10:22:33 kea-dhcp4 67709 WARN [kea-dhcp4.dhcpsrv.0x3a7d32612000] DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.
    Oct 22 10:22:33 kea-dhcp4 67709 WARN [kea-dhcp4.dhcp4.0x3a7d32612000] DHCP4_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first.
    Oct 22 10:22:33 kea-dhcp4 67709 WARN [kea-dhcp4.dhcpsrv.0x3a7d32612000] DHCPSRV_MULTIPLE_RAW_SOCKETS_PER_IFACE current configuration will result in opening multiple broadcast capable sockets on some interfaces and some DHCP messages may be duplicated
    Oct 22 10:22:33 kea-dhcp4 67709 WARN [kea-dhcp4.dhcp4.0x3a7d32612000] DHCP4_MULTI_THREADING_INFO enabled: yes, number of threads: 48, queue size: 64

    It seems like another instance of Kea tried to start, even though there was probably already one running. I restarted the firewall, and it seemed to recover. However, I can no longer trust it in production. I’ve looked into it further, and later the same day something similar occurred again. I also noticed since yesterday that, from time to time, the DHCP status on the lease page goes red for one node for a few seconds, then recovers automatically.

    ct 21 18:20:31 kea-dhcp4 34212 WARN [kea-dhcp4.dhcpsrv.0x3bc9d6212000] DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.
    Oct 21 18:20:31 kea-dhcp4 34212 WARN [kea-dhcp4.dhcp4.0x3bc9d6212000] DHCP4_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first.
    Oct 21 18:20:31 kea-dhcp4 34212 WARN [kea-dhcp4.dhcpsrv.0x3bc9d6212000] DHCPSRV_MULTIPLE_RAW_SOCKETS_PER_IFACE current configuration will result in opening multiple broadcast capable sockets on some interfaces and some DHCP messages may be duplicated
    Oct 21 18:20:31 kea-dhcp4 34212 ERROR [kea-dhcp4.dhcp4.0x3bc9d6212000] DHCP4_CONFIG_LOAD_FAIL configuration error using file: /usr/local/etc/kea/kea-dhcp4.conf, reason: Error initializing hooks: CmdHttpListener::run failed: unable to setup TCP acceptor for listening to the incoming HTTP requests: bind: Address already in use [system:48 at /usr/local/include/boost/asio/detail/reactive_socket_service.hpp:161:33 in function 'bind']
    Oct 21 18:20:31 kea-dhcp4 34212 ERROR [kea-dhcp4.dhcp4.0x3bc9d6212000] DHCP4_INIT_FAIL failed to initialize Kea server: configuration error using file '/usr/local/etc/kea/kea-dhcp4.conf': Error initializing hooks: CmdHttpListener::run failed: unable to setup TCP acceptor for listening to the incoming HTTP requests: bind: Address already in use [system:48 at /usr/local/include/boost/asio/detail/reactive_socket_service.hpp:161:33 in function 'bind']
    Oct 21 18:21:15 kea-dhcp4 71088 WARN [kea-dhcp4.dhcpsrv.0x2b7e08012000] DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.
    Oct 21 18:21:15 kea-dhcp4 71088 WARN [kea-dhcp4.dhcp4.0x2b7e08012000] DHCP4_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first.
    Oct 21 18:21:15 kea-dhcp4 71088 WARN [kea-dhcp4.dhcpsrv.0x2b7e08012000] DHCPSRV_MULTIPLE_RAW_SOCKETS_PER_IFACE current configuration will result in opening multiple broadcast capable sockets on some interfaces and some DHCP messages may be duplicated
    Oct 21 18:21:15 kea-dhcp4 71088 ERROR [kea-dhcp4.dhcp4.0x2b7e08012000] DHCP4_CONFIG_LOAD_FAIL configuration error using file: /usr/local/etc/kea/kea-dhcp4.conf, reason: Error initializing hooks: CmdHttpListener::run failed: unable to setup TCP acceptor for listening to the incoming HTTP requests: bind: Address already in use [system:48 at /usr/local/include/boost/asio/detail/reactive_socket_service.hpp:161:33 in function 'bind']
    Oct 21 18:21:15 kea-dhcp4 71088 ERROR [kea-dhcp4.dhcp4.0x2b7e08012000] DHCP4_INIT_FAIL failed to initialize Kea server: configuration error using file '/usr/local/etc/kea/kea-dhcp4.conf': Error initializing hooks: CmdHttpListener::run failed: unable to setup TCP acceptor for listening to the incoming HTTP requests: bind: Address already in use [system:48 at /usr/local/include/boost/asio/detail/reactive_socket_service.hpp:161:33 in function 'bind']
    Oct 21 18:28:52 kea-dhcp4 16688 WARN [kea-dhcp4.dhcpsrv.0x10a766c12000] DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.
    Oct 21 18:28:52 kea-dhcp4 16688 WARN [kea-dhcp4.dhcp4.0x10a766c12000] DHCP4_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first.
    Oct 21 18:28:52 kea-dhcp4 16688 WARN [kea-dhcp4.dhcpsrv.0x10a766c12000] DHCPSRV_MULTIPLE_RAW_SOCKETS_PER_IFACE current configuration will result in opening multiple broadcast capable sockets on some interfaces and some DHCP messages may be duplicated
    Oct 21 18:28:52 kea-dhcp4 16688 WARN [kea-dhcp4.dhcp4.0x10a766c12000] DHCP4_MULTI_THREADING_INFO enabled: yes, number of threads: 48, queue size: 64

    I did some research and found that maybe the 48 threads could be an issue? This is a dual-CPU server with 48 threads in total. I am also using the DNS Registration and early DNS registration options to register the DNS names of static mappings and to also register the DNS entries of the clients that bring the hostname when making the DHCP request.

    Does anyone else have a clue how to investigate this issue further? Thanks in advance.
  • Discussions about Layer 2 Networking, including switching and VLANs

    1k Topics
    10k Posts
    nazar-pc
    @viragomann said in Can't get pfSense bridge to work with VF NIC:
    "Yeah, if you pass through the hardware to a VM, the host cannot use it anymore."
    That is 100% not true. As I mentioned, I pass through VF, SR-IOV is designed just for this. Host device remains and is supposed to be able to talk to guests and to the outside.
    @viragomann said in Can't get pfSense bridge to work with VF NIC:
    "You should rather create a bridge in Proxmox, connect the hardware NIC to it and assign and IP and connect the virtual interface of the VM, if you want to access both devices over the single NIC."
    That is exactly the description of the virtio interface I have, but it is slow, just ~1.3 Gbps in pfSense due to multiple reasons (issues opened for years and little if any progress is happening on them, so I wanted to pass through the physical hardware). On Linux virtio interfaces trivially push over 10 Gbps, but not in pfSense.
  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    9k Topics
    42k Posts
    B
    Just managed to fix the issue. It was not related to the floating states thingy. They are all at default. Under VPN -> IPsec -> Advanced settings, change "IPsec Filter Mode" to "On Assigned Interfaces". This gives you a Firewall rules tab per (ipsec) interface, instead of the general "IPsec" firewall rules tab. Now create rules on those tabs to allow traffic.
  • Discussions about traffic shaping and limiters

    3k Topics
    16k Posts
    stephenw10
    No, support are in the same situation we are. It would require building a 25.07.2 release. It's fixed in 25.11 snapshots if you're able to test there. The first public beta is close.
  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    7k Topics
    43k Posts
    R
    Additional information that may be useful: These are the DNS Server Settings: [image] These are the monitor IP: [image]
  • Discussions about IPv6 connectivity and services

    2k Topics
    20k Posts
    johnpoz
    @alnico pfsense already has ipv6 rules on it to allow ipv6 to work. They are just hidden. Look in /tmp/rules.debug

    # IPv6 ICMP is not auxiliary, it is required for operation
    # See man icmp6(4)
    # 1 unreach Destination unreachable
    # 2 toobig Packet too big
    # 128 echoreq Echo service request
    # 129 echorep Echo service reply
    # 133 routersol Router solicitation
    # 134 routeradv Router advertisement
    # 135 neighbrsol Neighbor solicitation
    # 136 neighbradv Neighbor advertisement
    pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} ridentifier 1000000107 keep state
    # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} ridentifier 1000000108 keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} ridentifier 1000000109 keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000110 keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000111 keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000112 keep state
    pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000113 keep state

    But simple enough to test - just disable the rule, give it a few days - do you notice any problems? What is not working? If you have no issues you can delete the rule. As I said there are hidden rules that allow for the min required for IPv6 to work. What you will notice that is not in the main rule is 128,129 echoreq and echorep - ie ping. So if you want to allow for that via non link-local you would want to add those.
  • Discussions about IPsec VPNs

    6k Topics
    24k Posts
    stephenw10
    Ok that's good information. 20s like that sounds like a redirect timing out. And where that would apply in 2.8 might be change in default for firewall state policy from floating to interface-bound: https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#config-advanced-firewall-state-policy Specifically this applies to VTI tunnels when the IPSec filter mode is still set to the combined ipsec tab: https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#ipsec-vti-filtering I would bet that's what you're hitting unless you've tested it already.
  • Discussions about OpenVPN

    10k Topics
    53k Posts
    A
    @Gertjan Actually, the NAS's live on the USER .200 network. [image] Yes, it is a /24. [image] [image] Yeah, I have the OpenVPN server subnets rule to allow all traffic. What advanced settings do you have in your VPN interface rule? I see a gear symbol next to the pass check mark. Is that something that may help? That private address assigned to my iPhone (10.208.190.248) is puzzling. It appears to be a Verizon thing. If I go to Starbucks and jump on their WiFi, or work, it shows the same address. Just for kicks, I put that IP in the VPN interface rule shown above but that had no effect. My iPad does not have any of that since it has no SIM card.
  • Discussions about Captive Portal, vouchers, and related topics

    4k Topics
    19k Posts
    Gertjan
    @PhilC168 I also have a hotel here, pfSense, and my LAN is fully dual stack for a couple of years now. There are days, weeks, even months where there was more IPv6 traffic compared to IPv4. But, today, mid October 2025, I don't recall ever seeing one client asking me why my portal doesn't support 'IPv6'. More serious: I even doubt that I saw a client this year who knew what 'IPv6' or 'IPv4' is. That one person that didn't ask the reception about IPv6 didn't even bother: he connected to the portal over IPv4, fired up his "IPv6 aware VPN" connection and surfed away using IPv6 over my "IPv4 only" network ^^ So, imho, no, IPv6 isn't a show stopper yet. I already feel sorry for the guy @netgate who gets the mission to implement that one. Btw: @Enrica_CH said in IPv6 support for Captive Portal planned?: IPv4 addresses will be more and more rare so that some day a part of the internet won't support IPv4 anymore. That didn't age well ^^ Since 2016, there are no more 'free' IPv4 left, and still, IPv4 is still pretty mandatory everywhere. Tens of thousands of IPv4 devices can access the internet just fine over just one ISP IPv4. Most IPv6 aware ISPs don't implement IPv6 - the prefix part - very well. Most of them can give you an IPv6/128, but a prefix? euh, oh, "we call you back". Yes, IPv4 will fade out in the future. That's a fact. Someone who starts to admin a pfSense today, and this person is 20 years old, then maybe he will see the end of 'IPv4' when he finishes his IT career ...
  • Anything that does not fit in other categories related to the webGUI

    2k Topics
    10k Posts
    patient0
    @eeebbune said in Can't see Alias Details from Netgate4200: If I go downgrade, would it be possibly resolve my issue? I'm afraid it won't fix it, I assume.
  • Discussions about wireless networks, interfaces, and clients

    2k Topics
    11k Posts
    stephenw10
    Yeah, there's really no point in doing that. You are just accessing the same server via two addresses it's listening on.
  • Discussions about monitoring via SNMP

    197 Topics
    609 Posts
    C
    I figured it out. My firewalls had an old unused OpenVPN client connection on it that was unstable and every time it reconnected, it got a new IP address causing pfsense to restart all packages, and since it took down SNMP, we wouldn't get alerted about the interface going down either... So this issue is solved now
  • Discussions about pfSense documentation, including the book

    186 Topics
    1k Posts
    opnwall
    As a volunteer translator, I suggest that the official website update the template files of the online translation (https://zanata.netgate.com/) in a timely manner, or open the function of uploading po or mo files to replace the translation templates that are still in pfsense 2.50.
  • Topics related to developing pfSense: coding styles, skills, questions etc.
    1k Topics
    7k Posts
    MarinSNB
    Hi all, Have been searching all the QAT-related topics on the forums in the last several months and especially this post among them: https://forum.netgate.com/topic/183177/intel-xeon-d-1736nt-qat-on-pfsense-plus-23-05-1?_=1761261416961 and was wondering if I am experiencing the same issue. I have a Supermicro machine with a Xeon D-2796NT processor and pfSense Plus (25.11 Beta) loaded in it and have been wondering if there would be a way to have QAT fully activated in it. Have run some commands to see if the QAT drivers have been loaded and they show that they are (or at least I hope). However, the main pfSense web UI still displays QAT Crypto: No. Just like in the post I linked, the vmstat command also does not produce any info, so I am wondering too if this particular CPU/QAT driver is not on the list of FreeBSD approved drivers that has been shared in other posts. If this is the case, how does one find out if this CPU (and/or other ones for that matter) may or may not make it in this list in the future? Can users request to have them included via a Redmine request? If so, what information is needed for such submission? I am a complete newb when it comes to QAT... Below are a few screenshots from a few commands used when investigating this. Let me know if you need other info. Appreciate your input and assistance!
  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    429 Topics
    3k Posts
    N
    This discussion about using pfSense for VPN interfaces and game server port forwarding is quite technical but very useful for gamers and network enthusiasts who want secure and optimized connections. It reminds me of how watching online movies หนังออนไลน์ also depends on stable and well-configured networks both require speed, security, and smooth performance to fully enjoy the experience. Just like setting up pfSense ensures a seamless gaming session, having a good connection makes online movie streaming effortless and enjoyable.
  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    2k Topics
    12k Posts
    weehooey
    @lifeofguenter Ah. I see that now. I did not realize the windows scrolled. @weehooey your script does not work. When I install qemu-guest-agent it already installs a start script: What you are showing is not what our script does. I can tell you that we tested using the script we provided, and it works on 2.8.1. Perhaps you have not marked your script as executable?
  • Discussions about pfSense hardware support

    8k Topics
    69k Posts
    N
    @NC1 This would be for home use, not infrastructure as it applies to Enterprise environments. It seems a 40Gbps bus would be plenty fast though for a 1Gb service from your local internet provider. Anyway... I don't know which drivers would be needed which is why I was asking if anyone has ever tried it or thought about it. Maybe someone would have some insight as to the pros and cons. I did see the price tag. I was merely trying to give an example of an external chassis a NIC card could be used in. As a side, I typically future proof my home builds to at least a minimum of 5 years if I can. In a configuration such as this, I could repurpose the NUC for some other future project and plug the external chassis with the NIC card into a different computer. Just a thought.
  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    457 Topics
    6k Posts
    J
    Rereading this I realize I didn't provide much context or frame the issue very well, and since I can't edit I'll post what the OP should have started with here. From the pfSense Docs: Captive Portal in pfSense software forces users on an interface to authenticate before granting access to the Internet. Where possible, the firewall automatically presents a login web page in which the user must enter credentials such as a username/password, a voucher code, or a simple click-through agreement. Users have made many requests for something similar, but for authorizing access into the intranet, instead of out to the internet. This is often called a "reverse portal". This would be useful for e.g. setting up MFA for wireguard vpn connections or requiring login to access a different segment of the local network. Unfortunately, despite being nearly identical in implementation, netgate explicitly states that their captive portal feature is not capable of acting as a reverse portal, aka authorizing access to the local intranet. One of the challenges with reverse portals is how to know when the user has disconnected and needs to reauthenticate. Here I propose a design where the user has to keep a browser tab with an open tcp connection (SSE with heartbeats) connected to the firewall for the pass rule to be enabled; when the connection closes the pass rule is disabled and they will have to reauthenticate.
  • 10k Topics
    64k Posts
    L
    @dennypage Out of curiosity are you getting any hits for qat in vmstat? I'm configured in a nearly identical way and it must be that I must either not be using the right ciphers or IPsec-MB is so efficient it absolutely makes QAT useless.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.