pfSense® Software

Messages from the pfSense Team

Announcements and information about pfSense software posted by the project team

218 Topics

3k Posts

said in Now Available: pfSense Plus 25.07.1-RELEASE: Coincidence? Yes, indeed.

General pfSense Questions

Discussions about pfSense software that do not fit into one of the more specific categories below.

27k Topics

190k Posts

@marcg well that is good, then it should work for the OP.

Multi-Instance Management

Discussions about Multi-Instance Management.

15 Topics

114 Posts

Does anyone know when licensing costs etc for Nexus / MIM will be announced? It seems a little odd to release it with 25.07 but not have ability to get licenses for it.

Problems Installing or Upgrading pfSense Software

Discussions about installing or upgrading pfSense software

10k Topics

62k Posts

I have this issue too, it will fail to boot (it's a VM in unraid) The fix, to change console to video first

Firewalling

Discussions about firewalling functionality in pfSense software

10k Topics

59k Posts

Nice catch. Thanks!

NAT

Discussions about Network Address Translation (NAT)

6k Topics

31k Posts

-------- Action: Block Interface: WAN Address Family: IPv6 Protocol: Any Source: Network f000::/4 Destination: Any Description: Block internal IPv6 (f000::/4) from leaving via WAN -------- Just letting people know i made a little mistake here while writing the tutorial it's actually: -------- Action: Block Interface: WAN Address Family: IPv6 Protocol: Any Source: Any Destination: Network f000::/4 Description: Block internal IPv6 (f000::/4) from leaving via WAN --------

HA/CARP/VIPs

Discussions about High Availability, CARP, and utilizing additional IP addresses

3k Topics

12k Posts

Hi all, I’m running pfSense 2.8.0 CE on my main router and I’d like to build a cold spare in case the primary fails. Main box: 4 ports in use → WAN / LAN / IoT / Guest Spare box: Only 3 ports available → I’d drop the Guest network if I needed to switch over I know I can install pfSense cleanly on the spare, but I’m unclear on the best way to: Transfer my current configuration to the spare. Keep that configuration up to date as I make changes on the main router. Questions: Is it best practice to back up and restore configs manually, or is there a cleaner way to sync across different hardware (since the interfaces don’t match)? How do others handle maintaining a cold spare so it’s ready to go at short notice? Any practical tips, workflows, or “gotchas” to watch out for would be really appreciated. Thanks!

L2/Switching/VLANs

Discussions about Layer 2 Networking, including switching and VLANs

1k Topics

10k Posts

@HidekiSenpai what does it show in your dns lookup diag..

Routing and Multi WAN

Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

9k Topics

41k Posts

foranalyze2.anonymized.txt

Traffic Shaping

Discussions about traffic shaping and limiters

3k Topics

16k Posts

I cannot say more about questions Q1 and Q2. About Q3. I have a PPPoE line, 1Gbps/300Mbps, MTU is 1492. My line is fine also without limiters, I had a solid A for bufferbloat, RTT is 6ms (first hop) I tried limiters, using 1506 as quantum (1492 + 14 interface overhead), set limit at 7ms for download and 5ms for upload, bandwidth (950/285) I tested with thoese limiters, set the floating rules as per netgate instructions, and now I have a solid A+ on bufferbloat test, with average speeds of 930/280. I suggest to test against bufferbloat issues before using limiters, then repeat the test using limiters so you can see if they are working and improving latency management.

DHCP and DNS

Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

7k Topics

43k Posts

Update from my side: issue hasn't appeared again since disabling ntopng, so seems that was the culprit (or one of them, anyway).

IPv6

Discussions about IPv6 connectivity and services

2k Topics

20k Posts

I just learned…. “The public recursors at 74.82.42.42 / 2001:470:20::2 / ordns.he.net now also support DNS over TLS (DoT) and DNS over HTTPS (DoH) for those who wish to use those interfaces.“ If anyone wants to test out DoH over a ipv6 HE tunnel broker check it out.

IPsec

Discussions about IPsec VPNs

6k Topics

24k Posts

@bradsm87 I assume we are talking about the clients using the native IKEv2 client built into the operation system (Windows, MacOS, Linux, Android and IOS)? Locking those down to approved clients only requires a change from EAP-RADIUS (MSchapv2) to EAP-TLS which is Client certificate based authentication as far as I know. PfSense IKEv2 and the OS Built-in clients does not support combining multiple authentication models concurrently like fx. MSchapv2 (username/password) and TLS or PSK (certificates or preshared key auth). So the only way to “preapprove” clients is by changing the authentication models to EAP-TLS and use enrolled client/user certificates on the VPN clients. This means you need to have more control over the clients to deploy a client/user certificate on them to be used for VPN. Usually this is done using a MDM like fx. Microsoft Intune Alternatively you could look into using OpenVPN instead as that does support multiple authentication models concurrently - fx. Clients need a preshared key or certificate + being able to pass username/password authentication. But then you need control over the clients in order to deploy the VPN Client…..

OpenVPN

Discussions about OpenVPN

10k Topics

53k Posts

@patient0 Thank you for the question. I am using pfSense Community Edition 2.8. I found the url on gpt and also searched for the package in the website but with no luck

Captive Portal

Discussions about Captive Portal, vouchers, and related topics

4k Topics

19k Posts

@Gertjan Thanks for your reply. However, in your screenshot, you added "192.168.1.33" in the "Allowed IP Addresses", which means that even before being officially authenticated on the hotspot, it's possible to access all ports of the "192.168.1.33" address. Moreover, it clearly states: "All connections to the address are allowed", which confirms that there is no filtering — all ports, from 0 to 65,535, are open to that IP. As far as I understand, IPs listed under "Allowed IP Addresses" completely bypass the rules defined in the "PORTAL" tab. So my question remains: How can filtering be applied before user authentication — especially for IPs listed under "Allowed IP Addresses"? Also, if I connect to your hotspot (without a Wi-Fi password, for example) and I don’t have any login credentials, technically, if I run an Nmap scan on "192.168.1.33", I would see all the open ports — and potentially exploit them.

webGUI

Anything that does not fit in other categories related to the webGUI

2k Topics

10k Posts

@nasheayahu where is this CA from? You can for sure create your own CA, and sign certs for any domain and use those certs anywhere. And as long as you add this CA to your browser, or other device to trust certs its signed then you can create a cert for any host.domain.tld, even can put in rfc1918 IP addresses as SAN, so your browser can access via name or even IP and trust the cert. I am pretty sure have gone over how to do that many times over the years - here is an old post where I went over it https://forum.netgate.com/post/831783 I use certs signed by my local CA for lots of things, printer web gui, switches web gui, nas gui, yes my pfsense web gui, etc. etc.

Wireless

Discussions about wireless networks, interfaces, and clients

2k Topics

11k Posts

Nice. Yes that's a much better setup if you don't need them on the same subnet.

SNMP

Discussions about monitoring via SNMP

197 Topics

609 Posts

I figured it out . My firewalls had an old unused OpenVPN client connection on it that was unstable and every time it reconnected, it got a new IP address causing pfsense to restart all packages, and since it took down SNMP, we wouldn't get alerted about the interface going down either... So this issue is solved now

Documentation

Discussions about pfSense documentation, including the book

186 Topics

1k Posts

As a volunteer translator, I suggest that the official website update the template files of the online translation (https://zanata.netgate.com/) in a timely manner, or open the function of uploading po or mo files to replace the translation templates that are still in pfsense 2.50.

Development

Topics related to developing pfSense: coding styles, skills, questions etc.

1k Topics

6k Posts

Hmm that's an interesting setup. I don't think I've ever seen that before. I assume it was working previously with mpd5/negraph? Can you say which ISP that is?

Gaming

Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

427 Topics

3k Posts

@BMD Good to hear it’s stable now.

Virtualization

Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

2k Topics

12k Posts

My patch https://github.com/pfsense/FreeBSD-src/pull/57 fixing above redmine ticket (by enabling corresponding driver in kernel config) was merged last month and will be a part of 2.9.0, whenever that comes out.

Hardware

Discussions about pfSense hardware support

8k Topics

69k Posts

Based on what I can see in the man pages, there should be support in the latest versions of pfSense (which are based on FreeBSD 15) through the bnxt driver: https://man.freebsd.org/cgi/man.cgi?query=bnxt&apropos=0&sektion=4&manpath=FreeBSD+15.0-CURRENT&arch=default&format=html @stephenw10 - can you please confirm that the bnxt driver is included with pfSense? I have not used Broadcom cards myself with pfSense, but have had good experiences with both Intel and Chelsio. Hope this helps.

Bounties

Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

457 Topics

6k Posts

Rereading this I realize I didn't provide much context or frame the issue very well, and since I can't edit I'll post what the OP should have started with here. From the pfSense Docs: Captive Portal in pfSense software forces users on an interface to authenticate before granting access to the Internet. Where possible, the firewall automatically presents a login web page in which the user must enter credentials such as a username/password, a voucher code, or a simple click-through agreement. Users have made many requests for something similar, but for authorizing access into the intranet, instead of out to the internet. This is often called a "reverse portal". This would be useful for e.g. setting up MFA for wireguard vpn connections or requiring login to access a different segment of the local network. Unfortunately, despite being nearly identical in implementation, netgate explicitly states that their captive portal feature is not capable of acting as a reverse portal, aka authorizing access to the local intranet. One of the challenges with reverse portals is how to know when the user has disconnected and needs to reauthenticate. Here I propose a design where the user has to keep a browser tab with an open tcp connection (SSE with heartbeats) connected to the firewall to for the pass rule to be enabled; when the connection closes the pass rule is disabled and they will have to reauthenticate.

Retired

Categories that are no longer active, but are present for reference

10k Topics

64k Posts

Yes this needs to be addressed. But I would argue that if you can set the pppoe password you already have a high level access and could break things far more easily.