Subcategories

  • Announcements and information about pfSense software posted by the project team

    213 Topics
    3k Posts
    stephenw10

    @seanmcb said in pfSense Plus 25.03-BETA is here!:

    The delay does show the follow of year-based version numbers.

    Yup. Everything has downsides!

    It will probably be 25.07.

  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    27k Topics
    189k Posts
    JonathanLee

    @stephenw10 does the squid status php page work in the new version with the adapted url for access? I had a tough time getting the status page to work.

  • Discussions about Multi-Instance Management.

    11 Topics
    95 Posts
    M

    Thanks for testing! This will be resolved in the upcoming pfSense+ release.

  • Discussions about installing or upgrading pfSense software

    10k Topics
    61k Posts
    stephenw10

    Your NDI will have changed if you replaced the hardware. Send me your NDI and the order number in chat and I'll check it.

  • Discussions about firewalling functionality in pfSense software

    10k Topics
    58k Posts
    L

    @chris-doldolia Hello! You can safely make configuration changes on a running pfSense firewall, it's designed for that. Most settings apply immediately without needing a reboot, though some services (like IPsec, OpenVPN, or interface changes) may briefly interrupt traffic when restarted. Just make sure you have console or alternate access in case something goes wrong.

  • Discussions about Network Address Translation (NAT)

    6k Topics
    31k Posts
    S

    In the firewall rule I changed the source address to the name of the firewall alias.

    Do you mean the source of the NAT rule? If not, try that.

  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    3k Topics
    12k Posts
    BenGonGon

    @patient0 Thank you very much for your knowledge.

  • Discussions about Layer 2 Networking, including switching and VLANs

    1k Topics
    10k Posts
    C

    I got it to work. It had to do with not setting an MTU of 1400. I can now do DNS lookups and it works! Thank you for your suggestions.

  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    9k Topics
    41k Posts
    stephenw10

    Hmm, that looks like PHP stopped responding. But that could be a symptom of whatever check_reload_status is doing.

    Does it clear it if you restart php from the console menu?

    Is that the first error logged after enabling the shaper?

    How is the shaper configured?

  • Discussions about traffic shaping and limiters

    3k Topics
    16k Posts
    V

    Update: It turned out to be some issue with the ISP. Took multiple calls, people and hours of troubleshooting; it works much better now. Still curious if prioritizing traffic to a specific URL is possible.

  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    7k Topics
    42k Posts
    bmeeks

    @aaronouthier said in Errors transferring zone between Windows Server and pfSense Plus:

    Can there be 2 authoritative DNS Servers in the same domain?

    If they both contain the exact same records for the domain, then yes. Although typically they are treated as primary and backup servers, respectively.

    @aaronouthier said in Errors transferring zone between Windows Server and pfSense Plus:

    FWIW: Until I get this working, only my laptop is using Windows Server for DNS, as I have domain logins set up for it. That said, it sounds like this won't work, so I suppose I'll have to manually add all of my DNS records inside Windows and then remove them from pfSense. Darn!

    The correct way to handle this with AD is to let AD DNS be the sole DNS server for all the Windows machines. You can add a domain override for your AD domain to the DNS Resolver in pfSense that points to the IP address of your Windows AD DNS server (typically the domain controller in small networks). That way, the DNS Resolver on pfSense knows which server to ask for information about your AD domain.

  • Discussions about IPv6 connectivity and services

    2k Topics
    19k Posts
    W

    I have an older box (A) and a new box (B). And was trying to make B the primary with A being a backup.

    So I swapped cables to make A the system running the LAN.

    Then I started to update B and realized I had forgotten the first step -- uninstall all the applications. So I stopped this, and re-installed 2.7.2 on B. This is where things went sideways when I did the upgrade to 2.8.0.

    Once the re-install (2.7.2) was completed and I had it all configured the same as box A (password, static IPs, and pools), I started the 2.8.0 upgrade, and then thought this was the time for going from ISC to KEA. Time for a reboot and that is when I started getting all kinds of error messages.

    So I swapped back to A and could not get anything to work correctly. Laptops didn't connect to the LAN, could not ping anything. --- What I found out later was, this was a problem with the VPN software (Mullvad in this case). I had needed to turn that off on the laptops first -- OK, back to system B and now it can't be made to boot. I actually had to take another install DVD (different Linux O/S) and have it install to clear the disks.

    I got the ISP involved and they wanted me to take their equipment and put that between my equipment and their ONT (fiber optic "modem"). So I did that. This added a new complication so I finally fixed it to be off on the side where it was not providing any service to box A or B.

    This (wiring so that the EERO router did not provide service to Box A or B) is how I found that 2.8.0 goes APE when it gets an IPv6 address when it has been configured to NOT use IPv6. So much so that I had to do another install of a Linux system to get the 2.7.2 DVD to actually install.

    Meanwhile I read about others having a problem with KEA for DHCP so I decided to NOT use that once I got 2.7.2 to install correctly (again) -- I have not upgraded to 2.8.0. Not going down that road again for a while.

    I'm finally operable using Box A.

    One of the things that was happening was getting a large number of rule errors and various strings in messages during the boot processes after the install completed with 2.8.0. Since I don't understand that problem -- just not going to upgrade box B to 2.8.0 for now.

  • Discussions about IPsec VPNs

    6k Topics
    24k Posts
    A

    Hi,

    We have a site-to-site IPsec tunnel between a Fortinet firewall (remote) and our pfSense (local).

    Setup:
      • Remote LAN (Fortinet): 10.0.0.0/8
      • Local LAN (pfSense): 20.20.78.0/29
      • VPN server: behind pfSense (VPN IP 20.20.78.2), running Pritunl; hosts VPN clients on 192.168.214.0/23 and 192.168.216.0/23

    [image: pf.png]

    Phase 2 entries: Local 20.20.78.0/29, Remote 10.0.0.0/8 (same on the Fortinet).

    What works:
      • VPN clients <-> Internal LAN (10.0.0.0/8): ✅
      • VPN server <-> Internal LAN (10.0.0.0/8): ✅
      • Internal LAN ping <-> VPN server: ✅

    What doesn't:
      • Internal LAN -> VPN clients (192.168.214.x): ❌
        ICMP echo is seen on the pfSense IPsec capture, but nothing is seen on the VPN server tun interfaces. Clients can reply to internal just fine (asymmetric?).

    Is this a NAT or policy route issue?
    Any way to SNAT/route traffic from internal -> VPN clients so replies come back through IPsec ?

    Thanks !

  • Discussions about OpenVPN

    10k Topics
    53k Posts
    U

    Hi guys,

    I have a pfSense Plus installation at home, where I created a separate subnet that sends all traffic from machines on the subnet through a VPN, and there everything works fine.
    But I have tried for the last couple of days to open a port from the OpenVPN client, incoming to a dedicated service.
    Shortly said: I want to open port 19001, which will communicate with a service of mine. How?? I've seen and tried so many different solutions.
    I have
    LAN - my normal network 192.168.1.0/24
    VPN Internal Subnet 192.168.200.0/27
    Torguard - My incoming DHCP

    The Torguard is created as an interface, and I got rules that I've tried - tried configuration - allowing traffic from the to the specified port - but always getting this answer:
    [image: da587b27-ebc8-4e82-9598-4cdbb52175b4-image.png]

    I've also tried opening the port as NAT from Torguard addresses, but with the same result.
    But how do I get to the solution, since I've been reading about this and got more confused from each old guide I'm finding?

    Can anyone help here? It would be very much appreciated.

    Thanks in advance - Udbytossen

  • Discussions about Captive Portal, vouchers, and related topics

    4k Topics
    19k Posts
    R

    @Gertjan

    This is beautiful.

    I've managed to get things working well enough to accomplish my first-level goals and turn it over to my relief, so I get to go on vacation without getting emails about RADIUS. And I noticed from my attempts earlier that as I was making changes trying to get SQL to update, the Portal would stop working every so often and need to be restarted, so I'm going to leave things here for now. I was able to brute-force a bash script that could calculate daily data usage as a percentage of the cap by poking around the datacounter directory and scp it to my desktop, and my relief will just have to live with the GUI user manager for a few trips.

    But when I get back and have more than a couple of days, I'm going to dig into why radacct isn't updating, then work on these changes you've outlined. Being able to view and edit all this through SQL will be a huge advance. (No smart children onboard, so I added phpMyAdmin to my Synology immediately after MariaDB.)

    Thanks so much for this, I really appreciate it.

  • Anything that does not fit in other categories related to the webGUI

    2k Topics
    10k Posts
    N

    @SteveITS Thanks for pointing that out! That is indeed very close to what I need. The customisable message will do fine for my clients; I hope it will allow for an image to be put into it.

    And my nerdy self would still like to replace the pfSense logo with something else, so I could have a clean black login screen with merely a login prompt and a HAL 9000 eye staring at me, for example :-)

  • Discussions about wireless networks, interfaces, and clients

    2k Topics
    11k Posts
    N

    @elvisimprsntr thanks for the chart! Getting rid of the ISP's Bridge Mode router and plugging the ethernet cable from the wall directly in Vault's WAN port has solved it...hopefully permanently.

  • Discussions about monitoring via SNMP

    197 Topics
    609 Posts
    C

    I figured it out 🤦. My firewall had an old, unused OpenVPN client connection on it that was unstable, and every time it reconnected it got a new IP address, causing pfSense to restart all packages; and since that took down SNMP, we wouldn't get alerted about the interface going down either...
    So this issue is solved now.

  • Discussions about pfSense documentation, including the book

    184 Topics
    1k Posts
    hydn

    Hi everyone. So, when I first installed pfSense about two months ago, I started keeping a detailed log of my configuration process. Partly as a personal reference, but also to help others who might be navigating similar challenges. Over time, this evolved into a step-by-step guide and troubleshooting journal, which I’ve shared here: My pfSense settings walkthrough.

    One recent example: Yesterday, I ran into an issue where the NordVPN app on my phone wouldn’t connect when using my main Wi-Fi VLAN. After some trial and error, I ended up using the Diagnostics > Packet Capture feature in pfSense for the first time to trace the problem. And, with just a few seconds of captured data, identified the missing firewall rule, added it, and that resolved the issue:

    [image: 14c917f1-d14e-4d4b-8818-f5dfd20f6538-image.png]

    I’m continually updating the post as I learn more. Especially after those inevitable moments of “why isn’t this working?!!” 😧

    If you’re also just getting started with pfSense or enjoy reading, and sharing, I hope my notes will be helpful as well. Thanks to everyone in the community for sharing your knowledge here in the forums, Reddit, and to the pfSense team for such a powerful, network-transformational tool.

  • Topics related to developing pfSense: coding styles, skills, questions etc.

    1k Topics
    7k Posts
    stephenw10

    How is your floating rule defined?

    Are you using if_pppoe?

  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    427 Topics
    3k Posts
    jimp

    Updated with Switch 2 info at the end of the first post. tl;dr same as Switch 1 for IPv4, but the console itself appears to support IPv6 (likely depends heavily on the game and peers).

  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    2k Topics
    12k Posts
    nazar-pc

    @wickeren I actually had it enabled with the legacy version (but it didn't make a difference), while switching to modern I removed it.
    Probably should add it back and see if there is a difference; however, as mentioned in the links in the first post, I don't think pfSense has corresponding support enabled in the kernel anyway 😕

    There must be something equivalent in Proxmox as well, it probably designs PCIe architecture in a way that produces legacy devices just like it was in my case originally.
    I'm still puzzled as to why that was the case, but glad it is resolved.

    Here is the full QEMU command that libvirt generates for the VM in case it is helpful:


    /usr/bin/qemu-system-x86_64 \
      -name guest=pfSense,debug-threads=on \
      -S \
      -object {"qom-type":"secret","id":"masterKey0","format":"raw","file":"/var/lib/libvirt/qemu/domain-26-pfSense/master-key.aes"} \
      -blockdev {"driver":"file","filename":"/usr/share/OVMF/OVMF_CODE_4M.fd","node-name":"libvirt-pflash0-storage","auto-read-only":true,"discard":"unmap"} \
      -blockdev {"node-name":"libvirt-pflash0-format","read-only":true,"driver":"raw","file":"libvirt-pflash0-storage"} \
      -blockdev {"driver":"file","filename":"/var/lib/libvirt/qemu/nvram/pfSense_VARS.fd","node-name":"libvirt-pflash1-storage","auto-read-only":true,"discard":"unmap"} \
      -blockdev {"node-name":"libvirt-pflash1-format","read-only":false,"driver":"raw","file":"libvirt-pflash1-storage"} \
      -machine pc-q35-8.2,usb=off,dump-guest-core=off,memory-backend=pc.ram,pflash0=libvirt-pflash0-format,pflash1=libvirt-pflash1-format,hpet=off,acpi=on \
      -accel kvm \
      -cpu host,migratable=on \
      -m size=2097152k \
      -object {"qom-type":"memory-backend-ram","id":"pc.ram","size":2147483648} \
      -overcommit mem-lock=off \
      -smp 8,sockets=1,dies=1,cores=8,threads=1 \
      -uuid REDACTED \
      -no-user-config \
      -nodefaults \
      -chardev socket,id=charmonitor,fd=38,server=on,wait=off \
      -mon chardev=charmonitor,id=monitor,mode=control \
      -rtc base=utc,driftfix=slew \
      -global kvm-pit.lost_tick_policy=delay \
      -no-shutdown \
      -global ICH9-LPC.disable_s3=1 \
      -global ICH9-LPC.disable_s4=1 \
      -boot menu=off,strict=on \
      -device {"driver":"pcie-root-port","port":16,"chassis":1,"id":"pci.1","bus":"pcie.0","multifunction":true,"addr":"0x2"} \
      -device {"driver":"pcie-root-port","port":17,"chassis":2,"id":"pci.2","bus":"pcie.0","addr":"0x2.0x1"} \
      -device {"driver":"pcie-root-port","port":18,"chassis":3,"id":"pci.3","bus":"pcie.0","addr":"0x2.0x2"} \
      -device {"driver":"pcie-root-port","port":19,"chassis":4,"id":"pci.4","bus":"pcie.0","addr":"0x2.0x3"} \
      -device {"driver":"pcie-root-port","port":20,"chassis":5,"id":"pci.5","bus":"pcie.0","addr":"0x2.0x4"} \
      -device {"driver":"pcie-root-port","port":21,"chassis":6,"id":"pci.6","bus":"pcie.0","addr":"0x2.0x5"} \
      -device {"driver":"ich9-usb-ehci1","id":"usb","bus":"pcie.0","addr":"0x1d.0x7"} \
      -device {"driver":"ich9-usb-uhci1","masterbus":"usb.0","firstport":0,"bus":"pcie.0","multifunction":true,"addr":"0x1d"} \
      -device {"driver":"ich9-usb-uhci2","masterbus":"usb.0","firstport":2,"bus":"pcie.0","addr":"0x1d.0x1"} \
      -device {"driver":"ich9-usb-uhci3","masterbus":"usb.0","firstport":4,"bus":"pcie.0","addr":"0x1d.0x2"} \
      -blockdev {"driver":"file","filename":"/var/lib/libvirt/images/pfSense.qcow2","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"} \
      -blockdev {"node-name":"libvirt-1-format","read-only":false,"driver":"qcow2","file":"libvirt-1-storage","backing":null} \
      -device {"driver":"virtio-blk-pci","bus":"pci.3","addr":"0x0","drive":"libvirt-1-format","id":"virtio-disk0","bootindex":1} \
      -netdev {"type":"tap","fd":"39","vhost":true,"vhostfd":"44","id":"hostnet0"} \
      -device {"driver":"virtio-net-pci","netdev":"hostnet0","id":"net0","mac":"REDACTED","bus":"pci.1","addr":"0x0"} \
      -netdev {"type":"tap","fd":"45","vhost":true,"vhostfd":"46","id":"hostnet1"} \
      -device {"driver":"virtio-net-pci","netdev":"hostnet1","id":"net1","mac":"REDACTED","bus":"pci.2","addr":"0x0"} \
      -netdev {"type":"tap","fd":"47","vhost":true,"vhostfd":"48","id":"hostnet2"} \
      -device {"driver":"virtio-net-pci","netdev":"hostnet2","id":"net2","mac":"REDACTED","bus":"pci.5","addr":"0x0"} \
      -netdev {"type":"tap","fd":"49","vhost":true,"vhostfd":"50","id":"hostnet3"} \
      -device {"driver":"virtio-net-pci","netdev":"hostnet3","id":"net3","mac":"REDACTED","bus":"pci.6","addr":"0x0"} \
      -chardev pty,id=charserial0 \
      -device {"driver":"isa-serial","chardev":"charserial0","id":"serial0","index":0} \
      -audiodev {"id":"audio1","driver":"spice"} \
      -spice port=5901,addr=127.0.0.1,disable-ticketing=on,seamless-migration=on \
      -device {"driver":"qxl-vga","id":"video0","max_outputs":1,"ram_size":67108864,"vram_size":67108864,"vram64_size_mb":0,"vgamem_mb":16,"bus":"pcie.0","addr":"0x1"} \
      -global ICH9-LPC.noreboot=off \
      -watchdog-action reset \
      -device {"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.4","addr":"0x0"} \
      -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
      -msg timestamp=on

    And this is the XML domain config it was generated from:


    <domain type="kvm">
      <name>pfSense</name>
      <uuid>REDACTED</uuid>
      <metadata>
        <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
          <libosinfo:os id="http://freebsd.org/freebsd/14.0"/>
        </libosinfo:libosinfo>
      </metadata>
      <memory unit="KiB">2097152</memory>
      <currentMemory unit="KiB">2097152</currentMemory>
      <vcpu placement="static" cpuset="8-11,24-27">8</vcpu>
      <os firmware="efi">
        <type arch="x86_64" machine="pc-q35-8.2">hvm</type>
        <firmware>
          <feature enabled="no" name="enrolled-keys"/>
          <feature enabled="no" name="secure-boot"/>
        </firmware>
        <loader readonly="yes" secure="no" type="pflash">/usr/share/OVMF/OVMF_CODE_4M.fd</loader>
        <nvram template="/usr/share/OVMF/OVMF_VARS_4M.fd">/var/lib/libvirt/qemu/nvram/pfSense_VARS.fd</nvram>
        <boot dev="hd"/>
        <bootmenu enable="no"/>
      </os>
      <features>
        <acpi/>
        <apic/>
      </features>
      <cpu mode="host-passthrough" check="none" migratable="on">
        <topology sockets="1" dies="1" cores="8" threads="1"/>
      </cpu>
      <clock offset="utc">
        <timer name="rtc" tickpolicy="catchup"/>
        <timer name="pit" tickpolicy="delay"/>
        <timer name="hpet" present="no"/>
      </clock>
      <on_poweroff>destroy</on_poweroff>
      <on_reboot>restart</on_reboot>
      <on_crash>restart</on_crash>
      <pm>
        <suspend-to-mem enabled="no"/>
        <suspend-to-disk enabled="no"/>
      </pm>
      <devices>
        <emulator>/usr/bin/qemu-system-x86_64</emulator>
        <disk type="file" device="disk">
          <driver name="qemu" type="qcow2"/>
          <source file="/var/lib/libvirt/images/pfSense.qcow2"/>
          <target dev="vda" bus="virtio"/>
          <address type="pci" domain="0x0000" bus="0x03" slot="0x00" function="0x0"/>
        </disk>
        <controller type="sata" index="0">
          <address type="pci" domain="0x0000" bus="0x00" slot="0x1f" function="0x2"/>
        </controller>
        <controller type="pci" index="0" model="pcie-root"/>
        <controller type="pci" index="1" model="pcie-root-port">
          <model name="pcie-root-port"/>
          <target chassis="1" port="0x10"/>
          <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x0" multifunction="on"/>
        </controller>
        <controller type="pci" index="2" model="pcie-root-port">
          <model name="pcie-root-port"/>
          <target chassis="2" port="0x11"/>
          <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x1"/>
        </controller>
        <controller type="pci" index="3" model="pcie-root-port">
          <model name="pcie-root-port"/>
          <target chassis="3" port="0x12"/>
          <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x2"/>
        </controller>
        <controller type="pci" index="4" model="pcie-root-port">
          <model name="pcie-root-port"/>
          <target chassis="4" port="0x13"/>
          <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x3"/>
        </controller>
        <controller type="pci" index="5" model="pcie-root-port">
          <model name="pcie-root-port"/>
          <target chassis="5" port="0x14"/>
          <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x4"/>
        </controller>
        <controller type="pci" index="6" model="pcie-root-port">
          <model name="pcie-root-port"/>
          <target chassis="6" port="0x15"/>
          <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x5"/>
        </controller>
        <controller type="pci" index="7" model="pcie-root-port">
          <model name="pcie-root-port"/>
          <target chassis="7" port="0x16"/>
          <address type="pci" domain="0x0000" bus="0x00" slot="0x02" function="0x6"/>
        </controller>
        <controller type="usb" index="0" model="qemu-xhci" ports="15">
          <address type="pci" domain="0x0000" bus="0x07" slot="0x00" function="0x0"/>
        </controller>
        <interface type="bridge">
          <mac address="REDACTED"/>
          <source bridge="wan"/>
          <target dev="pfsense-wan"/>
          <model type="virtio"/>
          <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
        </interface>
        <interface type="bridge">
          <mac address="REDACTED"/>
          <source bridge="wan2"/>
          <target dev="pfsense-wan2"/>
          <model type="virtio"/>
          <address type="pci" domain="0x0000" bus="0x02" slot="0x00" function="0x0"/>
        </interface>
        <interface type="bridge">
          <mac address="REDACTED"/>
          <source bridge="lan"/>
          <target dev="pfsense-lan"/>
          <model type="virtio"/>
          <address type="pci" domain="0x0000" bus="0x05" slot="0x00" function="0x0"/>
        </interface>
        <interface type="bridge">
          <mac address="REDACTED"/>
          <source bridge="guest"/>
          <target dev="pfsense-guest"/>
          <model type="virtio"/>
          <address type="pci" domain="0x0000" bus="0x06" slot="0x00" function="0x0"/>
        </interface>
        <serial type="pty">
          <target type="isa-serial" port="0">
            <model name="isa-serial"/>
          </target>
        </serial>
        <console type="pty">
          <target type="serial" port="0"/>
        </console>
        <input type="mouse" bus="ps2"/>
        <input type="keyboard" bus="ps2"/>
        <graphics type="spice" autoport="yes">
          <listen type="address"/>
        </graphics>
        <audio id="1" type="spice"/>
        <video>
          <model type="virtio" heads="1" primary="yes"/>
          <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x0"/>
        </video>
        <watchdog model="itco" action="reset"/>
        <memballoon model="virtio">
          <address type="pci" domain="0x0000" bus="0x04" slot="0x00" function="0x0"/>
        </memballoon>
      </devices>
    </domain>

  • Discussions about pfSense hardware support

    8k Topics
    69k Posts
    stephenw10

    The only interaction I've seen is with an internal modem. I assume the particular modem I tested is somehow causing problems for the switch IC when so close both physically and electrically. Though it should not.

    I would try putting a switch between the modem and the 2100 as a test if you can.

  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    457 Topics
    6k Posts
    S

    @winkmichael Thanks so much. I'll look into it some more, but you were a great help. What I meant by a 0-point release is that it is basically an alpha or beta version until it reaches version 1.x. This to me has historically been an indication that it shouldn't be deployed in mission-critical spaces or commercial spaces, but good to hear it is very active and very reliable. Thanks again.

  • 10k Topics
    63k Posts
    M

    @Patch Yes, I have just confirmed that it is related to early DNS registration

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.