Subcategories

  • Announcements and information about pfSense software posted by the project team

    220 Topics
    3k Posts
    C
    @pfGeorge So what? What should I do or not do? Update something somewhere or just wait?
  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    27k Topics
    191k Posts
    A
    So I think I may have found at least part of the issue --- any help would be greatly appreciated. I have a static IP (for my ATT modem). I took the pfsense device out of the equation and with it directly connected to a PC I am able to reach certain websites, like: google.com, cloudflare.com, but my domain, which has DNS through Cloudflare, the modem is not able to reach the site. The attached are the traceroute results (two screenshots). Are there any suggestions?? I assume only ATT can fix.
  • Discussions about Multi-Instance Management.

    18 Topics
    139 Posts
    T
    I'll look into this for you. I can renew certificates that I created in the new GUI, but none of the others. It does seem that it uses the CA endpoint to renew regular certificates though. So you should be able to use system/certauth/{refid}/renew until it's fixed.
  • Discussions about installing or upgrading pfSense software

    10k Topics
    62k Posts
    stephenw10
    Hmm, you added that cronjob yourself? Any particular reason? Do you have any URL aliases with a large number of entries?
  • Discussions about firewalling functionality in pfSense software

    10k Topics
    59k Posts
    johnpoz
    @revengineer the trick is to figure out where it is coming from. Not sure how to figure out what could have created it. But I would assume if it labeled it gateway monitoring - that has to come from somewhere. It could be a bug that creates a block vs what I would think a better idea of an allow rule, to make sure you could always ping what you're wanting to monitor.. But it doesn't make a lot of sense to be honest, since there is already a hidden rule that allows pfsense itself to do whatever it wants outbound. Which is where the monitoring would come from - ie dpinger.

        # let out anything from the firewall host itself and decrypted IPsec traffic
        pass out inet all keep state allow-opts ridentifier 1000016215 label "let out anything IPv4 from firewall host itself"
        pass out inet6 all keep state allow-opts ridentifier 1000016216 label "let out anything IPv6 from firewall host itself"

    Other thing about the rule that you posted that is odd - is why would it be logged? Have you looked in /tmp/rules.debug - this is a full listing of the rules, and shows the rules pfsense creates on its own that are hidden, like when you enable dhcp server, hidden rules are created on the interface you enable dhcp on so it is sure to work, etc.
  • Discussions about Network Address Translation (NAT)

    6k Topics
    31k Posts
    P
    @SteveITS I don't want to do this. I think that is not a good option to lose public IPs for that purpose :/ Furthermore y.y.y.80/28 is already assigned and ~80% of IPs are used. So it's not possible to do NAT using an "internal" public IP?
  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    3k Topics
    12k Posts
    P
    @girkers said in Best way to set up and maintain a cold spare for pfSense 2.8.0 CE: How do others handle maintaining a cold spare so it’s ready to go at short notice?

    On my cold spare I load the current version of pfsense (and maintain it in the current series so configuration import is compatible). Load the configuration from the main unit. Most easily done via the GUI so interface reassignment can be easily seen. I do this both so plug and play will probably work but also as a dry run in case a newer configuration has to be loaded in a hurry. Back up the main unit's configuration to a location accessible without a functioning pfsense router (to enable use during an emergency restore). I actually use my cold spare for other things when not needed as a router by running pfsense under Proxmox, but configuring dual boot would achieve similar functionality.
  • Discussions about Layer 2 Networking, including switching and VLANs

    1k Topics
    10k Posts
    S
    @patient0 Yes, I tested it and it is working.

        ifconfig ix1 -vlanhwcsum -vlanhwfilter -vlanhwtag

    I also added these cron jobs:

    Job 1 - Set VLAN flags on ix1
        Minute: @reboot
        User: root
        Command: /bin/sh -c 'sleep 25 && /sbin/ifconfig ix1 -vlanhwcsum -vlanhwfilter -vlanhwtag'

    Job 2 - Restart Suricata after VLAN flags
        Minute: @reboot
        User: root
        Command: /bin/sh -c 'sleep 45 && /usr/sbin/service suricata restart'

    Thank you.
  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    9k Topics
    41k Posts
    A
    @SteveITS Yes, same ISP hardware. That is probably a worsening factor. Had it been two separate connection types or ISPs, I don't think it would mind identical DUID (but not entirely sure there) I tried the NPt and two "fake" interfaces that just monitored the prefix; but that did not work as again the other WAN is never going to be assigned anything by the ISP (again, not sure but it's my theory). I have too considered it to be a limitation way down deep, as OPNsense has the exact same problem. The static IPv6 stuff in the manual I did read, and it would work as no DUID is being used to negotiate a static IPv6. I don't believe many people have static IPv6 addresses though. But that makes me think Netgate knows of this issue already, and either it will never work, or just not a priority feature. Thanks for your input and thoughts, I really appreciate it. At least people who run into the same behavior will hopefully find this thread, and not spend 40-60 hours troubleshooting with different router software and what not, as I have :)
  • Discussions about traffic shaping and limiters

    3k Topics
    16k Posts
    J
    @chpalmer Thanks for your experience and thoughts. Good points all.
  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    7k Topics
    43k Posts
    JonathanLee
    Hello fellow Netgate community members, Can you please help? I have two subnets on my network:

        192.168.1.0/24 (LAN): main network with an active WPAD pointing to a proxy
        10.0.0.0/24 (Guest): guest network with a dummy WPAD that should just use direct connections

    I want to configure Unbound so that:

        Clients on the internal network get the WPAD that points to the proxy
        Clients on the guest network get a WPAD that bypasses the proxy
        All other DNS queries still resolve normally

    Currently, the WPAD “bleeds over” onto both interfaces because of the Unbound resolver host override on the guest network. Apple devices in particular will constantly search for a WPAD file when set to auto and never default to “none,” which is why I need a dummy WPAD for guests. How can I accomplish this using custom options, host overrides, or zones in Unbound so that the correct WPAD is automatically served depending on the client’s subnet? Thanks in advance!
  • Discussions about IPv6 connectivity and services

    2k Topics
    20k Posts
    S
    @JKnott said in lan clients periodically drop ipv6 connectivity: That doesn't make sense

    That was also one of my thoughts. :)
  • Discussions about IPsec VPNs

    6k Topics
    24k Posts
    keyser
    @tinfoilmatt I could just as well use OpenVPN for S2S as the workaround. But I prefer Wireguard due to its simplicity - I find it’s just as fast as OpenVPN with hardware acc. There is nothing wrong with either of those options - it’s just not enough in many cases… I’m not always in control of the other end's hardware, and IPsec then becomes the golden standard, and thus required. Also, I much prefer to have only one VPN engine/setup running on pfSense - My “KISS OCD” does not like having multiple different VPN suites/rules and setups running when just IPsec should be enough. PS: The pfSense mobile warrior IPsec setup is not replaceable :-) I, and my customers, absolutely LOVE the pfSense Mobile VPN with its simple setup, and grouping of firewall rules due to multiple IP pools. Not having to deploy and maintain VPN clients, but just use the ones built into OSes is an absolute WIN-WIN when coupled with 2FA from the MS Entra plugin to Microsoft's NPS radius server.
  • Discussions about OpenVPN

    10k Topics
    53k Posts
    G
    Just replying to my original post. The issue seemed to be something to do with Proxmox. I brought another PVE host into my cluster this weekend. As part of that work, I had to go to the Proxmox Datacenter view and go to "SDN > Apply" to push my Proxmox SDN "Zones" and "VNets" to the new host. When I did that, it went ahead and refreshed the Zones and VNets (and anything else that is SDN-related) on the existing PVE hosts - one of which was hosting my virtual firewall. To my surprise and utter delight, the previous issues of some internal websites not always working, and RDP often timing out and coming back - all that went away. I have no idea what was going on in the virtual bridges but at least now if I see those issues again, I'll know where to look for troubleshooting, and what should fix it. Hope this helps someone down the line. Hope I've put in enough keywords for web crawlers and AI. :) Cheers.
  • Discussions about Captive Portal, vouchers, and related topics

    4k Topics
    19k Posts
    Gertjan
    @rds25 said in Captive Portal: Restrict Ports for Allowed IP Address?: As far as I understand, IPs listed under "Allowed IP Addresses" completely bypass the rules defined in the "PORTAL" tab.

    That's what I initially also thought. This is the portal rule that blocks all portal-to-LAN IPv4 traffic (screenshot). I connected my phone to the portal, it got 192.168.2.10, and then I started to send ICMP packets to 192.168.1.33. While doing so, I was packet capturing on my portal interface for ICMP traffic, sent by 192.168.2.10, my phone. I saw the packets, ICMP requests, coming in - but no answers logged. At the same moment, I was:

        [25.07.1-RELEASE][root@pfSense.bhf.tld]/root: tail -f /var/log/filter.log

    and I saw:

        ...
        <134>1 2025-09-02T09:15:05.661320+02:00 pfSense.bhf.tld filterlog 75062 - - 164,,,1655045805,igc1,match,block,in,4,0x0,,64,271,0,none,1,icmp,84,192.168.2.10,192.168.1.33,request,63694,1564
        <134>1 2025-09-02T09:15:06.661321+02:00 pfSense.bhf.tld filterlog 75062 - - 164,,,1655045805,igc1,match,block,in,4,0x0,,64,52479,0,none,1,icmp,84,192.168.2.10,192.168.1.33,request,63694,1664
        <134>1 2025-09-02T09:15:07.661337+02:00 pfSense.bhf.tld filterlog 75062 - - 164,,,1655045805,igc1,match,block,in,4,0x0,,64,19671,0,none,1,icmp,84,192.168.2.10,192.168.1.33,request,63694,1764
        <134>1 2025-09-02T09:15:08.661389+02:00 pfSense.bhf.tld filterlog 75062 - - 164,,,1655045805,igc1,match,block,in,4,0x0,,64,9817,0,none,1,icmp,84,192.168.2.10,192.168.1.33,request,63694,1864
        <134>1 2025-09-02T09:15:09.661321+02:00 pfSense.bhf.tld filterlog 75062 - - 164,,,1655045805,igc1,match,block,in,4,0x0,,64,17809,0,none,1,icmp,84,192.168.2.10,192.168.1.33,request,63694,1964
        <134>1 2025-09-02T09:15:10.661336+02:00 pfSense.bhf.tld filterlog 75062 - - 164,,,1655045805,igc1,match,block,in,4,0x0,,64,16478,0,none,1,icmp,84,192.168.2.10,192.168.1.33,request,63694,2064
        <134>1 2025-09-02T09:15:11.661399+02:00 pfSense.bhf.tld filterlog 75062 - - 164,,,1655045805,igc1,match,block,in,4,0x0,,64,17854,0,none,1,icmp,84,192.168.2.10,192.168.1.33,request,63694,2164
        <134>1 2025-09-02T09:15:12.661402+02:00 pfSense.bhf.tld filterlog 75062 - - 164,,,1655045805,igc1,match,block,in,4,0x0,,64,34051,0,none,1,icmp,84,192.168.2.10,192.168.1.33,request,63694,2264
        ...

    which tells me that my firewall rule (shown above) was blocking my ICMP requests (to 192.168.1.33). GUI equivalent (screenshot). The firewall log label is "LAN Block" so I knew which firewall rule was blocking, the one I showed above. This really makes me think that even when you Allow an IP address, the portal's GUI firewall rules still apply. As soon as I activated this first portal's firewall line (screenshot), which allows ping packets from the portal interface to go to my LAN, 192.168.1.33, my NAS, ping packets came back / the NAS was replying.
  • Anything that does not fit in other categories related to the webGUI

    2k Topics
    10k Posts
    K
    Hi, Thanks everybody, it works now by configuring the router and pfsense with the good way. I did the same thing for ntopng. It works too, but it seems slow. I will try next week to check.
  • Discussions about wireless networks, interfaces, and clients

    2k Topics
    11k Posts
    stephenw10
    Yeah, there's really no point in doing that. You are just accessing the same server via two addresses it's listening on.
  • Discussions about monitoring via SNMP

    197 Topics
    609 Posts
    C
    I figured it out. My firewalls had an old unused OpenVPN client connection on them that was unstable and every time it reconnected, it got a new IP address causing pfsense to restart all packages, and since it took down SNMP, we wouldn't get alerted about the interface going down either... So this issue is solved now.
  • Discussions about pfSense documentation, including the book

    186 Topics
    1k Posts
    opnwall
    As a volunteer translator, I suggest that the official website update the template files of the online translation (https://zanata.netgate.com/) in a timely manner, or open the function of uploading po or mo files to replace the translation templates that are still in pfsense 2.50.
  • Topics related to developing pfSense: coding styles, skills, questions etc.

    1k Topics
    6k Posts
    w0w
    @stephenw10 Different hardware, one of them was running on Proxmox 9 and looks like a bit different backtraces too. Yes I have a couple of backtraces from both firewalls. Currently running 25.07.1 and no traps observed. Can I upload it somewhere?
  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    429 Topics
    3k Posts
    R
    @viragomann There's no router before pfsense. Only the gate with optic fiber to LAN
  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    2k Topics
    12k Posts
    weehooey
    @lifeofguenter Ah. I see that now. I did not realize the window scrolled.

    @weehooey your script does not work. When I install qemu-guest-agent it already installs a start script:

    What you are showing is not what our script does. I can tell you that we tested using the script we provided, and it works on 2.8.1. Perhaps you have not marked your script as executable?
  • Discussions about pfSense hardware support

    8k Topics
    69k Posts
    M
    Is it possible to receive a copy of the unlocked bios bin file? I have three M370 appliances, and I would like to try to program them with my ch341a programmer.
  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    457 Topics
    6k Posts
    J
    Rereading this I realize I didn't provide much context or frame the issue very well, and since I can't edit I'll post what the OP should have started with here. From the pfSense Docs: Captive Portal in pfSense software forces users on an interface to authenticate before granting access to the Internet. Where possible, the firewall automatically presents a login web page in which the user must enter credentials such as a username/password, a voucher code, or a simple click-through agreement. Users have made many requests for something similar, but for authorizing access into the intranet, instead of out to the internet. This is often called a "reverse portal". This would be useful for e.g. setting up MFA for wireguard vpn connections or requiring login to access a different segment of the local network. Unfortunately, despite being nearly identical in implementation, Netgate explicitly states that their captive portal feature is not capable of acting as a reverse portal, aka authorizing access to the local intranet. One of the challenges with reverse portals is how to know when the user has disconnected and needs to reauthenticate. Here I propose a design where the user has to keep a browser tab with an open tcp connection (SSE with heartbeats) connected to the firewall for the pass rule to be enabled; when the connection closes the pass rule is disabled and they will have to reauthenticate.
  • 10k Topics
    64k Posts
    stephenw10
    Yes this needs to be addressed. But I would argue that if you can set the pppoe password you already have a high level access and could break things far more easily.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.