Subcategories

  • Announcements and information about pfSense software posted by the project team

    216 Topics
    3k Posts
    Y
    I did another clean upgrade 24.11 to 25.07 release, and what really changed regarding the dhcp6 client is that pfsense now picks up the manually assigned static ipv6, which is set up in my ISP box settings, instead of an auto generated one derived from MAC. In 24.11 this manual setting was ignored or malfunctioning. So far so good! No need to change the DUID. Though on some ISP connections, the ipv6 ping to google from the DHCP-PD range was ok only after a few minutes, maybe due to routing check or appliance check on ISP side. So you should plan the upgrade from a redundant ipv6 WAN, or a dedicated management network, or from a remote ipv4 access.
  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    27k Topics
    190k Posts
    AndyRHA
    @stephenw10 Fiber straight into the 7100. Nothing funky. No heavy packages. With no performance hit I did not see a reason to chase it. Someone fixed something and made it better. In theory I could boot the old image and Clonezilla the disk.
  • Discussions about Multi-Instance Management.

    14 Topics
    106 Posts
    luckman212
    I didn't really go much further but I'll test again. I was clearly misunderstanding the "The pfSense+ instance that Nexus is running on doesn't need to be registered since that's handled automatically" part. Thanks
  • Discussions about installing or upgrading pfSense software

    10k Topics
    62k Posts
    stephenw10
    Yup, could be something dropping packets in the route. But I would try setting MSS on the WAN to something that will definitely pass like 1300. If that fixes the link it confirms an MTU or PathMTU issue.
  • Discussions about firewalling functionality in pfSense software

    10k Topics
    59k Posts
    andrzejls
    @tedquade Thanks.
  • Discussions about Network Address Translation (NAT)

    6k Topics
    31k Posts
    P
    Thanks for sharing the configuration details! I encountered a similar situation when opening ports for Minecraft on pfSense. In addition to the steps you did, you can try checking:
      • Firewall Rule: Make sure the rules for WAN are applied correctly.
      • NAT Reflection: Sometimes enabling NAT Reflection can help in internal testing.
      • Check ISP: Some carriers block port 25565, you may need to change the port to test.
      • pfSense Log: Check the log to determine if the request has reached the router.
    Does anyone in the community have any tips to help make the configuration more stable?
  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    3k Topics
    12k Posts
    U
    Hi there, so I've recently seen some issues which I think might be related to pfSync. Running on whitebox hardware and pfsense plus 2507. The interface order is exactly identical across nodes. pfSync states is enabled on both nodes in the cluster. I've verified that I can see all the states on both nodes before I initiate maintenance on the primary node. When maintenance mode is initiated I can see that the sessions seem to be dropped on the secondary because the states go to 0, give or take a few, and then start rising again. No errors in the logs. Hardware is identical. Is there anything we could try here?
  • Discussions about Layer 2 Networking, including switching and VLANs

    1k Topics
    10k Posts
    C
    @keyser Thanks for the reply. I have a spare port on my router and I will use it to experiment with.
  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    9k Topics
    41k Posts
    luckman212
    @stephenw10 / @marcosm any chance we can relocate this busy/lively thread to the regular Routing and Multi WAN section? It seems it isn't and probably never was specific to 25.07 RC anymore...
  • Discussions about traffic shaping and limiters

    3k Topics
    16k Posts
    G
    @stephenw10, in versions 2.7.x and 2.8, the problem with limiters on a WAN that isn't the default route occurs. The last version that worked correctly was 2.6.0. The evidence and tests performed in each version are documented. Thank you very much and I hope you can validate from version 2.7.x onwards that the limiters no longer work in a WAN that is not the default. Thanks. In 2.6.0 the limiter uses the private IP as source and destination, to control the BW for each IP. In 2.8 and 2.7.x the limiter uses the public IP as the source and the private IP as the destination, that is, for the upload it uses the public IP after applying NAT; this does not limit each connection from the LAN, it limits the entire bandwidth. [image]
  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    7k Topics
    43k Posts
    patient0
    @exomic can you disable IPv6 on WAN or try setting "Prefer IPv4 over IPv6" in System / Advanced / Networking? Does IPv6 work with if_pppoe enabled? What is the issue with DNS, does it not resolve or do you get empty answers?
  • Discussions about IPv6 connectivity and services

    2k Topics
    20k Posts
    JKnott
    @Bob.Dig said in "Can I force one /64 on my WAN?": "Gateway IPv6: fe80::***" That's entirely normal. Routing is often done via the link local address. ISPs may or may not provide a global address on the WAN interface, but you have to enable it if they do. If you can't get a global address from your ISP and want to set up a VPN, etc., you can use the LAN interface address.
  • Discussions about IPsec VPNs

    6k Topics
    24k Posts
    C
    I definitely will do this next week and post here the results. Thank you
  • Discussions about OpenVPN

    10k Topics
    53k Posts
    Gertjan
    @ipguy said in "I need BF-CBC": https://forums.openvpn.net/viewtopic.php?t=35809#p111709 These openvpn options:
      providers legacy default
      data-ciphers-fallback BF-CBC
      compat-mode 2.3.18
    Check if they still exist in the version used by pfSense. First: check the Openvpn version used by pfSense. Then, with that version number, look them up in the openvpn user manual. If it's the case, then use them here: [image] For example, I use the option "status /var/log/openvpn.status; status-version 1;" for my own needs. When you've saved these options, check how OpenVPN starts up (the logs) and see if it doesn't scream with errors. Also check the openvpn config file (the one created with the GUI parameters) for consistency. You can find the file here: /var/etc/openvpn/server1/ and look for the file "config.ovpn". It's an ordinary text file. Don't (bother) edit(ing) this file as it is auto generated by the GUI.
  • Discussions about Captive Portal, vouchers, and related topics

    4k Topics
    19k Posts
    Gertjan
    @DominikHoffmann said in "Captive portal with external code?": "Am I correct?" You can upload the files you need, like a css file, with the portal's file manager. From then on, you can use these files in your 'main' portal login html file, error file etc.
  • Anything that does not fit in other categories related to the webGUI

    2k Topics
    10k Posts
    S
    @mmkkoo Every HTTP request is logged. So everything that updates on the dashboard.
  • Discussions about wireless networks, interfaces, and clients

    2k Topics
    11k Posts
    A
    @johnpoz Thank you! Now I think I understand. This actually seems better than how I thought it worked before because I was nervous about having an open port on the WiFi VLANs.
  • Discussions about monitoring via SNMP

    197 Topics
    609 Posts
    C
    I figured it out. My firewalls had an old unused OpenVPN client connection on it that was unstable, and every time it reconnected it got a new IP address, causing pfsense to restart all packages, and since it took down SNMP, we wouldn't get alerted about the interface going down either... So this issue is solved now.
  • Discussions about pfSense documentation, including the book

    186 Topics
    1k Posts
    opnwall
    As a volunteer translator, I suggest that the official website update the template files of the online translation (https://zanata.netgate.com/) in a timely manner, or open the function of uploading po or mo files to replace the translation templates that are still in pfsense 2.50.
  • Topics related to developing pfSense: coding styles, skills, questions etc.

    1k Topics
    6k Posts
    stephenw10
    Hmm, I would expect that to work. It's pretty much exactly what I run myself. What do you see logged at boot compared with when you restart dpinger?
  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    427 Topics
    3k Posts
    W
    I am on 24.11. I have several consoles at home: PS5, PS4, Nintendos. No issues at all. I just assigned a fixed IP to them and put those IPs in the ACL allow list. Outbound NAT with static port for the consoles. The only "issue" is that port mappings remain there for days. I have to manually cancel them. At the moment I did not find any solution to remove them via cron job scripts.
  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    2k Topics
    12k Posts
    P
    @KOM Oh! :) Thanks!
  • Discussions about pfSense hardware support

    8k Topics
    69k Posts
    V
    @johnytb Why are you only looking for log entries regarding the network card, if you are not sure that it's the reason for the dropouts? If pfSense loses internet, I'd expect that there are related log entries in the system log. Did you enable gateway monitoring? Ensure to monitor a public IP.
  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    457 Topics
    6k Posts
    J
    Rereading this I realize I didn't provide much context or frame the issue very well, and since I can't edit I'll post what the OP should have started with here. From the pfSense Docs: "Captive Portal in pfSense software forces users on an interface to authenticate before granting access to the Internet. Where possible, the firewall automatically presents a login web page in which the user must enter credentials such as a username/password, a voucher code, or a simple click-through agreement." Users have made many requests for something similar, but for authorizing access into the intranet, instead of out to the internet. This is often called a "reverse portal". This would be useful for e.g. setting up MFA for wireguard vpn connections or requiring login to access a different segment of the local network. Unfortunately, despite being nearly identical in implementation, Netgate explicitly states that their captive portal feature is not capable of acting as a reverse portal, aka authorizing access to the local intranet. One of the challenges with reverse portals is how to know when the user has disconnected and needs to reauthenticate. Here I propose a design where the user has to keep a browser tab with an open tcp connection (SSE with heartbeats) connected to the firewall for the pass rule to be enabled; when the connection closes the pass rule is disabled and they will have to reauthenticate.
  • 10k Topics
    64k Posts
    stephenw10
    Yes this needs to be addressed. But I would argue that if you can set the pppoe password you already have a high level access and could break things far more easily.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.