1. Home
  2. pfSense® Software

Subcategories

  • Announcements and information about pfSense software posted by the project team

    207
    Topics
    2.3k
    Posts

    A

    @delphin_007 : please see this thread if my patch /Work around helps you.

    https://forum.netgate.com/topic/190987/squid-error-fatal-unknown-http_port-option-no_tlsv1/9?_=1735383414679

    There is indeed an issue with Squid when acting as mitm. Some options are broken, hopes that someone Will Make a proper fix

  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    26.2k
    Topics
    183.9k
    Posts

    L

    Thx for the replies guys.

    I got the right syntax figured out now which is to use a "!" in order to suppress certain log messages.

    Example:

    :msg, !contains, "Connection closed by xxx.xxx.xxx.xxx port"

    The working example I used is this:
    /var/etc/syslog.d/myssh.conf

    !sshd :msg, !contains, "Connection closed by xxx.xxx.xxx.xxx port" *.* /var/log/myssh.log

    This logs now everything related to the sshd except the above defined string.

    Eventually, I am pretty sure that this will not work with pfSense.
    The reason for this is that the automatically created pfSense log config (based on the GUI) is also stored in the same dir: /var/etc/syslog.d/pfSense.conf

    In this config, all auth message are logged:

    # Automatically generated, do not edit! !* auth.*;authpriv.* /var/log/auth.log

    Changing this is not possible as all changes are reverted once the syslogd is restarted. Therefore all sshd activities will be logged despite what is defined in additional config files in /var/etc/syslog.d/

    Regarding the Check_MK check interval of 1min:
    this is the default check interval for the active checks. To change this of a single check is not possible to my knowledge, but only for ALL active checks for a dedicated host. But maybe this is the way to investigate for me.

    Appreciate the help here!

  • Discussions about Multi-Instance Management.

    7
    Topics
    84
    Posts

    stephenw10S

    There isn't any specific handling in MIM for HA setups yet. It's something we expect to have though. It's exactly the sort of thing I'd want to see there.

  • Discussions about installing or upgrading pfSense software

    9.4k
    Topics
    60.2k
    Posts

    J

    @jimp The disks are 2 Silicon Power A55 SSDs, (256GB). The second disk is plugged into a SATA-2 port, because the motherboard only has a single SATA-3 port.

    camcontrol identify ada0
    pass0: SPCC Solid State Disk SBFM81.3 ACS-4 ATA SATA 3.x device
    pass0: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 8192bytes)
    ...
    https://www.amazon.com/dp/B075RJS55D

    camcontrol indentify ada1
    pass1: SPCC Solid State Disk VE1R900F ACS-3 ATA SATA 3.x device
    pass1: 300.000MB/s transfers (SATA 2.x, UDMA6, PIO 8192bytes)
    ...
    https://www.amazon.com/dp/B0CQCH4RSD (a more recent replacement drive)

    When I type 'sysctl kern.disks' it shows me
    kern.disks: da1 da0 ada1 ada0

  • Discussions about firewalling functionality in pfSense software

    9.6k
    Topics
    57.7k
    Posts

    S

    @Gertjan @johnpoz

    Greetings,

    I appreciate both of you! My FQDN wasn't matching, that's all. I briefly got a DNS rebind error, but added the domain to the Alternate Hostnames list. So far, everything is working! Thanks so much!

  • Discussions about Network Address Translation (NAT)

    5.5k
    Topics
    30.8k
    Posts

    V

    @CubedRoot
    1:1 NAT of multiple IPs to a single backend IP cannot work at all.
    1:1 means, that packets addressed to the external IP are forwarded to the internal IP AND outbound traffic from the internal IP is natted to the stated external IP.
    While the first part might be possible, the second cannot be done. Which external IP should be used for outbound traffic of the single internal? The first, the second, both alternating?

    You should rather configure port forwarding rules for both external IP.

    If you also want to use these IPs for outbound traffic from the server set up an outbound NAT rule for it.
    You can translate it to one of them or to both alternating by adding both to an alias and use it as translation address in round-robin mode.

  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    2.6k
    Topics
    11.6k
    Posts

    V

    @mike_vc said in How to ensure continued connectivity when LAN interface on primary unit goes down?:

    If LAN interface on primary unit is down, and backup unit CARP status for that interface becomes MASTER

    All other interface should follow then. So all interfaces on the primary should go into backup status.

    If this is not the case, something is wrong in your setup.
    Ensure that the WAN interfaces of both nodes can reach each other on layer 2.

  • Discussions about Layer 2 Networking, including switching and VLANs

    1.2k
    Topics
    9.9k
    Posts

    JKnottJ

    @Sergei_Shablovsky said in Mixed MTUs on different NIC's interfaces on same pfSense bare metal:

    How mixed MTUs impact on FreeBSD overall performance and throughput as this server are BORDER firewall ?
    (PCI bus pressure, RAM pressure, etc...)

    You can have different MTU on different sides of a router, as they are separate networks and the router will handle the MTU difference with Path MTU Discovery (PMTUD) or sometimes with fragmentation.

  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    8.4k
    Topics
    40.8k
    Posts

    johnpozJ

    @totalimpact said in Pfsense cannot port forward to Layer 3 switch:

    having static routes requires a gateway on the Transit network.

    Not on the interface - you create a gateway to the IP on the transit network, but you don't actually put that gateway on the interface of pfsense on the transit.. Or pfsense thinks a wan interface and creates an outbound nat on it.

    You create the gateway in the routing gateway section not on the specific interface.

    pfsense-layer-3-switch.png

  • Discussions about traffic shaping and limiters

    3.0k
    Topics
    15.8k
    Posts

    R

    Re: TCP - UDP timeout for VoIP

    Thank you so much, Uglybrian, for your reply. I have applied the conservative mode and am testing to see if the drops disappear.
    Best regards.

  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    6.4k
    Topics
    41.1k
    Posts

    GPz1100G

    Perhaps the solution is to release the lease prior to disconnecting either network.

    Unplugging a network connection is different than releasing the lease then disconnecting the cable.

    If this is windows, it's possible to create a task based on a trigger. In this case I don't think it will work. The trigger would be loss of network connection, but once lost, can't issue a dhcp release.

    You could however run a script that would do the same via commandline. Just have to remember to execute it before switching wired<>wireless.

    I use something like this for my screen blanking. I have a rodent that suffers from tourette's syndrome, manifesting as random movements when the the trackball is not even touched. This results in the screen waking for no good reason.

    Using such a script it's set to disable the mouse, then induce screen sleep mode. Of course I can't wake the mouse but can with keyboard. A trigger based on wakeup runs another script that re-enables the rodent.

    This particular box has 2 ethernet nics + wifi. AP is configured for for a different vlan than the primary lan. Both wifi and wired can be on at the same time (with different IP's).

    What is your use case for keeping the same ip for both interfaces?

  • Discussions about IPv6 connectivity and services

    2.0k
    Topics
    19.1k
    Posts

    D

    @JKnott

    I was younger than you when I got mine, but based upon your other historical background, I suspect that you're a few years older than me as well. Too bad we didn't know each other back then. I think we would have had a lot of fun.

    Thank you again for engaging with me in this discussion, and for keeping it civil. I've enjoyed the discussion, and look forward to communicating with you again.

  • Discussions about IPsec VPNs

    5.7k
    Topics
    23.3k
    Posts

    S

    @Decepticon Thanks for the reply. This is an IPSec VPN, and I use the gateway monitoring for multi-wan failover. The IPSec gateways don't show in that section but do think it has something with a route not advertising.

  • Discussions about OpenVPN

    9.7k
    Topics
    52.7k
    Posts

    R

    Hello,

    We recently deployed EntraID MFA with our OpenVPN deployment. It works great minus one drawback that we've come across. Currently we have reneg-sec set at the server and client as reneg-sec 36000; We're finding that clients that actually stay connected for the term are only staying persistent for 9 hours and not the full 10 hours. Short of deploying a longer renegotiation time to compensate, has anyone seen these settings not honor the full timeout amount?

    Thanks!

  • Discussions about Captive Portal, vouchers, and related topics

    3.5k
    Topics
    18.6k
    Posts

    S

    @EDaleH , @Gertjan ;

    Found a bug in

    One line 1742 you will find function "portal_ip_from_client_ip"

    If someone calls https://MYDOMAIN.tld:8003/index.php and omit "zone=MyZone", this throws an Exception in PHP on line 1746 due to global variable $cpzone being "" empty string.

    I added the following to /etc/inc/captiveportal.inc

    function portal_ip_from_client_ip($cliip) { global $cpzone; /* Fixes bug when portl URL is called without zone */ if(empty($cpzone)) { return false; }

    The function returns false at the end, if it cannot find what zone interface you belong too by default. So all this does is the same, but fixes that bug that will show a message in pFsense crash reports.

  • Anything that does not fit in other categories related to the webGUI

    2.1k
    Topics
    9.8k
    Posts

    M

    @Gertjan said in RESOLVED Configuration history hanging php:

    And "backupcount" is set to what ? 100 ?

    I couldn't check this value exactly because it was hanging.
    But based on the config size and the folder size, I would say a hundred indeed.

    This one ?

    Yes. How I didn't see that option to change the behavior 😢
    Just changed to "Automatically backup on a regular schedule" and enabled ACB again.

  • Discussions about wireless networks, interfaces, and clients

    1.7k
    Topics
    11.1k
    Posts

    R

    Got it, thanks for the confirmation! The restriction of =< 802.11n and no AP mode works OK for my situation: we have one 3d printer which, for some reason, doesn't work well with the office wifi, and it's located right next to our pfSense gateway. It also doesn't have an Ethernet port (incredibly unfortunate). (So if it doesn't support station, but does support adhoc mode, I'm good here.)

    This hardly something that I'd want to call "production ready" and more "a useful hack" until we get a better 3D printer with real functionality.

    I'll do a cross-compile and report back with the results.

  • Discussions about monitoring via SNMP

    196
    Topics
    594
    Posts

    C

    Hello,

    I am experiencing constant crashes of the bsnmpd service on a Netgate 4200 router running pfSense 24.03. The SNMP service settings are default; it is polled by an external monitoring application (Prometheus/snmp_exporter) every 5 seconds. The following entries appear in the log:

    [24.03-RELEASE][admin@pfSense.home.arpa]/var/log: cat system.log | grep snmp Nov 8 03:58:33 pfSense kernel: pid 578 (bsnmpd), jid 0, uid 0, was killed: failed to reclaim memory Nov 8 11:46:11 pfSense snmpd[57864]: disk_OS_get_disks: adding device 'da0' to device list Nov 8 23:50:22 pfSense kernel: pid 57864 (bsnmpd), jid 0, uid 0, was killed: a thread waited too long to allocate a page Nov 10 11:01:04 pfSense snmpd[57763]: disk_OS_get_disks: adding device 'da0' to device list

    Any solution/workaround?

  • Discussions about pfSense documentation, including the book

    182
    Topics
    1.3k
    Posts

    P

    I am looking at a GRE attack agains my system (https://nvd.nist.gov/vuln/detail/CVE-2022-20946), my entry looks like this:

    4,,,1000000103,mvneta0,match,block,in,4,0x0,,50,50087,0,DF,47,gre,1090,59.127.81.214,192.168.2.11,datalength=1070

    I can see that IP 59.127.81.214 is probing the sytem, I just do not know the other fields is there any documentation, https://docs.netgate.com/pfsense/en/latest/monitoring/logs/raw-filter-format.html doesn't show any.

  • Topics related to developing pfSense: coding styles, skills, questions etc.
    CE 2.8.0 Development Snapshots
    1.1k
    Topics
    5.9k
    Posts

    O

    @stephenw10 I don't think kernel debug symbols are really going to be of much use to me. And Xdebug is a php debugger, but I need debug symbols for php83-pecl-radius (and php-fpm I suppose).

  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    422
    Topics
    2.8k
    Posts

    S

    @nbk333 When you added the blocks did you kill the open states?

    https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#new-rules-are-not-applied

    Obviously you need to identify which IPs or hostnames are being used. They could well change over time, for instance it may use multiple servers.

    It can get a bit difficult on some devices. Most mobile phone default to using a privatized/unique MAC address so it can be difficult to assign an IP, and/or it may use IPv6 and temporary IPv6 IPs.

    FWIW I have a Netgate device at home so for school Chromebooks over which I have no control we had to block by MAC address which pfSense Plus can do via Ethernet rules (using a schedule).

  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    1.9k
    Topics
    11.7k
    Posts

    R

    Hello!

    It´s possible to install CloudWatch Agent on pfSense server to monitor memory use?

  • Discussions about pfSense hardware support

    7.5k
    Topics
    68.2k
    Posts

    GertjanG

    @andrew_cb

    Humm.
    Nice write up.
    Most of what you have written exsietd already in my head, as I used these kind of questions when I had decide what type of device to buy, or to be more exact : what storage options ?

    pfSense, when used without any addition - read : packages - runs just fine on any device, from the 1100 to he 8x00, and the only difference will be ! how many NICs, and the overall throughput.

    Anyway, for the reasons you've shown, I bought a 4100, and I had the option : base or max, I went for the max, and you've summed up the real (for me) reasons. Which tells me that the mmc can be replaced (added ?) with a NVME drive rather easily on that (4100) device.

    Still, I'm not using the packages that create huge amounts of write cycles.
    I do use pfBlockerng with a minimal DNSBL list.

    And you're right, when we go out buying that no-name router, we don't look for "what RAM" or what storage it has. But pfSense brings new issues : suddenly, there are a lot of things to click and activate.
    And these new functionalities often start to 'do' things on the router (pfSense) and they log a lot so nice charts and images can be shown (and pfSense isn't even a pi-hole yet).

    edit :
    We all need to install and use pfSense for a while to discover what device (hardware) we actually need.
    And while using pfSense, our needs change.

  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    Completed Bounties Expired/Withdrawn Bounties
    456
    Topics
    6.4k
    Posts

    dennypageD

    @HLPPC said in FQ_Codel IEEE pulse match rules/code/(applet?)/ $500:

    Detection has to detect devices passing through managed switches to negotiate with the pSense, or correctly detect pulses while passing through pfSense in a bridge configuration to negotiate with a different device/router...

    Since auto-negotiation is not visible outside the two ends of the physical link, how would you expect this to work?

  • 9.6k
    Topics
    62.9k
    Posts

    bmeeksB

    @Pizzamaka said in unbound stops and won't start again + high cpu:

    What still puzzles me is why starting unbound through UI does not work whereas running pfblocker update does start unbound.

    Not 100% sure, but it could be that when killed unbound leaves behind its PID file in /var/run/. A shell script could potentially just unilaterally delete any existing unbound PID file before attempting to restart it. That's just a guess on my part, though, as I have not looked at the code in the pfBlockerNG scripts.

    When you attempt to restart the DNS Resolver from the GUI, do you see anything in the pfSense system log at that time mentioning a PID file for unbound? If you do, that would validate my guess.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.