Subcategories

  • Announcements and information about pfSense software posted by the project team

    222 Topics
    3k Posts
    GertjanG
    @Wylbur said in Now Available: pfSense CE 2.8.1-RELEASE: I just dislike going back through manually putting in the various IP pools and static addresses for my network. That's why you have to put all chances on your side. As already said above: make use of the very single reason why pfSense exists (in the first place): this is not the presence of a GUI to set things up, it's the fact that you can 'backup' or 'save' one single config file, and later on, on the same system ( ! ) you can install from a USB drive, do minimal initialisation (probably mostly accepting the defaults) and as soon as the GUI comes up: import the config, and 'done'. If your connection is slow, or you have (had) many pfSense packages installed, just be patient. All packages will get installed 'fresh', and their settings will get applied before they are started. Beware that race conditions can exist, like when you use OpenVPN (client or server) and opted for FreeRadius authentication, but the pfSense FreeRadius package wasn't installed yet ... So, when things have settled out and the dust is cleared, just reboot pfSense (GUI or console command) once more. My update/upgrade check list: First: if you made any special changes to your system, document them all. Use for example the pfSense Notes package, as this info will get stored in the config file, so it will be in your backup. Before you update/upgrade, go to the console or GUI, and restart the system. It would be perfect if you could use the console access (not SSH) and log this reboot process. Scan that log for any potential issue. This will be the perfect moment you'll find out your disk is full - or in bad shape (disks always die). Let your system run for a while, and test any functionality that you depend on. Then use the same console access (or SSH) to do the upgrade. If possible, have this logged to disk on your device. If an issue shows up, you have a trace.
    If you have a trace, you can copy-paste here exactly what happens, so we see the exact issue, so fast answers are possible. Me writing all this took probably more time than you doing all this. Getting experience in learning all this isn't lost time. The day a reinstall really counts, and it has to be done fast (as always), you know the drill. This was previously known as 'learning'. Using a plan and preparing well will reverse Murphy's law: all your good preparation will be for nothing as everything goes smooth.
  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    27k Topics
    192k Posts
    tinfoilmattT
    @MaxPresi said in pfSense loses internet connection with no error: Realtek LAN ports. Fairly certain I've seen nothing but bad things said about this flavor of NIC around here, so I think you're headed down a better track migrating hardware. You haven't said if you're running CE or Plus, so it may or may not even be relevant—but be aware that the swap will probably generate a new NDI. My understanding is that this only affects a Plus install, and only until you obtain Netgate's assistance. But if you're CE, any concern here is moot.
  • Discussions about Multi-Instance Management.

    24 Topics
    158 Posts
    M
    It will be available when the product is launched (including the correct link in the docs).
  • Discussions about installing or upgrading pfSense software

    10k Topics
    63k Posts
    stephenw10S
    Hmm. Inconsistent booting from the same device without changing anything is even more weird. Hard to imagine what could cause that. Some slight timing variation perhaps. But from an SSD that's unexpected.
  • Discussions about firewalling functionality in pfSense software

    10k Topics
    59k Posts
    johnpozJ
    @Gertjan said in Not sure this is normal: stashed somewhere in an obscure registry key. Not sure I would call obscure: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
  • Discussions about Network Address Translation (NAT)

    6k Topics
    31k Posts
    E
    I’m trying to make a device on the remote side of a WireGuard VPN (point B) accessible from the Internet using pfSense’s public IP. pfSense has a public IP on WAN and a WireGuard tunnel to a MikroTik behind NAT. The tunnel works perfectly — I can reach all devices on the remote network (e.g., 172.16.10.1, 172.16.10.2). I want to expose the MikroTik’s web service (port 80) via pfSense’s public IP, for example: incoming WAN:8080 → 172.16.10.2:80 (through WireGuard). The problem: The port forward works if the target is a LAN IP. It fails when the target is an IP inside the WireGuard tunnel. Routes are configured, the WireGuard interface is assigned, and outbound NAT and firewall rules are correct. Still, pfSense doesn’t apply the NAT redirect to the WireGuard interface. Why does pfSense skip NAT when forwarding to a WireGuard peer, and what’s the correct way to make a remote WireGuard host publicly accessible through pfSense? Looking for a technical explanation and possible workarounds (loopback alias, double NAT, pf rules, etc.).
  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    3k Topics
    12k Posts
    V
    Hi, I have a pfSense HA setup using WireGuard point-to-point with FRR/BGP to connect to 3 different systems. The tunnels are set up on the CARP IP of the HA setup. Now I run into the problem that I found no way to export/import or sync the WireGuard setup to pfSense2. Is there anything I overlook? I need the same keys and peers on the second pfSense in case CARP switches to it. Otherwise I would have to create 3 extra tunnels on pfSense2? Thank you for any hint.
  • Discussions about Layer 2 Networking, including switching and VLANs

    1k Topics
    10k Posts
    D
    Thank you for the replies. I was sort of able to figure it out and get it/them working, but it's not how I expected. I set up the VLANs on the switch and, according to everything I could figure and you guys too, it should have worked, but it didn't. After going back and forth with this for a few days I decided to give it a rest for a couple of days. When I got back to it I went to log in to the switch and was unable to. No matter what I tried I couldn't get in, so I did a hard reset (unplug) and tried to log back in. I was able to get into the switch and all the config was there, so I plugged my laptop in and it pulled the .20 IP??? More testing and it did what it is supposed to do. Best I can figure is that the switch didn't like what I was telling it and decided it needed a refresh to then give what I was telling it. IDK but it's working now. To all, thank you, especially johnpoz, theother, and patient0! :-)
  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    9k Topics
    42k Posts
    A
    @pfnewb2016 said in Traffic on Tier2 Gateway w/out Failover Event: Tech support provided the help needed to get this resolved. Set Kill State on Gateway Recovery. This setting is under Advanced-->Miscellaneous, not Gateway or Gateway Groups, so it's easy to miss, as I did. Use Diagnostics-->States to view what traffic was using the T2 Gateway (Starlink). Set the Gateway Group as the specified Gateway on the firewall rules that were incorrectly using the T2 Gateway (Starlink). I believe setting the Gateway Group in the rule, vs relying on the Default Route = Gateway Group, was necessary because of this issue specific to Starlink: "Classless static routes received on DHCP WAN can override chosen default gateway". Despite configuring a default route, your network traffic was incorrectly utilizing the T2 Gateway (Starlink), necessitating the explicit setting of the Gateway Group on firewall rules rather than relying on the default route. What is the specific issue with Starlink's behavior that makes it necessary to explicitly define the Gateway Group in firewall rules, rather than relying on the default route, to prevent incorrect traffic routing?
  • Discussions about traffic shaping and limiters

    3k Topics
    16k Posts
    S
    @shellbr I know the docs say "It does not care about bandwidth on interfaces, only the priority" but in my experience the limits on WAN and LAN are enforced.
  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    7k Topics
    43k Posts
    johnpozJ
    @TonyB972-0 said in WAN seems to be getting next hop IP address, not public IP address: 192.83.xxx.1 address that was not. 192.83 is a public IP. You're maybe thinking of 192.168, which is RFC 1918 btw - not sure where you're using some 208.93.xxx.xxx, because you're not talking to pfSense with that IP, nor does your history ever show you connecting with an IP that starts with those 2 octets.
  • Discussions about IPv6 connectivity and services

    2k Topics
    20k Posts
    M
    So, it wasn't until I got down to 0 unblocked IOT clients that the problem resolved. Meaning, the problem wasn't caused by a specific client. I went to check the IOT SSID setting in the Unifi controller. It had something called "Proxy ARP" enabled. I disabled it. Miraculously, all problems with IPv6 on the wired Windows hosts went away. This is really crazy.
  • Discussions about IPsec VPNs

    6k Topics
    24k Posts
    tinfoilmattT
    @KevCar87 said in Web browser over IPSEC VTI tunnel doesn't work. Pings work though: I have other sites connecting to site A and I never have to do anything. Although all the other sites are using Watchguard but I don't see how that would be different. Because WatchGuard gets paid to hand-hold—like 'automagically' configuring proper NAT between like boxes as you've now seen. Major difference. Viragomann is something like the IPsec resident expert around here. Take that for what you will.
  • Discussions about OpenVPN

    10k Topics
    53k Posts
    M
    OK... I figured it out... I need a rule set on Firewall->NAT->Outbound. Set Mode to Manual and save. Add a rule set below [image: 1762981320073-nat.png]
  • Discussions about Captive Portal, vouchers, and related topics

    4k Topics
    19k Posts
    S
    @Leksandr Hi, hope you are doing well. I read your post. Please can you share your work, as I have one such requirement. We will ask some info and use that. To give a demo I am OK if the information gathered from the user is stored in a local file in pfSense. Much appreciated.
  • Anything that does not fit in other categories related to the webGUI

    2k Topics
    10k Posts
    H
    I'm sorry if that's a duplicate, I couldn't find a way to search only in a specific group. I'd like to know if there is a reason for the behavior below or if I could present a fix for it: When presenting the list of CAs or the list of certificates, the main column is "Distinct Name", which is obtained from an array in the decoded certificate by function cert_get_subject in /etc/inc/certs.inc. For some reason, the elements of the DN are sorted alphabetically by key, that means the country (C) is always first, state (ST) usually the last, with the other elements in between. That order makes no sense at all, so I see no help at all in two commands there. Although a distinct name is understood by many applications no matter the order of the elements, there are some where that matters a lot. IPsec, for example, will not allow a connection if the ID used is a DN in an order different from the actual certificate. So, copying the DN from the Certificates GUI and pasting it in the IPsec phase 1 settings will give you a headache with no purpose. More, as said, the new alphabetic order means nothing but nonsense. To make it worse, when creating the string, the function joins the elements backwards (starting with ST, ending with C). The actual order in the certificates created by the pfSense webGUI makes much more sense (starts with CN - more specific, ends with C - less specific). In my point of view, the reordering helps nothing and is less helpful also, as we can't use it in other applications (we actually must open the certificate details and copy the DN record that is exactly the name above, but, this time, in the correct order). If that's an issue, the correction is very easy: deleting two lines (the sorting) and adjusting two others (the ones that assemble the elements in the reverse order).
  • Discussions about wireless networks, interfaces, and clients

    2k Topics
    11k Posts
    S
    "Enable DNS registration" did the trick. I can now access WIFI (Win11) and LAN (Win7) hosts in both directions via host name. On Win7 I had to modify an OS firewall rule to add the WIFI subnet address to allow file sharing. I did not have to change the Win11 OS firewall at all from the default. Also found out where the "localdomain" comes from; it is set in pfSense :) There are still quirks to work out, such as the LAN host not showing up automatically in the WIFI host's list of discovered network devices and vice versa. I have to explicitly enter the LAN host. I understand, or guess, it's an issue with blocking protocols that are responsible for the discovery part. At some point I'll look at that, but it is not a pressing issue. I have to now apply this change to my parents' network, which has the same issue. Thank you to everyone that helped.
  • Discussions about monitoring via SNMP

    197 Topics
    609 Posts
    C
    I figured it out. My firewalls had an old unused OpenVPN client connection on them that was unstable, and every time it reconnected, it got a new IP address, causing pfSense to restart all packages, and since it took down SNMP, we wouldn't get alerted about the interface going down either... So this issue is solved now.
  • Discussions about pfSense documentation, including the book

    186 Topics
    1k Posts
    opnwallO
    As a volunteer translator, I suggest that the official website update the template files of the online translation (https://zanata.netgate.com/) in a timely manner, or open the function of uploading po or mo files to replace the translation templates that are still in pfsense 2.50.
  • Topics related to developing pfSense: coding styles, skills, questions etc.

    1k Topics
    7k Posts
    M
    Are you able to reproduce this, e.g. by rolling back the BE and trying the update again?
  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    430 Topics
    3k Posts
    N
    This discussion about using pfSense for VPN interfaces and game server port forwarding is quite technical but very useful for gamers and network enthusiasts who want secure and optimized connections. It reminds me of how watching online movies หนังออนไลน์ also depends on stable and well-configured networks both require speed, security, and smooth performance to fully enjoy the experience. Just like setting up pfSense ensures a seamless gaming session, having a good connection makes online movie streaming effortless and enjoyable.
  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    2k Topics
    12k Posts
    M
    I have a virtual machine based on KVM, which has 4 vCPUs and 8GB of RAM. When there is a lot of traffic, I experience packet loss: [image: 1762243948150-bmyi5fghd7fsrap2-resized.png] (The beginning has a lot of packet loss because I reset the machine with more power, thinking that might be the cause. However, real traffic begins at 11:40 a.m., and you can see that the latency and packet loss increase at that point). CPU usage is around 10%, so that shouldn't be the problem. I have disabled ‘hardware checksum offload’. There is no difference, except that CPU usage is higher. I don't know what else could be causing this. Many thanks in advance for your help.
  • Discussions about pfSense hardware support

    8k Topics
    69k Posts
    G
    As @stephenw10 said, there's no need for the VGA cable. You can watch the BIOS POST, update the BIOS and boot an OS all with the serial cable!
  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    457 Topics
    6k Posts
    J
    Rereading this I realize I didn't provide much context or frame the issue very well, and since I can't edit I'll post what the OP should have started with here. From the pfSense Docs: Captive Portal in pfSense software forces users on an interface to authenticate before granting access to the Internet. Where possible, the firewall automatically presents a login web page in which the user must enter credentials such as a username/password, a voucher code, or a simple click-through agreement. Users have made many requests for something similar, but for authorizing access into the intranet, instead of out to the internet. This is often called a "reverse portal". This would be useful for e.g. setting up MFA for WireGuard VPN connections or requiring login to access a different segment of the local network. Unfortunately, despite being nearly identical in implementation, Netgate explicitly states that their captive portal feature is not capable of acting as a reverse portal, aka authorizing access to the local intranet. One of the challenges with reverse portals is how to know when the user has disconnected and needs to reauthenticate. Here I propose a design where the user has to keep a browser tab with an open TCP connection (SSE with heartbeats) connected to the firewall for the pass rule to be enabled; when the connection closes the pass rule is disabled and they will have to reauthenticate.
  • 10k Topics
    64k Posts
    L
    @dennypage Out of curiosity are you getting any hits for qat in vmstat? I'm configured in a nearly identical way and it must be that I must either not be using the right ciphers or IPsec-MB is so efficient it absolutely makes QAT useless.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.