Subcategories

  • Announcements and information about pfSense software posted by the project team

    218 Topics
    3k Posts
    Bob.Dig
    said in Now Available: pfSense Plus 25.07.1-RELEASE: Coincidence? Yes, indeed.
  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    27k Topics
    190k Posts
    johnpoz
    @marcg well that is good, then it should work for the OP.
  • Discussions about Multi-Instance Management.

    15 Topics
    114 Posts
    Does anyone know when licensing costs etc. for Nexus / MIM will be announced? It seems a little odd to release it with 25.07 but not have the ability to get licenses for it.
  • Discussions about installing or upgrading pfSense software

    10k Topics
    62k Posts
    I have this issue too, it will fail to boot (it's a VM in Unraid). The fix: change console to video first.
  • Discussions about firewalling functionality in pfSense software

    10k Topics
    59k Posts
    Nice catch. Thanks!
  • Discussions about Network Address Translation (NAT)

    6k Topics
    31k Posts
    --------
    Action: Block
    Interface: WAN
    Address Family: IPv6
    Protocol: Any
    Source: Network f000::/4
    Destination: Any
    Description: Block internal IPv6 (f000::/4) from leaving via WAN
    --------
    Just letting people know I made a little mistake here while writing the tutorial, it's actually:
    --------
    Action: Block
    Interface: WAN
    Address Family: IPv6
    Protocol: Any
    Source: Any
    Destination: Network f000::/4
    Description: Block internal IPv6 (f000::/4) from leaving via WAN
    --------
  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    3k Topics
    12k Posts
    Hi all, I’m running pfSense 2.8.0 CE on my main router and I’d like to build a cold spare in case the primary fails.
    Main box: 4 ports in use → WAN / LAN / IoT / Guest
    Spare box: Only 3 ports available → I’d drop the Guest network if I needed to switch over
    I know I can install pfSense cleanly on the spare, but I’m unclear on the best way to:
    Transfer my current configuration to the spare.
    Keep that configuration up to date as I make changes on the main router.
    Questions:
    Is it best practice to back up and restore configs manually, or is there a cleaner way to sync across different hardware (since the interfaces don’t match)?
    How do others handle maintaining a cold spare so it’s ready to go at short notice?
    Any practical tips, workflows, or “gotchas” to watch out for would be really appreciated. Thanks!
  • Discussions about Layer 2 Networking, including switching and VLANs

    1k Topics
    10k Posts
    johnpoz
    @HidekiSenpai what does it show in your dns lookup diag..
  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    9k Topics
    41k Posts
    w0w
    foranalyze2.anonymized.txt
  • Discussions about traffic shaping and limiters

    3k Topics
    16k Posts
    I cannot say more about questions Q1 and Q2. About Q3: I have a PPPoE line, 1Gbps/300Mbps, MTU is 1492. My line is fine also without limiters; I had a solid A for bufferbloat, RTT is 6ms (first hop). I tried limiters, using 1506 as quantum (1492 + 14 interface overhead), set limit at 7ms for download and 5ms for upload, bandwidth (950/285). I tested with those limiters, set the floating rules as per Netgate instructions, and now I have a solid A+ on the bufferbloat test, with average speeds of 930/280. I suggest testing against bufferbloat issues before using limiters, then repeating the test using limiters so you can see if they are working and improving latency management.
  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    7k Topics
    43k Posts
    Update from my side: issue hasn't appeared again since disabling ntopng, so seems that was the culprit (or one of them, anyway).
  • Discussions about IPv6 connectivity and services

    2k Topics
    20k Posts
    JonathanLee
    I just learned… “The public recursors at 74.82.42.42 / 2001:470:20::2 / ordns.he.net now also support DNS over TLS (DoT) and DNS over HTTPS (DoH) for those who wish to use those interfaces.” If anyone wants to test out DoH over an IPv6 HE tunnel broker, check it out.
  • Discussions about IPsec VPNs

    6k Topics
    24k Posts
    keyser
    @bradsm87 I assume we are talking about the clients using the native IKEv2 client built into the operating system (Windows, macOS, Linux, Android and iOS)? Locking those down to approved clients only requires a change from EAP-RADIUS (MSCHAPv2) to EAP-TLS, which is client-certificate-based authentication as far as I know. pfSense IKEv2 and the OS built-in clients do not support combining multiple authentication models concurrently, e.g. MSCHAPv2 (username/password) and TLS or PSK (certificates or preshared key auth). So the only way to “preapprove” clients is by changing the authentication model to EAP-TLS and using enrolled client/user certificates on the VPN clients. This means you need to have more control over the clients to deploy a client/user certificate on them to be used for VPN. Usually this is done using an MDM, e.g. Microsoft Intune. Alternatively you could look into using OpenVPN instead, as that does support multiple authentication models concurrently, e.g. clients need a preshared key or certificate + being able to pass username/password authentication. But then you need control over the clients in order to deploy the VPN client…
  • Discussions about OpenVPN

    10k Topics
    53k Posts
    @patient0 Thank you for the question. I am using pfSense Community Edition 2.8. I found the URL on GPT and also searched for the package on the website, but with no luck.
  • Discussions about Captive Portal, vouchers, and related topics

    4k Topics
    19k Posts
    @Gertjan Thanks for your reply. However, in your screenshot, you added "192.168.1.33" in the "Allowed IP Addresses", which means that even before being officially authenticated on the hotspot, it's possible to access all ports of the "192.168.1.33" address. Moreover, it clearly states: "All connections to the address are allowed", which confirms that there is no filtering — all ports, from 0 to 65,535, are open to that IP. As far as I understand, IPs listed under "Allowed IP Addresses" completely bypass the rules defined in the "PORTAL" tab. So my question remains: How can filtering be applied before user authentication — especially for IPs listed under "Allowed IP Addresses"? Also, if I connect to your hotspot (without a Wi-Fi password, for example) and I don’t have any login credentials, technically, if I run an Nmap scan on "192.168.1.33", I would see all the open ports — and potentially exploit them.
  • Anything that does not fit in other categories related to the webGUI

    2k Topics
    10k Posts
    johnpoz
    @nasheayahu where is this CA from? You can for sure create your own CA, and sign certs for any domain and use those certs anywhere. And as long as you add this CA to your browser, or other device, to trust the certs it has signed, then you can create a cert for any host.domain.tld; you can even put in RFC 1918 IP addresses as SANs, so your browser can access via name or even IP and trust the cert. I am pretty sure I have gone over how to do that many times over the years; here is an old post where I went over it: https://forum.netgate.com/post/831783 I use certs signed by my local CA for lots of things: printer web GUI, switches web GUI, NAS GUI, yes my pfSense web GUI, etc.
  • Discussions about wireless networks, interfaces, and clients

    2k Topics
    11k Posts
    stephenw10
    Nice. Yes that's a much better setup if you don't need them on the same subnet.
  • Discussions about monitoring via SNMP

    197 Topics
    609 Posts
    I figured it out. My firewalls had an old unused OpenVPN client connection on them that was unstable, and every time it reconnected it got a new IP address, causing pfSense to restart all packages, and since that took down SNMP we wouldn't get alerted about the interface going down either... So this issue is solved now.
  • Discussions about pfSense documentation, including the book

    186 Topics
    1k Posts
    opnwall
    As a volunteer translator, I suggest that the official website update the template files of the online translation (https://zanata.netgate.com/) in a timely manner, or open the function of uploading po or mo files to replace the translation templates that are still in pfsense 2.50.
  • Topics related to developing pfSense: coding styles, skills, questions etc.

    1k Topics
    6k Posts
    stephenw10
    Hmm, that's an interesting setup. I don't think I've ever seen that before. I assume it was working previously with mpd5/netgraph? Can you say which ISP that is?
  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    427 Topics
    3k Posts
    @BMD Good to hear it’s stable now.
  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    2k Topics
    12k Posts
    nazar-pc
    My patch https://github.com/pfsense/FreeBSD-src/pull/57 fixing the above Redmine ticket (by enabling the corresponding driver in the kernel config) was merged last month and will be part of 2.9.0, whenever that comes out.
  • Discussions about pfSense hardware support

    8k Topics
    69k Posts
    Based on what I can see in the man pages, there should be support in the latest versions of pfSense (which are based on FreeBSD 15) through the bnxt driver: https://man.freebsd.org/cgi/man.cgi?query=bnxt&apropos=0&sektion=4&manpath=FreeBSD+15.0-CURRENT&arch=default&format=html @stephenw10 - can you please confirm that the bnxt driver is included with pfSense? I have not used Broadcom cards myself with pfSense, but have had good experiences with both Intel and Chelsio. Hope this helps.
  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    457 Topics
    6k Posts
    Rereading this I realize I didn't provide much context or frame the issue very well, and since I can't edit I'll post what the OP should have started with here. From the pfSense Docs: "Captive Portal in pfSense software forces users on an interface to authenticate before granting access to the Internet. Where possible, the firewall automatically presents a login web page in which the user must enter credentials such as a username/password, a voucher code, or a simple click-through agreement." Users have made many requests for something similar, but for authorizing access into the intranet, instead of out to the internet. This is often called a "reverse portal". This would be useful for e.g. setting up MFA for WireGuard VPN connections or requiring login to access a different segment of the local network. Unfortunately, despite being nearly identical in implementation, Netgate explicitly states that their captive portal feature is not capable of acting as a reverse portal, aka authorizing access to the local intranet. One of the challenges with reverse portals is how to know when the user has disconnected and needs to reauthenticate. Here I propose a design where the user has to keep a browser tab with an open TCP connection (SSE with heartbeats) connected to the firewall for the pass rule to be enabled; when the connection closes the pass rule is disabled and they will have to reauthenticate.
  • 10k Topics
    64k Posts
    stephenw10
    Yes this needs to be addressed. But I would argue that if you can set the pppoe password you already have a high level access and could break things far more easily.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.