1. Home
  2. pfSense® Software

Subcategories

  • Announcements and information about pfSense software posted by the project team

    207
    Topics
    2.3k
    Posts

    A

    @delphin_007 : please see this thread if my patch /Work around helps you.

    https://forum.netgate.com/topic/190987/squid-error-fatal-unknown-http_port-option-no_tlsv1/9?_=1735383414679

    There is indeed an issue with Squid when acting as mitm. Some options are broken, hopes that someone Will Make a proper fix

  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    26.2k
    Topics
    183.9k
    Posts

    stephenw10S

    Nice! Yes pfSense itself should not normally have a gateway defined on the LAN. The only time you would use that is if you have some other router on LAN with subnets behind it that pfSense needs to route to.

  • Discussions about Multi-Instance Management.

    7
    Topics
    84
    Posts

    stephenw10S

    There isn't any specific handling in MIM for HA setups yet. It's something we expect to have though. It's exactly the sort of thing I'd want to see there.

  • Discussions about installing or upgrading pfSense software

    9.4k
    Topics
    60.2k
    Posts

    stephenw10S

    Yes from 2.4.4 I would just install 24.11 clean and restore your config. That's a big jump from 2.4.X, you'd need to run several upgrade steps otherwise.

  • Discussions about firewalling functionality in pfSense software

    9.6k
    Topics
    57.7k
    Posts

    jimpJ

    They are regex fields, so 192\.168\.174\.1$ should exactly match the .1 address and only the .1 address. It works for me here, with or without the starting anchor (^). In this case you shouldn't need the start anchor but for an address with 1-2 numbers in the first octet, it could be necessary.

    If that doesn't find anything then there may not be any matching logs for that one address at the time you searched.

  • Discussions about Network Address Translation (NAT)

    5.5k
    Topics
    30.8k
    Posts

    V

    @CubedRoot
    1:1 NAT of multiple IPs to a single backend IP cannot work at all.
    1:1 means, that packets addressed to the external IP are forwarded to the internal IP AND outbound traffic from the internal IP is natted to the stated external IP.
    While the first part might be possible, the second cannot be done. Which external IP should be used for outbound traffic of the single internal? The first, the second, both alternating?

    You should rather configure port forwarding rules for both external IP.

    If you also want to use these IPs for outbound traffic from the server set up an outbound NAT rule for it.
    You can translate it to one of them or to both alternating by adding both to an alias and use it as translation address in round-robin mode.

  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    2.6k
    Topics
    11.6k
    Posts

    A

    In HAProxy, when filling in a backend's server list, you can type in a server's hostname instead of an IP.

    This hostname appears to be converted to an IP internally by HAProxy. As far as I know, actually using hostnames in the config file does work, so why does the pfSense version replace it with the IP?

    Another issue is that HAProxy never checks this again. If the server's IP changes, or even if you change the hostname to a different one, this gets completely ignored and HAProxy keeps trying to reach the original IP from the first hostname ever entered.

  • Discussions about Layer 2 Networking, including switching and VLANs

    1.2k
    Topics
    9.9k
    Posts

    JKnottJ

    @Sergei_Shablovsky said in Mixed MTUs on different NIC's interfaces on same pfSense bare metal:

    How mixed MTUs impact on FreeBSD overall performance and throughput as this server are BORDER firewall ?
    (PCI bus pressure, RAM pressure, etc...)

    You can have different MTU on different sides of a router, as they are separate networks and the router will handle the MTU difference with Path MTU Discovery (PMTUD) or sometimes with fragmentation.

  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    8.4k
    Topics
    40.8k
    Posts

    johnpozJ

    @totalimpact said in Pfsense cannot port forward to Layer 3 switch:

    having static routes requires a gateway on the Transit network.

    Not on the interface - you create a gateway to the IP on the transit network, but you don't actually put that gateway on the interface of pfsense on the transit.. Or pfsense thinks a wan interface and creates an outbound nat on it.

    You create the gateway in the routing gateway section not on the specific interface.

    pfsense-layer-3-switch.png

  • Discussions about traffic shaping and limiters

    3.0k
    Topics
    15.8k
    Posts

    R

    Re: TCP - UDP timeout for VoIP

    Thank you so much, Uglybrian, for your reply. I have applied the conservative mode and am testing to see if the drops disappear.
    Best regards.

  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    6.4k
    Topics
    41.1k
    Posts

    GPz1100G

    Perhaps the solution is to release the lease prior to disconnecting either network.

    Unplugging a network connection is different than releasing the lease then disconnecting the cable.

    If this is windows, it's possible to create a task based on a trigger. In this case I don't think it will work. The trigger would be loss of network connection, but once lost, can't issue a dhcp release.

    You could however run a script that would do the same via commandline. Just have to remember to execute it before switching wired<>wireless.

    I use something like this for my screen blanking. I have a rodent that suffers from tourette's syndrome, manifesting as random movements when the the trackball is not even touched. This results in the screen waking for no good reason.

    Using such a script it's set to disable the mouse, then induce screen sleep mode. Of course I can't wake the mouse but can with keyboard. A trigger based on wakeup runs another script that re-enables the rodent.

    This particular box has 2 ethernet nics + wifi. AP is configured for for a different vlan than the primary lan. Both wifi and wired can be on at the same time (with different IP's).

    What is your use case for keeping the same ip for both interfaces?

  • Discussions about IPv6 connectivity and services

    2.0k
    Topics
    19.1k
    Posts

    D

    @JKnott

    I was younger than you when I got mine, but based upon your other historical background, I suspect that you're a few years older than me as well. Too bad we didn't know each other back then. I think we would have had a lot of fun.

    Thank you again for engaging with me in this discussion, and for keeping it civil. I've enjoyed the discussion, and look forward to communicating with you again.

  • Discussions about IPsec VPNs

    5.7k
    Topics
    23.3k
    Posts

    S

    @Decepticon Thanks for the reply. This is an IPSec VPN, and I use the gateway monitoring for multi-wan failover. The IPSec gateways don't show in that section but do think it has something with a route not advertising.

  • Discussions about OpenVPN

    9.7k
    Topics
    52.7k
    Posts

    N

    I just ran into this crash, same errors as OP.
    This is the first time i've ever seen the openvpn server crash. Usually my prod system is a i3-4130 (for years now), but i've been testing on an n100 system for about a week now and this crash just happened. Same pfsense version and config from the i3 system.
    I'm running pfsense 2.7.1 w/openvpn 2.6.8_1 so the new version doesn't fix it

    # pkg info
    openvpn-2.6.8_1 Secure IP/Ethernet tunnel daemon

    # openvpn --version
    OpenVPN 2.6.8 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
    library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10
    DCO version: FreeBSD 14.0-CURRENT amd64 1400094 #1 RELENG_2_7_1-n255918-774957be06d: Wed Nov 15 17:41:06 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_1-main/obj/amd64/GScwGwyy/var/jenkins/workspace/pfSense-CE-snapshots-2_7_1-main/sources/F

  • Discussions about Captive Portal, vouchers, and related topics

    3.5k
    Topics
    18.6k
    Posts

    S

    @EDaleH , @Gertjan ;

    Found a bug in

    One line 1742 you will find function "portal_ip_from_client_ip"

    If someone calls https://MYDOMAIN.tld:8003/index.php and omit "zone=MyZone", this throws an Exception in PHP on line 1746 due to global variable $cpzone being "" empty string.

    I added the following to /etc/inc/captiveportal.inc

    function portal_ip_from_client_ip($cliip) { global $cpzone; /* Fixes bug when portl URL is called without zone */ if(empty($cpzone)) { return false; }

    The function returns false at the end, if it cannot find what zone interface you belong too by default. So all this does is the same, but fixes that bug that will show a message in pFsense crash reports.

  • Anything that does not fit in other categories related to the webGUI

    2.1k
    Topics
    9.8k
    Posts

    M

    @Gertjan said in RESOLVED Configuration history hanging php:

    And "backupcount" is set to what ? 100 ?

    I couldn't check this value exactly because it was hanging.
    But based on the config size and the folder size, I would say a hundred indeed.

    This one ?

    Yes. How I didn't see that option to change the behavior 😢
    Just changed to "Automatically backup on a regular schedule" and enabled ACB again.

  • Discussions about wireless networks, interfaces, and clients

    1.7k
    Topics
    11.1k
    Posts

    R

    Got it, thanks for the confirmation! The restriction of =< 802.11n and no AP mode works OK for my situation: we have one 3d printer which, for some reason, doesn't work well with the office wifi, and it's located right next to our pfSense gateway. It also doesn't have an Ethernet port (incredibly unfortunate). (So if it doesn't support station, but does support adhoc mode, I'm good here.)

    This hardly something that I'd want to call "production ready" and more "a useful hack" until we get a better 3D printer with real functionality.

    I'll do a cross-compile and report back with the results.

  • Discussions about monitoring via SNMP

    196
    Topics
    594
    Posts

    C

    Hello,

    I am experiencing constant crashes of the bsnmpd service on a Netgate 4200 router running pfSense 24.03. The SNMP service settings are default; it is polled by an external monitoring application (Prometheus/snmp_exporter) every 5 seconds. The following entries appear in the log:

    [24.03-RELEASE][admin@pfSense.home.arpa]/var/log: cat system.log | grep snmp Nov 8 03:58:33 pfSense kernel: pid 578 (bsnmpd), jid 0, uid 0, was killed: failed to reclaim memory Nov 8 11:46:11 pfSense snmpd[57864]: disk_OS_get_disks: adding device 'da0' to device list Nov 8 23:50:22 pfSense kernel: pid 57864 (bsnmpd), jid 0, uid 0, was killed: a thread waited too long to allocate a page Nov 10 11:01:04 pfSense snmpd[57763]: disk_OS_get_disks: adding device 'da0' to device list

    Any solution/workaround?

  • Discussions about pfSense documentation, including the book

    182
    Topics
    1.3k
    Posts

    P

    I am looking at a GRE attack agains my system (https://nvd.nist.gov/vuln/detail/CVE-2022-20946), my entry looks like this:

    4,,,1000000103,mvneta0,match,block,in,4,0x0,,50,50087,0,DF,47,gre,1090,59.127.81.214,192.168.2.11,datalength=1070

    I can see that IP 59.127.81.214 is probing the sytem, I just do not know the other fields is there any documentation, https://docs.netgate.com/pfsense/en/latest/monitoring/logs/raw-filter-format.html doesn't show any.

  • Topics related to developing pfSense: coding styles, skills, questions etc.
    CE 2.8.0 Development Snapshots
    1.1k
    Topics
    5.9k
    Posts

    O

    @stephenw10 I don't think kernel debug symbols are really going to be of much use to me. And Xdebug is a php debugger, but I need debug symbols for php83-pecl-radius (and php-fpm I suppose).

  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    422
    Topics
    2.8k
    Posts

    S

    @nbk333 When you added the blocks did you kill the open states?

    https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#new-rules-are-not-applied

    Obviously you need to identify which IPs or hostnames are being used. They could well change over time, for instance it may use multiple servers.

    It can get a bit difficult on some devices. Most mobile phone default to using a privatized/unique MAC address so it can be difficult to assign an IP, and/or it may use IPv6 and temporary IPv6 IPs.

    FWIW I have a Netgate device at home so for school Chromebooks over which I have no control we had to block by MAC address which pfSense Plus can do via Ethernet rules (using a schedule).

  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    1.9k
    Topics
    11.7k
    Posts

    R

    Hello!

    It´s possible to install CloudWatch Agent on pfSense server to monitor memory use?

  • Discussions about pfSense hardware support

    7.5k
    Topics
    68.2k
    Posts

    GertjanG

    @andrew_cb

    Humm.
    Nice write up.
    Most of what you have written exsietd already in my head, as I used these kind of questions when I had decide what type of device to buy, or to be more exact : what storage options ?

    pfSense, when used without any addition - read : packages - runs just fine on any device, from the 1100 to he 8x00, and the only difference will be ! how many NICs, and the overall throughput.

    Anyway, for the reasons you've shown, I bought a 4100, and I had the option : base or max, I went for the max, and you've summed up the real (for me) reasons. Which tells me that the mmc can be replaced (added ?) with a NVME drive rather easily on that (4100) device.

    Still, I'm not using the packages that create huge amounts of write cycles.
    I do use pfBlockerng with a minimal DNSBL list.

    And you're right, when we go out buying that no-name router, we don't look for "what RAM" or what storage it has. But pfSense brings new issues : suddenly, there are a lot of things to click and activate.
    And these new functionalities often start to 'do' things on the router (pfSense) and they log a lot so nice charts and images can be shown (and pfSense isn't even a pi-hole yet).

    edit :
    We all need to install and use pfSense for a while to discover what device (hardware) we actually need.
    And while using pfSense, our needs change.

  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    Completed Bounties Expired/Withdrawn Bounties
    456
    Topics
    6.4k
    Posts

    dennypageD

    @HLPPC said in FQ_Codel IEEE pulse match rules/code/(applet?)/ $500:

    Detection has to detect devices passing through managed switches to negotiate with the pSense, or correctly detect pulses while passing through pfSense in a bridge configuration to negotiate with a different device/router...

    Since auto-negotiation is not visible outside the two ends of the physical link, how would you expect this to work?

  • 9.6k
    Topics
    62.9k
    Posts

    bmeeksB

    @Pizzamaka said in unbound stops and won't start again + high cpu:

    What still puzzles me is why starting unbound through UI does not work whereas running pfblocker update does start unbound.

    Not 100% sure, but it could be that when killed unbound leaves behind its PID file in /var/run/. A shell script could potentially just unilaterally delete any existing unbound PID file before attempting to restart it. That's just a guess on my part, though, as I have not looked at the code in the pfBlockerNG scripts.

    When you attempt to restart the DNS Resolver from the GUI, do you see anything in the pfSense system log at that time mentioning a PID file for unbound? If you do, that would validate my guess.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.