pfSense® Software

Messages from the pfSense Team

Announcements and information about pfSense software posted by the project team

218 Topics

3k Posts

All, On my SG5100 just upated to 25.07.1 over the weekend. No issues. It uninstalled and re-installed one package automatically. Otherwise I did nothing else. To be clear, my setup is fairly simple. Phizix

General pfSense Questions

Discussions about pfSense software that do not fit into one of the more specific categories below.

27k Topics

190k Posts

Ran a traceroute yesterday, [25.07.1-RELEASE][root@firewall]/root: traceroute -P 41 184.1.1.1 traceroute to 184.1.1.1 (184.1.1.1), 64 hops max, 40 byte packets 1 dsldevice.attlocal.net (192.168.1.254) 0.574 ms 0.472 ms 0.469 ms 2 * * * 3 * * * 4 * * * 5 * * * 6 192.205.32.138 (192.205.32.138) 14.657 ms 15.537 ms * 7 * * * A separate run on that showed a different path but at a similar point I got a response from something and then nothing else. One solution that I keep seeing during my searching is to switch to a business account. Just got a basic price list for that and it's flat out ridiculous. Over a thousand dollars a month to be provisioned at 1Gbps and no idea if I'd still see this problem or not.

Multi-Instance Management

Discussions about Multi-Instance Management.

16 Topics

119 Posts

@marcosm said in pf-sense-api-client: What pfSense version is that on? 25.07.1-RELEASE (amd64)

Problems Installing or Upgrading pfSense Software

Discussions about installing or upgrading pfSense software

10k Topics

62k Posts

918MB is potentially not enough available space. You should remove some older BEs and retry. I would normally expect to see the 'not enough space' alert if it hits that though.

Firewalling

Discussions about firewalling functionality in pfSense software

10k Topics

59k Posts

Fyi, I had previously opened a ticket with the website administrators but have had no reply... until today, after I started this chat. So... they just told me that they're already aware of the issue and it probably has to do with the recaptcha quotas. This website is used by many people so, they probably will have to upgrade the plan. I'm sorry to have taken your time on this, and thank you for that.

NAT

Discussions about Network Address Translation (NAT)

6k Topics

31k Posts

-------- Action: Block Interface: WAN Address Family: IPv6 Protocol: Any Source: Network f000::/4 Destination: Any Description: Block internal IPv6 (f000::/4) from leaving via WAN -------- Just letting people know i made a little mistake here while writing the tutorial it's actually: -------- Action: Block Interface: WAN Address Family: IPv6 Protocol: Any Source: Any Destination: Network f000::/4 Description: Block internal IPv6 (f000::/4) from leaving via WAN --------

HA/CARP/VIPs

Discussions about High Availability, CARP, and utilizing additional IP addresses

3k Topics

12k Posts

@girkers said in Best way to set up and maintain a cold spare for pfSense 2.8.0 CE: How do others handle maintaining a cold spare so it’s ready to go at short notice? On my cold spare I load the current version of pfsense (and maintain it in the current series so configuration import is compatible) Load the configuration from the main unit. Most easily done via the GUI so interface reassignment can be easily seen. This is do both so plug and play will probably work but also as a dry run in-case a newer configuration has to be loaded in a hurry. Back up the main units configuration to a location accessible without a functioning pfsense router (to enable use during an emergency restore). I actually use my cold spare for other things when not needed as a router by running pfsense under Proxmox but configuring dual boot would achieve similar functionality

L2/Switching/VLANs

Discussions about Layer 2 Networking, including switching and VLANs

1k Topics

10k Posts

@HidekiSenpai not sure why you think a query to quad9 would be authoritative.. quad9 is not the authoritative ns for google.com Your unbound setting there are resolver mode, for you to be able to resolve you would have to be able to talk to all the NS on port 53.. If your upstream is blocking this then yeah your going to have issues. What does dns lookup on the diagnostic menu dns lookup report? To test if you can resolve and to see where you might be having issues do a dig + trace on pfsense. [25.07.1-RELEASE][admin@sg4860.home.arpa]/root: dig google.com +trace ; <<>> DiG 9.20.6 <<>> google.com +trace ;; global options: +cmd . 84617 IN NS d.root-servers.net. . 84617 IN NS f.root-servers.net. . 84617 IN NS e.root-servers.net. . 84617 IN NS m.root-servers.net. . 84617 IN NS j.root-servers.net. . 84617 IN NS b.root-servers.net. . 84617 IN NS c.root-servers.net. . 84617 IN NS g.root-servers.net. . 84617 IN NS k.root-servers.net. . 84617 IN NS l.root-servers.net. . 84617 IN NS a.root-servers.net. . 84617 IN NS h.root-servers.net. . 84617 IN NS i.root-servers.net. . 84617 IN RRSIG NS 8 0 518400 20250915050000 20250902040000 46441 . r2EKEjvLOSDMWT4XAMJK+3McQntRgJ/wtG2WXCZ90DdKxUgNUCU1Q1R+ YDovtNQExt87dM1gu8S10al5FJPNkLM6pbQM010+1E2AnyCQyt4DQrJh JgMhwcYONIbT/gGrXfQS7sdN8B5g0ob2HcqXRxqMkDOldxdBCJy7B5ZM AufoQlrCrdazkGHVxC+vzsDIDVYnAFLlLkoHtcpbLmiK1w6MiVNfzfWt EC4v7Bibau5rMYzhYZ0EwGv4CCG6dn8HiGEg0rNBmMi7onXndKhq2S4H T9b1jkIj1qG1GfVOzVuqmzv7OWgW9+0jbqel3VR7AAfO9plH7JLeVNY1 EmTLTg== ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms com. 172800 IN NS a.gtld-servers.net. com. 172800 IN NS b.gtld-servers.net. com. 172800 IN NS c.gtld-servers.net. com. 172800 IN NS d.gtld-servers.net. com. 172800 IN NS e.gtld-servers.net. com. 172800 IN NS f.gtld-servers.net. com. 172800 IN NS g.gtld-servers.net. com. 172800 IN NS h.gtld-servers.net. com. 172800 IN NS i.gtld-servers.net. com. 172800 IN NS j.gtld-servers.net. com. 172800 IN NS k.gtld-servers.net. com. 172800 IN NS l.gtld-servers.net. com. 172800 IN NS m.gtld-servers.net. com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A com. 86400 IN RRSIG DS 8 1 86400 20250915050000 20250902040000 46441 . PuEt7PPZTytXpON7kI4PR4ePmn1RbbZwWwksIwQqStFADSXkHLtaCWBk 6rjtDQogfGqqcRZnJzXTwq7FD+lsB//y3DBBkzBB+ag7XmldiFGtkV3Y 9ueUEL4ydZnyftPClzOtBYbtzMVA2oC6gfNbi7LyIFUUH8xc0IZUPJah 9IQF443ZocHNNl8jPpSilA7QVkSf6rKRH5CNUdTsJ6qhfXUEOWgNqIaV yLCrPzsnyl7+PoU1dBpPmsbUY0DUO2A0E5Zs5lBpcgjThoEK/SMokB1v Rb75/7Yvb+MGyDWmZVwd9uKdVadxzn6jdJgxgSM+SBuxaSpkWlnqhJnx fYnP/w== ;; Received 1170 bytes from 2001:503:c27::2:30#53(j.root-servers.net) in 9 ms google.com. 172800 IN NS ns2.google.com. google.com. 172800 IN NS ns1.google.com. google.com. 172800 IN NS ns3.google.com. google.com. 172800 IN NS ns4.google.com. CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN NSEC3 1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL NS SOA RRSIG DNSKEY NSEC3PARAM CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN RRSIG NSEC3 13 2 900 20250908002603 20250831231603 20545 com. I5bq7mPPNzfXbaaD27hOUwaUOIQJi6EcJYwN+Ab4FiMqp5GgoHWsfgSm LHUn2Mg3jXAGfxykTCnJXfUQYtJ+oQ== S84BOR4DK28HNHPLC218O483VOOOD5D8.com. 900 IN NSEC3 1 1 0 - S84BR9CIB2A20L3ETR1M2415ENPP99L8 NS DS RRSIG S84BOR4DK28HNHPLC218O483VOOOD5D8.com. 900 IN RRSIG NSEC3 13 2 900 20250909012623 20250902001623 20545 com. 1Sn2h2Xvf9GUFWqqEDwCOD+aZFVhrEhV+87H/RxeCGuNoA42E7tz5Oq6 A7hnIkd0J8coWN0C9M9gQlJLjrrfvw== ;; Received 644 bytes from 192.26.92.30#53(c.gtld-servers.net) in 27 ms google.com. 300 IN A 172.217.2.46 ;; Received 55 bytes from 216.239.36.10#53(ns3.google.com) in 25 ms The dig + trace is exactly what the resolver would do - so seeing all the steps can show you were you might be failing in the process.

Routing and Multi WAN

Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

9k Topics

41k Posts

foranalyze2.anonymized.txt

Traffic Shaping

Discussions about traffic shaping and limiters

3k Topics

16k Posts

I have a NetGate 6100 unit running pfSense+ 25.07. My LAN network is 10 GbE and the LAN connection to the 6100 is a 10 Gbit/s SFP+ uplink from my main switch. LAN is dual stack with internal traffic being mainly IPv6. My WAN connection is a 2.5 Gbits FTTH connection using PPPoE over VLAN 911. WAN is dual stack with over 50% of my traffic using IPv6. This includes some of my most important traffic. I've configured FQ_CODEL as per the recipe in the pfSense documentation, with some small tweaks, to try to optimise latency while minimising the impact on throughput. My results have been great for IPv4 where my bufferbloat test score has gone from A/B to A+. However results are not so good for IPv6. Specifically: Simply having the firewall rule in place to apply FQ_CODEL to IPv6 traffic reduces IPv6 multi-stream iperf3 throughput by ~10% (I do not see any measurable impact on IPv4). My bufferbloat score for IPv6 is only marginally improved. I've also run my own tests (as opposed to using various bufferbloat test sites) and I see the same results as above; IPv4 is performing really well, IPv6 much less so. Is it just that FQ_CODEL isn't very good for IPv6? Or are there additional things that I can do to improve things for IPv6?

DHCP and DNS

Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

7k Topics

43k Posts

@Jeremy11one said in Confused about DNS forwarding and local domains: Here's a 2018 Microsoft page I found with contrary advice: link. I'm interested in your opinion to see if there's something that article hasn't taken into consideration. While generally @johnpoz does have a point on the issues with leaky DNS when using public domains internally, it should be noted it only happens if mistakes are made in internal DNS setup (like fx. Transparent vs. Static, and searchdomains and such). There are a lot of arguments for using a public internal domain when it comes to user transparency/understanding and just generally making lives easier because of “easy use” of short hostnames instead of FQDN. Also, I highly disagree with the argument that a private domain internally makes things easier - it does not in the majority of management cases with large userbases. It will create a lot of double maintenance in DNS, proxies and firewall setups (reflection) if your userbase generally are using webbased tools in their interaction with company ressources that are a mix of internally and externally hosted servers. Much easier to maintain with a public internal domain, and no need for NAT reflection which is a PITA. So both solutions works and each have their advantages. It’s safe to assume MS made that recommendation from years of support and understanding what problems was caused by each model. Yes, a private domain is the “correct” technical solution, but ease of use and maintenance has a tendency to win ;-) It should be noted as we increasingly move towards SAAS in cloudservices, the public internal domain advantage in maintenance does “diminish” as those require you to make double maintenance in DNS if they are named in the public domain.

IPv6

Discussions about IPv6 connectivity and services

2k Topics

20k Posts

I just learned…. “The public recursors at 74.82.42.42 / 2001:470:20::2 / ordns.he.net now also support DNS over TLS (DoT) and DNS over HTTPS (DoH) for those who wish to use those interfaces.“ If anyone wants to test out DoH over a ipv6 HE tunnel broker check it out.

IPsec

Discussions about IPsec VPNs

6k Topics

24k Posts

@bradsm87 I assume we are talking about the clients using the native IKEv2 client built into the operation system (Windows, MacOS, Linux, Android and IOS)? Locking those down to approved clients only requires a change from EAP-RADIUS (MSchapv2) to EAP-TLS which is Client certificate based authentication as far as I know. PfSense IKEv2 and the OS Built-in clients does not support combining multiple authentication models concurrently like fx. MSchapv2 (username/password) and TLS or PSK (certificates or preshared key auth). So the only way to “preapprove” clients is by changing the authentication models to EAP-TLS and use enrolled client/user certificates on the VPN clients. This means you need to have more control over the clients to deploy a client/user certificate on them to be used for VPN. Usually this is done using a MDM like fx. Microsoft Intune Alternatively you could look into using OpenVPN instead as that does support multiple authentication models concurrently - fx. Clients need a preshared key or certificate + being able to pass username/password authentication. But then you need control over the clients in order to deploy the VPN Client…..

OpenVPN

Discussions about OpenVPN

10k Topics

53k Posts

@viragomann Can you possibly elaborate on this? A floating rule on the client pf? both instances? (active and stby?)

Captive Portal

Discussions about Captive Portal, vouchers, and related topics

4k Topics

19k Posts

@rds25 said in Captive Portal: Restrict Ports for Allowed IP Address?: As far as I understand, IPs listed under "Allowed IP Addresses" completely bypass the rules defined in the "PORTAL" tab. That's what I initially also thought. This is the portal rule that blocks all portal-to-LAN IPv4 traffic : [image: 1756797401971-c9aa3733-1739-40f8-b7cf-757f4f3abb37-image.png] I connected my phone to the portal, it got 192.168.2.10, and then I started to send ICMP packets to 192.168.1.33. While doing so, I was packet capturing on my portal interface for ICMP traffic, send by 192.168.2.10, my phone. I saw the packets, ICMP requests, coming in - but no answers logged. At the same moment, I was : [25.07.1-RELEASE][root@pfSense.bhf.tld]/root: tail -f /var/log/filter.log and I saw : ... <134>1 2025-09-02T09:15:05.661320+02:00 pfSense.bhf.tld filterlog 75062 - - 164,,,1655045805,igc1,match,block,in,4,0x0,,64,271,0,none,1,icmp,84,192.168.2.10,192.168.1.33,request,63694,1564 <134>1 2025-09-02T09:15:06.661321+02:00 pfSense.bhf.tld filterlog 75062 - - 164,,,1655045805,igc1,match,block,in,4,0x0,,64,52479,0,none,1,icmp,84,192.168.2.10,192.168.1.33,request,63694,1664 <134>1 2025-09-02T09:15:07.661337+02:00 pfSense.bhf.tld filterlog 75062 - - 164,,,1655045805,igc1,match,block,in,4,0x0,,64,19671,0,none,1,icmp,84,192.168.2.10,192.168.1.33,request,63694,1764 <134>1 2025-09-02T09:15:08.661389+02:00 pfSense.bhf.tld filterlog 75062 - - 164,,,1655045805,igc1,match,block,in,4,0x0,,64,9817,0,none,1,icmp,84,192.168.2.10,192.168.1.33,request,63694,1864 <134>1 2025-09-02T09:15:09.661321+02:00 pfSense.bhf.tld filterlog 75062 - - 164,,,1655045805,igc1,match,block,in,4,0x0,,64,17809,0,none,1,icmp,84,192.168.2.10,192.168.1.33,request,63694,1964 <134>1 2025-09-02T09:15:10.661336+02:00 pfSense.bhf.tld filterlog 75062 - - 164,,,1655045805,igc1,match,block,in,4,0x0,,64,16478,0,none,1,icmp,84,192.168.2.10,192.168.1.33,request,63694,2064 <134>1 2025-09-02T09:15:11.661399+02:00 pfSense.bhf.tld filterlog 75062 - - 164,,,1655045805,igc1,match,block,in,4,0x0,,64,17854,0,none,1,icmp,84,192.168.2.10,192.168.1.33,request,63694,2164 <134>1 2025-09-02T09:15:12.661402+02:00 pfSense.bhf.tld filterlog 75062 - - 164,,,1655045805,igc1,match,block,in,4,0x0,,64,34051,0,none,1,icmp,84,192.168.2.10,192.168.1.33,request,63694,2264 ... which tells me that my firewall rule (shown above) was blocking my ICMP requests (to 1492.168.1.33). GUI equivalent : [image: 1756797907823-8d2a4a54-06d5-45d4-afb3-c5e359d61e79-image.png] The firewall log label is "LAN Block" so I knew which firewall rule was blocking, the one I showed above. This really makes me think that even when you Allow an IP address, the portal's GUI firewall rules still apply. As soon as I activated this first portal's firewall line : [image: 1756797755652-ed4331af-495b-42e3-ae7e-5464c718cba4-image.png] which allows ping packets from the portal interface to go to my LAN, 192.168.1.33, my NAS, ping packets came back / the NAS was replying.

webGUI

Anything that does not fit in other categories related to the webGUI

2k Topics

10k Posts

@SteveITS Hi, Let me clarify. This is a 1 NIC Setup which pfsense calls it WAN while in fact it is a LAN interface with local ip address of 192.168.0.241. This setup is normaly accessible from webhui without any issue. For very specific reasons, we needed a clone of this VM to work in parallel with the existing one. So we made a clone and changed it's IP from the console before connecting it to the Hyper-V network, in order to avoid duplicate IPs on the network. After doing that, we have the webgui no access issue described on the original post. Hope this clarifies things. Any suggestions?

Wireless

Discussions about wireless networks, interfaces, and clients

2k Topics

11k Posts

Nice. Yes that's a much better setup if you don't need them on the same subnet.

SNMP

Discussions about monitoring via SNMP

197 Topics

609 Posts

I figured it out . My firewalls had an old unused OpenVPN client connection on it that was unstable and every time it reconnected, it got a new IP address causing pfsense to restart all packages, and since it took down SNMP, we wouldn't get alerted about the interface going down either... So this issue is solved now

Documentation

Discussions about pfSense documentation, including the book

186 Topics

1k Posts

As a volunteer translator, I suggest that the official website update the template files of the online translation (https://zanata.netgate.com/) in a timely manner, or open the function of uploading po or mo files to replace the translation templates that are still in pfsense 2.50.

Development

Topics related to developing pfSense: coding styles, skills, questions etc.

1k Topics

6k Posts

@azalea This doesn’t look like a problem with PPPoE or DHCPv6 itself. It seems more like dpinger isn’t starting for some known reason. Your log shows that you successfully obtained an IPv6 address, so I assume that if you go to System → Routing, edit your IPv6 PPPoE gateway, and disable gateway monitoring, your IPv6 should work again. This looks similar to the issue described here: https://forum.netgate.com/topic/198627/struggling-to-get-if_pppoe-kernel-module-working

Gaming

Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

428 Topics

3k Posts

@BMD Good to hear it’s stable now.

Virtualization

Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

2k Topics

12k Posts

My patch https://github.com/pfsense/FreeBSD-src/pull/57 fixing above redmine ticket (by enabling corresponding driver in kernel config) was merged last month and will be a part of 2.9.0, whenever that comes out.

Hardware

Discussions about pfSense hardware support

8k Topics

69k Posts

It is in 2.8: [2.8.0-RELEASE][admin@t70.stevew.lan]/root: kldstat -v | grep bnxt 94 pci/bnxt 93 bnxt_mgmt I've never tested that NIC though.

Bounties

Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

457 Topics

6k Posts

Rereading this I realize I didn't provide much context or frame the issue very well, and since I can't edit I'll post what the OP should have started with here. From the pfSense Docs: Captive Portal in pfSense software forces users on an interface to authenticate before granting access to the Internet. Where possible, the firewall automatically presents a login web page in which the user must enter credentials such as a username/password, a voucher code, or a simple click-through agreement. Users have made many requests for something similar, but for authorizing access into the intranet, instead of out to the internet. This is often called a "reverse portal". This would be useful for e.g. setting up MFA for wireguard vpn connections or requiring login to access a different segment of the local network. Unfortunately, despite being nearly identical in implementation, netgate explicitly states that their captive portal feature is not capable of acting as a reverse portal, aka authorizing access to the local intranet. One of the challenges with reverse portals is how to know when the user has disconnected and needs to reauthenticate. Here I propose a design where the user has to keep a browser tab with an open tcp connection (SSE with heartbeats) connected to the firewall to for the pass rule to be enabled; when the connection closes the pass rule is disabled and they will have to reauthenticate.

Retired

Categories that are no longer active, but are present for reference

10k Topics

64k Posts

Yes this needs to be addressed. But I would argue that if you can set the pppoe password you already have a high level access and could break things far more easily.