Subcategories

  • Announcements and information about pfSense software posted by the project team

    216 Topics
    3k Posts
    Y
    I did another clean upgrade 24.11 to 25.07 release, and what really changed regarding the dhcp6 client is that pfsense now picks up the manually assigned static ipv6, which is set up in my ISP box settings, instead of an auto generated one derived from MAC. In 24.11 this manual setting was ignored or malfunctioning. So far so good! No need to change the DUID. Though on some ISP connections, the ipv6 ping to google from the DHCP-PD range was ok only after a few minutes, maybe due to routing check or appliance check on ISP side. So you should plan the upgrade from a redundant ipv6 WAN, or a dedicated management network, or from a remote ipv4 access.
  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    27k Topics
    190k Posts
    Mr_JinX
    @stephenw10 it sure is, i have a pair of 8200's
  • Discussions about Multi-Instance Management.

    14 Topics
    106 Posts
    luckman212
    I didn't really go much further but I'll test again. I was clearly misunderstanding the "The pfSense+ instance that Nexus is running on doesn't need to be registered since that's handled automatically" part Thanks
  • Discussions about installing or upgrading pfSense software

    10k Topics
    62k Posts
    R
    I attempted a reinstall on a netgate device. At first I could get to pf sense list of command options before help, but after inputting usb recovery I got as far as netgate installer, then for some peculiar reason my Ethernet connection was unconnected and installer could not communicate with netgate server. Now when I boot into the machine I only can get <<Marvel>>. Can someone assist or tell me why I lose connection and why I can’t get to pf sense boot option list? I thank you for the welcome to the community and any assistance you can provide in troubleshooting this difficulty is appreciated. Sincerely Rtunnel
  • Discussions about firewalling functionality in pfSense software

    10k Topics
    59k Posts
    JKnott
    Why are you talking about NAT with IPv6? The only reason for it was the address shortage in IPv4 and it also breaks some things. Please learn to do things properly with IPv6 and unlearn the bad habits from IPv4.
  • Discussions about Network Address Translation (NAT)

    6k Topics
    31k Posts
    P
    Thanks for sharing the configuration details! I encountered a similar situation when opening ports for Minecraft on pfSense. In addition to the steps you did, you can try checking: Firewall Rule: Make sure the rules for WAN are applied correctly. NAT Reflection: Sometimes enabling NAT Reflection can help in internal testing. Check ISP: Some carriers block port 25565, you may need to change the port to test. pfSense Log: Check the log to determine if the request has reached the router. Does anyone in the community have any tips to help make the configuration more stable?
  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    3k Topics
    12k Posts
    U
    Hi there, So I've recently seen some issues which I think might be related to pfSync. Running on whitebox hardware and pfsense plus 2507. The interface order is exactly identical across nodes. pfSync states is enabled on both nodes in the cluster. I've verified that I can see all the states on both nodes before I initiate maintenance on the primary node. When maintenance mode is initiated I can see that the sessions seem to be dropped on the secondary because the states go to 0, give or take a few, and then start rising again. No errors in the logs. Hardware is identical. Is there anything we could try here?
  • Discussions about Layer 2 Networking, including switching and VLANs

    1k Topics
    10k Posts
    C
    @keyser Thanks for the reply. I have a spare port on my router and I will use it to experiment with.
  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    9k Topics
    41k Posts
    luckman212
    @stephenw10 / @marcosm any chance we can relocate this busy/lively thread to the regular Routing and Multi WAN section? It seems it isn't and probably never was specific to 25.07 RC anymore...
  • Discussions about traffic shaping and limiters

    3k Topics
    16k Posts
    G
    @stephenw10, In versions 2.7.x and 2.8, the problem with limiters on a WAN that isn't the default route occurs. The last version that worked correctly was 2.6.0. The evidence and tests performed in each version are documented. Thank you very much and I hope you can validate from version 2.7.x onwards that the limiters no longer work in a WAN that is not the default. Thanks. In 2.6.0 the limiter uses the private IP as source and destination, to control the BW for each IP. In 2.8 and 2.7.x the limiter uses the public IP as the source and the private IP as the destination, that is, for the upload it uses the public IP after applying NAT, this does not limit each connection from the LAN, it limits the entire bandwidth
  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    7k Topics
    43k Posts
    johnpoz
    @elgranjeff that does seem odd.. I will see if I can duplicate it - I don't use azure, but I do use cloudflare. But you're saying it gives you an error just putting it into the form? edit - yeah that does seem like a bug in 2.8.. Have to look to see if there is a redmine about it.. I will have to update my 2.8 to the 2.8.1 beta and see if fixed in that.
  • Discussions about IPv6 connectivity and services

    2k Topics
    20k Posts
    beerguzzle
    I'll state the obvious here... I went to System->Advanced->Networking and unchecked "Allow IPv6". Poof, the firewall log entries went away. I had found the reddit webpage on this topic: https://www.reddit.com/r/PFSENSE/comments/1hzmc5y/ipv6_noise_protocol_options_to_ff0216/ and started down knox203's suggested fix for quieting the syslogs. I already had "Allow IPv6" checked, and wondered why I need IPv6 on my network at all. Unchecked it and bliss.
  • Discussions about IPsec VPNs

    6k Topics
    24k Posts
    C
    I definitely will do this next week and post here the results. Thank you
  • Discussions about OpenVPN

    10k Topics
    53k Posts
    Gertjan
    @ipguy said in I need BF-CBC: https://forums.openvpn.net/viewtopic.php?t=35809#p111709 These openvpn options : providers legacy default data-ciphers-fallback BF-CBC compat-mode 2.3.18 check if they still exist in the version used by pfSense. First : check the Openvpn version used by pfSense. Then, with that version number, look them up in the openvpn user manual. If it's the case, then use them here : [image] for example, I use the option status /var/log/openvpn.status; status-version 1; for my own needs. When you saved these options, check how OpenVPN starts up (the logs) and see if it doesn't scream with errors. Also check the openvpn config file (the one created with the GUI parameters) for consistency. You can find the file here : /var/etc/openvpn/server1/ and look for the file "config.ovpn". It's an ordinary text file. Don't (bother) edit(ing) this file as it is auto generated by the GUI.
  • Discussions about Captive Portal, vouchers, and related topics

    4k Topics
    19k Posts
    Gertjan
    @DominikHoffmann said in Captive portal with external code?: Am I correct? You can upload the files you need, like css file with the portal's file manager. From then on, you can use these files in your 'main' portal login html file, error file etc.
  • Anything that does not fit in other categories related to the webGUI

    2k Topics
    10k Posts
    S
    @mmkkoo Every HTTP request is logged. So everything that updates on the dashboard.
  • Discussions about wireless networks, interfaces, and clients

    2k Topics
    11k Posts
    provels
    @opticalc Intel.
  • Discussions about monitoring via SNMP

    197 Topics
    609 Posts
    C
    I figured it out. My firewalls had an old unused OpenVPN client connection on it that was unstable and every time it reconnected, it got a new IP address causing pfsense to restart all packages, and since it took down SNMP, we wouldn't get alerted about the interface going down either... So this issue is solved now
  • Discussions about pfSense documentation, including the book

    186 Topics
    1k Posts
    opnwall
    As a volunteer translator, I suggest that the official website update the template files of the online translation (https://zanata.netgate.com/) in a timely manner, or open the function of uploading po or mo files to replace the translation templates that are still in pfsense 2.50.
  • Topics related to developing pfSense: coding styles, skills, questions etc.
    1k Topics
    6k Posts
    stephenw10
    Hmm, I would expect that to work. It's pretty much exactly what I run myself. What do you see logged at boot compared with when you restart dpinger?
  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    427 Topics
    3k Posts
    W
    I am on 24.11. I have several consoles at home, PS5, PS4, Nintendo's. No issues at all. I just assigned a fixed IP to them put those IP in the ACL allow list. Outbound NAT with static port for the consoles. The only "issue" is that port mappings remain there for days. I have to manually cancel them. At the moment I did not find any solution to remove them via cron job scripts.
  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    2k Topics
    12k Posts
    P
    @KOM Oh! :) Thanks!
  • Discussions about pfSense hardware support

    8k Topics
    69k Posts
    stephenw10
    Is it actually losing link? What do you see logged when that happens?
  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    457 Topics
    6k Posts
    J
    Rereading this I realize I didn't provide much context or frame the issue very well, and since I can't edit I'll post what the OP should have started with here. From the pfSense Docs: Captive Portal in pfSense software forces users on an interface to authenticate before granting access to the Internet. Where possible, the firewall automatically presents a login web page in which the user must enter credentials such as a username/password, a voucher code, or a simple click-through agreement. Users have made many requests for something similar, but for authorizing access into the intranet, instead of out to the internet. This is often called a "reverse portal". This would be useful for e.g. setting up MFA for wireguard vpn connections or requiring login to access a different segment of the local network. Unfortunately, despite being nearly identical in implementation, netgate explicitly states that their captive portal feature is not capable of acting as a reverse portal, aka authorizing access to the local intranet. One of the challenges with reverse portals is how to know when the user has disconnected and needs to reauthenticate. Here I propose a design where the user has to keep a browser tab with an open tcp connection (SSE with heartbeats) connected to the firewall for the pass rule to be enabled; when the connection closes the pass rule is disabled and they will have to reauthenticate.
  • 10k Topics
    64k Posts
    stephenw10
    Yes this needs to be addressed. But I would argue that if you can set the pppoe password you already have a high level access and could break things far more easily.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.