Subcategories

  • Announcements and information about pfSense software posted by the project team

    211 Topics
    2k Posts

    @FollyDude-0 As the logs say, receiving a pado without requesting it is an indication of something wrong in the setup, possibly outside pfsense config.

    I have no such issues with new pppoe too.

  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    27k Topics
    188k Posts
    stephenw10

    Yes, unfortunately the tsunami of spam that happens if we disable that filter makes the forum basically unusable. 😞

  • Discussions about Multi-Instance Management.

    9 Topics
    92 Posts

    @pfGeorge
    good, thank you

  • Discussions about installing or upgrading pfSense software

    9k Topics
    61k Posts

    @patient0 thanks! I will try one night this week and report back

  • Discussions about firewalling functionality in pfSense software

    10k Topics
    58k Posts
    bmeeks

    Your problem is stemming from multicast packets having the IP Options flag set. See the official documentation here: https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#ip-options. The traffic is not matching your pass rule and is instead being handled by the default deny rule.

    This is newly fixed "improper" former behavior. In the past, the firewall did not discriminate packets with IP Options set, but really should have. That was fixed a while back and resulted in the log messages you are seeing. Adding a PASS rule is not enough. You must enable the IP Options match as detailed in the docs.

  • Discussions about Network Address Translation (NAT)

    6k Topics
    31k Posts

    I would like to preface this by saying thanks to anyone willing to help me out. I know many of us are skilled and have spent time learning the skills necessary to achieve their goals.

    Notes about the setup.

    I have a physical firewall (Firewalla)

    The physical host is hosting a pfsense VM and a windows VM. These are both on the same physical machine.

    I would ideally like to filter traffic from pfsense to my physical host and not have a VM game server but I was told that pfsense would not be able to do this.

    So now I want to make a DMZ and send that traffic to the VM where I'll put the game server.


  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    3k Topics
    12k Posts
    federicop

    I have an IIS server with RDS configured and accessible at rds.mydomain.local, and everything works fine.

    Now, I’d like to connect within the LAN and via VPN using a different mapped domain (still local, since I'm connecting via VPN), to prevent clients from accessing the RDS server directly.

    For example, instead of rds.mydomain.local, I want to use mysite.intra.net.

    Here’s what I’ve configured:

    Backend: points to the RDS server on port 443 (I’ve changed pfSense’s default port), with HTTP health check set to GET /healthcheck.html


    Frontend: listens on a custom IP on pfSense with port 443 SSL, and uses an ACL to match mysite.intra.net and route to the backend


    DNS Resolver: configured to resolve mysite.intra.net to the RDS server

    The server seems reachable…


    …but when I try to open the page, I get a 503 error.
    I’ve tried generating the certificate using both ACME and pfSense's internal CA.

    Any suggestions?

  • Discussions about Layer 2 Networking, including switching and VLANs

    1k Topics
    10k Posts
    johnpoz

    @Antonio1971 if you setup a bridge - then your firewall rules would have to allow the traffic over your bridge..

    While bridging can "somewhat" simulate the actions of a switch - it is not a switch.. A 20$ gig switch would solve your issue ;) shoot if you're only after 3 connections a 10$ 5 port gig switch would solve your problem

    The time you have spent on this clearly exceeds the cost of a switch - I can tell you for sure if I charged for my time in answering you could have gotten multiple smart switches, and I have spent only a couple of minutes - hehehe

    A bridge does have specific use cases.. Trying to turn 2 discrete interfaces into a switch is not one of them. The only time I would even think of doing it would be if production was down and it needed to be up NOW.. And the switch won't be here til tmrw..

  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    9k Topics
    41k Posts

    @Al2108 You need to solve the same gateway issue first.
    Some device in nat mode in between maybe?

  • Discussions about traffic shaping and limiters

    3k Topics
    16k Posts

    @br8bruno said in Traffic Shaper Limiters just won't work - FQ_CoDel:

    @br8bruno

    The suggested configuration did introduce a limit and as it seems, it does work consistently.
    I have set the limiters to 900/450 on a 1000/500 connection.
    However, the limit is resulting in speeds much lower than what is set. I get 525/260. This was not the case before, the results were much closer to what was set and I did not lose this much bandwidth.
    If I go up on the setting, close to the connection capability I still lose a lot of bandwidth, and get bufferbloat although not close to the limit.


    There is a bug that exists in 2.7.2 (but should be patched on 2.8 beta and latest plus) that can halve the throughput on dummynet because it's applying the shaper twice. So your speeds are potentially affected by that, it can be overcome by setting double the limit so e.g. for 500mbit set 1000mbit. I am not convinced this is your issue though as your speeds are a bit above half, you might just be hitting process limits.

  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    7k Topics
    42k Posts

    I currently have pfsense in 2 physical locations, connected with an IPSEC tunnel. I have services deployed in each of these locations. I have HAProxy in each location, handling each location's services. In both locations, I add host overrides in the DNS resolver for every single server, and point them at the correct HAProxy. I have well over 40 services across the two networks. Having to put those in each DNS resolver means I have 80 entries. This works, and I can access each service from either network, but this is not ideal. Some services are also deployed in each network, so I have the hosts as someservice.example.com and someservice2.example.com

    I don't forward the entire domain, because it's used for both locations. My idea is to start using a subdomain for each location, and forward the entire subdomain to the respective HAProxy. Everything under firstlocation.example.com gets forwarded to the HAProxy in the first location, and secondlocation.example.com gets forwarded to second location's HAProxy. Then I can just go to someservice.firstlocation.example.com, and it's routed properly

    I cannot seem to figure this out however. Just to start, I'm trying to get firstlocation.example.com working within the first location. I have created a domain override in the DNS resolver. I put firstlocation.example.com as the domain, and HAProxy's IP for the IP address. I've also updated the frontend ACL for the service in HAProxy to be Host Matches: someservice.firstlocation.example.com, and send that to the right backend.

    This doesn't seem to work. Trying to navigate to the site just times out, saying the IP couldn't be found. Using dig, it either returns nothing, or a timeout. Looking at the DNS resolver logs, it does look like it says it's forwarding to HAProxy. However, HAProxy's logs don't contain the request. I've enabled detailed logging on the appropriate frontend. Something to note, it does look like by default, it forwards to port 53 for HAProxy. HAProxy listens on 443. I've changed this to <ip>@443 in the resolver, and it didn't work. Other than the port changing in the logs, everything else is the same. HAProxy still shows nothing.

    I'm not sure what I should try. Looking online, most people work with just host overrides, not subdomain overrides, so I couldn't really find anything relevant. ChatGPT also just hallucinated a bunch. I'm happy to provide more details of my configuration if needed. Any help on this would be much appreciated!

  • Discussions about IPv6 connectivity and services

    2k Topics
    19k Posts

    @BigTulsa said in Alternate gateway monitoring and IPv6:

    I'll take your word for that as my knowledge of IPv6 and how it works is limited for now.

    Just a suggestion, look up like the beginning of a current Cisco CCNA course. They cover IPv6 stuff in great detail before they start to get into the specific Cisco stuff. Really good way to get spun up on all the settings.

  • Discussions about IPsec VPNs

    6k Topics
    24k Posts

    I have run into the same issue a while ago.
    As others have mentioned, it is due to Windows using DH group 2 (1024 bit) at re-key time, even if the P1 and P2 are configured with a stronger DH group.

    Changing the re-key interval to something like 9 hours is the easiest way to minimize disruption.

    Other options are to create the client connections using PowerShell to specify a higher DH group, or use DH group 2 on the server.

    https://learn.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=windowsserver2025-ps

  • Discussions about OpenVPN

    10k Topics
    53k Posts
    JKnott

    @pietsnot56 said in Endpoint address family (IPv6) is incompatible with transport protocol (udp4):

    Any idea what's wrong?

    Many cell networks are now IPv6 only. On Android devices, 464XLAT is used to connect to IPv4 only sites over an IPv6 only network. iPhones use something similar, but I don't know the details. Perhaps there's some issue there. My phone gets the IPv4 address 192.0.0.4, which is reserved for 464XLAT, as well as a global IPv6 address.

    I have pfSense configured to allow openVPN to use either IPv4 or IPv6 to connect. Do you have IPv6 available from Telenet?

    BTW, Telenet used to be an X.25 packet switched network back in the dark ages. The company I used to work for provided Telenet in Canada and I maintained part of that system.

  • Discussions about Captive Portal, vouchers, and related topics

    4k Topics
    19k Posts

    I'm working on configuring a captive portal where Authentication Method is currently set to none. I would like to add a text box/field to the login form where the user enters an "access code". I have customized the login page html, and I'm looking into modifying index.php, to possibly add an option for authentication "none", and comparing what's entered in the "access code" text field, before allowing access. Ideally, the captive portal itself would be modified to allow entering/saving the "access code" value in the web gui settings, but I'm OK with periodically updating it directly in index.php, etc.
    I have looked over Username Only Captive Portal, Show a username without Authentication, etc., but haven't gotten very far.
    Any suggestions for implementing this, perhaps using a different Authentication Method...?

    Thank you!

  • Anything that does not fit in other categories related to the webGUI

    2k Topics
    10k Posts
    Gertjan

    @luckman212 said in WebGUI populates syslog when dashboard running:

    but in my opinion, "normal" nginx access logs belong in /var/log/nginx/access.log like on a standard system,

    A normal FreeBSD, or actually any OS, true, and that folder and file even exist.
    Or, pfSense isn't 'normal', it groups all log files into the same /var/log/

    That said, if you trust your devices - trust yourself and those who access pfSense, then there is nothing that can stop you from doing what you want : change the default pfSense behaviour.

    Have a look at /var/etc/nginx-webConfigurator.conf - probably line 22.

    Because it's just for you, no need to create a


    go ahead and change this one : here it is.

    and I get it, that "Status > System Logs > System > GUI Service" log only has - default - 2000 entries or so, which means "useful info" will be gone pretty fast. 👍 to send it to a remote syslogger right away, and your internal pfSense drive will say "thank you". Knowing that some of us use internal drives that just 'die' if too much solicited ...
    I'm pretty sure this access_log option permits you to do so.
    Best solution imho would be : make your own patch, and put it into the System > Patches.
    Then click on it, and your own patch is active. (you will have to restart the nginx web server process)
    Click again, and your pfSense is 'native' again.

    Anyway, that is what I would do ^^

  • Discussions about wireless networks, interfaces, and clients

    2k Topics
    11k Posts

    @elvisimprsntr thanks for the chart! Getting rid of the ISP's Bridge Mode router and plugging the ethernet cable from the wall directly in Vault's WAN port has solved it...hopefully permanently.

  • Discussions about monitoring via SNMP

    197 Topics
    609 Posts

    I figured it out 🤦. My firewalls had an old unused OpenVPN client connection on it that was unstable and every time it reconnected, it got a new IP address causing pfsense to restart all packages, and since it took down SNMP, we wouldn't get alerted about the interface going down either...
    So this issue is solved now

  • Discussions about pfSense documentation, including the book

    183 Topics
    1k Posts

    For others with issues, it appears that Godaddy has cut off DNS API access for those with less than 10 domain names. You may want to consider migrating to Cloudflare or another provider.

  • Topics related to developing pfSense: coding styles, skills, questions etc.

    1k Topics
    7k Posts
    stephenw10

    Nope, none of those are a big concern. Some of that could be cleaned up but they are just ugly.

  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    426 Topics
    3k Posts

    @Uglybrian The /29 was to try and get the range of IPs for both of the systems and their docks (2 Docks hardwired, and then the WiFi of each unit).

    I think I actually managed to track this down to an issue with the WireGuard instance I had running for my phone to VPN back with, as once I disabled that my connections were fixed, getting NAT B and was able to play online for quite awhile without incident.

  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    2k Topics
    12k Posts

    @stephenw10 My bad, I'm trying with this.
    I will tell you if it solved my issue.

  • Discussions about pfSense hardware support

    8k Topics
    69k Posts

    @mgc6288 Hey! I was complimenting you on getting along for so long on older parts and deciding to move up to newer parts. And it sounds like the newer parts were available without having to purchase! A win all the way around!

  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    457 Topics
    6k Posts

    @winkmichael Thanks so much. I'll look into it some more, but you were a great help. What I meant by a 0 point release is that it is basically an alpha or beta version until it reaches version 1.x. This to me has historically been an indication that it shouldn't be deployed in mission critical spaces or commercial spaces, but good to hear it is very active and very reliable. Thanks again

  • 10k Topics
    63k Posts
    bmeeks

    @Pizzamaka said in unbound stops and won't start again + high cpu:

    What still puzzles me is why starting unbound through UI does not work whereas running pfblocker update does start unbound.

    Not 100% sure, but it could be that when killed unbound leaves behind its PID file in /var/run/. A shell script could potentially just unilaterally delete any existing unbound PID file before attempting to restart it. That's just a guess on my part, though, as I have not looked at the code in the pfBlockerNG scripts.

    When you attempt to restart the DNS Resolver from the GUI, do you see anything in the pfSense system log at that time mentioning a PID file for unbound? If you do, that would validate my guess.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.