Subcategories

  • Announcements and information about pfSense software posted by the project team

    220 Topics
    3k Posts
    stephenw10S
    I believe there's a backend limitation because I know that has been discussed internally previously. Hopefully something we can work past at some point.
  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    27k Topics
    191k Posts
    stephenw10S
    Hmm, that's interesting. I wouldn't expect larger packets to make any difference there.
  • Discussions about Multi-Instance Management.

    22 Topics
    148 Posts
    P
    Hello, There is a bug when attempting to add an alias from MIM. Alias names do not accept the special character _ (underscore) through this interface. However, the _ character is accepted correctly when using the WebUI and when using a PFAPI request.
  • Discussions about installing or upgrading pfSense software

    10k Topics
    62k Posts
    R
    @stephenw10 said in Upgrade 24.11 > 25.07.1 fails: Nothing yet. What do you see from: mount -p
      pfSense/ROOT/default / zfs rw,noatime,nfsv4acls 0 0
      devfs /dev devfs rw 0 0
      pfSense/tmp /tmp zfs rw,nosuid,noatime,nfsv4acls 0 0
      pfSense/var /var zfs rw,noatime,nfsv4acls 0 0
      pfSense/home /home zfs rw,noatime,nfsv4acls 0 0
      pfSense /pfSense zfs rw,noatime,nfsv4acls 0 0
      pfSense/var/log /var/log zfs rw,noexec,nosuid,noatime,nfsv4acls 0 0
      pfSense/var/db /var/db zfs rw,noexec,nosuid,noatime,nfsv4acls 0 0
      pfSense/cf /cf zfs rw,noexec,nosuid,noatime,nfsv4acls 0 0
      pfSense/var/empty /var/empty zfs rw,noatime,nfsv4acls 0 0
      pfSense/var/tmp /var/tmp zfs rw,nosuid,noatime,nfsv4acls 0 0
      pfSense/reservation /pfSense/reservation zfs rw,noatime,nfsv4acls 0 0
      pfSense/var/cache /var/cache zfs rw,noexec,nosuid,noatime,nfsv4acls 0 0
      pfSense/cf/conf /cf/conf zfs rw,noexec,nosuid,noatime,nfsv4acls 0 0
      pfSense/ROOT/default/cf /cf zfs rw,noexec,nosuid,noatime,nfsv4acls 0 0
      pfSense/ROOT/default/var_cache_pkg /var/cache/pkg zfs rw,noexec,nosuid,noatime,nfsv4acls 0 0
      pfSense/ROOT/default/var_db_pkg /var/db/pkg zfs rw,noexec,nosuid,noatime,nfsv4acls 0 0
      tmpfs /var/run tmpfs rw 0 0
      [24.11-RELEASE][root@gateway.nlfunhouse.com]/root:
  • Discussions about firewalling functionality in pfSense software

    10k Topics
    59k Posts
    P
    Thank you all for helping me. In the end I've managed to make it work. As you said, following rule(s) were necessary to access devices on OPT1 and OPT2 respectively. [image: 1760577607694-4278df83-2799-41fa-a032-8ae0b9205d44-image.png] There are some things that I learned along the way: When spoofing MAC address, don't spoof it on the interface you are accessing the web GUI from. Don't spoof WAN MAC address when connected to internet. Do it with WAN port disconnected. Also, clear DHCP leases on your upstream modem/router. When you already have an enabled interface, but then want to spoof MAC address, delete the interface first and then recreate it with spoofed MAC address. Reenabling doesn't work properly. Sometimes the device you're trying to access doesn't allow access from different subnet. This is the case with my OpenWRT router, but home server works flawlessly.
  • Discussions about Network Address Translation (NAT)

    6k Topics
    31k Posts
    R
    Hello, I have two vlans, client is in vlan1, tftp server is in vlan2. I allowed port 69 from client to server and tftp didn't work (as expected). So I enabled tftp-proxy on interface of vlan 1 and it still didn't work. If I allow the ephemeral ports on fw everything works, but I thought that tftp-proxy exists to circumvent this. What am I missing?
  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    3k Topics
    12k Posts
    S
    @netblues the shared IP isn't its own interface or speed. Is the master/backup status correct for all IPs on both routers?
  • Discussions about Layer 2 Networking, including switching and VLANs

    1k Topics
    10k Posts
    O
    Ok this is all kinds of messed up - nothing is actually wrong, the server management keeps showing me absolutely nonsense IP connected on that particular port. Even after a reboot. WTF?
  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    9k Topics
    42k Posts
    P
    Also, there are 3 IPSEC tunnels on the WAN interface. [image: 1760391120631-tls_pfsense_ipsec_251013.png]
  • Discussions about traffic shaping and limiters

    3k Topics
    16k Posts
    stephenw10S
    No, support are in the same situation we are. It would require building a 25.07.2 release. It's fixed in 25.11 snapshots if you're able to test there. The first public beta is close.
  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    7k Topics
    43k Posts
    4
    @SteveITS Intel i3-8130U (2 cores / 4 threads) is a low-power dual-core CPU, but it handles multi-threaded network daemons like Kea quite well — as long as you size thread pools carefully.
      Clients / Requests per second | Recommended threads
      <100 (home/small office)      | 1–2
      100–1000                      | 2
      >1000 (ISP / campus)          | 4–8 (on bigger CPUs)
    Unfortunately, your suggestion doesn't work as the code has to go under dhcp4
      "Dhcp4": {
        "multi-threading": {
          "enable-multi-threading": true,
          "thread-pool-size": 2,
          "packet-queue-size": 64
        },
        "interfaces-config": { ...... }
    I am pretty sure my system will more than suffice with a pool size of 1
  • Discussions about IPv6 connectivity and services

    2k Topics
    20k Posts
    patient0P
    @louis2 said in Filter an IPV6-address not possible !!?? :(: No idea why I had this trouble ! Note that I still can not enter an address where the text states 'alias or address' Mmmh, if I set the 'Address Family' to 'IPv6' it does work for me (but not if set to 'IPv4+IPv6')
  • Discussions about IPsec VPNs

    6k Topics
    24k Posts
    M
    Hello everyone, I'm asking for your attention regarding my problem because, despite digging, I haven't been able to resolve the following: One of my sites has IPv6 + cgnat internet access, and the other has IPv4 + IPv6. The networks I want to route between this site and the "hub" router are IPv4. The firewalls on each side are pfsense. The tunnel runs between the two firewalls (phase 1 and 2). From the IPsec monitoring, I can clearly see outgoing traffic when I ping a device on the other end. From neither side, I see any incoming traffic from the IPsec monitoring (0 packets). The firewall rules for IPsec are well defined. In short, I'm having a nightmare. In terms of logs, I have nothing to suggest there's a problem with IPsec. And at the network level, I should at least see incoming packets on the monitoring. IPSec I've thoroughly examined the VPN troubleshooting section of the Netgate documentation, and as for my specific situation... A little help wouldn't be amiss. Any ideas? The "hub" part runs on a vm on Azure, it is impossible to assign a public ipv6 address, a dnat (1to1) is therefore automatically created and this cannot be circumvented, could the problem come from the nat-t?
  • Discussions about OpenVPN

    10k Topics
    53k Posts
    A
    @SteveITS I do not have a rule to pass ICMP traffic in the WAN interface. I’ll have to wait until I get home before I add a rule. Editing firewall rules via remote iPhone connection is sketchy at best…
  • Discussions about Captive Portal, vouchers, and related topics

    4k Topics
    19k Posts
    GertjanG
    @PhilC168 I also have a hotel here, pfSense, and my LAN is fully dual stack for a couple of years now. There are days, weeks, even months where IPv6 traffic is bigger than IPv4. But, today, mid October 2025, I don't recall ever seeing one client asking me why my portal doesn't support 'IPv6'. More serious : I even doubt that I saw a client this year who knew what 'IPv6' or 'IPv4' is. That one person that didn't ask the reception about IPv6 didn't even bother : he connected to the portal over IPv4, fired up his "IPv6 aware VPN" connection and surfed away using IPv6 over my IPv4 only network ^^ So, imho, no IPv6 yet isn't a show stopper. I already feel sorry for the guy @netgate who gets the mission to implement that one. Btw : @Enrica_CH said in IPv6 support for Captive Portal planned?: IPv4 addresses will be more and more rare so that some day a part of the internet won't support IPv4 anymore. That didn't age well ^^ Since 2016, there are no more 'free' IPv4 left, and still, IPv4 is still pretty mandatory everywhere. Tens of thousands of IPv4 devices can access the internet just fine over just one ISP IPv4. Most IPv6 aware ISPs don't implement IPv6 - the prefix part, very well. Most of them can give you an IPv6/128, but a prefix ? euh, oh, "we call you back". Yes, IPv4 will fade out in the future. That's a fact. Someone who starts to admin a pfSense today, and this person is 20 years old, then maybe he will see the end of 'IPv4' when he finishes his IT career ...
  • Anything that does not fit in other categories related to the webGUI

    2k Topics
    10k Posts
    E
    Hello Professionals, Has anyone experienced this issue before? My new Netgate4200 firewall doesn't show me the details of Alias. The rules I made are working great though. [image: 1760651817676-5a1f5887-36f3-4322-a783-711023345de2-image.png] I have tried updating the OS, but still the same problem. Could it be a bug? or some kind of hardware issue..? Thank you for your time.
  • Discussions about wireless networks, interfaces, and clients

    2k Topics
    11k Posts
    stephenw10S
    Yeah, there's really no point in doing that. You are just accessing the same server via two addresses it's listening on.
  • Discussions about monitoring via SNMP

    197 Topics
    609 Posts
    C
    I figured it out. My firewalls had an old unused OpenVPN client connection on it that was unstable and every time it reconnected, it got a new IP address causing pfsense to restart all packages, and since it took down SNMP, we wouldn't get alerted about the interface going down either... So this issue is solved now
  • Discussions about pfSense documentation, including the book

    186 Topics
    1k Posts
    opnwallO
    As a volunteer translator, I suggest that the official website update the template files of the online translation (https://zanata.netgate.com/) in a timely manner, or open the function of uploading po or mo files to replace the translation templates that are still in pfsense 2.50.
  • Topics related to developing pfSense: coding styles, skills, questions etc.
    1k Topics
    7k Posts
    w0wW
    I've experimented a lot with code, here is what I did to make it work with “buggy” config. pppoe_ha_event.php . The biggest difference is that we shouldn’t run pfSctl -c 'interface reload <friendly>' (e.g., wan) if the PPPoE interface already exists. We only do that if, for some reason, the interface doesn’t exist. The shell script does the same, by the way. Changes: MASTER bring-up path updated: on MASTER we now first try ifconfig <real pppoeX> up if the PPPoE interface already exists; if it doesn’t, we fall back to pfSctl -c 'interface reload <friendly>' (e.g., wan). (Original only triggered the pfSctl reload path.) CARP event suppression window: after switching to MASTER, the script temporarily ignores further CARP events (~60 seconds total in two 30s steps) to prevent flapping during stabilization. Staged targeted reconciles: after ~30s (still MASTER) run a focused reconcile; after another ~30s run a safety reconcile. These checks act only if state truly differs (see next point). Smarter reconcile rules: if MASTER and PPPoE already has a valid IPv4 P2P or global IPv6 address, do nothing; if BACKUP, ensure the real PPPoE iface is down. BACKUP/INIT handling refined: on BACKUP/INIT we bring the real PPPoE interface down. On INIT we first re-read actual CARP state; only bring the PPPoE real iface down if the current state is truly BACKUP. Actually ignores init state, only backup brings pppoeX down. Quiet periodic health check: every 5 minutes, perform a low-noise reconcile (skipped during the suppression window) to keep state honest if it missed for some reason. - this feature currently broken and I don't think it is needed anyway @perrin I apologize for the possibly clunky AI-assisted code changes—I hope it works for you too. For now it’s been running quite stably on my side. Failover is instant and stable. Thank you for bringing it to life in a more acceptable form than what I had.
  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    429 Topics
    3k Posts
    N
    This discussion about using pfSense for VPN interfaces and game server port forwarding is quite technical but very useful for gamers and network enthusiasts who want secure and optimized connections. It reminds me of how watching online movies หนังออนไลน์ also depends on stable and well-configured networks both require speed, security, and smooth performance to fully enjoy the experience. Just like setting up pfSense ensures a seamless gaming session, having a good connection makes online movie streaming effortless and enjoyable.
  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    2k Topics
    12k Posts
    weehooeyW
    @lifeofguenter Ah. I see that now. I did not realize the windows scrolled. @weehooey your script does not work. When I install qemu-guest-agent it already installs a start script: What you are showing is not what our script does. I can tell you that we tested using the script we provided, and it works on 2.8.1. Perhaps you have not marked your script as executable?
  • Discussions about pfSense hardware support

    8k Topics
    69k Posts
    stephenw10S
    There is no M350. The M390 is an ARM device so can't run pfSense. For the M370 it depends on what CPU you're running and how many ports you use. But with the stock Celeron G3900 I see ~18W at idle with my (totally uncalibrated) kill-a-watt style meter.
  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    457 Topics
    6k Posts
    J
    Rereading this I realize I didn't provide much context or frame the issue very well, and since I can't edit I'll post what the OP should have started with here. From the pfSense Docs: Captive Portal in pfSense software forces users on an interface to authenticate before granting access to the Internet. Where possible, the firewall automatically presents a login web page in which the user must enter credentials such as a username/password, a voucher code, or a simple click-through agreement. Users have made many requests for something similar, but for authorizing access into the intranet, instead of out to the internet. This is often called a "reverse portal". This would be useful for e.g. setting up MFA for wireguard vpn connections or requiring login to access a different segment of the local network. Unfortunately, despite being nearly identical in implementation, netgate explicitly states that their captive portal feature is not capable of acting as a reverse portal, aka authorizing access to the local intranet. One of the challenges with reverse portals is how to know when the user has disconnected and needs to reauthenticate. Here I propose a design where the user has to keep a browser tab with an open tcp connection (SSE with heartbeats) connected to the firewall for the pass rule to be enabled; when the connection closes the pass rule is disabled and they will have to reauthenticate.
  • 10k Topics
    64k Posts
    R
    @stephenw10 Finally found the availability to go through this one again and for good. Old Kingston was no good, bought a new Sandisk and no joy. Eventually got it working with a very old usb flash drive. "efi_load_pe: Invalid DOS Signature" was gone. Reinstalled it but got into a new problem where ada0 was not recognized. Boot loop where only usb would work. Support was GREAT! They helped me and did a remote session and they nailed it with a "setenv pfsenseboot" command. At some point I believe we were even tricked by " being different from ' not sure to be honest, we did it a lot of times. But we got it! Reinstall to 25.07.1 worked well at the end. Did a new environment and tested my restore. All good and no surprises! Restored and rebooted and halted a couple of times to test if ada0 would kick in every time, which did ever since. People in the forum say the support is great, I can confirm! Thank you to those in forum.netgate and those at portal.netgate. Thanks! P.S. I will now try to fight again with unbound that insists to be delayed by either openvpn or pfblockerng :)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.