1. Home
  2. pfSense® Software

Subcategories

  • Announcements and information about pfSense software posted by the project team

    209
    Topics
    2.4k
    Posts

    M

    I am testing now also 2.8 Beta, PERFECT! THX

  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    26.5k
    Topics
    186.7k
    Posts

    G

    @dwhacks I agree, Router B in Proxmox is not an issue. Doesn't matter if you have passthru for the NIC or VirtIO, it works perfectly fine. I have a similar setup as you do with the main difference being that I have my fiber going to a switch and my two FW's connected to that (so no ISP router in between). But you clearly have public IP's, and different one's, on both A and B.

    So if you can't access a service on site B from A, I'm thinking there must be an internal issue, on site A.
    Perhaps you have some old rules still on site A, like Host overrides?
    Check under Services > DNS Resolver - Host overrides...

  • Discussions about Multi-Instance Management.

    7
    Topics
    84
    Posts

    S

    There isn't any specific handling in MIM for HA setups yet. It's something we expect to have though. It's exactly the sort of thing I'd want to see there.

  • Discussions about installing or upgrading pfSense software

    9.5k
    Topics
    60.8k
    Posts

    P

    @Gertjan I had no idea about the RSS feed for the dashboard... it was not there by default. Good to know! Thx.

  • Discussions about firewalling functionality in pfSense software

    9.6k
    Topics
    58.2k
    Posts

    P

    @helis821 to recap:

    Main router net 192.168.1.x (/24?) Static route on main router to route 192.168.50.0/24 to pfSense WAN IP pfSense WAN - IP in the 192.168.1.x subnet, per DHCP pfSense LAN IP 192.168.50.1, LAN network 192.168.50.0. (/24?)

    Does the pfSense WAN get the same IP (static mapping) from the main router? I assume so if you set a static route on the main router.

    Is pfSense doing NAT? If pfSense doing NAT then I don't really see how a static route is necessary since everything behind pfSense is hidden from upstream.

  • Discussions about Network Address Translation (NAT)

    5.5k
    Topics
    31.0k
    Posts

    K

    @viragomann

    Yes the Public IP is assigned to that interface.

    I changed the Mappings to use the drop-down entry instead.

    Still did not work.

    Static Ports are in use because of VoIP Calls.
    If I do not use Static Ports, the calls end up with one-way audio.

    What did fix the Mapping issue is:
    I rebooted the pfSense this morning - then it started working as expected.

    I have seen issues with KEA DHCP resolved with reboots.
    But now also this...

    I should not have to be rebooting pfSense in production environments to make things work.
    I am quite disappointed with what I have been seeing with pfSense recently.

  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    2.6k
    Topics
    11.7k
    Posts

    T

    @YannL I have experienced similar (or same) issues since years and could not fix it. All investigation I did, did not find the real issue.

    dedicated HA sync interface which is officially supported (in our case an additional LAN card with intel chipset instead of built in RJ45 ports), MTU lowered to 1360 instead of default 1500 (https://forum.netgate.com/topic/190990/ha-sync-does-not-work-error-operation-timed-out/2) Interface physical connection is stable (permanent ping with high frequency, big packets, etc. all stable and fast iperf3 tests forward and backwards are close to the theoretical maximum of 1 GBit/s firewall rules: allow any - any on each HA interface in both pfsense cluster members user login credentials and permissions for the ha user checked webconfigurator processes set to 500 (max allowed value) cpu is idle (never less than 95% free) ram is > 90% free mbuffers increased io statistics of SSDs on both sides are very low bandwidth usage on ha interfaces during ha sync / xmlrpc is very low (just some kbit/s) checked nginx logs, system logs, error logs => no specific reason found checked the ha documentation multiple times: no error in our config found. each time ha sync / xmlrpc is happening, I can see on the console of the backup/passive member messages that port bindings of the captive portal ports fail: Message from syslogd@srvwlan02 at Apr 10 01:39:53 ... nginx: 2025/04/10 01:39:53 [emerg] 44580#101678: bind() to [::]:8006 failed (48: Address already in use)

    maybe you have some idea what you can check further or not. We are lost...

  • Discussions about Layer 2 Networking, including switching and VLANs

    1.2k
    Topics
    10.0k
    Posts

    N

    After 14 months of research and development, I have come to the following conclusion about the actual network functions of Netgate/PFSENSE :

    Netgate/Pfense is capable of interconning sites on VPLS-like Architecture using your secure MPLS internet connection or your unsecure FTTH, 4G/5G, Satellite, XDSL connections. With no need to know the public ip address of the site.
    VPLS Point-to-point , point-to-multipoints, multipoints-to-multipoints are possible into L2-to-L2

    Site-to-site IPSEC over OPENVPN L2 Tunnel has been tested.

    FRR ( BGP, OSPF and so on are partially tested on this architecture.

    For any intersite connection problems with Netgate/PFSENSE, please do not hesitate to contact me.

  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    8.5k
    Topics
    41.1k
    Posts

    I

    I have an IPSEC VPN setup between our data center and our AWS cloud network. The VPN connection is up and I can communicate from my AWS cloud computers to any devices on the subnet of the firewall (192.168.2.0/24). The firewall has a default gateway of 192.168.2.1 that routes traffic to/from our other networks (192.168.3.0, 192.168.4.0, etc.). Traffic from the VPN cannot talk to anything outside of the 192.168.2.0 network. I was assuming the VPN IPSEC traffic would follow the default gateway to get out, but it doesn't. I'm assuming I need to configure some other routes, but not sure how to get this done. Any help would be appreciated.

  • Discussions about traffic shaping and limiters

    3.0k
    Topics
    15.8k
    Posts

    P

    Version 24.11

    Traffic shaping limiters do not apply to freshly created wireguard tunnels. Recreated multiple times.

    Environment: Multiple tunnels, multiple interfaces with multiple gateways as failover.

    Temporary Solution:

    Create wireguard tunnel/peer/interface/gateway Delete existing traffic shaper limiters REBOOT pfsense Recreate traffic shaping limiter rules Reapply traffic shaping limiter rules to floating firewall rule Reload filter and re-test

    Sorry if this is already a known bug. Hopefully you haven't wasted too much time trying to figure out why only some of your tunnels have great bufferbloat results and some dont.

    1.png

  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    6.5k
    Topics
    41.9k
    Posts

    F

    @Gertjan said in Adding Custom Configuration in Kea DHCP Server with pfSense+ 25.03:

    Kea agreed for the requested IP : 192.168.1.254 - yours will be different.
    And see also the Option 43 proposal :

    Vendor-Option (43), length 6: 1.4.192.168.1.6

    Excellent, that worked great!

    I setup the packet capture as you detailed and ran it, then for good measure, unplugged and plugged the LAN RJ45 to the Flex-Mini Switch. In the packet capture I got exactly as you stated, the "Vendor Option (43)" but with the IP of my Unifi Network Controller.

    Thanks for the confirmation and I hope others going to KEA on pfSense CE 2.8 Beta can find this thread to also help them out.

    BTW, the Unifi USW Flex-Mini (old 1G version) is one of the only Unifi Switches that does not have SSH capability, so the DCHP Option 43 is the only way to set the "Inform" IP for an out of sub-network Unifi Controller. Just some info for others in the same situation as I am.

  • Discussions about IPv6 connectivity and services

    2.0k
    Topics
    19.3k
    Posts

    A

    The only way I can have v6 connectivity last >24h05m00s is by:

    route -6 add -host 2a02:fb8::11 -interface igb0
    ping6 -c1 2a02:fb8::11
    ndp -s 2a02:fb8::11 4e:6d:58:87:10:17 permanent

    Without adding the permanent ndp entry, it defaults to 24 hours, then 5 minutes after the logs you see above, v6 dies. Once I add the permanent ndp entry I can go past 24 hours.

  • Discussions about IPsec VPNs

    5.8k
    Topics
    23.5k
    Posts

    T

    Same thing just happened again. 54 minutes after the last one it went down for roughly 45 seconds.

    🤦

    Thanks again all!

    TSoF

  • Discussions about OpenVPN

    9.8k
    Topics
    53.1k
    Posts

    A

    This is a config.

    client setenv SERVER_POLL_TIMEOUT 4 nobind remote IP 1194 tcp dev tun dev-type tun ns-cert-type server reneg-sec 604800 sndbuf 100000 rcvbuf 100000 auth-retry nointeract verb 3 cipher AES-256-GCM ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM auth SHA256 ca /config/openvpn/keys/ca.crt cert /config/openvpn/keys/phone1.crt key /config/openvpn/keys/phone1.key

  • Discussions about Captive Portal, vouchers, and related topics

    3.5k
    Topics
    18.7k
    Posts

    1

    My pfsense portal is 192.168.24.58. How should I set the portal for the subnet of 172.16.69.0?

  • Anything that does not fit in other categories related to the webGUI

    2.1k
    Topics
    10.0k
    Posts

    GertjanG

    You saw this ;

    @newbieuser1 said in WebGUI page - no response / unable to configure pfSense:

    My screen is like your screenshot, except under Protocol it says: "No Certificates have been defined. A certificate is required before SSL/TSL can be enabled. Create or Import a Certificate".

    and I presume that you installed pfSense a couple of day ago :

    @newbieuser1 said in WebGUI page - no response / unable to configure pfSense:

    I got a Protectli Vault, on which I installed pfSense.

    One of the things that happens when you install : a cert like :

    0660ed0d-22b9-4bc4-8c1f-d0f87d4f4daa-image.png

    is created so you can use it for the https access.
    Its a self signed certificate, which means it isn't signed by the big "trusted" (by your browser) companies, so your browser should through a message on the screen that it can't trust the cert. Just tell it to go ahead and accept.

    If there are no certificates listed here :

    1d6ffa05-c54d-4ca3-afb9-26b4c3045fde-image.png

    then that's a real issue / not normal.
    Some one deleted something ^^
    That said, you can create a new one with the click of a mouse button.

  • Discussions about wireless networks, interfaces, and clients

    1.7k
    Topics
    11.2k
    Posts

    w0wW

    If I had to choose between purchasing the OpenWrt One or a Chinese equivalent from AliExpress, I would prefer the OpenWrt One. Although I'm not particularly fond of the manufacturer due to their tendency to frequently release devices and then either barely support or not update the software for them, in this case, it's a good combination of price, hardware, and OpenWrt, with which support is unlikely to be an issue on this device.

    Unfortunately, I had already purchased a similar device from AliExpress and spent a lot of time experimenting with firmware. But... Filogic is very fast; it's probably the fastest OpenWrt router I've had.

  • Discussions about monitoring via SNMP

    197
    Topics
    602
    Posts

    dennypageD

    @cct-ckatri do you have both net-snmp and bsnmp enabled?

  • Discussions about pfSense documentation, including the book

    183
    Topics
    1.3k
    Posts

    J

    For others with issues, it appears that Godaddy has cut off DNS API access for those with less than 10 domain names. You may want to consider migrating to Cloudfare or another provider.

  • Topics related to developing pfSense: coding styles, skills, questions etc.
    Plus 25.03 Develoment Snapshots CE 2.8.0 Development Snapshots
    1.2k
    Topics
    6.3k
    Posts

    U

    To be able to do testing with you I switched to RA router mode "managed" and enabled DHCPv6 service (ISC DHCP for now) on the LAN interfaces.

    I do not think that the communication DHCPv6 service to the clients on the LAN subnets is the initial/first/main issue.

    The pfSense interfaces do not get an IPv6 address with the new prefix and the new prefix is also not listed in the DHCPv6 service config screen.

    To resolve both issues manually as a workaround I'm going to the WAN interface and save and apply.
    Afterthat everything is correct:

    Interfaces got a valid IPv6 new prefix is listed on DHCPv6 service config screen clients get a new IPv6 IP with correct prefix assigned client have Internet connectivity.

    This is listed in the system logs while doing the "WAN interface and save and apply."

    68c80eb0-60f7-47fe-8250-a57e891e4056-Pasted Graphic 4.png

    I assume not all tasks are required on a upstream router IPv6 prefix change.
    But some needs to be initiated automatically to allow client IPv6 communication again.

    Thanks for your support.

  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    424
    Topics
    2.8k
    Posts

    GertjanG

    @skogs

    Add to what is said above, be aware of P2P filtering "for your own good" ?
    P2P software is everywhere, even Windows update (Microsoft) uses it.

    From what I recall, big games have a lot to update. if this is the case, test : shut down this process, only update while not are using the star citizen app.
    edit :
    What happens when you start up the game, and moments before, a new map or whatever was updated. Nothing special, but a 1 Gbytes files has to be updated before you can start the game. The official game update server can't just spew out this info to the thousands of clients it has. So they build in a P2P concept : you can take a part from them, but also from others. And you can give what you have to others (the basis of P2P is very social, in theory, everybody wins). And that where a potential issue can be found : what if your UP stream gets loaded, and the UP is way smaller as the DOWN ? If the UP is full, packets negotiation comes to a halt, especially if TCP is used. So, fill up your UP, and your way bigger DOWN becomes pretty useless, even when it is not full at all.
    To help you with this check if your game has settings where your can adapt what you share (the speed, bandwidth).
    end edit.

    Also : check the software the came with your NIC : my Dell XPS came with some super nice GUI interface to "optimize" my network card (wired). A day or so later I totally removed it from my new PC, and lived happily afterwards.

    Next suspect : Wifi : this one shows the most perfect bit rate will it's doing 'nothing' for you. Start put a load on it, and suddenly you've not much left (although this would not influence other non wifi uses on your network. If your fellow network user are on the same on the same AP : have a chat with your AP, or do what gamers do : use wires and be done with it.

    Lat but not least : Our ISP love to sell us Megas if not Gigas. You knew it, they lied. The theoretical bandwidth is available if the moon, jupiter and earth are aligned. The sun doesn't need to be aligned, but solar flares will break the deal also.
    edit : If you use Starlink or comparable, this isn't a joke anymore, its serious.
    For small loads, your ISP will somewhat deliver. But big loads, they will apply their secret bandwidth limiter rule, this rule, they will never admit that they use it, of course. But they have to, as if not, to many clients would find out that they actually oversold the bandwidth. After all, if you were an ISP, and you own a 10 Gbit/sec POP to some big data center that gives you an Internet access, would you sell 10 x 1 Gbit or sell 30 x 1 Gbit with a small print somewhere that says "best effort" ? 😊

    These examples are just the "seen that, been there before" situations. Some might apply to you, some don't.

    Your router, pfSense, is just a device with "2 NICs" using, most probably, 1 Gbit/sec on both sides in both directions. It's the only thing it has to do : throwing packets between these two NICs at max speed. Most often, it can do this faster as the NICs can handle it, so 1 Gbit/sec both directions on every NIC it will be.
    pfSense doesn't care what ports IP's protocols you throw at it. It just copy the bits from one NIC to the other.
    The admin can do "things" with with pfSense that will impact this behavior, but by default, it doesn't. Only the admin can tell you more.

    @berlandtm said in Internet Download/Upload speeds drop significantly when launching Star Citizen:

    case as I do not have any additional packages installed to monitor for this

    Status > Traffic Graph
    or look at the real number, go console (or better, SSH), and use menu option 9 : pfTop

  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    1.9k
    Topics
    11.7k
    Posts

    BismarckB

    @maitops Thanks for the detailed explanation.

    No hvevent storm here for 6 days and 23.5 hours since my last update, but it probably needs at least 20 and more days to be significant.

    Theory: Server 2022 Hyper-V power management, network driver changes may be incompatible with some FreeBSD kernel components, causing issues under certain conditions. Windows and Debian guests in Hyper-V Manager display more detailed information (e.g., RAM usage) than FreeBSD 14 guests. Interesting that the MS Hyper-V FreeBSD Guest compability list only goes to 13 and 2019, where pfSense runs just fine.

  • Discussions about pfSense hardware support

    7.5k
    Topics
    68.7k
    Posts

    S

    @rrocha said in Stuck In Marvel U-Boot:

    setenv bootcmd 'setLED; run emmcboot;'

    You need another 'run' in there like:
    setenv bootcmd 'run setLED; run emmcboot;'

  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    Completed Bounties Expired/Withdrawn Bounties
    457
    Topics
    6.4k
    Posts

    J

    There has been a demand for something like a Reverse Portal on this forum and elsewhere on the internet for at least two decades. Here I propose an implementation and extend an offer to build it in exchange for a bounty.

    Implementation

    A basic statement of what it should do is simple enough:

    Setup UI to configure the following: Choose an interface to bind and serve web requests for the login page. What pass rule to apply when a user has authenticated from an IP. Run a web service with login and connected pages. When a user authenticates and loads the connected page, add the configured rule. When the user disconnects, remove the rule. To track disconnects precisely, require the user to keep the connected page open throughout the duration of their session with a live SSE connection to the web service & regular heartbeats; when the connection times out then the rule is removed. Ability to run multiple instances of the Reverse Portal, like Captive Portal "zones"

    Note: Admins would be responsible for ensuring clients can access the web service before logging in, and for configuring the firewall to default-deny clients until the configured rule is added.

    Implementation seems straightforward, if not simple. Here are some relevant resources:

    A related bounty was posted in 2008: Conditional Connection Daemon {Now $400} This is essentially how Captive Portal works; here is where it calls /sbin/pfctl with rule changes piped via stdin. It may be a good idea to reuse the captive portal login page. See also: FreeBSD uses a ported version of OpenBSD PF firewall; OpenBSD PF docs; OpenBSD pfctl docs pfSense Docs: Developing Packages SSE (Server-Sent Events) with PHP and JS / Streaming with PHP Bounty

    I don't have funds to contribute to this proposal, but -- assuming the above implementation proposal is roughly feasible -- I think I could develop it in 30 hours at a rate of $100/hr; $3000 total. My qualifications, such as they are: this detailed proposal, polyglot senior software developer, familiar with web technology and firewall fundamentals, I have never developed against FreeBSD, with PHP, or used pfSense until recently. I believe my estimate is padded enough to account for learning the required technologies. 🤷

    I would not be offended if someone more qualified swipes the bounty for less as long as I get to use it too. 😃

    Maybe this is more of a solicitation for bounties rather than an offer to pay a bounty... I hope that's allowed! 🙏 🙇

  • 9.6k
    Topics
    62.9k
    Posts

    bmeeksB

    @Pizzamaka said in unbound stops and won't start again + high cpu:

    What still puzzles me is why starting unbound through UI does not work whereas running pfblocker update does start unbound.

    Not 100% sure, but it could be that when killed unbound leaves behind its PID file in /var/run/. A shell script could potentially just unilaterally delete any existing unbound PID file before attempting to restart it. That's just a guess on my part, though, as I have not looked at the code in the pfBlockerNG scripts.

    When you attempt to restart the DNS Resolver from the GUI, do you see anything in the pfSense system log at that time mentioning a PID file for unbound? If you do, that would validate my guess.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.