pfSense® Software

Messages from the pfSense Team

Announcements and information about pfSense software posted by the project team

216 Topics

3k Posts

I did another clean upgrade 24.11 to 25.07 release, and what really changed regarding the dhcp6 client is that pfsense now picks up the manually assigned static ipv6, which is set up in my ISP box settings, instead of an auto generated one derived from MAC. In 24.11 this manual setting was ignored or malfunctionning. So far so good ! No need to change the DUID. Though on some ISP connections, the ipv6 ping to google from the DHCP-PD range was ok only after a few minutes, maybe due to routing check or appliance check on ISP side. So you should plan the upgrade form a redundant ipv6 WAN, or a dedicated management network, or from a remote ipv4 access.

General pfSense Questions

Discussions about pfSense software that do not fit into one of the more specific categories below.

27k Topics

190k Posts

@stephenw10 it sure is, i have a pair of 8200's

Multi-Instance Management

Discussions about Multi-Instance Management.

14 Topics

106 Posts

I didn't really go much further but I'll test again. I was clearly misunderstanding the "The pfSense+ instance that Nexus is running on doesn't need to be registered since that's handled automatically" part Thanks

Problems Installing or Upgrading pfSense Software

Discussions about installing or upgrading pfSense software

10k Topics

62k Posts

I attempted an reinstall on a netgate device at first I could get to pf sense list of command options before help, but after inputing usb recovery I got as far as netgate installer then for peculiar reason My Ethernet connection was unconnected and installer could not communicate with netgate server now when I boot into the machine I only can get <<Marvel>>. Can some one assist or tell me why I loose connection and why I can’t get to pf sense boot option list? I thank you for the welcome to the community and any assistance you can provide in trouble shooting this difficulty is appreciated. Sincerely Rtunnel

Firewalling

Discussions about firewalling functionality in pfSense software

10k Topics

59k Posts

Why are you talking about NAT with IPv6. The only reason for it was the address shortage in IPv4 and it also breaks some things. Please learn to do things properly with IPv6 and unlearn the bad habits from IPv4.

NAT

Discussions about Network Address Translation (NAT)

6k Topics

31k Posts

Thanks for sharing the configuration details! I encountered a similar situation when opening ports for Minecraft on pfSense. In addition to the steps you did, you can try checking: Firewall Rule: Make sure the rules for WAN are applied correctly. NAT Reflection: Sometimes enabling NAT Reflection can help in internal testing. Check ISP: Some carriers block port 25565, you may need to change the port to test. pfSense Log: Check the log to determine if the request has reached the router. Does anyone in the community have any tips to help make the configuration more stable?

HA/CARP/VIPs

Discussions about High Availability, CARP, and utilizing additional IP addresses

3k Topics

12k Posts

Hi there, So I've recently seen some issues which I think might be related to pfSync. Running on whitebox hardware and pfsense plus 2507 The interface order is exactly identical across nodes pfSync states is enabled on both nodes in the cluster I've verified that I can see all the states on both nodes before I initiate maintenance on the primary node. When maintenance mode is initiated I can see that the sessions seems to be dropped on the secondary because the states goes to 0-give or take a few and then starts rising again. No errors in the logs. Hardware is identical. Are there anything we could try here?

L2/Switching/VLANs

Discussions about Layer 2 Networking, including switching and VLANs

1k Topics

10k Posts

@keyser Thanks for the reply. I have a spare port on my router and I will use it to experiment with.

Routing and Multi WAN

Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

9k Topics

41k Posts

@stephenw10 / @marcosm any chance we can relocate this busy/lively thread to the regular Routing and Multi WAN section? It seems it isn't and probably never was specific to 25.07 RC anymore...

Traffic Shaping

Discussions about traffic shaping and limiters

3k Topics

16k Posts

@stephenw10 , In versions 2.7.x and 2.8, the problem with limiters on a WAN that isn't the default route occurs. The last version that worked correctly was 2.6.0. The evidence and tests performed in each version are documented. Thank you very much and I hope you can validate from version 2.7.x onwards that the limiters no longer work in a WAN that is not the default . thanks. In 2.6.0 the limiter uses the private IP as source and destination, to control the BW for each IP In 2.8 and 2.7.x the limiter uses the public IP as the source and the private IP as the destination, that is, for the upload it uses the public IP after applying NAT, this does not limit each connection from the LAN, it limits the entire bandwidth [image: 1754342256028-3031a675-6d14-4702-98be-a788da8e8744-image.png]

DHCP and DNS

Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

7k Topics

43k Posts

@elgranjeff that does seem odd.. I will see if I can duplicate it - I don't use azure, but I do use cloudflare. But your saying it gives you an error just putting it into the form? [image: 1754862484606-really.jpg] edit - yeah that does seem like a bug in 2.8.. [image: 1754863057656-save.jpg] Have to look to see if there is a redmine about it.. I will have to update my 2.8 to the 2.8.1 beta and see if fixed in that.

IPv6

Discussions about IPv6 connectivity and services

2k Topics

20k Posts

I'll state the obvious here... I went to System->Advanced->Networking and unchecked "Allow IPv6". Poof, the firewall log entries went away. I had found the reddit webpage on this topic: https://www.reddit.com/r/PFSENSE/comments/1hzmc5y/ipv6_noise_protocol_options_to_ff0216/ and started down knox203's suggested fix for quieting the syslogs. I already had "Allow IPv6" checked, and wondered why I need IPv6 on my network at all. Unchecked it and bliss.

IPsec

Discussions about IPsec VPNs

6k Topics

24k Posts

I definitely will do this next week and post here the results. Thank you

OpenVPN

Discussions about OpenVPN

10k Topics

53k Posts

@ipguy said in I need BF-CBC: https://forums.openvpn.net/viewtopic.php?t=35809#p111709 These openvpn options : providers legacy default data-ciphers-fallback BF-CBC compat-mode 2.3.18 check if they still exist in the version used by pfSense. First : check the Openvpn version used by pfSense. Then, with that version number, look them up in the openvpn user manual. If it's the case, then use them here : [image: 1754303064757-c6da93cf-9502-4171-b791-b119919f5e6f-image.png] for example, I use the option status /var/log/openvpn.status; status-version 1; for my own needs. When yous aved tehse option, check how OpenVPN sarts up (the logs) and see if it doesn't scream with errors. Also check the openvpn config file (the one created with the GUI parameters) for consistency. You can find the file here : /var/etc/openvpn/server1/ and look for the file "config.ovpn". It's an ordinary text file. Don't (bother) edit(ing) this file as it is auto generated by the GUI.

Captive Portal

Discussions about Captive Portal, vouchers, and related topics

4k Topics

19k Posts

@DominikHoffmann said in Captive portal with external code?: Am I correct? You can upload the files you need, like css file with the portal's file manager. From then on, you can use these files in your 'main' portal login html file, error file etc.

webGUI

Anything that does not fit in other categories related to the webGUI

2k Topics

10k Posts

@mmkkoo Every HTTP request is logged. So everything that updates on the dashboard.

Wireless

Discussions about wireless networks, interfaces, and clients

2k Topics

11k Posts

@opticalc Intel.

SNMP

Discussions about monitoring via SNMP

197 Topics

609 Posts

I figured it out . My firewalls had an old unused OpenVPN client connection on it that was unstable and every time it reconnected, it got a new IP address causing pfsense to restart all packages, and since it took down SNMP, we wouldn't get alerted about the interface going down either... So this issue is solved now

Documentation

Discussions about pfSense documentation, including the book

186 Topics

1k Posts

As a volunteer translator, I suggest that the official website update the template files of the online translation (https://zanata.netgate.com/) in a timely manner, or open the function of uploading po or mo files to replace the translation templates that are still in pfsense 2.50.

Development

Topics related to developing pfSense: coding styles, skills, questions etc.

1k Topics

6k Posts

Hmm, I would expect that to work. It's pretty much exactly what I run myself. What do you see logged at boot compared with when you restart dpinger?

Gaming

Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

427 Topics

3k Posts

I am on 24.11. I have several consoles at home, PS5, PS4, Nintendo's. No issues at all. I just assigned a fixed IP to them put those IP in the ACL allow list. Outbound NAT with static port for the consoles. The only "issue" is that port mappings remain there for days. I have to manually cancel them. At the moment I did not find any solution to remove them via cron job scripts.

Virtualization

Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

2k Topics

12k Posts

@KOM Oh! :) Thanks!

Hardware

Discussions about pfSense hardware support

8k Topics

69k Posts

Is it actually losing link? What do you see logged when that happens?

Bounties

Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

457 Topics

6k Posts

Rereading this I realize I didn't provide much context or frame the issue very well, and since I can't edit I'll post what the OP should have started with here. From the pfSense Docs: Captive Portal in pfSense software forces users on an interface to authenticate before granting access to the Internet. Where possible, the firewall automatically presents a login web page in which the user must enter credentials such as a username/password, a voucher code, or a simple click-through agreement. Users have made many requests for something similar, but for authorizing access into the intranet, instead of out to the internet. This is often called a "reverse portal". This would be useful for e.g. setting up MFA for wireguard vpn connections or requiring login to access a different segment of the local network. Unfortunately, despite being nearly identical in implementation, netgate explicitly states that their captive portal feature is not capable of acting as a reverse portal, aka authorizing access to the local intranet. One of the challenges with reverse portals is how to know when the user has disconnected and needs to reauthenticate. Here I propose a design where the user has to keep a browser tab with an open tcp connection (SSE with heartbeats) connected to the firewall to for the pass rule to be enabled; when the connection closes the pass rule is disabled and they will have to reauthenticate.

Retired

Categories that are no longer active, but are present for reference

10k Topics

64k Posts

Yes this needs to be addressed. But I would argue that if you can set the pppoe password you already have a high level access and could break things far more easily.