Subcategories

  • Announcements and information about pfSense software posted by the project team

    222 Topics
    3k Posts
    @dennypage Create an IGMP rule on your floating rules, and do not set the direction to in. Set: Interface: leave; Direction: any; Protocol: IGMP only; Source: any; Destination: any; Quick: set; Advanced Options: Allow IP options. For example, if you have pfBlocker DNSBL auto rules (ping auto rule, permit auto rule) on top, it can cause trouble on the states. Check the States of this rule. You should see TCP and UDP packets as well, 443. If you set the direction on your LAN interface to in, you should see IGMP only; otherwise you have to place it at the very top of all your other floating rules, before everything else.
  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    27k Topics
    192k Posts
    Patient0, Thank you for your reply. My English isn't great, and I'm afraid of messing everything up :-( Is this the order I need to place? pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade
  • Discussions about Multi-Instance Management.

    24 Topics
    158 Posts
    It will be available when the product is launched (including the correct link in the docs).
  • Discussions about installing or upgrading pfSense software

    10k Topics
    63k Posts
    @tinfoilmatt said in Fresh install of version 2.8 fails to boot: @coffeecup25 FYI... Aren't you the clever one. So smart. FYI, I'm a terrible typist. And I never get all of my ideas out in the first draft. That's what the edit button is for. Am I supposed to be embarrassed, or are you supposed to look smart? Neither is true. Does your discovery somehow prove something about the issue at hand in your mind? pfSense still did not load right. And I'm not using it any longer. OPNsense has no issues like the ones I described and it appears more stable given some of the issues that must be considered during a common, ordinary upgrade. My main router is OPNsense and so is my spare. And the disk holding the last attempt at pfSense was reformatted. Thanks for giving me the opportunity to make these final points.
  • Discussions about firewalling functionality in pfSense software

    10k Topics
    59k Posts
    Hello all, hope this is the right place for the question.... I'd like to attach the pfSense logs (pfBlocker, Snort, etc.) to a SIEM server and just do not know the best open-source (free) one to experiment with. If it works well, I have around 20 pfSense appliances I'd monitor (moving to a commercial product if needed). But I really need to see how it will work and the value of the data via remote logging. Can someone recommend a good SIEM platform? Wazuh? OSSEC? Splunk Free? Or another? Being able to install on Win11 as well as Linux would be helpful as well. Thanks for any suggestions.
  • Discussions about Network Address Translation (NAT)

    6k Topics
    31k Posts
    johnpoz
    @luckman212 said in Why is there an automatic Outbound NAT for ::1/128: NAT it to the routable V6 interface IP assigned to my ix0 LAN. And why would it do that? You have it set on what you're calling wan6. it was adding NAT rules for some site to site WG tunnels that I already had static routes for. No it wasn't.. Unless you set it like that.. Example - I have a wg interface; the only traffic that gets NATed to that is traffic I route out that interface.
  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    3k Topics
    12k Posts
    @UserCo I'm seeing something similar. I've had terrible luck with Kea DHCP in HA mode. It works, until it randomly doesn't. This last time for me the logging just stopped a day or two before I noticed, and the last message was that it couldn't reach the HA partner. The web UI showed that everything was fine; I restarted the services on both nodes and that did nothing. Ended up rebooting both to get it back.
  • Discussions about Layer 2 Networking, including switching and VLANs

    1k Topics
    10k Posts
    @patient0 Not a production environment, just a home environment. Thanks for your suggestion, I'll give it a try. Best regards and thanks again....
  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    9k Topics
    42k Posts
    patient0
    @Jaritura I wonder if that really works. On WAN direction 'in' means connections from the public to the WAN. Your first rule keeps the state for all these connections. Have you implemented this and it works?
  • Discussions about traffic shaping and limiters

    3k Topics
    16k Posts
    @shellbr I know the docs say "It does not care about bandwidth on interfaces, only the priority" but in my experience the limits on WAN and LAN are enforced.
  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    7k Topics
    43k Posts
    provels
    The next world war should be a hoot!
  • Discussions about IPv6 connectivity and services

    2k Topics
    20k Posts
    CNLiberal
    I got caught up in work and dropped this for a while. I'm back now and I've made a little progress. Xfinity / Comcast is giving me a /60 (16 /64 subnets). I have the LAN interface tracking WAN using hex 0. This gives my LAN the address of 2601:abc:abcd:fd00:a236:9fff:fef2:383a. This is the last 0 in fd00. I want to pass down to my layer 3 switch a /61 to split among the other VLANs/subnets on that switch. FYI, the L3 switch is the only device on that VLAN. In pfSense, I've changed to the Kea DHCP backend. In SERVICES > DHCPv6 SERVER, on the LAN interface, I see: PRIMARY ADDRESS POOL: PREFIX: Delegated Prefix: WAN/0 (2601:0abc:abcd:fd00::/64)/64. In PREFIX DELEGATION POOL I'm trying to serve out a /61 (which should be 8 /64 subnets) to the downstream layer 3 switch. I ran a packet capture on the LAN interface and cleared out the IPv6 DHCP client on that VLAN/LAN interface. It looks like pfSense is only sending a single /64 address. I'm not sure where to go from here. I think I've got the DHCP server configured correctly. Does anyone have any thoughts on this? Thanks!
  • Discussions about IPsec VPNs

    6k Topics
    24k Posts
    To stop the logs getting full of rubbish I added an explicit "block IPv4 any any" to the WAN interfaces on a pair of firewalls which are connected using an IPsec VPN. This seemed to work fine until the phase 2s tried to rekey. The rekeying failed and the whole VPN was ripped down and re-established. Is that expected? Disabling the block rules made everything work properly again. Should I have added rules to allow IKE and ESP before the block rule? Or should the automatically added ones have been enough? Where do the automatically generated IPsec rules end up in processing order? Is there a way I can see this? Is there a better way to stop the default block rules logging?
  • Discussions about OpenVPN

    10k Topics
    53k Posts
    johnpoz
    @chpalmer this screams incoming spam..
  • Discussions about Captive Portal, vouchers, and related topics

    4k Topics
    19k Posts
    Have you considered the possibility of this being a DHCP issue? When Captive Portal checks for authorization it only checks the MAC address. It accepts the user if the MAC matches, but everything comes apart if the IP has changed (index.php in /usr/local/captiveportal). This is why the DHCP lease timeout must be longer than the voucher timeouts, to avoid the device showing up on a different IP. If you have a situation where the same MAC gets a different IP (extremely common in Kea DHCP), you could have two IPs authenticated in the CP databases that have the same MAC address. Both would be associated with the same MAC address and voucher. The original IP would still have connectivity but the new IP would not. If a MAC existed in the database with a different MAC address as another with the same IP, then there would be equal chaos and all the counters would be wrong. You would also likely have many complaints until the original voucher times out, which could very well leave "ghost" users as well. This ties into the totally broken lease affinity subject under Kea DHCP after a reboot.
  • Anything that does not fit in other categories related to the webGUI

    2k Topics
    10k Posts
    Re: Suricata cannot change HOME NET list? I am trying to customize HOME_NET for Suricata on pfSense CE and something seems inconsistent between the GUI and the actual rule evaluation. What I did (following the recommended procedure from this thread):
    Created an alias SURICATA_HOME_NET containing: 10.0.10.0/24, 10.0.20.0/24, 10.0.30.0/24, 10.0.40.0/24, 192.168.200.200/32 (WAN IP of the firewall).
    Created a Pass List, added that alias at the bottom, saved it.
    In Suricata → Interface Settings (WAN), in "Networks Suricata Should Inspect and Protect", I selected this Pass List as HOME_NET, saved and restarted Suricata.
    In the WAN interface I can see via "View HOME_NET" that 192.168.200.200/32 is indeed listed as part of HOME_NET, and EXTERNAL_NET looks correct as !HOME_NET.
    I added the following two custom rules to custom.rules on the WAN interface:
    alert tcp any any -> $HOME_NET 1:1024 (msg:"LAB T1046 SYN to HOME_NET"; flags:S; sid:4000001; rev:4;)
    alert tcp any any -> 192.168.200.200 1:1024 (msg:"LAB T1046 SYN to WAN"; flags:S; sid:3999999; rev:3;)
    After Save + Apply + restart of Suricata on WAN, I run:
    nmap -sS -Pn -p1-1024 192.168.200.200
    Result: The rule with the literal IP (sid:3999999) triggers alerts as expected. The rule using $HOME_NET (sid:4000001) never fires, even though 192.168.200.200/32 is clearly shown in the HOME_NET list in the GUI.
    At the same time, a very simple test rule:
    alert icmp any any -> any any (msg:"LAB TEST ICMP ANY"; sid:4999999; rev:1;)
    does fire normally on the same interface, so custom.rules is loaded and working.
    So the situation is: custom rules are loaded and working, the HOME_NET/EXTERNAL_NET Pass List is configured and visible in "View HOME_NET", traffic definitely hits the WAN interface (the static-IP rule sees it), but rules using $HOME_NET as destination do not match that same traffic. Is this a known issue or am I misunderstanding how HOME_NET from a Pass List is applied internally?
    Any hints how to debug why $HOME_NET does not seem to include 192.168.200.200/32 at rule evaluation time, even though the GUI says it does?
  • Discussions about wireless networks, interfaces, and clients

    2k Topics
    11k Posts
    JonathanLee
    @w0w You can also run Squid on OpenWRT, I am told there are so many packages. I have been playing with OpenWRT because TP-Link was doing some weird data harvesting and pfSense caught it in the act, right after I installed OpenWRT per @johnpoz's recommendations. I just run it in bridge mode now.
  • Discussions about monitoring via SNMP

    197 Topics
    609 Posts
    I figured it out. My firewalls had an old unused OpenVPN client connection on them that was unstable, and every time it reconnected it got a new IP address, causing pfSense to restart all packages. And since it took down SNMP, we wouldn't get alerted about the interface going down either... So this issue is solved now.
  • Discussions about pfSense documentation, including the book

    186 Topics
    1k Posts
    opnwall
    As a volunteer translator, I suggest that the official website update the template files of the online translation (https://zanata.netgate.com/) in a timely manner, or open the function of uploading po or mo files to replace the translation templates that are still in pfsense 2.50.
  • Topics related to developing pfSense: coding styles, skills, questions etc.

    1k Topics
    7k Posts
    Bob.Dig
    I did the upgrade to the RC this morning, coming from 25.07.1. I then enabled Endpoint-independent Outbound NAT for my machine and pfSense crashed. And it crashed on every boot so I had to use the zfs-snapshot feature.
    Dump header from device: /dev/gpt/swap1
    Architecture: amd64
    Architecture Version: 4
    Dump Length: 381952
    Blocksize: 512
    Compression: none
    Dumptime: 2025-11-19 10:51:17 +0100
    Hostname: pfSense.internal
    Magic: FreeBSD Text Dump
    Version String: FreeBSD 16.0-CURRENT #33 plus-RELENG_25_11-n256497-084b5f7b7bcd: Tue Nov 18 17:18:00 UTC 2025 root@pfsense-build-release-amd64-1.eng.atx.netgate.com:/var/jenkins/workspace/pfSense-Plus-s
    Panic String: page fault
    Dump Parity: 1574524171
    Bounds: 0
    Dump Status: good
    I saved the dumps if they are of interest. I will give 25.11 RC another chance without using this feature.
  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    430 Topics
    3k Posts
    This discussion about using pfSense for VPN interfaces and game server port forwarding is quite technical but very useful for gamers and network enthusiasts who want secure and optimized connections. It reminds me of how watching online movies also depends on stable and well-configured networks; both require speed, security, and smooth performance to fully enjoy the experience. Just like setting up pfSense ensures a seamless gaming session, having a good connection makes online movie streaming effortless and enjoyable.
  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    2k Topics
    12k Posts
    I have a virtual machine based on KVM, which has 4 vCPUs and 8GB of RAM. When there is a lot of traffic, I experience packet loss. (The beginning has a lot of packet loss because I reset the machine with more power, thinking that might be the cause. However, real traffic begins at 11:40 a.m., and you can see that the latency and packet loss increase at that point.) CPU usage is around 10%, so that shouldn't be the problem. I have disabled ‘hardware checksum offload’. There is no difference, except that CPU usage is higher. I don't know what else could be causing this. Many thanks in advance for your help.
  • Discussions about pfSense hardware support

    8k Topics
    69k Posts
    @lavenderfox2430 Still using the box. Ended up switching to the two 10G SFPs for all my physical links. Could not get the 4 pass-through NICs into normal mode. With so many NICs, I didn't feel the need to explore other possibilities.
  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    457 Topics
    6k Posts
    Rereading this I realize I didn't provide much context or frame the issue very well, and since I can't edit I'll post what the OP should have started with here. From the pfSense Docs: Captive Portal in pfSense software forces users on an interface to authenticate before granting access to the Internet. Where possible, the firewall automatically presents a login web page in which the user must enter credentials such as a username/password, a voucher code, or a simple click-through agreement. Users have made many requests for something similar, but for authorizing access into the intranet, instead of out to the internet. This is often called a "reverse portal". This would be useful for e.g. setting up MFA for WireGuard VPN connections or requiring login to access a different segment of the local network. Unfortunately, despite being nearly identical in implementation, Netgate explicitly states that their captive portal feature is not capable of acting as a reverse portal, aka authorizing access to the local intranet. One of the challenges with reverse portals is how to know when the user has disconnected and needs to reauthenticate. Here I propose a design where the user has to keep a browser tab with an open TCP connection (SSE with heartbeats) connected to the firewall for the pass rule to be enabled; when the connection closes the pass rule is disabled and they will have to reauthenticate.
  • 10k Topics
    64k Posts
    @dennypage Out of curiosity are you getting any hits for qat in vmstat? I'm configured in a nearly identical way and it must be that I must either not be using the right ciphers or IPsec-MB is so efficient it absolutely makes QAT useless.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.