pfSense® Software

Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

Subcategories

Messages from the pfSense Team

Announcements and information about pfSense software posted by the project team

196
Topics

2063
Posts

D

@defenderllc thank you so much, I just fixed the issue using this method 😊👌
General pfSense Questions

Discussions about pfSense software that do not fit into one of the more specific categories below.

23891
Topics

157824
Posts

G

@tjabas said in Pfsense keeps crashing:

will i also loose the boot

No, of course not.
That why you make these regular daily Diagnostics > Backup & Restore Backup & Restore
And that's why you've set up Services > Auto Configuration Backup > Settings

A new disk means of course : you need a install media, an USB drive with the 'latest'.
After install, import de config. Reboot. Done.

@tjabas said in Pfsense keeps crashing:

icap interface,clam antivirus,squid and squidguard

These can produce a lot of disk activity.
If the drive is 'small', a lot of sectors will be rewritten often. That's what kills even the best SSD.
Installation and Upgrades

Discussions about installing or upgrading pfSense software

8846
Topics

54970
Posts

N

I need to install certain packages (haproxy) and can't do it until I upgrade.
I tried the GUI upgrade and it failed while checking the integrity.

I rebooted, tried again and now I get this:
>>> Updating repositories metadata... Updating pfSense-core repository catalogue... Fetching meta.conf: . done Fetching packagesite.pkg: . done Processing entries: .. done pfSense-core repository update completed. 15 packages processed. Updating pfSense repository catalogue... Fetching meta.conf: . done Fetching packagesite.pkg: .......... done Processing entries: Processing entries............. done pfSense repository update completed. 549 packages processed. All repositories are up to date. >>> Removing vital flag from php81... done. >>> Downloading upgrade packages... Updating pfSense-core repository catalogue... pfSense-core repository is up to date. Updating pfSense repository catalogue... pfSense repository is up to date. All repositories are up to date. Checking for upgrades (62 candidates): .......... done Processing candidates (62 candidates): .......... done Checking integrity... done (50 conflicting) - php82-session-8.2.4 [pfSense] conflicts with php81-session-8.1.11 [installed] on /usr/local/include/php/ext/session/php_session.h - php82-pear-Crypt_CHAP-1.5.0_2 [pfSense] conflicts with php81-pear-Crypt_CHAP-1.5.0_2 [installed] on /usr/local/share/pear/Crypt/CHAP.php - php82-pear-Net_Socket-1.2.2 [pfSense] conflicts with php81-pear-Net_Socket-1.2.2 [installed] on /usr/local/share/doc/pear/Net_Socket/LICENSE - php82-zlib-8.2.4 [pfSense] conflicts with php81-zlib-8.1.11 [installed] on /usr/local/include/php/ext/zlib/php_zlib.h - php82-dom-8.2.4 [pfSense] conflicts with php81-dom-8.1.11 [installed] on /usr/local/include/php/ext/dom/dom_ce.h - php82-simplexml-8.2.4 [pfSense] conflicts with php81-simplexml-8.1.11 [installed] on /usr/local/include/php/ext/simplexml/php_simplexml.h - php82-pfSense-module-0.95 [pfSense] conflicts with php81-pfSense-module-0.91 [installed] on /usr/local/include/php/ext/pfSense/php_pfSense.h - php82-shmop-8.2.4 [pfSense] conflicts with php81-shmop-8.1.11 [installed] on /usr/local/include/php/ext/shmop/php_shmop.h - pfSense-Status_Monitoring-php82-1.8_3 [pfSense] conflicts with pfSense-Status_Monitoring-1.8 [installed] on /etc/inc/priv/pfSense-Status_Monitoring.priv.inc - php82-pecl-rrd-2.0.3 [pfSense] conflicts with php81-pecl-rrd-2.0.3 [installed] on /usr/local/include/php/ext/rrd/rrd_info.h - php82-pdo-8.2.4 [pfSense] conflicts with php81-pdo-8.1.11 [installed] on /usr/local/include/php/ext/pdo/php_pdo.h - php82-curl-8.2.4 [pfSense] conflicts with php81-curl-8.1.11 [installed] on /usr/local/include/php/ext/curl/curl_file_arginfo.h - php82-readline-8.2.4 [pfSense] conflicts with php81-readline-8.1.11 [installed] on /usr/local/include/php/ext/readline/readline_cli.h - php82-pecl-radius-1.4.0b1_2 [pfSense] conflicts with php81-pecl-radius-1.4.0b1_2 [installed] on /usr/local/include/php/ext/radius/radius_init_const.h - aws-sdk-php82-3.232.3 [pfSense] conflicts with aws-sdk-php81-3.232.3 [installed] on /usr/local/www/aws-sdk/Aws/ACMPCA/ACMPCAClient.php - php82-mbstring-8.2.4 [pfSense] conflicts with php81-mbstring-8.1.11 [installed] on /usr/local/include/php/ext/mbstring/php_mbregex.h - php82-tokenizer-8.2.4 [pfSense] conflicts with php81-tokenizer-8.1.11 [installed] on /usr/local/include/php/ext/tokenizer/tokenizer_arginfo.h - php82-ldap-8.2.4 [pfSense] conflicts with php81-ldap-8.1.11 [installed] on /usr/local/include/php/ext/ldap/ldap_arginfo.h - php82-sysvmsg-8.2.4 [pfSense] conflicts with php81-sysvmsg-8.1.11 [installed] on /usr/local/include/php/ext/sysvmsg/config.h - php82-pear-Net_URL2-2.2.1 [pfSense] conflicts with php81-pear-Net_URL2-2.2.1 [installed] on /usr/local/share/doc/pear/Net_URL2/docs/6470.php - php82-pear-XML_RPC2-1.1.5 [pfSense] conflicts with php81-pear-XML_RPC2-1.1.5 [installed] on /usr/local/share/doc/pear/XML_RPC2/docs/Makefile - php82-posix-8.2.4 [pfSense] conflicts with php81-posix-8.1.11 [installed] on /usr/local/include/php/ext/posix/posix_arginfo.h - php82-sockets-8.2.4 [pfSense] conflicts with php81-sockets-8.1.11 [installed] on /usr/local/include/php/ext/sockets/sendrecvmsg.h - php82-8.2.4 [pfSense] conflicts with php81-8.1.11 [installed] on /usr/local/bin/php - php82-pear-Cache_Lite-1.8.3,1 [pfSense] conflicts with php81-pear-Cache_Lite-1.8.3,1 [installed] on /usr/local/share/doc/pear/Cache_Lite/LICENSE - php82-sqlite3-8.2.4 [pfSense] conflicts with php81-sqlite3-8.1.11 [installed] on /usr/local/include/php/ext/sqlite3/sqlite3_arginfo.h - php82-xmlreader-8.2.4 [pfSense] conflicts with php81-xmlreader-8.1.11 [installed] on /usr/local/include/php/ext/xmlreader/config.h - php82-xml-8.2.4 [pfSense] conflicts with php81-xml-8.1.11 [installed] on /usr/local/include/php/ext/xml/xml_arginfo.h - php82-pear-Net_SMTP-1.10.1 [pfSense] conflicts with php81-pear-Net_SMTP-1.10.1 [installed] on /usr/local/share/doc/pear/Net_SMTP/LICENSE - php82-pcntl-8.2.4 [pfSense] conflicts with php81-pcntl-8.1.11 [installed] on /usr/local/include/php/ext/pcntl/pcntl_arginfo.h - php82-intl-8.2.4_1 [pfSense] conflicts with php81-intl-8.1.11_1 [installed] on /usr/local/include/php/ext/intl/intl_error.h - php82-bcmath-8.2.4 [pfSense] conflicts with php81-bcmath-8.1.11 [installed] on /usr/local/include/php/ext/bcmath/config.h - php82-pear-Net_IPv6-1.3.0.b4_2 [pfSense] conflicts with php81-pear-Net_IPv6-1.3.0.b4_2 [installed] on /usr/local/share/pear/Net/IPv6.php - php82-bz2-8.2.4 [pfSense] conflicts with php81-bz2-8.1.11 [installed] on /usr/local/include/php/ext/bz2/php_bz2.h - php82-phpseclib-2.0.17 [pfSense] conflicts with php81-phpseclib-2.0.17 [installed] on /usr/local/www/phpseclib/Crypt/AES.php - php82-openssl_x509_crl-1.3_2 [pfSense] conflicts with php81-openssl_x509_crl-1.3_1 [installed] on /usr/local/share/openssl_x509_crl/ASN1.php - php82-sysvshm-8.2.4 [pfSense] conflicts with php81-sysvshm-8.1.11 [installed] on /usr/local/include/php/ext/sysvshm/php_sysvshm.h - php82-xmlwriter-8.2.4 [pfSense] conflicts with php81-xmlwriter-8.1.11 [installed] on /usr/local/include/php/ext/xmlwriter/config.h - php82-gettext-8.2.4 [pfSense] conflicts with php81-gettext-8.1.11 [installed] on /usr/local/include/php/ext/gettext/gettext_arginfo.h - php82-pecl-mcrypt-1.0.6 [pfSense] conflicts with php81-pecl-mcrypt-1.0.5 [installed] on /usr/local/include/php/ext/mcrypt/php_mcrypt.h - php82-libbe-0.1.4.1 [pfSense] conflicts with php81-libbe-0.1.4.1 [installed] on /usr/local/include/php/ext/libbe/libbe_private.h - php82-pear-HTTP_Request2-2.5.1,1 [pfSense] conflicts with php81-pear-HTTP_Request2-2.5.1,1 [installed] on /usr/local/share/doc/pear/HTTP_Request2/LICENSE - php82-ctype-8.2.4 [pfSense] conflicts with php81-ctype-8.1.11 [installed] on /usr/local/include/php/ext/ctype/ctype_arginfo.h - php82-pear-Mail-1.4.1,1 [pfSense] conflicts with php81-pear-Mail-1.4.1,1 [installed] on /usr/local/share/doc/pear/Mail/LICENSE - php82-sysvsem-8.2.4 [pfSense] conflicts with php81-sysvsem-8.1.11 [installed] on /usr/local/include/php/ext/sysvsem/sysvsem_arginfo.h - php82-opcache-8.2.4 [pfSense] conflicts with php81-opcache-8.1.11 [installed] on /usr/local/include/php/ext/opcache/zend_file_cache.h - php82-pear-1.10.13 [pfSense] conflicts with php81-pear-1.10.13 [installed] on /usr/local/bin/pear - php82-filter-8.2.4 [pfSense] conflicts with php81-filter-8.1.11 [installed] on /usr/local/include/php/ext/filter/filter_arginfo.h - php82-pdo_sqlite-8.2.4 [pfSense] conflicts with php81-pdo_sqlite-8.1.11 [installed] on /usr/local/include/php/ext/pdo_sqlite/php_pdo_sqlite.h - php82-pear-Auth_RADIUS-1.1.0_4 [pfSense] conflicts with php81-pear-Auth_RADIUS-1.1.0_4 [installed] on /usr/local/share/doc/pear/Auth_RADIUS/examples/radius-acct.php Child process pid=17164 terminated abnormally: Killed __RC=1 __REBOOT_AFTER=10
Firewalling

Discussions about firewalling functionality in pfSense software

9010
Topics

53738
Posts

G

@brunorocha__ said in DEBUG FIREWALL:

IPs of my LAN to be able to release some sites/ports in the firewall rules

A LAN IP should release a site ? port ?
Because it 'holds on' ( ? ) to it ?
What do you mean ?

This Diagnostics > States > States or this Diagnostics > States > Reset States ?
NAT

Discussions about Network Address Translation (NAT)

5261
Topics

29055
Posts

M

I am trying to set up a segment that is completely natted with static 1:1 natting, where the traffic only passes when using the natted address.

My network looks like this:
Untitled.jpg

I created a Virtual IP at 10.3.3.88 and set up a 1:1 nat for host 10.7.7.8. Host 10.3.3.123 should only communicate with 10.3.3.88, never trying to reach the 10.7.7.8 address directly.

Traffic leaving 10.7.7.8 appears to be natted as host 10.3.3.123 sees the traffic as coming from 10.3.3.88. But traffic from .123 to .88 fails unless I create a rule allowing traffic from .123 to .7.7.8. When I do this, traffic from .123 can pass directly to .7.7.8 without having to use the natted address (.88) at all.

I want to block traffic going directly to .7.7.8 and force any traffic for that host to use the natted address (10.3.3.88) only. How can I do this?
HA/CARP/VIPs

Discussions about High Availability, CARP, and utilizing additional IP addresses

2385
Topics

10923
Posts

W

@Gabri-91 I have a dynamic connection in pppoe on vlan 835, I have performed all the steps but it doesn't connect using the carp interface.
I double checked all the steps and it seems to be ok, but it doesn't want to connect to the wan...
L2/Switching/VLANs

Discussions about Layer 2 Networking, including switching and VLANs

947
Topics

8191
Posts

G

@RickyBaker

As Bingo : we don't know.
If a cam on the CAMS network plays nicely, and uses DHCP to obtain a IP, DNS, gateway etc, it will know how to go to the internet, and where to go to find DNS.
If the cams are using static IP settings : go check them again ?

Last image :
For clarity, the second rule, the 'permit DNS', should be placed on top. I would also include other ports, like 123 (NTP)
Then, for the reminder 'firewall destination' ports, on the second place, a block rule. No alias needed, as all ports can be blocked.

The third rule : if 10.10.10.7 is a device on your LAN, then all traffic with 10.10.10.7 will go to that device. No NAT or whatever needed.
Something to check : the 10.10.10.7 : does it accept traffic ? It's often een it accepts only traffic from devices on it's own network, 10.10.10.x - and nothing else. Activate the 'from everywhere'.
You can also use the Diagnostics > Packet Capture tool.
Select LAN as an interface.
And 10.10.10.7 as the destination.
And ICMP as the protocol.
Now ping from your cams net to 10.10.10.7. I bet you see the packets arrive at the LAN, and this knock on 10.10.10.7.
Routing and Multi WAN

Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

7976
Topics

38268
Posts

L

Hello, I'd like to ask for help resolving asymetric routing issue, here is the topology:

FW1 (one site)
WAN - no public IP, local VLANs internet access LAN - clients, printers SERVER - network services VPN - TAP OpenVPN client, link to FW2
FW2 (second site)
WAN2 - public IP, local VLANs internet access SERVER2 - network services VPN - TAP OpenVPN server (used also for other things than FW1)
When doing port forward from FW2 to service in SERVER2, everything works as it should, problem is making publicly accessible service at SERVER network, portforward there works in only one direction, but packets going back takes WAN route (as they should if they would not been forwarded from WAN2). How to make this work, keeping "unforwared" traffic going through WAN, but forwarded traffic taking correct route through WAN2?

It is probable, that I am missing some (otherwise) obvious setting of gateway/route/NAT somewhere, but I was not able to find it so far, I have my doubt that some advanced setting would resolve this, but any advice would help.
Traffic Shaping

Discussions about traffic shaping and limiters

2882
Topics

15537
Posts

J

@johngoutbeck

So NO answer.

Does this mean traffic shaping cannot be done for a transparent tunnel?
DHCP and DNS

Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

5742
Topics

35797
Posts

J

@johnpoz I don't know :( I thought let me give it a try, that NULL IP thing is so random.
IPv6

Discussions about IPv6 connectivity and services

1809
Topics

17027
Posts

D

@ansel That was the weird part there was nothing in the logs and the interface showed up.

I say "was" as it hasn't happened in the last week. Sigh.

Heisenbug? Sun Spots?
IPsec

Discussions about IPsec VPNs

5432
Topics

22296
Posts

M

Hi Guys,

I had another topic open for a resolution an issue we've got where a customer wants to NAT an IP on an IPsec to direct traffic to another isolated network. We was provided a resolution/workaround below which involved adding a new P2 tunnel.

https://forum.netgate.com/topic/177905/ipsec-dnat-not-working?_=1685971552379

I've got this working on a lab, but not on production. I'm curious if the order of Phase 2 tunnels matter?

If I put the main tunnel at the top of the list (VTI tunnel) both tunnels establish but networking drops over this tunnel.
If I put the tunnel mode P2 workaround (for the NAT issue) at the top, the tunnel doesn't establish at all but the main tunnel works as expected.

I'm of course wanting both tunnels to establish and neither to drop traffic.

Any advice or suggestions would be awesome :)
OpenVPN

Discussions about OpenVPN

8999
Topics

49031
Posts

G

Something like (second rule) :

798325ff-b2d9-498b-a265-969db483cb69-image.png
Captive Portal

Discussions about Captive Portal, vouchers, and related topics

3358
Topics

17511
Posts

J

@Gertjan Thanks
webGUI

Anything that does not fit in other categories related to the webGUI

1919
Topics

9173
Posts

B

@youcangetholdofjules Could be this:
https://forum.netgate.com/topic/180313/firewall-alias-import-bug-after-upgrade-to-23-05-release-amd64/6
Wireless

Discussions about wireless networks, interfaces, and clients

1667
Topics

10516
Posts

B

@SkippyTheMagnificent

Well done 👍

Feels good ... Doesn't it

/Bingo
SNMP

Discussions about monitoring via SNMP

176
Topics

532
Posts

J

https://redmine.pfsense.org/issues/13976
Documentation

Discussions about pfSense documentation, including the book

173
Topics

1215
Posts

J

This should be OK now if you try it again. The server-side redirects are back in place.
Development

Topics related to developing pfSense: coding styles, skills, questions etc.

Plus 23.09 Development Snapshots CE 2.7.0 Development Snapshots Plus 23.05 Development Snapshots (Retired) Plus 23.01 Development Snapshots (Retired) Plus 22.05 Development Snapshots (Retired) Plus 22.01 Development Snapshots (Retired) CE 2.6.0 Development Snapshots (Retired) 2.5.2 Release Candidate Snapshots (Retired) 2.5 Development Snapshots (Retired) 21.02.2/2.5.1 Snapshots (Retired)

1822
Topics

11656
Posts

P

@cappie Thank you for the information. I read over and will add to the list of things to investigate. So far the unit has not crashed or frozen. It is trucking along. So im going to give it the night back in the garage since me and my wife are not working. I talked with the vendor and they are going to send me a box with a J4125 chip but with less ram (8gb vs 16gb). the hardware is overkill but I like having maxed out hardware for the just in case or new project ideas.
Gaming

Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

393
Topics

2560
Posts

J

@jonathanlee everything else works roblox, amazon prime, disney plus. Tubi works for one movie only and requires app reset to work again.
Virtualization

Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

1787
Topics

10956
Posts

A

I have an Intel X710-T2L installed in my server running pfSense in a Hyper-V VM. SR-IOV is enabled on both the LAN and WAN virtual switches. If I configure the VM to enable SR-IOV, pfSense can't connect. I get the following in the console:

Untitled-1.png

and there is no connectivity. Disabling SR-IOV results in the connections being restored.

So, is there a driver that I need, or does FreeBSD not support this configuration yet?

Thanks!
Hardware

Discussions about pfSense hardware support

7164
Topics

64441
Posts

R

@Dobby_ said in PC ENGINES EOL, trusted HW option?:

I dont want to buy some appliances from Aliexpres etc.
I do not trust to such devices.

Why?

There are many concerns about hardware from no-name businesses having legit and functional hardware, and then when you have a warranty issue getting someone to honor the warranty.

Then there's the licensing issues with sellers on AliExpress preinstalling pfSense Plus on their devices to make the i226 interfaces usable but the device is non-functional because 1) the license doesn't match the new NDI and 2) the installation was done against the terms of the Plus licensing.
Bounties

Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

Completed Bounties Expired/Withdrawn Bounties

453
Topics

6370
Posts

D

@darkphox said in ATT Uverse RG Bypass (0.2 BTC):

@DefenderLLC I understand your sentiment, considering you're still stuck with the gateway using this bypass method. I liked the idea of putting the gateway behind my firewall, but it also made it easier to co-locate my network hardware with an UPS...the ONT is in a weird spot in my house. As a secondary benefit, I've noticed a slight to moderate increase in overall performance.

I've yet to see a speedtest actually reach full gigabit speed, but before the bypass I'd hit around 800Mbit with latency of 15 to 20 ms. After the bypass I'm hitting roughly 920Mbit with 8-10 ms latency. It's minor and surely not noticeable to my dulled senses, but it's measurable.

I haven't accessed the gateway itself since the bypass...Setting it up on a 'modem' interface keeps me from getting at it via the ol' 192.168.1.254, but I may see if I have time to mess around and look into the RG logs if they're easily accessible.

AT&T generally oversubscribes the service, but if you’re using a 1 gig port from the gateway to your LAN of course you’re not going to get any speeds faster than that. Port number 1 (the blue one) is a 5 Gb port on the newer models and will step down to 2.5Gb or 1Gb. Now the ONT modules are built into the modem itself. You have no choice but to use it.

I went back to the one gig service and this is what I get from my UDM-SE which sits behind my Netgate 6100 MAX with IPS enabled on both firewalls (dual NAT).

b077c0ed-9bba-4738-8451-72f731e9ff94-image.jpeg
Retired

Categories that are no longer active, but are present for reference

2.4 Development Snapshots 2.3.3 Development Snapshots 2.3.2 Development Snapshots 2.3.1 Snapshots Testing and Feedback - ARCHIVED 2.3-RC Snapshot Feedback and Issues - ARCHIVED 2.2.5 Snapshot Feedback and Issues 2.2.3 Snapshots Problems and Feedback - ARCHIVED 2.2 Snapshot Feedback and Problems - RETIRED 2.1.1 Snapshot Feedback and Problems - RETIRED 2.1 Snapshot Feedback and Problems - RETIRED

8644
Topics

54899
Posts

J

Set Debug in the DHCP6 Client Configuration on WAN as well, then check the logs (main system log, routing log, etc) to see what shows up.

1 / 1