Subcategories

  • Announcements and information about pfSense software posted by the project team

    212 Topics
    2k Posts

    @SteveITS You are correct. The SG1100 is an arm product - however I run my CE variant on an Intel x86 platform. Even though I test on the home lab - I still like to have something to use if the CE RC gets completely borked. 😉

  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    27k Topics
    188k Posts

    Thank you all for your responses, here is some more information - I was a bit tired last night at 3am. BLUF - the nic passthrough works great and is much faster than going through the Proxmox bridges once you get the physical ports mapped over and manually re-assign all the VLAN's and interfaces, etc. However, it inexplicably causes all kinds of other bizarre issues with pfSense seemingly unrelated to interfaces at all. I am all but certain if I rolled a new box with all the hardware setup exactly this way and manually reconfigured every setting via the GUI that it would work perfectly.

    The version is pfsense Plus 24.11 fully (23.11 was a typo).

    (restoring onto 2.7.2) Keep in mind that a backed up pfSense config is meant to be restored on the same machine. It could be restored into another device, but be ready to deal with the Interface changes.

    Yes, I went through and made sure that the interfaces are in the exact same order and have the exact same name as on the old system using screenshots. I also have made sure that all of the VLAN's are changed to the correct parent interface (LAN) which changed. I've done this 6 or 7 times, so I know it is being done correctly.

    pfSense-upgrade -d -c gets multiple errors

    I will restore the broken VM and post the full details of all errors and commands hopefully tonight.

    So it was working as expected but slow before you tried to move to passing the NICs through to pfSense in Proxmox.

    Let me explain better - I recently replaced a 4 port 2.5G nic with a 4 port 10G nic as part of an upgrade to the rest of the LAN to 10G. It currently works fine with the 4 port 10G nic when used via Proxmox bridge interfaces, but the bridges simply are not able to get more than ~2G through them.

    The 4 port nic currently has 3 of the ports mapped to bridges, and those bridges are assigned to the pfSense VM. All of the other VM's and the Proxmox host itself are on two separate physical NIC cards. I didn't grab the output of pciconf while booted with the Nic passed through, but I can do that tonight. It is 10Gtek and the part number is XL710-10G-4S(4xSFP+) - it's a cheap card but I've tried four other brands that were no good and I'm using these in 3 other servers. The firmware is fully upgraded. I added Nic3 to move the VMLan off of that physical Nic so I can pass the entire Nic card through to the pfSense. In the broken configuration with Nic2 passed through to the VM I was able to see at least 5G without making any additional tweaks to the OS or Nic such as mtu, offload settings, etc.

    Upon starting up the pfsense with the 10G nic passed through it of course asks me to assign interfaces. LAN is now ixl1 and WAN is now ixl3. At this point I have internet and can connect to the pfsense gui via the LAN - so the passthrough is working and the ethernet ports are mapped correctly. However, booting takes forever and the gui is painfully slow. There seem to be lots of errors related to the pfsense Plus registration at boot, I will capture dmesg and add it. Also in the GUI if I go to System -> register rather than saying "Your device does not require registration" it appears ready to accept an activation token - however even if I put in the token the gui just freezes for 20 minutes and nothing changes.

    Could this be a license issue for pfsense plus? If so, how am I supposed to swap hardware in my pfsense devices in the middle of the night - do I have to do a bunch of license coordination stuff with Netgate the day before to swap out a Nic? This can't possibly be the case...can it?

    Server Nics

    x used; - not used
    Nic1 2.5G | x       | -> Proxmox host
    Nic2 10G  | - x x x | -> Pfsense VM
    Nic3 10G  | x       | -> VMLan (All other VM's)

    Label is a literal label sticker on the server case for the 4 port Nic

    #  Label   Name      BEFORE  AFTER  MAC
    0  -----   -----     ----    ixl0   98:b7:85:XX:XX:XX  CONFIRMED
    1  pflan   LAN       vtnet0  ixl1   98:b7:85:XX:XX:XX  CONFIRMED
    2  pfsync  pfsync    vtnet2  ixl2   98:b7:85:XX:XX:XX  CONFIRMED
    3  WAN     WAN10500  vtnet1  ixl3   98:b7:85:XX:XX:XX  CONFIRMED

    Using Proxmox bridges:

    $ pciconf -lv
    ...
    virtio_pci4@pci0:6:21:0: class=0x020000 rev=0x00 hdr=0x00 vendor=0x1af4 device=0x1000 subvendor=0x1af4 subdevice=0x0001
        vendor     = 'Red Hat, Inc.'
        device     = 'Virtio network device'
        class      = network
        subclass   = ethernet

    Proxmox host before passthrough:

    # lshw -C network
    ...
      *-network:3
           description: Ethernet interface
           product: Ethernet Controller X710 for 10GbE SFP+
           vendor: Intel Corporation
           physical id: 0.3
           bus info: pci@0000:01:00.3
           logical name: enp1s0f3np3
           version: 01
           serial: 98:b7:85:XX:XX:XX
           size: 10Gbit/s
           capacity: 10Gbit/s
           width: 64 bits
           clock: 33MHz
           capabilities: pm msi msix pciexpress bus_master cap_list rom ethernet physical fibre 10000bt-fd
           configuration: autonegotiation=off broadcast=yes driver=i40e driverversion=6.8.12-10-pve duplex=full firmware=9.54 0x8000fb7a 1.2527.0 latency=0 link=yes multicast=yes speed=10Gbit/s
           resources: iomemory:600-5ff iomemory:600-5ff irq:16 memory:60e0000000-60e07fffff memory:60e2800000-60e2807fff memory:80a00000-80a7ffff memory:60e2000000-60e21fffff memory:60e2820000-60e289ffff
    ...

    VLAN's - there are 10 but only 2 of them are in use and are not critical. The pfsense LAN port obviously needs to be VLAN aware, and on Debian you would configure these settings for the Nic's in /etc/network/interfaces i.e.:

    auto enp1s0f1np1
    iface enp1s0f1np1 inet manual
        post-up /sbin/ethtool -K enp1s0f1np1 rxvlan off
        post-up /sbin/ethtool -K enp1s0f1np1 rx-vlan-offload off

    auto pflan
    iface pflan inet manual
        bridge-ports enp1s0f1np1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 20 30 40 50 60 70 80 90 55
  • Discussions about Multi-Instance Management.

    9 Topics
    92 Posts

    @pfGeorge
    good, thank you

  • Discussions about installing or upgrading pfSense software

    9k Topics
    61k Posts
    stephenw10

    Yeah it definitely could be more obvious. Maybe even a required step in the installer because the installer itself boots to both consoles.

  • Discussions about firewalling functionality in pfSense software

    10k Topics
    58k Posts

    Good day, I think I found the error. It seems that there is a problem with the national diacritics, when I removed the national texts, CRON failed. Otherwise, my cron looks like this:

    /bin/sh -c 'gateway_status=$(/sbin/pfctl -s gateway | grep -c "down"); if [ $gateway_status -gt 0 ]; then current_time=$(date); logger -t watchdog "[$current_time] Gateway detected as down, rebooting system"; sleep 5; /sbin/reboot; fi'

    but when I used this, it doesn't work:

    /bin/sh -c 'gateway_status=$(/sbin/pfctl -s gateway | grep -c "down"); if [ $gateway_status -gt 0 ]; then current_time=$(date); logger -t watchdog "[$current_time] Brána detekována jako nedostupná, restartuji systém"; sleep 5; /sbin/reboot; fi'

    and if it works, then I'll consider something like this:

    /bin/sh -c 'LOCKFILE=/tmp/watchdog.lock; MAX_RESTARTS=2; RESTART_PERIOD=10800; if [ -f $LOCKFILE ]; then RESTART_COUNT=$(cat $LOCKFILE); LAST_RESTART=$(stat -f %m $LOCKFILE); CURRENT_TIME=$(date +%s); if [ $((CURRENT_TIME - LAST_RESTART)) -lt $RESTART_PERIOD ]; then if [ $RESTART_COUNT -ge $MAX_RESTARTS ]; then logger -t watchdog "Max number of restarts reached ($MAX_RESTARTS) in 3 hours. Skipping restarts."; exit 0; fi; else echo 0 > $LOCKFILE; RESTART_COUNT=0; fi; else echo 0 > $LOCKFILE; RESTART_COUNT=0; fi; if ! ping -c 3 8.8.8.8 >/dev/null 2>&1; then NEW_COUNT=$((RESTART_COUNT + 1)); echo $NEW_COUNT > $LOCKFILE; current_time=$(date); logger -t watchdog "[$current_time] Internet unavailable, restart #$NEW_COUNT"; sleep 5; /sbin/reboot; fi'

    to prevent constant rebooting when the internet is unavailable from outside...

    or do you have any better solutions?

  • Discussions about Network Address Translation (NAT)

    6k Topics
    31k Posts

    @STEPHANK Freepbx runs fine behind pfsense in various setups and is rather straightforward to configure.
    In general not much is needed, and in most cases not even any port forwards.

    Do describe your configuration and setup.

  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    3k Topics
    12k Posts

    Nope, it's still the same. If only one interface fails for some reason, you end up in a split situation and it's not working.

  • Discussions about Layer 2 Networking, including switching and VLANs

    1k Topics
    10k Posts

    Hi,

    I have my current pfsense setup as:
    On-board:

    em0: wan
    igb4: management vlan

    PCIe nic adapter:

    igb0: interface with 2 vlans
    igb1: interface with 5 vlans
    igb2: directly connected interface to surveillance
    igb3: empty

    I'm changing the 4 ports igb nic to a 2 ports ixl nic

    I plan to first assign my igb1 vlans to the same interface on igb0
    Then optionally assign igb2 interface to igb1

    Then boot up after swapping cards. I assume :

    em0 will stay on-board igb4 will be renamed to igb0 I guess two new interfaces appear: ixl0 and ixl1

    Will I lose all my firewall rules on boot as all vlans will need to be assigned to new ixl0 interface instead of previous igb0 which was on the old nic? Do I need to recreate all vlans on new ixl0 and the firewall rules? Any way to avoid it?

    I then need to swap wan to ixl0, vlans to ixl1, management to em0 and surveillance to igb0. To achieve this, I plan to remove the surveillance interface, assign the 3 others, then add back the surveillance

    Is there a simpler way you advise to have the hardware upgrade done easily without a full setup of rules?

    Thank you for the help

  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    9k Topics
    41k Posts

    eabc93a8-57d3-42a7-a238-9dc201c9bca6-image.png

    VPN Only is essentially just the rule up above.

    NAT wise I've added this rule:
    68d71407-e473-4694-b9ec-6679e6575c41-image.png

  • Discussions about traffic shaping and limiters

    3k Topics
    16k Posts

    @Bob-Dig

    I don't know how and why, but it does. :(
    I confirmed the unintended traffic shaping with simple iperf3 between local devices. With floating rules off there is shaping, with the floating rules off, I get gigabit speed again. The shaping is bidirectional.

    Are you saying regardless of the traffic's IPv6 address being globally routable, they should be treated as local traffic since the interface is still LAN?

  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    7k Topics
    42k Posts
    tinfoilmatt

    @penguinpages said in DNS - Bind Redirect Error - Rebinding settings:

    web01.core.acme.com and www.web01.core.acme.com to 172.16.100.120

    Should these CNAME answers be pi.core.acme.com?

  • Discussions about IPv6 connectivity and services

    2k Topics
    19k Posts

    @Superfletch I did using outbound NAT6, but I since switched to openwrt and no longer use pfSense

  • Discussions about IPsec VPNs

    6k Topics
    24k Posts

    Hello,

    I have an IPSec tunnel from home to a Meraki MX-95 in the data center. Due to the way Meraki handles site-to-site VPNs with non-Meraki devices, I can't do a 0.0.0.0/0 P2 entry on my pfSense box; I have to list each exported subnet on the Meraki site as a P2 entry on my pfSense box. This leaves me with 11 P2 entries. It's not a problem; it connects and works. The issue is that this leaves me with a split-tunnel VPN, which I do not want (some of our customers don't allow this). I cannot figure out how to add a gateway/route on the pfSense side to force all traffic on my work subnet at home through the Meraki without having to set it up in Windows every time I boot my laptop, which I would prefer not to do.

    If I try to create a gateway and enter any IP on the Meraki, I get an error stating that it doesn't live on one of the chosen interface's subnets, which makes sense. I know this isn't a normal use case, but it is what I have and any help is greatly appreciated.

  • Discussions about OpenVPN

    10k Topics
    53k Posts

    Hi everyone,

    I'm running pfSense 2.6.0 (FreeBSD 12.3-STABLE), and I'm trying to terminate a specific OpenVPN client connection by clicking the "X" button in the OpenVPN widget on the dashboard.

    However, when I do this, the system crashes with the following PHP error:

    PHP Fatal error: Uncaught ArgumentCountError: Too few arguments to function openvpn_kill_client(), 2 passed in /usr/local/www/widgets/widgets/openvpn.widget.php on line 285 and exactly 3 expected in /etc/inc/openvpn.inc:2106
    Stack trace:
    #0 /usr/local/www/widgets/widgets/openvpn.widget.php(285): openvpn_kill_client('server1', 'IP_ADDRESS')
    #1 {main}
      thrown in /etc/inc/openvpn.inc on line 2106

    Has anyone else encountered this issue or know how to resolve it?
    Thanks in advance!

  • Discussions about Captive Portal, vouchers, and related topics

    4k Topics
    19k Posts
    Gertjan

    @regexaurus

    I do the same thing since ... not sure, for nearly a decade now.
    I 'strtolower()' the user and password field, as more and more people use only uppercase in whatever they write (not sure why ...).

    When the patch package became available, I wrote my own 'patch' so, when the system updates, chances are great that the patch still applies, and I don't need to manually edit anything.

    36c4277b-4158-4dcb-8e51-a0e878c68ef6-image.png

  • Anything that does not fit in other categories related to the webGUI

    2k Topics
    10k Posts

    Hi there,

    I recently migrated my pfSense setup on a GoWin R86S-N from RJ45 to SFP28 (using SFP+ modules in the SFP28 ports).
    Since the change, the Dashboard takes a very long time to load, and sometimes even crashes the entire WebGUI with the error:

    "The web server encountered an error processing this request. 50x Error"

    I'm currently running 2.8.0.r.20250516.1521, but the issue also occurred on 2.7.0.

    When I restart PHP-FPM, the WebGUI becomes responsive again — until I try to open the dashboard, which then causes the same problem all over again.

    In the /var/log/nginx.log, I found the following (possibly related) entries:

    [error] 13612#100388: *12 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.1.151, server: , request: "GET / HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.1.1", referrer: "https://192.168.1.1/haproxy/haproxy_pools.php"
    [error] 13821#100517: *307 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.1.151, server: , request: "POST / HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.1.1", referrer: "https://192.168.1.1/"

    Everything else (e.g., HAProxy pages) works fine — only the dashboard seems to cause this issue.

    Has anyone experienced something similar or has a clue how to fix or debug this further?

    Thanks in advance!

  • Discussions about wireless networks, interfaces, and clients

    2k Topics
    11k Posts

    @elvisimprsntr thanks for the chart! Getting rid of the ISP's Bridge Mode router and plugging the ethernet cable from the wall directly in Vault's WAN port has solved it...hopefully permanently.

  • Discussions about monitoring via SNMP

    197 Topics
    609 Posts

    I figured it out 🤦. My firewalls had an old unused OpenVPN client connection on it that was unstable and every time it reconnected, it got a new IP address causing pfsense to restart all packages, and since it took down SNMP, we wouldn't get alerted about the interface going down either...
    So this issue is solved now

  • Discussions about pfSense documentation, including the book

    183 Topics
    1k Posts

    For others with issues, it appears that GoDaddy has cut off DNS API access for those with less than 10 domain names. You may want to consider migrating to Cloudflare or another provider.

  • Topics related to developing pfSense: coding styles, skills, questions etc.
    1k Topics
    7k Posts
    RobbieTT

    @stephenw10

    As I'm still running v24.11 (still no hotplug events etc) I re-saved the interface for comparison later:

    Time Process PID Message
    May 23 19:29:21 php_pfb 44380 [pfBlockerNG] filterlog daemon started
    May 23 19:29:20 tail_pfb 44127 [pfBlockerNG] Firewall Filter Service started
    May 23 19:29:20 lighttpd_pfb 42103 [pfBlockerNG] DNSBL Webserver started
    May 23 19:29:20 php_pfb 39811 [pfBlockerNG] filterlog daemon stopped
    May 23 19:29:20 tail_pfb 38493 [pfBlockerNG] Firewall Filter Service stopped
    May 23 19:29:20 lighttpd_pfb 38314 [pfBlockerNG] DNSBL Webserver stopped
    May 23 19:29:20 rtsold 15216 Received RA specifying route fe80::xxx:xxxx:xxxx:b100 for interface wan(pppoe0)
    May 23 19:29:20 avahi-daemon 71022 Server startup complete. Host name is Router-7.local. Local service cookie is 830558610.
    May 23 19:29:20 avahi-daemon 71022 Network interface enumeration completed.
    May 23 19:29:20 avahi-daemon 71022 New relevant interface ice0.IPv4 for mDNS.
    May 23 19:29:20 avahi-daemon 71022 Joining mDNS multicast group on interface ice0.IPv4 with address 10.0.1.1.
    May 23 19:29:20 avahi-daemon 71022 New relevant interface ice0.IPv6 for mDNS.
    May 23 19:29:20 avahi-daemon 71022 Joining mDNS multicast group on interface ice0.IPv6 with address 2a02:xxx:xxxx:x:xxxx:xxxx:xxxx:ebdc.
    May 23 19:29:20 avahi-daemon 71022 New relevant interface ice0.1003.IPv4 for mDNS.
    May 23 19:29:20 avahi-daemon 71022 Joining mDNS multicast group on interface ice0.1003.IPv4 with address 172.16.1.1.
    May 23 19:29:20 avahi-daemon 71022 New relevant interface ice0.1003.IPv6 for mDNS.
    May 23 19:29:20 avahi-daemon 71022 Joining mDNS multicast group on interface ice0.1003.IPv6 with address 2a02:xxx:xxxx:x:xxxx:xxxx:xxxx:ebdc.
    May 23 19:29:20 avahi-daemon 71022 No service file found in /usr/local/etc/avahi/services.
    May 23 19:29:20 avahi-daemon 71022 avahi-daemon 0.8 starting up.
    May 23 19:29:20 avahi-daemon 71022 Successfully dropped root privileges.
    May 23 19:29:20 avahi-daemon 71022 Found user 'avahi' (UID 558) and group 'avahi' (GID 558).
    May 23 19:29:19 php-fpm 16922 /rc.start_packages: Starting service avahi
    May 23 19:29:19 avahi-daemon 35171 avahi-daemon 0.8 exiting.
    May 23 19:29:19 avahi-daemon 35171 Leaving mDNS multicast group on interface ice0.IPv4 with address 10.0.1.1.
    May 23 19:29:19 avahi-daemon 35171 Leaving mDNS multicast group on interface ice0.IPv6 with address 2a02:xxx:xxxx:x:xxxx:xxxx:xxxx:ebdc.
    May 23 19:29:19 avahi-daemon 35171 Leaving mDNS multicast group on interface ice0.1003.IPv4 with address 172.16.1.1.
    May 23 19:29:19 avahi-daemon 35171 Leaving mDNS multicast group on interface ice0.1003.IPv6 with address 2a02:xxx:xxxx:x:xxxx:xxxx:xxxx:ebdc.
    May 23 19:29:19 avahi-daemon 35171 Got SIGTERM, quitting.
    May 23 19:29:19 php-fpm 16922 /rc.start_packages: Stopping service avahi
    May 23 19:29:19 php-fpm 16922 /rc.start_packages: Restarting/Starting all packages.
    May 23 19:29:19 avahi-daemon 35171 Joining mDNS multicast group on interface ice0.IPv6 with address 2a02:xxx:xxxx:x:xxxx:xxxx:xxxx:ebdc.
    May 23 19:29:19 avahi-daemon 35171 Leaving mDNS multicast group on interface ice0.IPv6 with address fe80::1:1.
    May 23 19:29:19 avahi-daemon 35171 Joining mDNS multicast group on interface ice0.1003.IPv6 with address 2a02:xxx:xxxx:x:xxxx:xxxx:xxxx:ebdc.
    May 23 19:29:19 avahi-daemon 35171 Leaving mDNS multicast group on interface ice0.1003.IPv6 with address fe80::1:1.
    May 23 19:29:18 check_reload_status 667 Reloading filter
    May 23 19:29:18 check_reload_status 667 Reloading filter
    May 23 19:29:18 check_reload_status 667 Starting packages
    May 23 19:29:18 php-fpm 62604 /rc.newwanipv6: Netgate pfSense Plus package system has detected an IP change or dynamic WAN reconnection - -> 2a02:xxx:xxxx:x:xxxx:xxxx:xxxx:ebdc - Restarting packages.
    May 23 19:29:18 php-fpm 62604 /rc.newwanipv6: Creating rrd update script
    May 23 19:29:18 php-fpm 62604 /rc.newwanipv6: Resyncing OpenVPN instances for interface WAN.
    May 23 19:29:17 php-fpm 62604 /rc.newwanipv6: The command '/usr/sbin/arp -s '192.168.1.1' '3c:xx:xx:xx:xx:22'' returned exit code '1', the output was 'arp: set 192.168.1.1: Operation not permitted'
    May 23 19:29:15 php_pfb 5629 [pfBlockerNG] filterlog daemon started
    May 23 19:29:15 tail_pfb 5244 [pfBlockerNG] Firewall Filter Service started
    May 23 19:29:15 lighttpd_pfb 2862 [pfBlockerNG] DNSBL Webserver started
    May 23 19:29:15 php_pfb 978 [pfBlockerNG] filterlog daemon stopped
    May 23 19:29:15 tail_pfb 217 [pfBlockerNG] Firewall Filter Service stopped
    May 23 19:29:15 lighttpd_pfb 23 [pfBlockerNG] DNSBL Webserver stopped
    May 23 19:29:15 avahi-daemon 35171 Server startup complete. Host name is Router-7.local. Local service cookie is 354485446.
    May 23 19:29:15 avahi-daemon 35171 Network interface enumeration completed.
    May 23 19:29:15 avahi-daemon 35171 New relevant interface ice0.IPv4 for mDNS.
    May 23 19:29:15 avahi-daemon 35171 Joining mDNS multicast group on interface ice0.IPv4 with address 10.0.1.1.
    May 23 19:29:15 avahi-daemon 35171 New relevant interface ice0.IPv6 for mDNS.
    May 23 19:29:15 avahi-daemon 35171 Joining mDNS multicast group on interface ice0.IPv6 with address fe80::1:1.
    May 23 19:29:15 avahi-daemon 35171 New relevant interface ice0.1003.IPv4 for mDNS.
    May 23 19:29:15 avahi-daemon 35171 Joining mDNS multicast group on interface ice0.1003.IPv4 with address 172.16.1.1.
    May 23 19:29:15 avahi-daemon 35171 New relevant interface ice0.1003.IPv6 for mDNS.
    May 23 19:29:15 avahi-daemon 35171 Joining mDNS multicast group on interface ice0.1003.IPv6 with address fe80::1:1.
    May 23 19:29:15 avahi-daemon 35171 No service file found in /usr/local/etc/avahi/services.
    May 23 19:29:15 avahi-daemon 35171 avahi-daemon 0.8 starting up.
    May 23 19:29:15 avahi-daemon 35171 Successfully dropped root privileges.
    May 23 19:29:15 avahi-daemon 35171 Found user 'avahi' (UID 558) and group 'avahi' (GID 558).
    May 23 19:29:15 check_reload_status 667 Reloading filter
    May 23 19:29:14 php-fpm 79962 /rc.start_packages: Starting service avahi
    May 23 19:29:14 avahi-daemon 18747 avahi-daemon 0.8 exiting.
    May 23 19:29:14 avahi-daemon 18747 Leaving mDNS multicast group on interface ice0.IPv4 with address 10.0.1.1.
    May 23 19:29:14 avahi-daemon 18747 Leaving mDNS multicast group on interface ice0.IPv6 with address fe80::xxxx:xxxx:xxxx:ebdc.
    May 23 19:29:14 avahi-daemon 18747 IP_DROP_MEMBERSHIP failed: Can't assign requested address
    May 23 19:29:14 avahi-daemon 18747 Leaving mDNS multicast group on interface ice0.1003.IPv4 with address 172.16.1.1.
    May 23 19:29:14 avahi-daemon 18747 Leaving mDNS multicast group on interface ice0.1003.IPv6 with address fe80::1:1.
    May 23 19:29:14 avahi-daemon 18747 Got SIGTERM, quitting.
    May 23 19:29:14 php-fpm 79962 /rc.start_packages: Stopping service avahi
    May 23 19:29:14 php-fpm 79962 /rc.start_packages: Restarting/Starting all packages.
    May 23 19:29:13 check_reload_status 667 Starting packages
    May 23 19:29:13 php-fpm 46785 /interfaces.php: Creating rrd update script
    May 23 19:29:13 check_reload_status 667 Reloading filter
    May 23 19:29:12 php-fpm 46785 /interfaces.php: The command '/usr/sbin/arp -s '192.168.1.1' '3c:xx:xx:xx:xx:22'' returned exit code '1', the output was 'arp: set 192.168.1.1: Operation not permitted'
    May 23 19:29:11 php-fpm 46785 /interfaces.php: Resyncing OpenVPN instances for interface LAN.
    May 23 19:29:08 php-fpm 46785 /interfaces.php: The command '/usr/sbin/arp -s '192.168.1.1' '3c:xx:xx:xx:xx:22'' returned exit code '1', the output was 'arp: set 192.168.1.1: Operation not permitted'
    May 23 19:29:05 php-fpm 62604 /rc.newwanipv6: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1748024945] unbound[17454:0] error: bind: address already in use [1748024945] unbound[17454:0] fatal error: could not open ports'
    May 23 19:29:04 php-fpm 62604 /rc.newwanipv6: rc.newwanipv6: on (IP address: 2a02:xxx:xxxx:x:xxxx:xxxx:xxxx:ebdc) (interface: wan) (real interface: pppoe0).
    May 23 19:29:04 php-fpm 62604 /rc.newwanipv6: rc.newwanipv6: Info: starting on pppoe0.
    May 23 19:29:04 avahi-daemon 18747 Joining mDNS multicast group on interface ice0.1003.IPv6 with address fe80::1:1.
    May 23 19:29:04 avahi-daemon 18747 Leaving mDNS multicast group on interface ice0.1003.IPv6 with address 2a02:xxx:xxxx:x:xxxx:xxxx:xxxx:ebdc.
    May 23 19:29:04 check_reload_status 667 updating dyndns opt3
    May 23 19:29:03 php-fpm 46785 /interfaces.php: The command '/usr/sbin/arp -s '192.168.1.1' '3c:xx:xx:xx:xx:22'' returned exit code '1', the output was 'arp: set 192.168.1.1: Operation not permitted'
    May 23 19:29:00 check_reload_status 667 Restarting IPsec tunnels
    May 23 19:28:59 nginx 2025/05/23 19:28:59 [crit] 62339#100601: *361 SSL_write() failed (13: Permission denied) while processing HTTP/2 connection, client: 2a02:xxx:xxxx:x:xxxx:xxxx:xxxx:2b90, server: [::]:8443
    May 23 19:28:57 kernel ice0: Media change is not supported.
    May 23 19:28:57 avahi-daemon 18747 New relevant interface ice0.IPv4 for mDNS.
    May 23 19:28:57 avahi-daemon 18747 Joining mDNS multicast group on interface ice0.IPv4 with address 10.0.1.1.
    May 23 19:28:57 php-fpm 46785 /interfaces.php: The command '/sbin/ifconfig 'ice0' media '10Gbase-Twinax'' returned exit code '1', the output was 'ifconfig: SIOCSIFMEDIA (media): Operation not supported by device'
    May 23 19:28:57 avahi-daemon 18747 Joining mDNS multicast group on interface ice0.IPv6 with address fe80::xxxx:xxxx:xxxx:ebdc.
    May 23 19:28:57 avahi-daemon 18747 Leaving mDNS multicast group on interface ice0.IPv6 with address fe80::1:1.
    May 23 19:28:57 avahi-daemon 18747 Joining mDNS multicast group on interface ice0.IPv6 with address fe80::1:1.
    May 23 19:28:57 avahi-daemon 18747 Leaving mDNS multicast group on interface ice0.IPv6 with address 2a02:xxx:xxxx:x:xxxx:xxxx:xxxx:ebdc.
    May 23 19:28:57 avahi-daemon 18747 Interface ice0.IPv4 no longer relevant for mDNS.
    May 23 19:28:57 avahi-daemon 18747 Leaving mDNS multicast group on interface ice0.IPv4 with address 10.0.1.1.
    May 23 19:28:52 check_reload_status 667 Syncing firewall
    May 23 19:28:52 php-fpm 79962 /interfaces.php: Configuration Change: admin@2a02:xxx:xxxx:x:xxxx:xxxx:xxxx:2b90(Local Database): Interfaces settings changed
    May 23 19:28:06 php-fpm 16922 /interfaces_assign.php: Creating rrd update script
    May 23 19:28:06 check_reload_status 667 Syncing firewall
    May 23 19:28:06 php-fpm 16922 /interfaces_assign.php: Configuration Change: admin@2a02:xxx:xxxx:x:xxxx:xxxx:xxxx:2b90(Local Database): Interfaces assignment settings changed

    Nothing of note to my eyes on the old firmware and the brief upset was noted by the switch. No 'hotplug' events during the interface re-save / change either.

    I'll switch to the 25.03 beta later this evening and re-run this test point.

    ☕️

  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    426 Topics
    3k Posts

    @Uglybrian The /29 was to try and get the range of IP's for both of the systems and their docks (2 Docks hardwired, and then the WiFi of each unit).

    I think I actually managed to track this down to an issue with the WireGuard instance I had running for my phone to VPN back with, as once I disabled that my connections were fixed, getting NAT B and was able to play online for quite awhile without incident.

  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    2k Topics
    12k Posts

    A couple of weeks ago I encountered a situation for which I did want to compare an older pfSense config with my actual setup.

    The only option for that turned out to:

    run a pfSense instance in a VM and modify the original config in such a way that:
    a) one of the interfaces is a full NIC (without vlan's) to be used as management port
    b) assign all other vlan's including the WAN to a second NIC
    After doing so I could start a (TrueNAS based) VM only having two virtIO interfaces. One as management interface and one as trunk for all other pfSense vlan's

    At the same time I felt the need to have a backup for my physical pfSense system. And when having the VM I felt it could serve both purposes.

    In the picture my actual setup.

    bd68062b-fe23-4854-9c1e-d9d2021217c3-image.png

    At this moment I have this setup running as ^pfSense-config viewer^, but not yet as real pfSense system.

    I hope I did help others with this Idea, but I also have questions.

    As said at this moment I have only used this setup as ^pfSense-config viewer^ so I wonder:

    if my idea to assign a complete physical TrueNas NIC as virtIO-1 works / if that interface is going to transport the set of vlan's the pfSense VM is trying to forward to the 10G switch above (I did not do any test in that regard yet)
    of course I can not expect the VM to be as powerful as my normal physical pfSense system, however would a setup as this allow a throughput of a couple of Gbit !??
    Of course I am interested to hear the experience of others having more or less the same setup

    PS. the NAS is relatively powerful. The VM has a NVME-SSD, a couple of virtual CPU's and GB of RAM assigned. However .. I had to do that to make the VM reasonably responsive.

  • Discussions about pfSense hardware support

    8k Topics
    69k Posts
    w0w

    6cfae39a-0cb1-4a60-83ed-a3fa9a33bc67-{E2DA8678-EDF7-4E1A-A637-D8AC18F33CB7}.png

  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    457 Topics
    6k Posts

    @winkmichael Thanks so much. I'll look into it some more, but you were a great help. What I meant by a 0 point release is that it is basically an alpha or beta version until it reaches version 1.x. This to me has historically been an indication that it shouldn't be deployed in mission critical spaces or commercial spaces, but good to hear it is very active and very reliable. Thanks again.

  • 10k Topics
    63k Posts
    bmeeks

    @Pizzamaka said in unbound stops and won't start again + high cpu:

    What still puzzles me is why starting unbound through UI does not work whereas running pfblocker update does start unbound.

    Not 100% sure, but it could be that when killed unbound leaves behind its PID file in /var/run/. A shell script could potentially just unilaterally delete any existing unbound PID file before attempting to restart it. That's just a guess on my part, though, as I have not looked at the code in the pfBlockerNG scripts.

    When you attempt to restart the DNS Resolver from the GUI, do you see anything in the pfSense system log at that time mentioning a PID file for unbound? If you do, that would validate my guess.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.