pfSense® Software

Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

Subcategories

Messages from the pfSense Team

Announcements and information about pfSense software posted by the project team

208
Topics

2.3k
Posts

S

That is fixed in the internal beta version. It will be fixed in the public RC.
General pfSense Questions

Discussions about pfSense software that do not fit into one of the more specific categories below.

26.4k
Topics

185.6k
Posts

S

Hmm, I wonder if you have some service defined in the config that isn't actually installed any longer.

What do you see in Status > Services? Anything showing an error there?
Multi-Instance Management

Discussions about Multi-Instance Management.

7
Topics

84
Posts

S

There isn't any specific handling in MIM for HA setups yet. It's something we expect to have though. It's exactly the sort of thing I'd want to see there.
Problems Installing or Upgrading pfSense Software

Discussions about installing or upgrading pfSense software

9.4k
Topics

60.6k
Posts

S

@PlasticTarot What do the logs say after the restore/reboot? It should install the packages. DNS working on pfSense itself?

I found the update check can take a while, try your attempt again in 5-15 minutes. I recently upgraded several from 24.03 to 24.11 and had to wait on all of them to start it. Didn’t seem to be an issue yesterday coming from 23.09…
Firewalling

Discussions about firewalling functionality in pfSense software

9.6k
Topics

58.0k
Posts

S

@scharbag See if you have deduplication checked and if so uncheck it. It dedupes across lists so might yield unexpected results.

IIRC the Top Spammer list, despite the name, is just entire countries. “Rep” I think is things like military bases and embassies so it might actually be in Canada.
NAT

Discussions about Network Address Translation (NAT)

5.5k
Topics

30.9k
Posts

K

Hi Currently was wondering if someone could share some light on the issue im having,

Currently installing Mirotalk selfhosted, When i NAT the ports i can access it out side of the network but internally cant access it,

Currently i was reading https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html
but not sure if this applies to this?

As currently the NAT public IP is 181.xx.xx.xx.287

and my public IP which im running 181.xx.xx.xx.238

I cant do the Split DNS because mirotalk has to use the external IP and not the internally ip

I was checking the states and found the packets being dropped
LAN tcp 192.168.1.143:64412 -> 192.168.3.52:80 (181.xxxx.237:80) CLOSED:SYN_SENT 5 / 0 260 B / 0 B WAN2 tcp 181.xxx.xxx:40251 (192.168.1.143:64412) -> 192.168.3.52:80 SYN_SENT:CLOSED 5 / 0 260 B / 0 B LAN tcp 192.168.1.143:64414 -> 192.168.3.52:80 (181.xxxx.237:80) CLOSED:SYN_SENT 5 / 0 260 B / 0 B WAN2 tcp 181.xxx.238:36171 (192.168.1.143:64414) -> 192.168.3.52:80 SYN_SENT:CLOSED 5 / 0 260 B / 0 B LAN tcp 192.168.1.143:64415 -> 192.168.3.52:80 (181.xxxx.237:80) CLOSED:SYN_SENT
already tried Enable NAT Reflection for 1:1 NAT and Enable automatic outbound NAT for Reflection.
also On NAT rules, set NAT reflection to Enabled (Pure NAT).
HA/CARP/VIPs

Discussions about High Availability, CARP, and utilizing additional IP addresses

2.6k
Topics

11.7k
Posts

T

@SteveITS It is sync most of it. I was asking as I'd never "added" on to an existing, just done completely new installs where it was all setup before anything was configured.

Thanks for the reply!

TSoF
L2/Switching/VLANs

Discussions about Layer 2 Networking, including switching and VLANs

1.2k
Topics

9.9k
Posts

X

Today I started testing a pfSense firewall that a friend gave me (https://www.amazon.es/Firewall-Appliance-Mikrotik-OPNsense-HUNSN/dp/B0B4NXZZ6N).

Before installing it, I messed around locally with the office switch connected to the LAN. I made a LAN Bridge to check the scenario of having to use the FW as a switch due to lack of ports.

After having configured it (I attach screenshots), when I connect a PC directly to the LAN ports (eth1 to eth5) the device does not negotiate at 1Gbps but at 100Mbps.

Captura de pantalla de 2025-02-23 00-03-11.png

Captura de pantalla de 2025-02-23 00-03-22.png

Is this normal?
Routing and Multi WAN

Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

8.5k
Topics

40.9k
Posts

I

Policy routing started behaving after I changed my WAN ipv6 configuration from "none" to "6to4 tunnel".
I have strange feeling that redirected hist will be able to escape redirection if remote hist is resolving to ipv6 address though.
Traffic Shaping

Discussions about traffic shaping and limiters

3.0k
Topics

15.8k
Posts

K

I have a cable connection with Vodafone in Germany with a 1 Gbit/s download and 50 Mbit/s upload volume.
My cable router is switched to bridge mode and a pfsense is connected behind it.
I receive a WAN IPv4 and a WAN IPv6 address from the provider in dual-stack mode

With the standard settings of the FQ_CoDel Sceduler :

ECN: checked
Firewall > Traffic Shaper > Limiters:
* WANDownIPv4/WANDownIPv4Q
* bandwidth: 600Mbps
* Queue mgmt algo: Tail Drop
* Scheduler: FQ_CODEL (5/100/1514/10240/4096)
* Queue length: 3000
* ECN: unchecked
Especially with the target parameter 5 ms and the interval value of 100 ms, I always have the problem that the latency in the download only improves when I limit the download bandwidth from 1 Gbit/s to around 600 Mbit/s

I have found a document at Cablelabs in relation to Docsis and AQM, under the website: https://www-res.cablelabs.com/wp-content/uploads/2019/02/28094021/DOCSIS-AQM_May2014.pdf

In chapter 4.2 the author has made tests with modified target and interval parameters, which are more suitable for use in cable environments. In his tests, he increased the Targer value from 5 ms to 20 ms and increased the Interval value from 100 ms to 150 ms.

I did the same and was very positively surprised by the result.

here my changes:
Firewall > Traffic Shaper > Limiters:
* WANDownIPv4/WANDownIPv4Q
* bandwidth: 600Mbps
* Queue mgmt algo: Tail Drop
* Scheduler: FQ_CODEL (20/150/1514/10240/4096)
* Queue length: 3000
* ECN: unchecked
The result was so amazingly good that I upgraded my download limiter to 900 mbit/s and still achieved excellent results:

Bufferbloat_01.jpg

I have been testing for days and have further adjusted the target and the interval.

As we use both Docsis 3.0 and Docsis3.1 in Hibrid mode in Germany, I have set the target value to 10 ms for Docsis 3.0, as described in this document in section 3.2: https://www-res.cablelabs.com/wp-content/uploads/2019/02/28094118/Active_Queue_Management_Algorithms_DOCSIS_3_0.pdf

This is my final configuration at the moment:
Firewall > Traffic Shaper > Limiters:
* WANDownIPv4/WANDownIPv4Q
* bandwidth: 960Mbps
* Queue mgmt algo: Tail Drop
* Scheduler: FQ_CODEL (10/150/1514/10240/4096)
* Queue length: 4000
* ECN: unchecked
The results speak for themselves:

00b54e6b-9b31-461c-84d3-f1ce63a5b512-image.png

Here are a few more results:
https://www.waveform.com/tools/bufferbloat?test-id=69bb2004-77cc-4d1d-867f-a17de3ac2a1d
https://www.waveform.com/tools/bufferbloat?test-id=4f70df70-2058-49b6-b900-b346d5e6ce3f
https://www.waveform.com/tools/bufferbloat?test-id=041d3bc3-64da-4145-920a-9b3cf51d5deb
https://www.waveform.com/tools/bufferbloat?test-id=56b7bfad-aa20-435d-9981-505cf77d747d

The amazing thing is that with FQ_Codel I always had problems with the download latency never going down, so I even thought that the FQ_Codel implementation was buggy. Since a few days I know that I have to adjust the parameters target and interval for a cable internet connection. The default values for target 5 ms and interval 100 ms, as you can read everywhere on the Internet, are not optimal for cable connections based on my findings.
It would be nice if other users could also test these values.

Best regards kaj
DHCP and DNS

Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

6.5k
Topics

41.7k
Posts

G

@jaysee3 said in Adding Custom Configuration in Kea DHCP Server with pfSense+ 25.03:

I have just updated to the latest beta of pfSense+ 25.03

This :

488ad109-9acc-4caa-ba47-08b1035d3be9-image.png

tells me your 25.03 dates from early February, so the functionality isn't in our Beta, but in the new beta, not yet available.

As referenced in this thread (see above), go see here : https://forum.netgate.com/topic/190373/feature-15321-shows-how-to-use-option-114-in-kea/8?_=1740912940403, install the patch mentioned here : Redmine #15321.
This one :

fab22fdf-e00f-4256-9aac-9fa4b8ab2504-image.png

and the you'll see this :

f3bb939a-d205-4f5a-acfa-e1fc8a491df0-image.png

at the bottom of : Services > DHCP Server >Settings.

Or wait a while for a new, more recent beta to become available.
IPv6

Discussions about IPv6 connectivity and services

2.0k
Topics

19.2k
Posts

C

@JKnott

Last week I discussed with the ISP about splitting the prefix on their side, but as you predicted, the ISP won't do that.
So the conclusion is: multiple independent routers cannot be used with IPv6 unless NAT is used.

I'd suggest you put another pfSense between the ISP's gateway and your other pfSense boxes.

I will do that in the future. For now, I need to keep the current setup where the (parallel) routers are independent. Since I'm using a dual WAN for IPv4, I'll also have to ask the second ISP for an IPv6 setup on their side, but I assume they'll do a similar setup as the first ISP (and face the same problem).

Due to the dual wan requirement, it seems that the best strategy is to use ULA on the LAN side and perform outbound NAT. I have set this up in my LAB router and it seems to work as expected.
2025-02-27 08.09.15 193.165.139.206 cd334c9168f9.jpg

I also tried define a virtual IP (GUA block) on the WAN (use Proxy ARP) and set NPt to translate the ULA to the related GUA block, but it doesn't seem to work that way. Maybe because the Proxy ARP only applies to IPv4 ?
IPsec

Discussions about IPsec VPNs

5.7k
Topics

23.4k
Posts

K

@plep Yeah, it can be a bit confusing. PfSense by default attempts to “combine” the subnets in P2s into one. That causes issues just like described where your other P2’s are “extended” from only the remote subnet to 0.0.0.0/0. To avoid this you need to tick the “Split Connections” box on your P1 for the tunnel then it will create several independant P2’s like the other end.
OpenVPN

Discussions about OpenVPN

9.8k
Topics

52.9k
Posts

J

@Gertjan said in Any recent changes? Getting hard reset.:

Your "/sbin/ifconfig ovpns1 172.16.255.1/24 mtu 1500 up" seems to fail.

can't tell you why .....
No issues with my :

I couldn't seen any reason either, so I rebooted pfSense and that seemed to clear it.
Captive Portal

Discussions about Captive Portal, vouchers, and related topics

3.5k
Topics

18.7k
Posts

G

@EDaleH

Installed "25.03-BETA (amd64)" ( 25.03.b.20250204.0023 ) - Updated the latest 'kea options' patch as mentioned in this thread : all is ok.
webGUI

Anything that does not fit in other categories related to the webGUI

2.1k
Topics

9.9k
Posts

G

@sammiorelli

What is your pfSEnse version ?
I didn't see any errors.
[24.11-RELEASE][root@pfSense.bhf.tld]/root: grep ^date -v-1d +"%D" /var/log/snort/snort_igb0*/alert | awk -F, '{a[$5]++;} END {for(i in a) print a[i]" "i}' | sed 's/"//g' | sort -r ; echo grep: No match.
Just : No match.

edit : I get it : you entered that command here :

ea836970-e55f-4f19-8675-1cd4eab6cca9-image.png

My advise : don't use the GUI for the more 'complex' commands.
Ok for a
ls -al /
and that's it.
Use the command line, console or better : SSH access.
Wireless

Discussions about wireless networks, interfaces, and clients

1.7k
Topics

11.2k
Posts

Z

@stephenw10 I was only testing with the mobile AP of my smartphone because this was planned to be the only use case. I have an identical second tiny pc which I plan to use for HA. Maybe I'll give the wifi setup a new try on this one before building up the cluster.

As I'm running pfsense in a vm on proxmox (I was passing through the wifi nic) I still could setup a small linux vm for the wifi stuff and do the failover via a virtual network. But as it is only a nice to have feature, there's no need for this to really function. It's more of a fun project trying to get the wifi failover working and getting deeper into freebsd/pfsense ;)
SNMP

Discussions about monitoring via SNMP

196
Topics

597
Posts

K

@cameloid Here’s the original post I made when I discovered the bug:

https://forum.netgate.com/topic/188050/24-03-causes-sustained-rise-in-processes-count-and-memory-usage
Documentation

Discussions about pfSense documentation, including the book

183
Topics

1.3k
Posts

J

For others with issues, it appears that Godaddy has cut off DNS API access for those with less than 10 domain names. You may want to consider migrating to Cloudfare or another provider.
Development

Topics related to developing pfSense: coding styles, skills, questions etc.

Plus 25.03 Develoment Snapshots CE 2.8.0 Development Snapshots

1.2k
Topics

6.1k
Posts

W

@SteveITS said in Rules order randomly changes:

And this was on 25.03?

Yep.
Gaming

Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

424
Topics

2.8k
Posts

G

@skogs

Add to what is said above, be aware of P2P filtering "for your own good" ?
P2P software is everywhere, even Windows update (Microsoft) uses it.

From what I recall, big games have a lot to update. if this is the case, test : shut down this process, only update while not are using the star citizen app.
edit :
What happens when you start up the game, and moments before, a new map or whatever was updated. Nothing special, but a 1 Gbytes files has to be updated before you can start the game. The official game update server can't just spew out this info to the thousands of clients it has. So they build in a P2P concept : you can take a part from them, but also from others. And you can give what you have to others (the basis of P2P is very social, in theory, everybody wins). And that where a potential issue can be found : what if your UP stream gets loaded, and the UP is way smaller as the DOWN ? If the UP is full, packets negotiation comes to a halt, especially if TCP is used. So, fill up your UP, and your way bigger DOWN becomes pretty useless, even when it is not full at all.
To help you with this check if your game has settings where your can adapt what you share (the speed, bandwidth).
end edit.

Also : check the software the came with your NIC : my Dell XPS came with some super nice GUI interface to "optimize" my network card (wired). A day or so later I totally removed it from my new PC, and lived happily afterwards.

Next suspect : Wifi : this one shows the most perfect bit rate will it's doing 'nothing' for you. Start put a load on it, and suddenly you've not much left (although this would not influence other non wifi uses on your network. If your fellow network user are on the same on the same AP : have a chat with your AP, or do what gamers do : use wires and be done with it.

Lat but not least : Our ISP love to sell us Megas if not Gigas. You knew it, they lied. The theoretical bandwidth is available if the moon, jupiter and earth are aligned. The sun doesn't need to be aligned, but solar flares will break the deal also.
edit : If you use Starlink or comparable, this isn't a joke anymore, its serious.
For small loads, your ISP will somewhat deliver. But big loads, they will apply their secret bandwidth limiter rule, this rule, they will never admit that they use it, of course. But they have to, as if not, to many clients would find out that they actually oversold the bandwidth. After all, if you were an ISP, and you own a 10 Gbit/sec POP to some big data center that gives you an Internet access, would you sell 10 x 1 Gbit or sell 30 x 1 Gbit with a small print somewhere that says "best effort" ? 😊

These examples are just the "seen that, been there before" situations. Some might apply to you, some don't.

Your router, pfSense, is just a device with "2 NICs" using, most probably, 1 Gbit/sec on both sides in both directions. It's the only thing it has to do : throwing packets between these two NICs at max speed. Most often, it can do this faster as the NICs can handle it, so 1 Gbit/sec both directions on every NIC it will be.
pfSense doesn't care what ports IP's protocols you throw at it. It just copy the bits from one NIC to the other.
The admin can do "things" with with pfSense that will impact this behavior, but by default, it doesn't. Only the admin can tell you more.

@berlandtm said in Internet Download/Upload speeds drop significantly when launching Star Citizen:

case as I do not have any additional packages installed to monitor for this

Status > Traffic Graph
or look at the real number, go console (or better, SSH), and use menu option 9 : pfTop
Virtualization

Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

1.9k
Topics

11.7k
Posts

B

@stephenw10

Monitor top -aSHm cpu via SSH, and you'll see [kernel{hveventN}] consuming all your CPU until pfSense crashes or freezes. While it's difficult to reproduce, certain factors increase its occurrence, such as using large filter lists, extensive MAC filters for CP, bogonv6, scheduled rule times (cron 00/15/30/45), and actions triggering filter reloads.

This issue also occurs on bare metal, but it's so rare that most users don’t notice it; I experienced it twice since January. However, after transitioning from bare metal to Hyper-V two weeks ago, it now happens 2-3 times a week.

I suspect that under specific conditions, the filter reload causes a process to lose its thread connections, resulting in an event storm.

No such problems with version 2.6.0 on the same HW or Hypervisor.

I'm sure dtrace or maybe procstat can shed some light here but that's beyond my capabilities.
Hardware

Discussions about pfSense hardware support

7.5k
Topics

68.6k
Posts

R

@stephenw10 Hmm i'm pretty sure it was the serial image. To be sure, i'm going to rufus the thumbdrive again and make certain its the serial image. Then i'll boot the laptop again with the setup and install to the mSATA. Going to take screenshots of securecrt when the m270 boots this time too.
Bounties

Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

Completed Bounties Expired/Withdrawn Bounties

456
Topics

6.4k
Posts

D

@HLPPC said in FQ_Codel IEEE pulse match rules/code/(applet?)/ $500:

Detection has to detect devices passing through managed switches to negotiate with the pSense, or correctly detect pulses while passing through pfSense in a bridge configuration to negotiate with a different device/router...

Since auto-negotiation is not visible outside the two ends of the physical link, how would you expect this to work?
Retired

Categories that are no longer active, but are present for reference

Plus 24.11 Development Snapshots (Retired) Plus 24.03 Development Snapshots (Retired) Plus 23.09 Development Snapshots (Retired) Plus 23.05 Development Snapshots (Retired) Plus 23.01 Development Snapshots (Retired) Plus 22.05 Development Snapshots (Retired) Plus 22.01 Development Snapshots (Retired) 21.02.2/2.5.1 Snapshots (Retired) CE 2.7.0 Development Snapshots (Retired) CE 2.6.0 Development Snapshots (Retired)

9.6k
Topics

62.9k
Posts

B

@Pizzamaka said in unbound stops and won't start again + high cpu:

What still puzzles me is why starting unbound through UI does not work whereas running pfblocker update does start unbound.

Not 100% sure, but it could be that when killed unbound leaves behind its PID file in /var/run/. A shell script could potentially just unilaterally delete any existing unbound PID file before attempting to restart it. That's just a guess on my part, though, as I have not looked at the code in the pfBlockerNG scripts.

When you attempt to restart the DNS Resolver from the GUI, do you see anything in the pfSense system log at that time mentioning a PID file for unbound? If you do, that would validate my guess.

1 / 1