pfSense® Software

Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you may not be able to execute some actions.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

Subcategories

Messages from the pfSense Team

Announcements and information about pfSense software posted by the project team

143
Topics

1067
Posts

C

ran a online update and all seems good. I came from 2.4.2 Nice to dhcp6 status screen fixed Nice to see I no longer need my custom patch for ntp status screen as base pfsense now allows it to wotih global noquery set. Nice to see my patch no longer needed for queue status screen refresh as base pfsense implemented custom refresh interval. Cpu utilisation is notably down I assume from the faster php 7.2. Also nice that unbound got updated, I was going to put a request in for it but was done anyway.
General pfSense Questions

Discussions about pfSense software that do not fit into one of the more specific categories below.

16613
Topics

90131
Posts

A

@jimp Is there a command that does use pfSense's specific shutdown procedure?
Installation and Upgrades

Discussions about installing or upgrading pfSense software

7496
Topics

45980
Posts

Not a typo, it's just what it sees in its repo at the time, but once the upgrade starts it picks up the most recent version. It only needs to see something more recent than what it has to trigger the upgrade message/process.
Firewalling

Discussions about firewalling functionality in pfSense software

6686
Topics

37225
Posts

T

My original pfSense box crapped out so I was using a store bought router until my new unit was delivered. It was delivered a couple days ago and I Installed the newest version of pfSense and then loaded in my config. While I was using the store bought router I had created a VM in FreeNAS running ubuntu. I had loaded Ombi and it was running fine. Now this is the one thing that wasn't present and wasn't part of the previous configuration and something doesn't seem to be working and I'm not sure whats going on. I can access the VM via VNC, i can also access ombi using the IP and port, so it seems that local network access seems ok. when I VNC into the VM an try to access the web is where the issue is, it doesn't seem to have access to the web. Every other thing thats running on the FreeNAS machine is working without any issue. I did not restart the FreeNAS machine when I swapped out the old router for the new pfSense router, I can not restart the machine currently because it is performing testing on a new 10TB disk and I'm waiting for the testing to complete before trying to restart the machine. I am some what of a novice with pfSense, always trying to learn new things. Here's a shot on my LAN rules And here's My WAN rules
NAT

Discussions about Network Address Translation (NAT)

4106
Topics

21912
Posts

R

@johnpoz said in NAT not opening on custom Ports: My bad wrong thread - how and the hell did that happen.. sok bud. So going back to the original message... thoughts?
HA/CARP/VIPs

Discussions about High Availability, CARP, and utilizing additional IP addresses

1785
Topics

7936
Posts

B

I think I may have found the issue. Both device their selves were in the NAT range tied to the single VIP. I believe the secondary box was communicating out, but any reply went back to the primary box. I found a NAT setting to map "This Firewall" to it's WAN interface address and not the VIP. That seems to have worked on both devices. I did have our upstream provider NAT all to the same public IP: VIP x.x.x.1 Device 1 x.x.x.2 Device 2 x.x.x.3 Thank you all for the help!
L2/Switching/VLANs

Discussions about Layer 2 Networking, including switching and VLANs

80
Topics

620
Posts

P

@jknott Figured out the VLAN stuff, all set. Thanks for responding.
Routing and Multi WAN

Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

6208
Topics

28894
Posts

A

I can ping 192.168.2.114 and firewall is disabled on linux host. In addition to this, I have an access point on WIFI network on 172.16.10.2 ip. With the windows pc 192.168.1.110 I cannot connect to 172.16.10.2:80 on the tp-link admin panel, I can connect to this only with devices connected to WIFI on the same subnet (for example a mobile phone with ip 172.16.10.110) The strange thing is I can connect to ssh server... It was better I couldnt at all....
Traffic Shaping

Discussions about traffic shaping and limiters

2503
Topics

13569
Posts

@chrcoluk I am not able to recreate your findings based on the information you gave. I tested using two Flent clients running overlapping RRUL tests while I used a separate client to initiate an SSH session to a separate destination and held down a key and watched for any sticking or jumping of the cursor. I did not experience any sticking or jumping. The RRUL tests ran for 130 seconds each, overlapping, and easily saturated the limiters during the test. I set the limiters to more closely match what you had set for bandwidth. A couple of things i noticed about your config. You are using intervals, quantums, and limits that are not the default. If you set these to the defaults for each pipe does that change the behavior of SSH session while the limiters are under load? If you half your IN and OUT limiter bandwidth values, using the default FQ-CoDel scheduler values, does this change the behavior of the SSH session while the limiters are under load? Here is what my pipes, schedulers, and queues look like. I'm using the configuration I posted here https://forum.netgate.com/post/807490: Limiters: 00001: 18.000 Mbit/s 0 ms burst 0 q131073 50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail sched 65537 type FIFO flags 0x0 0 buckets 0 active 00002: 69.000 Mbit/s 0 ms burst 0 q131074 50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail sched 65538 type FIFO flags 0x0 0 buckets 0 active Schedulers: 00001: 18.000 Mbit/s 0 ms burst 0 q65537 50 sl. 0 flows (1 buckets) sched 1 weight 0 lmax 0 pri 0 droptail sched 1 type FQ_CODEL flags 0x0 0 buckets 0 active FQ_CODEL target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 NoECN Children flowsets: 1 00002: 69.000 Mbit/s 0 ms burst 0 q65538 50 sl. 0 flows (1 buckets) sched 2 weight 0 lmax 0 pri 0 droptail sched 2 type FQ_CODEL flags 0x0 0 buckets 0 active FQ_CODEL target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 NoECN Children flowsets: 2 Queues: q00001 50 sl. 0 flows (1 buckets) sched 1 weight 0 lmax 0 pri 0 droptail q00002 50 sl. 0 flows (1 buckets) sched 2 weight 0 lmax 0 pri 0 droptail
DHCP and DNS

Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

3751
Topics

21220
Posts

C

Perfect. Thanks for that. I guess I could just create an alias to those 3 and then insert that into the redirect the following instead of selecting 127.0.0.1 which would send all my lan traffic. Or create a VLAN for these 3 devices and apply rule to that
IPv6

Discussions about IPv6 connectivity and services

1222
Topics

10025
Posts

@edooze said in A looped back NS message is detected during DAD: It is to do with pfSense, because the error is in pfSense. If the resolution is not, so be it, but that's what we're here to find out. I suggest you read up on how IPv6 duplicate address detection works. With it, a device is supposed to send out a NS to see if any other device is using the address it wants to use. If that address is in use, the device will then have an error condition to deal with. It has nothing to do with pfSense.
IPsec

Discussions about IPsec VPNs

4014
Topics

16122
Posts

S

Hey Everyone, Running pfsense 2.4.4 on both sides and was having a slow vpn issue in one direction. (Sending traffic from my older firewall to my newer firewall) I'm ready to buy some new hardware to replace this Celeron G1101 because it doesn't support aes-ni but I had one concern. Cpu is sitting at 90% idle in top, I'm assuming I should be seeing more load than that if I'm cpu bound? I'm using aes128 for vpn. iperf -c internal.ip.over.vpn Client connecting to internal.ip.over.vpn, TCP port 5001 TCP window size: 85.0 KByte (default) [ 3] local 10.10.1.100 port 46840 connected with internal.ip.over.vpn port 5001 [ ID] Interval Transfer Bandwidth [ 3] 0.0-10.1 sec 9.88 MBytes 8.23 Mbits/sec iperf -c external.ip.over.nat Client connecting to external.ip.over.nat, TCP port 5001 TCP window size: 85.0 KByte (default) [ 3] local 10.10.1.100 port 54158 connected with external.ip.over.nat port 5001 [ ID] Interval Transfer Bandwidth [ 3] 0.0-10.1 sec 64.9 MBytes 54.1 Mbits/sec Best, Steven
OpenVPN

Discussions about OpenVPN

5959
Topics

31035
Posts

B

@chpalmer Yes, the modem management is accessible via VPN.
Captive Portal

Discussions about Captive Portal, vouchers, and related topics

2845
Topics

13918
Posts

S

The failure happened today and actually every single day in the past. Whats your idea?
webGUI

Anything that does not fit in other categories related to the webGUI

1488
Topics

7003
Posts

J

I'm on Suricata 4.0.13_11 with 2.4.4 and the same issue exists. Is there something specific about the Alias's name in order to be able to select the list? Tried creating two Aliases - one of IP and one of Networks - neither is available within the drop down list selection for Suricata. The problem is the value for $HOME_NET due down downstream networks (same as original poster). Thanks!
Wireless

Discussions about wireless networks, interfaces, and clients

1482
Topics

8662
Posts

Damn, now it's work! So well, just in short, I write two thing about. Thankfully your nice layout diagram I understand more better your scenario. First thing I notice is about firewall rules on WIFI, but and LAN as well, something is wrong. Step one , if you dont'use IPV6 you may will to blocking/disabling this protocol trought System / Advanced / Networking Or if you will use IPV6 protocol, please take apart for now and disabing the rules related. Or atleast do the same logic trought interfaces, (ex. if in your lan here ipv4 and ipv6 is detached , why you make ipv4+ipv6 in one at WIFI? this is not consistent according to me) Step two , You know after restoring pfSense default's rule "Allow LAN to any" under LAN tab, well you need to respect same logic as LAN to WIFI and set it according, you need to changhe LAn net to WIFI net for this job, and delete your top rule at WIFI "any to any" because this overlaps the right rule below. (right rule if you change it as described above) for example look my rule below: Well after this, now hottest topic, your configuration needs ovpn review according to me. For avoid some kind of your last problem i advice you to forget bridging at all and set interfaces properly with respective subnet address , dhcp server pool and add "other" routing path under ovpn tunnel configuration, this last done by editing your current tunnel or add new one. After this I'm absolutley sure you can go trought on internet- At this stage maybe you miss routing instruction, and bridges will fail under some kind of special scenario like yours. Because is better live within standard configuration if knowdledge isn't enough. Unfortunatley I "hate" ovpn's at all :D hehe it's more complex and full of mistery for me, and my defaults in mind is ipsec based protocol, allow me all kind of routing I need between interfaces / wan / interfaces and work easy with easy setup, so if you can do, better forgive ovpn and setup ipsec. If you love ovpn's stuffs so go to learn more about and find your way.
SNMP

Discussions about monitoring via SNMP

145
Topics

444
Posts

B

That's great. Thanks for all your (speedy) help!
Documentation

Discussions about pfSense documentation, including the book

135
Topics

1052
Posts

A

@roberz For android phones (depending on with android version) auto config has issues so you have to manually enter in the proxy settings. If things like Skype and Facebook Messenger are being blocked make sure you also have set up transparent proxy with splice all for SSL Man In the Middle Filtering. The idea is First use the WPAD to connect to the proxy (if the device has auto config issues you have to manually add it). If a program does not have proxy settings the transparent proxy and SSL Man In the Middle should catch the rest. The reason why to first use the WPAD is that some programs/software (like windows updates) have connection issues with transparent proxy and SSL Man In the Middle, splice all. So first use the WPAD as a shortcut so you do not have to configure all devices on your network to use your proxy. Then for devices that have auto conf issues manually config them. Finally have the transparent proxy and SSL Man In the Middle splice all to catch any traffic that cannot use the proxy . Hope this was helpful
Development

Topics related to developing pfSense: coding styles, skills, questions etc.

2.4 Development Snapshots

1415
Topics

8682
Posts

Nope, that's up to FreeBSD. It looks pretty far down their Python todo list, though.
Gaming

Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

309
Topics

1899
Posts

G

I have a very unique issue, hopefully someone can chime in. As we all know you need a static port set for consoles to get an open nat type. However, when I do this for 2 or more ps4's they will not play black ops 4 at the same time. I have to disable one static port (giving me a strict nat) for the other console to connect to call of duty servers simultaneously. When I use a cheap home router, they work just fine together. I have been at this for days and any light would be much appreciated. Maybe even a pfsense alternative that does better with gaming as a last resort? I noticed black ops 4 will only go for port 3074 so maybe this has something to do with it? Older cod games would go after 3075 if the first port was full. But as I said, it works fine on the consumer router. One just ends up with a moderate nat which I am okay with.
Virtualization

Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

1335
Topics

8082
Posts

N

@unsunghero The sort answer is unfortunately, NO. pf is an enterprise grade firewall solution. It is never meant to be a plug and play box. It can do many complicated things, but then its like driving a racing car. You have more things to do apart from the steering wheel and the gas pedal. Here is a great reference for all things pfsense https://www.netgate.com/docs/pfsense/book/ It will answer all your questions, but then you need to invest some time and effort.
Hardware

Discussions about pfSense hardware support

Vendors

6148
Topics

52780
Posts

L

FYI we just asked today to our SFR commercial if she could help us with this issue, she looked for an option on our contract / data plan and she activated the sl2sfr APN. We now can successfully use it (Data only sim card). We'll just keep an eye on the invoice...
Bounties

Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

Completed Bounties
Expired/Withdrawn Bounties

434
Topics

5799
Posts

S

Aha! I am not the only one. Have had ATT gigabit fiber service at my house for the last two years and been running PfSense for 5. Since the latest update to PfSense I have also has slow throughput around 50 down/120 up. My modem was always on bridge mode DMZ before with Around 940 up and down. I noticed if I take the ATT modem out of bridge/DMZ mode I get around 250 down / 300 up but still nowhere near where I was at before. No idea what is going on. When I have time I plan to bypass the modem.
Retired

Categories that are no longer active, but are present for reference

2.3.3 Development Snapshots
2.3.2 Development Snapshots
2.3.1 Snapshots Testing and Feedback - ARCHIVED
2.3-RC Snapshot Feedback and Issues - ARCHIVED
2.2.5 Snapshot Feedback and Issues
2.2.3 Snapshots Problems and Feedback - ARCHIVED
2.2 Snapshot Feedback and Problems - RETIRED
2.1.1 Snapshot Feedback and Problems - RETIRED
2.1 Snapshot Feedback and Problems - RETIRED
2.0-RC Snapshot Feedback and Problems - RETIRED
1.2.3-PRERELEASE-TESTING snapshots - RETIRED
1.2.1-RC Snapshot Feedback and Problems-RETIRED

8027
Topics

50085
Posts

C

@RonpfS: https://forum.pfsense.org/index.php?topic=126523.msg699285#msg699285 Thank you very much :)

pfSense® Software

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

1 / 1