Subcategories

  • Announcements and information about pfSense software posted by the project team

    220 Topics
    3k Posts
    Machine22
    Hey Mates, Just completed an upgrade to 2.8.1 from 2.8.0, all is working fine, no crashes despite ignoring the instructions to first remove all packages before doing the upgrade. I went with my way, and all is perfect. If you haven't, please do the necessary. Africa is up-to-date.
  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    27k Topics
    191k Posts
    M
    Today I upgraded my 4300 from 24.07 to 25.11 via the web interface. Upgrade went well. I rebooted before starting, then removed all the packages, upgraded, deleted the Nexus package (which I don't think I need since I'm not doing multi-instance management) and installed the new versions of the rest of the packages. I tested multi-WAN failover/fail-back, VLANs, etc. and all those aspects seem to work normally. I have Starlink and T-Mobile Home Internet as my primary and backup services, respectively. I don't have VPNs. Packages are apcupsd, cron, mailreport, pfBlocker_NG, Status_traffic_totals, System_patches. The only problem I can see is it appears all my history for Status_traffic_totals is gone. I thought all packages left their data intact upon removal/reinstallation unless explicitly directed otherwise. What happened in this case?
  • Discussions about Multi-Instance Management.

    18 Topics
    139 Posts
    T
    I'll look into this for you. I can renew certificates that I created in the new GUI, but none of the others. It does seem that it uses the CA endpoint to renew regular certificates though. So you should be able to use system/certauth/{refid}/renew until it's fixed.
  • Discussions about installing or upgrading pfSense software

    10k Topics
    62k Posts
    S
    @WN1X said in State table gets stuck after the update: state table size is a function of memory Yes but it's changeable: https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#firewall-maximum-states I was also going to ask about OP's conclusion. And what is "the manager process"?
  • Discussions about firewalling functionality in pfSense software

    10k Topics
    59k Posts
    D
    @Gertjan if I run this little bit of php: $file = 'test.txt'; file_put_contents($file, "BLOCK ANY | No internet via this device". PHP_EOL, FILE_APPEND); The piped text is appended just fine to my testfile, so I think the script crash is more related to the code printing the contents of the filter_reload_status file.
  • Discussions about Network Address Translation (NAT)

    6k Topics
    31k Posts
    V
    @Pagi So I guess the NAT address changed to the WAN address. Set it to the LAN3 address and it should do what you want.
  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    3k Topics
    12k Posts
    W
    Hi all, I am setting up an HA config using the netgate docs as well as this video from Lawrence Systems (https://www.youtube.com/watch?v=-1Og5ogkyZY) Everything seems to work as expected, although when my outbound NAT rules are enabled, the internet breaks. I can ping a few things, but most sites and things do not load. When I disable the outbound NAT rules everything works again as expected. Has anyone else had this issue / any idea how to resolve it?[image: 1758662932253-outboundnatpic-resized.png]
  • Discussions about Layer 2 Networking, including switching and VLANs

    1k Topics
    10k Posts
    Gertjan
    @jogovogo said in No Internet access with VLAN via OPT1: My first surprise is that I'm now on the firewall, but why? The web server that serves the pfSense GUI runs on all assigned interfaces. When you installed pfSense, there was a pass rule for incoming traffic on the initial LAN interface: it accepts all traffic. When you add more LAN type interfaces, the ones called OPTx, there will be no initial rules, so you can't access anything. DHCP will work as pfSense will add hidden DHCP (UDP port 67 and 68) rules, but nothing else (no http https dns icmp etc etc etc etc). When you add pass rules for TCP, UDP, etc, things "start to work". When you use addresses like this: [image: 1758697659291-89b7f27a-e729-4579-81c1-cb12989a7d3f-image.png] you use IP addresses. So, even if DNS is not working, that won't be an issue. Your browser doesn't need to use DNS (for translating host names to IP addresses) as you already gave an IP. It can contact the device 192.168.151.1 right away. You've allowed TCP IPv4 traffic to port 477, which is apparently your changed pfSense https web GUI interface port. @jogovogo said in No Internet access with VLAN via OPT1: The issue has been resolved, simply, by restarting the DNS resolver. Euh ...... As you've changed lots of things at the same moment, it's hard to tell why dns (== the resolver) didn't work initially. Normally, when you add a new interface like your OPT1 interface, system processes like DNS (the resolver) get restarted. The resolver will listen to All Interfaces: [image: 1758698045123-e07276c8-27b7-4a13-b999-ca154f396adf-image.png] by default so it would work right away on the new OPT interface. Again, you still have to add a firewall rule to allow DNS traffic to reach the pfSense DNS port 53 of course.
  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    9k Topics
    41k Posts
    V
    @richardsago said in Should failover for WAN1 and should not failover for WAN2: For my setup I copy-pasted the 2nd to 4th line from a youtuber You should not believe any bullshit on YT. @richardsago said in Should failover for WAN1 and should not failover for WAN2: For my setup I copy-pasted the 2nd to 4th line from a youtuber who said the 2nd and 3rd lines will allow users to connect to the internet only if they set pfsense as their DNS Server As mentioned above, the second rule will force any UDP DNS traffic destined to the pfSense interface to the WAN gateway. The 3rd rule blocks any DNS (UDP) from VLAN 10. Hence the devices will not be able to resolve host names, at least not via UDP. Note that DNS may also use TCP. So you should use "TCP/UDP" as protocol in DNS rules. The best way to ensure that all your devices use your local DNS is redirecting the traffic to your server. Here is my port forwarding rule for this purpose: [image: 1758802714924-2531d9f0-f545-48c0-8957-2bc8bc6815ac-grafik.png] My Unbound is listening on localhost. With this rule, no matter which server the client requests, it is redirected to Unbound and the client gets the response from it with the originally requested IP as source IP and is happy. As you can see, I do the same with NTP.
  • Discussions about traffic shaping and limiters

    3k Topics
    16k Posts
    J
    @chpalmer Thanks for your experience and thoughts. Good points all.
  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    7k Topics
    43k Posts
    Gertjan
    @JonathanLee said in Serving different WPADs per subnet with Unbound: for Netflix not liking the HE ipv6 tunnel That was also solved with the help of pfBlockerng : [image: 1758778353680-eca53c7f-080b-4bc2-ab1a-cf4abc9e9f38-image.png] and enter all the domain names you don't want to be resolved as AAAA, only A. In my he.net days, this worked very well.
  • Discussions about IPv6 connectivity and services

    2k Topics
    20k Posts
    Gertjan
    @chrcoluk said in Where are the inbound rules for routeable IPv6 on LAN interfaces? Solved: looking for another rule that might be what's allowing the traffic I presume your monitoring service pings (right ?!) from 'somewhere on the outside, somewhere from the Internet', so a firewall rule on the WAN interface is needed to allow this traffic coming into the WAN. The good news: normally ^^ you don't have many rules on WAN and typically none on the floating tab. So the matching rule is easy to find. In this case: look for the rules that match ICMP (or any), and 'any' as a source. @chrcoluk said in Where are the inbound rules for routeable IPv6 on LAN interfaces? Solved: If that makes sense. Yep. Re-saving the firewall rules doesn't terminate already existing states. Normally, these will time out, and disappear. But this is a case where you have to 'reset' them all, even losing other connections, like the very noticeable web browser LAN pfSense GUI connection: you have to log in again before you can see the changes. And that is just the tip of the iceberg, as more services on any LAN device that had open connections will get interrupted. Example: that gmail app on your phone, that update service on your PC and any other service that wants to have a connection at all times for whatever reason. These will all get signaled: the connection closed, and they will re-open one. You could have used an intermediate step to discover the IP of the Internet based device: Packet capture. [image: 1758694519433-81ca2312-fea4-4b87-b989-68f9d2803897-image.png] You'll see multiple packets popping up very regularly. The most obvious one: the pfSense WAN monitoring tool called dpinger, sending out an ICMP ping request, and getting an ICMP ping reply back. You can recognize these by the sending IP and replying destination. You will also see the ICMP ping request coming IN, and pfSense sending an ICMP ping reply - to the IP that is monitoring your WAN from the outside. Maybe you'll find other devices (== IPs) that are pinging the pfSense WAN IP ^^
  • Discussions about IPsec VPNs

    6k Topics
    24k Posts
    S
    @keyser Is it in the FreeRADIUS package though? I've clicked around and may be blind but am not seeing it. I did find a forum post from 2015 mentioning it though. :)
  • Discussions about OpenVPN

    10k Topics
    53k Posts
    Gertjan
    @adrianp918 If your VPN client (on the remote device) uses the pfSense resolver as its DNS source, you could create a host name on pfSense for this printer. From then on you can use (example): "printer.your-pfsense-domain.tld" as that will resolve to the LAN IP of the printer.
  • Discussions about Captive Portal, vouchers, and related topics

    4k Topics
    19k Posts
    Gertjan
    @neuf_16 Scrapped? What about not using it? I won't disable it, as it has been working pretty well for me for the last 15 years or so. I'm using it for a hotel, and no instructions or guidelines are shown anywhere. People, more often than not, are totally computer-illiterate but can still connect to the hotel Wifi, login (room number and password interpreted on their room key). That said, not all devices can work with a captive portal. More often because the owner made some 'DNS' related decisions, and/or installed so called 'security' software (apps) that totally make the device 'portal' incompatible. Not just the pfSense portal, but any portal, as they all work the same. In that case it isn't your portal's (or your) fault. It's their choice. As a firewall/router admin, part of your life will be: explaining to people that they can mess up their DNS, but they will have to bear the consequences. Example: July and August just came by, so I saw a lot of tourists. A guy had issues connecting with his phone, while his laptop was doing fine. DHCP lease, etc, all was well, but no login browser screen would show up. After some inspection (Packet capturing on my = pfSense side), I saw his device wanted to speak to "8.8.8.8" only. I didn't even ask if this was his own doing, or if it was the phone OS enforcing this behavior. So, yeah, so be it. I already learned I can't make everybody happy. Let's get into it: @neuf_16 said in Captive Portal Stops Working pfsense 2.8.0. Hitting 'save' resolves the issue: The experience from an end device is that it will have an IP via dhcp but the captive portal page will not appear. Try this. Have a look at them all first. I know, these videos are a bit old but still very valid. @neuf_16 said in Captive Portal Stops Working pfsense 2.8.0. Hitting 'save' resolves the issue: Device then has no internet and cannot ping the gateway As soon as the device connects to the portal network, using wire or wifi, it should (has to!) ask for a DHCP lease. On the captive portal interface you should have a DHCP up and running. DHCP isn't blocked by the 'captive portal' firewall rules. So: captive portal or not, DHCP should work as usual. If you use a Microsoft Windows device, type: ipconfig /all and the result should tell you a lease IP was obtained, and the gateway and DNS should be (must be!) the pfSense captive portal's interface IPv4. On a phone you can see the wifi details/status screen where the same info is shown. @neuf_16 said in Captive Portal Stops Working pfsense 2.8.0. Hitting 'save' resolves the issue: The gateway could not ping the device nor vice versa The device should be logged in. You have to pass (allow) ICMP on the portal's firewall GUI interface. Beware that not all devices reply to 'ping' when they are connected to 'unknown' networks. A Microsoft PC won't, for example. @neuf_16 said in Captive Portal Stops Working pfsense 2.8.0. Hitting 'save' resolves the issue: pfsense 2.8.0 Upgrade to 2.8.1. If the forum was littered with messages saying "don't install 2.8.1, stay with 2.8.0" you shouldn't stay with a version that contains 'old bugs'. Get the version with the new bugs, as these are all discussed right now, and workarounds have been found. Afaik, there are no 'real' portal issues right now. This said, I'm using 25.7.10, but the portal part of pfSense is identical to 2.8.1.
  • Anything that does not fit in other categories related to the webGUI

    2k Topics
    10k Posts
    S
    Hi, not sure where to place this enhancement, but is it possible to add SIPS (5061) and NFS (2049) to the defaults in the port list? [image: 1758635740176-pfsense-ports-2025-09-23_15-52.png]
  • Discussions about wireless networks, interfaces, and clients

    2k Topics
    11k Posts
    stephenw10
    Yeah, there's really no point in doing that. You are just accessing the same server via two addresses it's listening on.
  • Discussions about monitoring via SNMP

    197 Topics
    609 Posts
    C
    I figured it out. My firewalls had an old unused OpenVPN client connection on them that was unstable and every time it reconnected, it got a new IP address causing pfSense to restart all packages, and since it took down SNMP, we wouldn't get alerted about the interface going down either... So this issue is solved now
  • Discussions about pfSense documentation, including the book

    186 Topics
    1k Posts
    opnwall
    As a volunteer translator, I suggest that the official website update the template files of the online translation (https://zanata.netgate.com/) in a timely manner, or open the function of uploading po or mo files to replace the translation templates that are still in pfsense 2.50.
  • Topics related to developing pfSense: coding styles, skills, questions etc.

    1k Topics
    6k Posts
    stephenw10
    No worries. I'm happy you're able to test an early dev snapshot. Finding these issues earlier makes it much easier for us.
  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    429 Topics
    3k Posts
    W
    @Randy_T If you have a public IP (static or dynamic?), just create the port forward rule and the associated PASS firewall rule on WAN; this last is crucial because pfSense by default will block unsolicited incoming traffic. Maybe it is better if you post some screenshots just to let us see if everything is ok. Again, if your VPN doesn't support port forwarding you cannot use the VPN interface. If the WAN IP changes you need to use a DDNS service to keep your gaming server IP updated.
  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    2k Topics
    12k Posts
    weehooey
    @lifeofguenter Ah. I see that now. I did not realize the window scrolled. @weehooey your script does not work. When I install qemu-guest-agent it already installs a start script: What you are showing is not what our script does. I can tell you that we tested using the script we provided, and it works on 2.8.1. Perhaps you have not marked your script as executable?
  • Discussions about pfSense hardware support

    8k Topics
    69k Posts
    planedrop
    @stephenw10 OH yeah, forgot about that lol. Thanks for the reminder.
  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    457 Topics
    6k Posts
    J
    Rereading this I realize I didn't provide much context or frame the issue very well, and since I can't edit I'll post what the OP should have started with here. From the pfSense Docs: Captive Portal in pfSense software forces users on an interface to authenticate before granting access to the Internet. Where possible, the firewall automatically presents a login web page in which the user must enter credentials such as a username/password, a voucher code, or a simple click-through agreement. Users have made many requests for something similar, but for authorizing access into the intranet, instead of out to the internet. This is often called a "reverse portal". This would be useful for e.g. setting up MFA for WireGuard VPN connections or requiring login to access a different segment of the local network. Unfortunately, despite being nearly identical in implementation, Netgate explicitly states that their captive portal feature is not capable of acting as a reverse portal, aka authorizing access to the local intranet. One of the challenges with reverse portals is how to know when the user has disconnected and needs to reauthenticate. Here I propose a design where the user has to keep a browser tab with an open TCP connection (SSE with heartbeats) connected to the firewall for the pass rule to be enabled; when the connection closes the pass rule is disabled and they will have to reauthenticate.
  • 10k Topics
    64k Posts
    stephenw10
    Yes this needs to be addressed. But I would argue that if you can set the pppoe password you already have a high level access and could break things far more easily.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.