Subcategories

• Messages from the pfSense Team

  Announcements and information about pfSense software posted by the project team

  182
  Topics
  1785
  Posts

  M

  pfSense Plus version 22.05 BETA is now available for testing. This BETA offers pfSense Plus users a chance to preview and test some of the exciting new features coming to pfSense Plus software. See our recent blog post for more details and highlights.

  Users can switch to the development branch by navigating to System>Update and selecting "Latest development snapshots" from the Branch dropdown menu. Keep in mind, however, that this release is still under development and has a potential for instability.

  Always take a backup of the firewall configuration prior to any major change to the firewall, such as an upgrade.

  Do not update packages before upgrading! Either remove all packages or do not update packages before running the upgrade.

  The upgrade will take several minutes to complete. The exact time varies based on download speed, hardware speed, and other factors such as installed packages. Be patient during the upgrade and allow the firewall enough time to complete the entire process. After the update packages finish downloading it could take 10-20 minutes or more until the upgrade process ends. The firewall may reboot several times during the upgrade process. Monitor the upgrade from the firewall console for the most accurate view.

  Consult the Upgrade Guide for additional information about performing upgrades to pfSense software.

• General pfSense Questions

  Discussions about pfSense software that do not fit into one of the more specific categories below.

  22037
  Topics
  138892
  Posts

  P

  We have started granting Users administrator (Groups: admins) SSH access.
  We noticed using the admin account, the Console options are displayed:

  *** Welcome to pfSense 2.5.2-RELEASE (amd64) on pfSense *** WAN (wan) -> igb0 -> v4/DHCP4: 192.168.0.173/24 v6/DHCP6: 2001:8003:300e:6601:2f1:f3ff:fe21:3f99/64 LAN_MGMT (lan) -> igb1 -> v4: 192.168.1.1/26 0) Logout (SSH only) 9) pfTop 1) Assign Interfaces 10) Filter Logs 2) Set interface(s) IP address 11) Restart webConfigurator 3) Reset webConfigurator password 12) PHP shell + pfSense tools 4) Reset to factory defaults 13) Update from console 5) Reboot system 14) Disable Secure Shell (sshd) 6) Halt system 15) Restore recent configuration 7) Ping host 16) Restart PHP-FPM 8) Shell Enter an option:

  We have added so it's identical to the default admin account:
  User - System: Shell account access Indicates whether the user is able to login for example via SSH. (admin privilege)

  But additional User accounts (within the Groups: admins), drop straight into their home directory into the shell.

  Is it possible to configure User accounts to display the Console options too?

• Installation and Upgrades

  Discussions about installing or upgrading pfSense software

  8634
  Topics
  53516
  Posts

  

  When reinstalling from scratch, with an existing config file.

  What to do if one has applied patches.

  I'm still a bit confused about patches, when reinstalling (from scratch).
  I'm think i saw rcoleman mention that one should revert the patches, before saving the config. Else the patch system could be out of "sync".

  Did i get that correct ?

  My take would prob. be to save the config , then:
  Open the config in an editor , and erase everything between

  <patches> </patches>

  Maybe there should be a "Save wo. patches" or "Restore wo. patches" option in backup.

  How does pfSense keep track on the patches applied ?

  On my current 22.01 i have appled these
  2293b4b6-682f-4fb0-a126-33abbc11ba7e-image.png

  But my 22.01 config shows this (empty patch section) :
  <patches></patches>

  How does it know what Recommended patches i have applied/activated ?

  My old 2.5.2-p1, where manually (patch-id) pointed to some patches Netgate recommended.

  Had sections like this in the config:

  <patches> <item> <descr><![CDATA[pscd mem lek]]></descr> <location>https://github.com/pfsense/pfsense/commit/afcc0e9c97c1993ae6b95f886665fcb4375d26c7.patch</location> <pathstrip>2</pathstrip> <basedir>/</basedir> <ignorewhitespace></ignorewhitespace> <uniqid>6200c0676fd4b</uniqid> <patch>RnJv ...... </patch>

  Is "Manually pointed to" patches kept in the config , and Recommended patches kept in another place ??

  /Bingo

• Firewalling

  Discussions about firewalling functionality in pfSense software

  8529
  Topics
  50123
  Posts

  

  @artooro said in Floating Rules Not Applying to pfSense:

  Floating rules can prevent the firewall from reaching specific IP addresses, ports, and so on."

  So you want to stop something from leaving the firewall, even the firewall. Then that would be a floating outbound rule on the wan interface..

  Really the only rule I do that for being a good netizen is block outbound rfc1918..

  So example

  See the rule in my floating tab.. it is block (red X) on the wan in the outbound direction (see the little arrow in a circle).. It is set as quick (2 double green arrowheads) and it set to log (little hamburger with checkmarks)

  So I try and ping some rfc1918 address this not on my local networks, so per routing pfsense would send this out the wan.

  Fails, and is logged as blocked.

  block.jpg

  Also keep in mind if you tried to do something, that was allowed you would have created a state. Which are evaluated before rules, so yeah blocking something after the state has been created - you really need to make sure no states exist for that traffic before your block rule would take effect. You could either kill any specific states, or all of them. Wait for them to timeout on their own, reboot the firewall is the oh there is a spider in my house, burn down the house response to removing states ;)

  Now if I disable that rule, see how its grayed out.

  Now if I ping I just get timeouts.. And notice if I sniff on my wan, traffic actually left the want trying to get to 192.168.42.42

  disabled.jpg

  Maybe if you actually gave some details of what exactly your attempting to block we could show rule to do that.

  Common mistake users make is they test something, it works, then they test it again right after they create a block.. And yeah their rule isn't even evaluated because there was a state already that allowed the traffic, which allowed it - even with your block.

• NAT

  Discussions about Network Address Translation (NAT)

  5052
  Topics
  27576
  Posts

  

  @rhicinus you can use the patch manager in CE, it just doesn't auto fill patches and you have to add them... The info need should be in the redmine

  I do see a commit id listed in the redmine

• HA/CARP/VIPs

  Discussions about High Availability, CARP, and utilizing additional IP addresses

  2295
  Topics
  10498
  Posts

  B

  @m4rek11 @Przemyslaw85 Sure I will. I hope that I will back with good news. Stay tuned

• L2/Switching/VLANs

  Discussions about Layer 2 Networking, including switching and VLANs

  749
  Topics
  6242
  Posts

  Z

  akuma1x,
  I'm starting to understand. I need to read the post and digest it. I'm not sure how to configure the X, Y, Z ports between the switches. I never thought about doing that.

• Routing and Multi WAN

  Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

  7662
  Topics
  36409
  Posts

  B

  I tested multi-Wan after updating to 22.05b today.

  Primary Internet Cable (Default Gateway, primary for internal clients, backup for guest network ) Secondary PPoE DSL (Primary for guest network, backup for internal clients)

  Everything works well, routes as expected, until the PPoE connection fails to the primary. Once that secondary connection goes down, it will move traffic to the primary connection, that works well. But it appears to never route over the secondary when it comes back up. This is true even for new connections/clients that have zero states in the firewall.

  I was hoping that the fix in 22.05b would fix that: Fixed: Services are not restarted when PPP interfaces connect #12811. (https://redmine.pfsense.org/issues/12811).

  It appears the same. If I save a rule in the firewall, or bounce the interface again, the traffic immediately goes out the secondary again. Just not doing it automatically.

  Anybody else have this issue?

• Traffic Shaping

  Discussions about traffic shaping and limiters

  2825
  Topics
  15304
  Posts

  B

  @steveits

  Hey Steve, Thanks for the reply. Not using the captive portal. The limiters are applied to a floating rule in the firewall.

• DHCP and DNS

  Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

  5324
  Topics
  32661
  Posts

  H

  My long-standing setting to update my IP do Digital Ocean stopped working.
  Here is info from log:

  May 21 06:38:02 php-fpm 359 /services_dyndns_edit.php: phpDynDNS (xxxxxxxx): PAYLOAD: {"id":"bad_request","message":"invalid character '-' in numeric literal","request_id":"56edd74e-14e0-49f1-b491-30607c2216a2"}
  May 21 06:38:02 php-fpm 359 /services_dyndns_edit.php: phpDynDNS (xxxxxxxx): (Unknown Response)

  Pfsense is up to date.

  I can't find any new info on this error. Any help?

  Thanks!

• IPv6

  Discussions about IPv6 connectivity and services

  1666
  Topics
  15398
  Posts

  J

  After I reset pfSense, and did a new setup, the issue still remain. I can't connect to archlinux.org via IPv6.

  @johnpoz said in Not able to connect to some website:

  I would suggest he moves his lan back to 1500, and then get with his ISP for the proper setup for his wan connection.. A common pppoe mss clamp size is like 1452.. But for optimal working with his ISP he should contact them for proper setup.

  I agree, I should consult my ISP for help. I left MTU and MSS default. Will it related to PMTUD no working? The last result might be using pfSense in transparent mode. I've never tested it yet.

  Another issue is ICMP req always failed (tested using ipv6-test.com), even I allow it on WAN interface. This didn't happen on my last configuration, which is pretty much the same as this one except I left DHPCv6 enable. I think I disable DHCPv6 last time, MyPC use RDNSS instead. I'm scratching my head off.

• IPsec

  Discussions about IPsec VPNs

  5202
  Topics
  21273
  Posts

  O

  All my IPsec connections have this setting

  553a5388-98f9-450c-bc20-070690fc841c-afbeelding.png

  As of lately sites do not auto connect anymore?

• OpenVPN

  Discussions about OpenVPN

  8439
  Topics
  45882
  Posts

  B

  Good thing I noticed this.
  I was about to send out an appliance using shared to to middle of nowhere and this saved me a bunch of future headache.

  Whereas I could setup a shared key OpenVPN in mere minutes, the TLS method is a bit more complicated. I spent this afternoon learning it and testing - now I believe would be fairly fast to setup.

• WireGuard

  Discussions about WireGuard

  293
  Topics
  1897
  Posts

  

  I probably should have looked at GitHub first, I am not a programmer but this looks like it might be a solution:
  https://github.com/pfsense/FreeBSD-ports/commit/21c83fc18c324b248bb75cf51019dc7a1af332ac

• Captive Portal

  Discussions about Captive Portal, vouchers, and related topics

  3269
  Topics
  16959
  Posts

  

  @maherg while its possible to detect a nat via the ttl being lower than default 64, 128, etc. different OSes would/could use a different standard ttl value. When you go through a router this ttl is lowered by 1.

  So it is in theory possible to detect a connection that has gone through a router and not directly connected to "your" router.. It is also possible to circumvent that by having the router your using to say share the connection to not lower the ttl of the traffic it sends on.

  I am not aware of any built in function to filter on non standard ttls.. I would have to look through the advanced options available to see if doing something like that is possible on a firewall rule. But you have to also be aware of different OSes using different standard ttl values and account for all of those that might be seen with different clients behind your pfsense.

  edit: from a quick look at the advanced options in firewall rules, I do not see a way to do this by looking at the ttl value. But you might be able to do it with

  https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#source-os

  It is "possible" that maybe the finger print that identifies os XYZ would look at the ttl, and if its not the standard for that OS, say it dropped by 1 because of a downstream router handling the traffic (sharing internet).. It might not match and could be filtered.

  Other option might be doing something with IPS package..

  Might be a good feature request for future version of pfsense.

• webGUI

  Anything that does not fit in other categories related to the webGUI

  1832
  Topics
  8753
  Posts

  A

  Hey everyone, would really appreciate a second set of eyes on this, let me know if I did something wrong. Getting what seems like an odd msg regarding my LAN connection. (pls see bold question below)

  Installed an SFP module into a Netgate 6100 and Ubiquiti switch. Connected both with a Fiber Cable:

  Gear:
  Fiber Patch Cable - LC to LC OM3 10Gb/Gigabit Multi-Mode Jumper Duplex 50/125 LSZH Fiber Optic Cord for SFP Transceiver, Computer Fiber Networks

  SFP in the 6100
  10Gtek
  10GBase-SR SFP+ Transceiver, 10G 850nm MMF, up to 300 Meters, Compatible with Cisco SFP-10G-SR, Meraki MA-SFP-10GB-SR, Ubiquiti UniFi UF-MM-10G

  SFP in the Ubiquiti Switch
  Ubiquiti U Fiber Multi-Mode SFP 10G - UF-MM-10G

  Its working, but wondering if everything is correct, like maybe I used the wrong kind of cable?

  I see this on my dashboard:
  10Gbase-SR <full-duplex,rxpause,txpause>

  is the rxpause,txpause ok?

  Settings (its my LAN connection)
  Screen Shot 2022-05-20 at 4.39.21 PM.png

  Screen Shot 2022-05-20 at 4.42.43 PM.png

• Wireless

  Discussions about wireless networks, interfaces, and clients

  1632
  Topics
  10053
  Posts

  R

  @stephenw10 said in TPLINK Deco M4 with pfSense:

  @hismuth said in TPLINK Deco M4 with pfSense:

  U6 Lites

  I've never used them so it's hard to comment. There are not a mesh system though as far as I know. So if you require a mesh to get full coverage now you may need to run more Ethernet lines to position APs in different places.

  Steve

  They can be meshed if that's really what you want, but it's best to avoid meshing if you can hardwire.

• SNMP

  Discussions about monitoring via SNMP

  168
  Topics
  516
  Posts

  R

  @viragomann I thought that initially but it would reflect it in the system, too.

  @RedSock if you go to Diagnostics -> System Activity what's using all the RAM? If it is pcscd then that bug has patches that will fix it for 2.5.2, or you can upgrade to 2.6-RELEASE and it will be fixed there.

• Documentation

  Discussions about pfSense documentation, including the book

  170
  Topics
  1206
  Posts

  S

  @steveits Done, thanks for pointing me in the right direction. :)

• Development

  Topics related to developing pfSense: coding styles, skills, questions etc.

  Plus 22.05 Development Snapshots

  CE 2.7.0 Development Snapshots

  Plus 22.01 Development Snapshots (Retired)

  CE 2.6.0 Development Snapshots (Retired)

  2.5.2 Release Candidate Snapshots (Retired)

  2.5 Development Snapshots (Retired)

  21.02.2/2.5.1 Snapshots (Retired)
  1464
  Topics
  8781
  Posts

  

  Today I made another attempt (this time 22.05.b.20220520.0600) and no problem, as if it never existed. 👍

• Gaming

  Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

  371
  Topics
  2398
  Posts

  

  I tried Tixati to test UPnP and that gives actionfailed messages.

  6536c8b1-fd3b-4000-98fd-6eb315bac0f2-image.png

• Virtualization

  Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

  1675
  Topics
  10235
  Posts

  K

  @matt_nz Did you get to the bottom of this buddy, I am having this issue now with Vodafone Gigafast and VLAN 911 using PPPoe credentials.

• Hardware

  Discussions about pfSense hardware support

  Vendors
  6952
  Topics
  62149
  Posts

  

  @youraveragehomelabber
  in the firmware folder there are 2 folders, one for the 510 and one for 5x0, are you sure you flashed the correct one (5x0)?

  Everything is well explained in the readme.boot-flash.txt file in the root folder 😊

  From my point of view you, if you flashed the correct file, then you forgot the latest command after flashing.

  ./dmi-tool -w -p EDGE520 -v 1

  ok, so anyway i extracted my firmware with the command :

  flashrom -r /root/velocloud-520ac-01.00.00.05.rom -p internal

  Here is the file below :
  velocloud-520ac-01.00.00.05.zip

• Bounties

  Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

  Completed Bounties

  Expired/Withdrawn Bounties
  452
  Topics
  6274
  Posts

  

  Thanks, @stephenw10, @nedyah700, @sgc -- that worked!

  For posterity :)

  If you've been running in BYPASS MODE and want to get right back to it after a reinstall of pfSense and a restore of a backed-up configuration ...

  1> Prepare a USB memstick:
  https://docs.netgate.com/pfsense/en/latest/install/write-memstick.html

  2> Choose your backup config file, make a copy, and rename the copy config.xml

  3> Open config.xml in a text editor and change all references to pfatt.sh so they read like this: /root/pfatt/pfatt.sh

  4> Put config.xml on the FAT partition on the memstick. Follow these instructions:
  https://docs.netgate.com/pfsense/en/latest/backup/restore-during-install.html

  5> Make a copy of your backup of pfatt.sh, open that copy in a text editor and make sure the values for ONT_IF, RG_IF, and RG_ETHER_ADDR are appropriate for your environment.

  6> Copy the reviewed/edited copy of pfatt.sh to the root of the FAT partition on the memstick.

  7> Install pfSense
  https://docs.netgate.com/pfsense/en/latest/install/install-walkthrough.html

  8> Near the end of the process, the installer will ask if you'd like to open a shell to make any final manual modifications. Answer yes.

  9> These next commands will copy pfatt.sh from the memstick to the pfSense volume. They may not be 100% correct for all environments. Google will help you out 👍

  mkdir -p /root/pfatt mkdir -p /mnt/usb mount -t msdosfs /dev/da0s3 /mnt/usb/ cp /dev/da0s3/pfatt.sh /root/pfatt/pfatt.sh chmod -R 555 /root/pfatt exit

  10> Reboot your pfSense and profit.

  Caveats:

  In step 9, the FAT partition on my memstick was /dev/da0s3. Yours may be different. You can start by viewing the output of this command and (probably) appending 3 for the FAT partition. Google can get you the rest of the way if you need help.

  camcontrol devlist

  For some reason, my installer wouldn't pick up config.xml during the installation process, so, I left my memstick plugged in for the first reboot and used the computer's boot manager to start pfSense from the hard disk. The ECL took over and all was right in the world.

  If you're running pfBlockerNG in Python mode, you may have to disable Python in the DNS resolver before your fresh system will download any packages .... including pfBlockerNG. You can re-enable Python mode after everything settles down.

  I hope all this typing helps someone out of a bind some day :)

• Retired

  Categories that are no longer active, but are present for reference

  2.4 Development Snapshots

  2.3.3 Development Snapshots

  2.3.2 Development Snapshots

  2.3.1 Snapshots Testing and Feedback - ARCHIVED

  2.3-RC Snapshot Feedback and Issues - ARCHIVED

  2.2.5 Snapshot Feedback and Issues

  2.2.3 Snapshots Problems and Feedback - ARCHIVED

  2.2 Snapshot Feedback and Problems - RETIRED

  2.1.1 Snapshot Feedback and Problems - RETIRED

  2.1 Snapshot Feedback and Problems - RETIRED
  8644
  Topics
  54899
  Posts

  

  Set Debug in the DHCP6 Client Configuration on WAN as well, then check the logs (main system log, routing log, etc) to see what shows up.