pfSense® Software

Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

Subcategories

Messages from the pfSense Team

Announcements and information about pfSense software posted by the project team

206
Topics

2.3k
Posts

C

@DominikHoffmann The oven is running and a release build is baking. Soon.
General pfSense Questions

Discussions about pfSense software that do not fit into one of the more specific categories below.

26.1k
Topics

182.1k
Posts

S

Yeah seems like it should be pulling a lease from a remote dhcp server at AT*&T somewhere. But that gateway you're getting is outside the range of both....
Multi-Instance Management

Discussions about Multi-Instance Management.

4
Topics

65
Posts

J

@stephenw10 said in request handler failed:

Great feedback. Thanks!

Yeah I have some configs with deliberately huge aliases and it gets....interesting!

Pleasure.
I think the biggest problem that results in no aliases/rules shown will be the empty descriptions that are/were allowed in the past, many configs will spout them,
Problems Installing or Upgrading pfSense Software

Discussions about installing or upgrading pfSense software

9.4k
Topics

59.8k
Posts

P

@ws6 maybe @stephenw10 has a better idea if there are still limitations of the new Netgate installer.

Regarding the link to the legacy installer, I guess Netgate would rather people use the new one.

For me the new installer is not a good fit, with the legacy one the installation takes a few minutes max, with the new one it takes forever with a crappy internet connection, over and over again :/
Firewalling

Discussions about firewalling functionality in pfSense software

9.5k
Topics

57.5k
Posts

S

@muab Check https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#new-rules-are-not-applied
NAT

Discussions about Network Address Translation (NAT)

5.5k
Topics

30.7k
Posts

J

@SquirrelSloth said in Can't get NAT to work: ISP modem >> (WAN) pfSense (LAN) >> (WAN) home router:

not sure why without the PfSense I was able to connect to FTP server without playing around with my AV software

possible when the pc noticed a new connection it flipped back on? Windows for example will flip its firewall profile from private to public if the mac of the gateway changes, even if same IP scheme, etc.

To be honest in all the years have been here and using pfsense, I really don't recall ever seeing an actual problem with pfsense and port forwarding.. It always comes down to pebkac of some sort. The traffic not even getting to pfsense wan to be forwarded, client running some security software or not even using pfsense as its gateway, user set source port in the forward (this is very common). etc..

Glad you finally got it sorted, and yes football is starting ;)
HA/CARP/VIPs

Discussions about High Availability, CARP, and utilizing additional IP addresses

2.5k
Topics

11.6k
Posts

S

@SteveITS said in WAN Gateway on Backup server in CARP shows down:

https://docs.netgate.com/pfsense/en/latest/recipes/high-availability.html#wan-addressing

Hi @SteveITS
Thanks for the prompt response. I have assinged uniqe ips on wan port of each pfsense box . and uniquie ip on lan of both pfsense.

yet when a pfsense box is in Backup mode i cannot get to wan from it. all pings form it fails. eve cannot get a ping replies when i ping the wan ip of another pfsens which has wide open rule on that interface,
L2/Switching/VLANs

Discussions about Layer 2 Networking, including switching and VLANs

1.2k
Topics

9.8k
Posts

N

Re: SOLVED: SONOS across multiple VLANSrr

I was tyring to get the LAN Feature on my govee llights to work ity clearly states the API in the documentation I did see the 239.255.255.250 with igmp proxy even tried switching it off and using my switches igmp features. in the end I bit the bullet created an IOT SSID and put it on the same vlan as where I need access. works this way perhaps the ip traffic won't be so uniform and clean but what can ya do
Routing and Multi WAN

Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

8.4k
Topics

40.6k
Posts

H

I setup a basic configuration and it's been working for a few months as a test. I wanted to change my Arris G54 modem/router to bridge mode, and let everything be handled by PfSense as a firewall and possibly a VPN server. In the future, running Dynamic DNA for devices on my network.

The Arris device is what I had before getting new equipment and has a 10G port, so I'm trying to get it to be a 10G modem. I'm using DAC cables and dongles to connect all the hardware. Those have been working well and giving a 10G route from Switch>Router>PfSense>Modem/Router>Internet.

I have my VLANs defined in the Omada router.

I wanted to change the Modem/Router into bridge mode. When I do, I can't get PfSense to connect. It's been connected for several weeks with the Arris Modem/Router in router mode. I can also by pass the PfSense and connect the Omada router into the Arris Modem/Router in bridge mode and it will connect.

I've walked through these Help Doc pages starting here and updating the settings on both WAN3 and WAN4 on the Netgate device.
https://docs.netgate.com/pfsense/en/latest/interfaces/wanvslan.html

In tinkering with the settings and following the Help Docs, it seems the IPv6 was connecting but not the IPv4. Even when I disable the IPv6 gateway, it still seems to be connecting. I know the Arris device will only allow one connecting in Bridge mode.

I've attempted to setup bulk 'all everything' NAT and firewall rules but I just can't get it to work. I have Charter/Spectrum internet. Myself and my spouse work from home and both use outgoing VPNs for work so I'm attempting to maintain as high a speed as possible in the setup.

Hardware setup
Omada Switch, SG3438XPP-M2, Port25, 10G > Omada ER8411, SPF+ WAN1, 10G >WAN 4, 10G, Negate 6100, PfSense, WAN3 10G > Arris G54, LAN Port 1, 10 G

I have LAN port 1 on the Netgate device setup as a 'Console' port I have my desktop plugged into to tinker with the setting and monitor it.

In the future I'd like to use Dynamic DNS for my NAS and Security Camera setup. This is way I'm wanting the Arris device in bridge mode and to utilize it's 10G port. I'd also like to eventually be able to use a VPN to access my home network while traveling.

alt text

alt text

alt text
Traffic Shaping

Discussions about traffic shaping and limiters

3.0k
Topics

15.8k
Posts

D

I have HFSC enabled on a highly asymmetric ADSL2 connection. I want to keep a real time channel open for VoIP applications.
ADSL.png

When I set my upload queue limit to 750 kbps, and I fill the upload queue with actual traffic, all is well. My VoIP traffic shows minimal packet loss in this condition, as verified by an external SIP client. i750 kbps seems a little lower than I expected, but not unreasonably low.
UploadData.png UploadData-Loss.png

However, when the upload queue is filled with ACKs from download traffic, the same VOIP shows significant packet loss. The VOIP channel is set to allow a minimum of 100 kbps real time data. Also note that the effective upload rate has dropped by around 150 kbps.
UploadAcks.png UploadAcks-Loss.png

And indeed, if I throttle the upload queue to around 550 kbps, the VoIP packet loss mostly clears up again.
CappedAcks.png CappedAcks-Loss.png

I believe that HFSC isn't calculating the per-packet overheads correctly. A rough linear interpolation implies that each additional packet cuts into the data budget by 285 bits, or about 36 bytes. (It also implies that the maximum upload is closer to 768 kbps instead of the 850 kbps that the 95% rule of thumb leads me to expect, but that's a separate problem. And yes, my MTU is set to 1492 on the PPPoE WAN.)

Graph.png

Is there any feature in pfsense / FreeBSD that would allow me to adjust the packet overhead used in the HFSC calculations? I've looked for something comparable to Linux tc-stab but I came up empty. It would be nice if I didn't have to keep the upload capped at 550 kbps just to address this worst-case ACK scenario. Likewise, I don't want to cap the ACK queue because that impacts my download speeds.
DHCP and DNS

Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

6.4k
Topics

40.7k
Posts

C

@viragomann Thank you but I figured out the issue. I couldn't disable DHCP on the LAN or I lost GUI. Solution was to make the change shown below:

44f4e9f4-7486-4fe9-a31f-24f34285fbe1-image.png

Default is /32. I reset it to 24. Then under Services==>DHCP Server an additional tab showed up for Bro. Enable DHCP on that one. Go back to Lan tab and disable DHCP. Done
IPv6

Discussions about IPv6 connectivity and services

2.0k
Topics

19.0k
Posts

J

@Gertjan said in Setting up IPv6 on my Netgate:

The fe80 are like RFC1918

Actually, unique local addresses are like RFC1918. You can pick whatever addresses you want within the ULA block and, like RFC1918 addresses, they are routeable, just not on the public Internet.
IPsec

Discussions about IPsec VPNs

5.7k
Topics

23.2k
Posts

T

Correction to my previous post: the working iOS 18.1.1 device actually does NOT have LE's CA cert manually imported. (LE is apparently now a trusted a root authority in iOS.)

The VPN configuration profile itself is self-signed however—and it's that signer's CA cert that's manually installed on this working device.

Doubtful that any of this is relevant. Just wanting to clarify. Apologies for any confusion.
OpenVPN

Discussions about OpenVPN

9.7k
Topics

52.5k
Posts

R

Hi to all

so, little RECAP

SITE A:
Operator Router-> SWITCH -> ESXi with PFsense
Public IP -> Internal Lan 192.168.1.0/24 -> PFSENSE wan 192.168.1.240 with GTW 192.168.1.1 and virtual Interface ovpn peer2peer

SITE B:
Operator Router-> Mikrotik -> Internal LAN
Public IP -> wan 192.168.8.1 - LAN 192.168.88.1 -> Internal Lan 192.168.88.1/24

Peer to Peer tunnel 10.10.11.0/28 ( site A 10.10.11.1 / site B 10.10.11.2)
Connection OK between site
ping - other service from B to A -> OK
ping - other service from A to B -> KO

PFSENSE CONFIG:
29216526-883e-4dcf-be61-40e878d39ca4-image.png
7512a6dc-e92b-4e3e-b89e-7c34e5d06f27-image.png
6c54caac-b910-4b03-ad33-d67d0fddbc9f-image.png
e4dd2f8a-3d7c-423c-bb16-400bbe6aae84-image.png
0d34858e-90ff-4c9a-80c5-82a955a1864f-image.png
a38cbe88-9c96-4f29-9d8d-863c109cc347-image.png

With and Without CSO tested, but nothing change.

NAT
925d14c9-775d-4135-99b7-05c7910ba1a2-image.png

Rules
b0188b3d-c32f-4b06-96c4-c3e98b48c821-image.png

2e40e12b-3fc8-441c-8e79-1dcf651b606d-image.png

ROUTING
69cb7bb0-c088-4e88-a8c3-619c3f95dce1-image.png
bbda0e24-58d8-484c-b538-dc7b43ad78ae-image.png

SITE B: MIKROTIK

5d692e75-0ebe-4a90-a297-6944770da4e3-image.png
7bb9e00c-ba65-4c21-9bc2-48d1c9d75a53-image.png

Sorry for all the photos, but, it's to understand how the 2 devices were configured.
Any help is welcome, I don't know what else to check or other configurations to try.
Esxi has no rules on the internal switch.

**thank you so much for all the advice already writed, and have a nice new week.

ANDDD sorry for my English XD.**

REGARDS
Captive Portal

Discussions about Captive Portal, vouchers, and related topics

3.5k
Topics

18.5k
Posts

J

@Gertjan hm
lets see something
361b2c56-81fb-4796-90cf-0bb70f0b6652-image.png
10.223.110.155 is pfSense ip address while 192.168.15.1 is opt which I bind to CaptivPortal
5e5fa06a-28aa-4cfe-8cb5-2971f4777520-image.png

My concerns is following: if I want to reach 192.168.15.1 which is Captiv Portal , how should I do it since this network is on virtual interface of my VMware.
Does it mean I have to configure new vlan and configure it through the network or I have to than configure rules on pfSense?

Should this network range being used by clients connecting to SSID even if I have already configred DHCp for that SSID on Win side? hm
Regarding HTML, I would like first focus on solving this.

Best regards,
Jozy
webGUI

Anything that does not fit in other categories related to the webGUI

2.1k
Topics

9.8k
Posts

S

@fireix You could run "top" and see what the CPU usage is. 10 seconds is not that long compared to say a 2100 or 3100 loading a couple dozen entries with, say, all US IPs as an alias.
Wireless

Discussions about wireless networks, interfaces, and clients

1.7k
Topics

11.1k
Posts

R

Got it, thanks for the confirmation! The restriction of =< 802.11n and no AP mode works OK for my situation: we have one 3d printer which, for some reason, doesn't work well with the office wifi, and it's located right next to our pfSense gateway. It also doesn't have an Ethernet port (incredibly unfortunate). (So if it doesn't support station, but does support adhoc mode, I'm good here.)

This hardly something that I'd want to call "production ready" and more "a useful hack" until we get a better 3D printer with real functionality.

I'll do a cross-compile and report back with the results.
SNMP

Discussions about monitoring via SNMP

196
Topics

594
Posts

C

Hello,

I am experiencing constant crashes of the bsnmpd service on a Netgate 4200 router running pfSense 24.03. The SNMP service settings are default; it is polled by an external monitoring application (Prometheus/snmp_exporter) every 5 seconds. The following entries appear in the log:
[24.03-RELEASE][admin@pfSense.home.arpa]/var/log: cat system.log | grep snmp Nov 8 03:58:33 pfSense kernel: pid 578 (bsnmpd), jid 0, uid 0, was killed: failed to reclaim memory Nov 8 11:46:11 pfSense snmpd[57864]: disk_OS_get_disks: adding device 'da0' to device list Nov 8 23:50:22 pfSense kernel: pid 57864 (bsnmpd), jid 0, uid 0, was killed: a thread waited too long to allocate a page Nov 10 11:01:04 pfSense snmpd[57763]: disk_OS_get_disks: adding device 'da0' to device list
Any solution/workaround?
Documentation

Discussions about pfSense documentation, including the book

182
Topics

1.3k
Posts

P

I am looking at a GRE attack agains my system (https://nvd.nist.gov/vuln/detail/CVE-2022-20946), my entry looks like this:
4,,,1000000103,mvneta0,match,block,in,4,0x0,,50,50087,0,DF,47,gre,1090,59.127.81.214,192.168.2.11,datalength=1070
I can see that IP 59.127.81.214 is probing the sytem, I just do not know the other fields is there any documentation, https://docs.netgate.com/pfsense/en/latest/monitoring/logs/raw-filter-format.html doesn't show any.
Development

Topics related to developing pfSense: coding styles, skills, questions etc.

Plus 24.11 RC Snapshots CE 2.8.0 Development Snapshots

2.0k
Topics

13.8k
Posts

S

Hmm, OK. Significant.
Gaming

Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

419
Topics

2.7k
Posts

F

I have experienced the exact same. Including when updating the game as well. I've noticed that when I run an update, for the inital 15ish minutes it will run at my regular speed, then it will drop down to 10mbps. If I pause and resume the download, then it will resume back to the normal speed. Pausing/unpausing has saved me a ton of time for large updates. Strange behavior overall. Unfortunately I am locked with my xfinity router at the moment, so I can't do much additional investigation/tweaking.
Virtualization

Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

1.9k
Topics

11.7k
Posts

S

Hmm, unfortunately nothing there really looks like an issue. Certainly not something that would cause it to stop responding entirely.

We could try running dtrace against it to see what's using the cycles but I think we'd need some way to trigger it before it stopped responding.

If you create a test instance in the same hypervisor does that also stop responding?
Hardware

Discussions about pfSense hardware support

7.5k
Topics

68.1k
Posts

S

Hmm, well that sounds like the Netgear is internally untagging the VLANs from the SSIDs to it's own ports? Which implies it is somehow separating the traffic from the SSIDs at least.

Is it really not possible to have it just pass the tagged traffic?

You could use your switch to put them back on a single linked tagged but that seems like it should be unnecessary.
Bounties

Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

Completed Bounties Expired/Withdrawn Bounties

456
Topics

6.4k
Posts

D

@HLPPC said in FQ_Codel IEEE pulse match rules/code/(applet?)/ $500:

Detection has to detect devices passing through managed switches to negotiate with the pSense, or correctly detect pulses while passing through pfSense in a bridge configuration to negotiate with a different device/router...

Since auto-negotiation is not visible outside the two ends of the physical link, how would you expect this to work?
Retired

Categories that are no longer active, but are present for reference

2.4 Development Snapshots 2.3.3 Development Snapshots 2.3.2 Development Snapshots 2.3.1 Snapshots Testing and Feedback - ARCHIVED 2.3-RC Snapshot Feedback and Issues - ARCHIVED 2.2.5 Snapshot Feedback and Issues 2.2.3 Snapshots Problems and Feedback - ARCHIVED 2.2 Snapshot Feedback and Problems - RETIRED 2.1.1 Snapshot Feedback and Problems - RETIRED 2.1 Snapshot Feedback and Problems - RETIRED

8.6k
Topics

54.9k
Posts

J

Set Debug in the DHCP6 Client Configuration on WAN as well, then check the logs (main system log, routing log, etc) to see what shows up.

1 / 1