Subcategories

  • Announcements and information about pfSense software posted by the project team

    222 Topics
    3k Posts
    V
    @dennypage Create an IGMP rule on your floating rules, and do not set the direction to in.
    Set: Interface
    Leave: Direction to any
    Set: Protocol to IGMP only
    Set: Source to any
    Set: Destination to any
    Set: Quick
    Set: Advanced Options, Allow IP options
    For example, if you have pfBlocker DNSBL auto rules (ping auto rule, permit auto rule) on top, it can cause trouble on the states. Check the States of this rule: you should see TCP and UDP packets as well, 443. If you set the direction on your LAN interface to in, you should see IGMP only; otherwise you have to place it at the very top of all your other floating rules, before everything else.
  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    27k Topics
    192k Posts
    C
    Solved: reset pfSense and selected DHCP. All OK (couldn't determine if the ISP had fixed it or the reset worked).
  • Discussions about Multi-Instance Management.

    23 Topics
    157 Posts
    M
    It will be available when the product is launched (including the correct link in the docs).
  • Discussions about installing or upgrading pfSense software

    10k Topics
    63k Posts
    stephenw10
    Ok I can see how this would break it but, for some reason, I'm now failing to replicate it. Digging....
  • Discussions about firewalling functionality in pfSense software

    10k Topics
    59k Posts
    E
    A better option is to use a self-hosted VPN on pfSense to remotely connect to devices or services on your LAN. That way you are not opening ports on your firewall for miscreants to attack. Tailscale is what I use.
  • Discussions about Network Address Translation (NAT)

    6k Topics
    31k Posts
    S
    @njc :) here’s a couple
  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    3k Topics
    12k Posts
    martimun
    So I disconnected the backup device and my network is back to normal (even though I haven't removed the CARP and HA settings yet). Just for the sake of testing, I configured two identical Steelhead CX770s with OPNsense and got the same results as with pfSense. I get the same results with two sets of completely different hardware! How can this be possible?! I thought it was the connection to the switch (since both firewalls connect to the same stack), but as soon as I remove the backup unit from the HA setup, all network connectivity is restored. Has anyone here encountered this problem before? Martin M. Mune, US Army Combat Veteran, Operation Iraqi Freedom; Volunteer Soldier, International Legion for the Defense of Ukraine. Glory to Ukraine! Glory to the heroes!
  • Discussions about Layer 2 Networking, including switching and VLANs

    1k Topics
    10k Posts
    H
    @patient0 Not a production environment, just a home environment. Thanks for your suggestion, I'll give it a try. Best regards and thanks again....
  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    9k Topics
    42k Posts
    F
    I have a Netgate 4200 with 25.07.1 and I want to drop another router (OpenWrt) behind it with its existing network setup without having to change much for now. I also want to get data usage statistics for all the machines inside there from my Netgate 4200, so I figured an easy way to do that would be to disable NAT and just let my Netgate 4200 see all the host IPs. On the pfSense box I set up a gateway and set the firewall rules to allow everything. On the test OpenWrt network I turned off its NAT and adjusted the firewall rules. Here is my network setup:
    pfsense
    └── port2
        └── unmanaged_switch
            └── OpenWrt
                └── laptop2
    Here are two of the tests I ran that show the main problem:
    | ping source > dest, response      | pfSense tcpdump | OpenWrt tcpdump | laptop2 tcpdump |
    |-----------------------------------+-----------------+-----------------+-----------------|
    | ping laptop2 > pfsense, no reply  | saw req         | saw req         | saw req         |
    | ping pfsense > laptop2, got reply | saw req & reply | saw req & reply | saw req & reply |
    pfSense can ICMP echo request laptop2 and get a reply. laptop2 can ICMP echo request pfSense, but pfSense never sends a reply. All addresses are in private network ranges. Any ideas?
    edit: I should probably mention that if I ping from the OpenWrt or any other machine hanging off of port2 to pfSense I get a reply. So pfSense is replying to pings.
  • Discussions about traffic shaping and limiters

    3k Topics
    16k Posts
    T
    Our ISP operates 3 separate VLANs over a single 1Gb fibre connection, for each of which we have a WAN interface set up, routed to the relevant VLAN gateway IP of the ISP's router. All of our internal traffic comes from a single LAN connection (due to the way UniFi's L3 routing works).
    WAN1 (VLAN2)
    WAN2 (VLAN3) <> LAN1 (VLAN4040) <> Internal Network (L3 Switch)
    WAN3 (VLAN4)
    I am hoping to set up traffic shaping in order to improve connection quality for our VoIP calls, but I am at a loss as to the best way to do this correctly. Do I use the multi-WAN wizard and distribute the bandwidth, or do I set each WAN the same? Is anyone able to offer any pointers?
  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    7k Topics
    43k Posts
    M
    @JKnott Of course it's not required. However, when you have lots of devices of the same brand/model, especially IoT, the name they show up as in both pfSense and UniFi by default is not distinctive. Sometimes even duplicate. I have over 40 TP-Link KP125 smart plugs that all showed up as "KP125", for instance. It is impossible to tell which is which in the controller. The 218 Wiz light bulbs use wiz_ plus the last 6 of the MAC. So, I created DHCP reservations for each of them, and described them in pfSense. The tool ensures that the description matches. Otherwise, it is a manual process: you have to update it in 2 places. And if you forget, it is very confusing, especially if you move and repurpose a device, which happens a fair bit with the smart plugs. With 302 Wi-Fi clients, double manual edits did not cut it. Hence why I created the tool.
  • Discussions about IPv6 connectivity and services

    2k Topics
    20k Posts
    S
    @ahole4sure My interpretation was that the sites see Hurricane Electric as a VPN. I ran into some pretty specific things like "this content not available in your region" type of stuff, like they blocked access from non-US IPs or whatever. Also I found HE was not that fast. Though of course it's free bandwidth, so what should one expect. You should be able to just disable IPv6 on LAN. May need to disable Router Advertisement or DHCPv6 first. The LAN devices may need a restart to clear out IPv6 IPs, though that will drop off eventually.
  • Discussions about IPsec VPNs

    6k Topics
    24k Posts
    F
    @thespirit I don't think it is really a bug. If it was changed so the auto-added rules were not overridden by a block-all rule, then that would be equally confusing, as block all wouldn't mean block all. The way the code which generates the rules works, it is pretty clear that user-added rules should always take priority; it probably just needs to be mentioned in the documentation somewhere.
  • Discussions about OpenVPN

    10k Topics
    53k Posts
    I
    The OpenVPN server is set up with FreeRADIUS as the auth source, Mobile-One-Time-Password turned on, users in FreeRADIUS. The config option static-challenge "Please enter your TOTP PIN" 1 is pushed to the clients. When the client connects from OpenVPN Connect with PIN (password in Connect) + TOTP from Google Authenticator, it gets "User authentication failed". The reason is that the client adds the TOTP before the PIN, and the server expects it to be after the PIN. How can I reconfigure the OpenVPN server on pfSense to accept the TOTP after the PIN?
  • Discussions about Captive Portal, vouchers, and related topics

    4k Topics
    19k Posts
    Gertjan
    @marcosm the patch looks beautiful:
    [25.07.1-RELEASE][root@pfSense.bhf.tld]/root: pfSsh.php playback pfanchordrill
    ################
    # ethernet rules
    ################
    ether anchor "cpzoneid_2_auth" on igc1 l3 all {
      anchor "192.168.2.38_32" all {
        ether pass in quick proto 0x0800 from 32:e4:ee:0b:29:c8 l3 from 192.168.2.38 to any tag cpzoneid_2_auth dnpipe 2016
        ether pass out quick proto 0x0800 to 32:e4:ee:0b:29:c8 l3 from any to 192.168.2.38 tag cpzoneid_2_auth dnpipe 2017
      }
      anchor "192.168.2.42_32" all {
        ether pass in quick proto 0x0800 from 26:e4:a6:2f:22:15 l3 from 192.168.2.42 to any tag cpzoneid_2_auth dnpipe 2010
        ether pass out quick proto 0x0800 to 26:e4:a6:2f:22:15 l3 from any to 192.168.2.42 tag cpzoneid_2_auth dnpipe 2011
      }
      anchor "192.168.2.43_32" all {
        ether pass in quick proto 0x0800 from 9a:65:2b:20:a3:b3 l3 from 192.168.2.43 to any tag cpzoneid_2_auth dnpipe 2012
        ether pass out quick proto 0x0800 to 9a:65:2b:20:a3:b3 l3 from any to 192.168.2.43 tag cpzoneid_2_auth dnpipe 2013
      }
      anchor "192.168.2.44_32" all {
        ether pass in quick proto 0x0800 from ac:1e:9e:70:cd:2d l3 from 192.168.2.44 to any tag cpzoneid_2_auth dnpipe 2014
        ether pass out quick proto 0x0800 to ac:1e:9e:70:cd:2d l3 from any to 192.168.2.44 tag cpzoneid_2_auth dnpipe 2015
      }
    }
    ether anchor "cpzoneid_2_passthrumac" on igc1 l3 all {
      anchor "28704e6249e5" all {
        ether pass in quick from 28:70:4e:62:49:e5 l3 all tag cpzoneid_2_auth dnpipe 2000
        ether pass out quick to 28:70:4e:62:49:e5 l3 all tag cpzoneid_2_auth dnpipe 2001
      }
      anchor "28704e6260bd" all {
        ether pass in quick from 28:70:4e:62:60:bd l3 all tag cpzoneid_2_auth dnpipe 2002
        ether pass out quick to 28:70:4e:62:60:bd l3 all tag cpzoneid_2_auth dnpipe 2003
      }
      anchor "9c05d6320095" all {
        ether pass in quick from 9c:05:d6:32:00:95 l3 all tag cpzoneid_2_auth dnpipe 2004
        ether pass out quick to 9c:05:d6:32:00:95 l3 all tag cpzoneid_2_auth dnpipe 2005
      }
      anchor "d8b370834988" all {
        ether pass in quick from d8:b3:70:83:49:88 l3 all tag cpzoneid_2_auth dnpipe 2006
        ether pass out quick to d8:b3:70:83:49:88 l3 all tag cpzoneid_2_auth dnpipe 2007
      }
    }
    ether anchor "cpzoneid_2_allowedhosts" on igc1 l3 all {
      anchor "188.165.53.87_32" all {
        ether pass in quick proto 0x0800 l3 from any to 188.165.53.87 tag cpzoneid_2_auth dnpipe 2008
        ether pass in quick proto 0x0800 l3 from 188.165.53.87 to any tag cpzoneid_2_auth dnpipe 2009
      }
    }
    ###################
    # translation rules
    ###################
    nat-anchor "natearly/*" all {
    }
    nat-anchor "natrules/*" all {
    }
    rdr-anchor "tftp-proxy/*" all {
    }
    ##############
    # filter rules
    ##############
    anchor "openvpn/*" all {
    }
    anchor "ipsec/*" all {
    }
    anchor "userrules/*" all {
    }
    anchor "tftp-proxy/*" all {
    }
  • Anything that does not fit in other categories related to the webGUI

    2k Topics
    10k Posts
    R
    Re: Suricata cannot change HOME NET list?
    I am trying to customize HOME_NET for Suricata on pfSense CE and something seems inconsistent between the GUI and the actual rule evaluation. What I did (following the recommended procedure from this thread):
      • Created an alias SURICATA_HOME_NET containing:
        10.0.10.0/24
        10.0.20.0/24
        10.0.30.0/24
        10.0.40.0/24
        192.168.200.200/32 (WAN IP of the firewall)
      • Created a Pass List, added that alias at the bottom, saved it.
      • In Suricata → Interface Settings (WAN), in “Networks Suricata Should Inspect and Protect”, I selected this Pass List as HOME_NET, saved and restarted Suricata.
      • In the WAN interface I can see via “View HOME_NET” that 192.168.200.200/32 is indeed listed as part of HOME_NET, and EXTERNAL_NET looks correct as !HOME_NET.
      • I added the following two custom rules to custom.rules on the WAN interface:
        alert tcp any any -> $HOME_NET 1:1024 (msg:"LAB T1046 SYN to HOME_NET"; flags:S; sid:4000001; rev:4;)
        alert tcp any any -> 192.168.200.200 1:1024 (msg:"LAB T1046 SYN to WAN"; flags:S; sid:3999999; rev:3;)
    After Save + Apply + restart of Suricata on WAN, I run:
        nmap -sS -Pn -p1-1024 192.168.200.200
    Result:
      • The rule with the literal IP (sid:3999999) triggers alerts as expected.
      • The rule using $HOME_NET (sid:4000001) never fires, even though 192.168.200.200/32 is clearly shown in the HOME_NET list in the GUI.
    At the same time, a very simple test rule:
        alert icmp any any -> any any (msg:"LAB TEST ICMP ANY"; sid:4999999; rev:1;)
    does fire normally on the same interface, so custom.rules is loaded and working.
    So the situation is: custom rules are loaded and working, the HOME_NET/EXTERNAL_NET Pass List is configured and visible in “View HOME_NET”, traffic definitely hits the WAN interface (the static-IP rule sees it), but rules using $HOME_NET as destination do not match that same traffic. Is this a known issue or am I misunderstanding how HOME_NET from a Pass List is applied internally?
    Any hints how to debug why $HOME_NET does not seem to include 192.168.200.200/32 at rule evaluation time, even though the GUI says it does?
  • Discussions about wireless networks, interfaces, and clients

    2k Topics
    11k Posts
    JonathanLee
    @w0w You can also run Squid on OpenWrt, I am told; there are so many packages. I have been playing with OpenWrt because TP-Link was doing some weird data harvesting and pfSense caught it in the act, right after I installed OpenWrt per @johnpoz's recommendations. I just run it in bridge mode now.
  • Discussions about monitoring via SNMP

    197 Topics
    609 Posts
    C
    I figured it out. My firewalls had an old unused OpenVPN client connection on them that was unstable, and every time it reconnected it got a new IP address, causing pfSense to restart all packages. And since it took down SNMP, we wouldn't get alerted about the interface going down either... So this issue is solved now.
  • Discussions about pfSense documentation, including the book

    186 Topics
    1k Posts
    opnwall
    As a volunteer translator, I suggest that the official website update the template files of the online translation (https://zanata.netgate.com/) in a timely manner, or open up the function of uploading po or mo files to replace the translation templates, which are still those of pfSense 2.50.
  • Topics related to developing pfSense: coding styles, skills, questions etc.

    1k Topics
    7k Posts
    M
    Yes.
  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    430 Topics
    3k Posts
    N
    This discussion about using pfSense for VPN interfaces and game server port forwarding is quite technical but very useful for gamers and network enthusiasts who want secure and optimized connections. It reminds me of how watching online movies also depends on stable and well-configured networks; both require speed, security, and smooth performance to fully enjoy the experience. Just like setting up pfSense ensures a seamless gaming session, having a good connection makes online movie streaming effortless and enjoyable.
  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    2k Topics
    12k Posts
    M
    I have a virtual machine based on KVM, which has 4 vCPUs and 8GB of RAM. When there is a lot of traffic, I experience packet loss: [image: 1762243948150-bmyi5fghd7fsrap2-resized.png] (The beginning has a lot of packet loss because I reset the machine with more power, thinking that might be the cause. However, real traffic begins at 11:40 a.m., and you can see that the latency and packet loss increase at that point.) CPU usage is around 10%, so that shouldn't be the problem. I have disabled ‘hardware checksum offload’. There is no difference, except that CPU usage is higher. I don't know what else could be causing this. Many thanks in advance for your help.
  • Discussions about pfSense hardware support

    8k Topics
    69k Posts
    W
    Can an i5 2500 route 10 gig? I have a spare Dell mini tower that cannot be upgraded to Win 11. Its motherboard has a PCIe v2 x16 slot. Bought an X540-T2, which can run at 10 gig. I have been offered 5 gig for a good price.
  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    457 Topics
    6k Posts
    J
    Rereading this I realize I didn't provide much context or frame the issue very well, and since I can't edit I'll post what the OP should have started with here. From the pfSense Docs: "Captive Portal in pfSense software forces users on an interface to authenticate before granting access to the Internet. Where possible, the firewall automatically presents a login web page in which the user must enter credentials such as a username/password, a voucher code, or a simple click-through agreement." Users have made many requests for something similar, but for authorizing access into the intranet instead of out to the internet. This is often called a "reverse portal". This would be useful for e.g. setting up MFA for WireGuard VPN connections or requiring login to access a different segment of the local network. Unfortunately, despite being nearly identical in implementation, Netgate explicitly states that their captive portal feature is not capable of acting as a reverse portal, aka authorizing access to the local intranet. One of the challenges with reverse portals is how to know when the user has disconnected and needs to reauthenticate. Here I propose a design where the user has to keep a browser tab with an open TCP connection (SSE with heartbeats) connected to the firewall for the pass rule to be enabled; when the connection closes, the pass rule is disabled and they will have to reauthenticate.
  • 10k Topics
    64k Posts
    stephenw10
    The blue-square LED turning purple indicates an upgrade is available. There was a backend glitch last week that showed the public RC available to some users. You probably saw that. https://docs.netgate.com/pfsense/en/latest/solutions/netgate-4200/io-ports.html#status-leds
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.