Subcategories

  • Announcements and information about pfSense software posted by the project team

    217 Topics
    3k Posts
    @KOM Ah. Those were the days. Spend three days typing in the code and then two weeks debugging. Got some great skills from those days.
  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    27k Topics
    190k Posts
    I think it's time one of the MODS lock this thread.
  • Discussions about Multi-Instance Management.

    14 Topics
    113 Posts
    It's normally not recommended but it should be fine for a quick edit. IIRC it's under the system tree - it will be obvious since it's a long base64 string.
  • Discussions about installing or upgrading pfSense software

    10k Topics
    62k Posts
    https://jumpshare.com/s/wIn5syv1KFQ0VrLvrSdX
  • Discussions about firewalling functionality in pfSense software

    10k Topics
    59k Posts
    johnpoz
    @nirmelamoud said in Nat stop working after certificate renewal: I See access denied (its 403) There is no possible way pfsense could do that - and when I go to the IP and see your website with pictures via https - I just get a timeout. I get no 403; a 403 is telling you you can't go there.. Not the firewall. And if you're seeing traffic to 443 blocked in the logs - why/how could it be sending a 403??? You understand when you block in a firewall all it does is ignore the traffic.. So your client just never gets an answer. If you are not going to actually show us your rules (rule order matters, maybe you have it set for udp or something), nor do any of the basic port forwarding troubleshooting that takes all of 30 seconds tops to do - nobody is going to be able to help you.. Go to canyouseeme.org - send traffic.. Sniff on your wan: do you see the traffic come in.. Do you see any sort of response, ie a Syn,ACK? If you see no response, now sniff on the lan side and do the same test: do you see pfsense send on the traffic.. If you do then pfsense did its thing; whatever is not working for you has zero to do with pfsense.
  • Discussions about Network Address Translation (NAT)

    6k Topics
    31k Posts
    johnpoz
    @sho1sho1sho1 nothing in the resolver would or could do that.. You running pfblocker? Show the rule in your ruleset. There is this feed in pfblocker [image: 1755628936429-pfblocker.jpg] That sure doesn't even look like a NS ;; QUESTION SECTION: ;4.64.4.64.in-addr.arpa. IN PTR ;; ANSWER SECTION: 4.64.4.64.in-addr.arpa. 28800 IN PTR wnpgmb0273w-dr09-v924.mts.net. And it doesn't even answer dns, at least not from me. That is a bell canada IP.. Is that who you use for ISP?
  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    3k Topics
    12k Posts
    Alright, last post from me. Leaving it here so someone can find it. The documentation concerning CARP is wrong: "A High Availability cluster using CARP needs three IP addresses in each subnet along with a separate unused subnet for the Sync interface." The fact is, a High Availability cluster using CARP needs only one IP address. It only ever needed one IP address. This statement directly contradicts all the documentation available from carp(4) and the FreeBSD handbook. The distinction that I initially missed, but now have reread and understand, is that when using a single IP assigned to a VIP, so long as there isn't an existing network with another IP in that same network, then the network for that VIP should in fact be whatever that network is. Otherwise it should be a /32. Let's put it this way for a further understanding (pseudo interface configuration):

    Server 1 (Primary):
    ifconfig em0 inet 192.168.0.10.1/24
    ifconfig em0 inet 192.168.0.0.2/24 alias
    ifconfig em0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias

    Server 2 (Backup):
    ifconfig em0 inet 192.168.0.0.2/24
    ifconfig em0 inet 192.168.0.0.3/24 alias
    ifconfig em0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias

    In the above example, if the OS chooses the VIP of 192.168.0.1/24 for packets sourced from Backup, Backup will never see the response, as they'll go to Primary instead. Going to primary is the expected part. Source selection of 192.168.0.1 is the unexpected part, but it's unexpected because the netgate documentation is just wrong, as this VIP should have been a /32. Documentation where the VIP isn't a /32, to which netgate is correct:

    Server 1 (Primary):
    ifconfig em0 inet 192.168.0.10.1/24
    ifconfig em0 inet 192.168.0.1.1/24 alias
    ifconfig em0.123 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias

    Server 2 (Backup):
    ifconfig em0 inet 192.168.0.0.2/24
    ifconfig em0 inet 192.168.0.1.2/24 alias
    ifconfig em0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias
  • Discussions about Layer 2 Networking, including switching and VLANs

    1k Topics
    10k Posts
    patient0
    @piook said in Take two at this a year and no replies later.: But when I connect the LAN port to the switch and everything over that port is 1GB Full duplex. Which port on the USW Pro Max 16 are you connecting the LAN cable to? Of course you are aware that only 4 ports are 2.5G on that switch (according to the product page). What does speed selection show if you remove the LAN cable, still 1G as the fastest speed selectable? What happens when you switch the ports from the pc and the LAN cable? In general you would have better support on the Unifi forum I think.
  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    9k Topics
    41k Posts
    I'm gonna give up and return the Range Extender. There does not appear to be a workaround or resolution to it isolating itself and devices connected to it when in Wifi Range Extender mode. Wired AP Mode is just not possible for me as running cable to the garage is not an option. I'll look into converting my setup to a Mesh system as that appears to be the best solution. Thank you, @SteveITS , for all your help and suggestions. Cheers.
  • Discussions about traffic shaping and limiters

    3k Topics
    16k Posts
    stephenw10
    I don't believe it is the same root cause. That is fixed in 2.8.1-beta. https://redmine.pfsense.org/issues/16282
  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    7k Topics
    43k Posts
    @Gertjan I think you misunderstood, the lease works fine, the machine gets the proper IP, it's just that it doesn't register the IPv6 to the DNS Resolver.
  • Discussions about IPv6 connectivity and services

    2k Topics
    20k Posts
    Hi all, today I would like to seek help for a connection problem which I was not able to solve for a while now. The description below is all about IPv6. V4 works fine. This is my setup:

    internet
       ^
       |
    +---------+
    | pppoe0  |
    |         |
    | igb0    |
    +---------+
       |
       v
    LAN/Wifi

    In the LAN, there are Windows, Linux and Android clients. Android Clients don't have any problem. Windows and Linux clients do have problems with a few websites, but not all. Example for a problematic site: https://www143.your-server.de Example for a working site: https://ipv6.google.com or test-ipv6.com (10/10 points there). On the problematic site, the client just gets a timeout, for example:

    raspi$ time curl -6 -sS --max-time 10 https://www143.your-server.de
    curl: (28) Connection timed out after 10001 milliseconds
    real 0m10,066s
    user 0m0,165s
    sys 0m0,043s

    If I do the exact same call on the pfsense itself, it works without problems:

    /root: time curl -6 -sS --max-time 10 https://www143.your-server.de > /dev/null
    0.068u 0.015s 0:00.13 53.8% 194+237k 0+0io 0pf+0w

    In my understanding this tells me that there must be a problem on the client (not likely) or on the pfSense (most likely). From the ISP (Dt. Telekom) onwards all works fine as we see. I took network traces on the raspi. What I see there is that the TCP handshake is OK (small packets), and I think also the get request goes out OK (packet no. 4 with length 591). [image: 1756033659902-raspi-failed.png] When I take a trace on pppoe0 and make a working curl-call in the pfsense, I see the same packets going in and out, but then a couple of big packets come in, which contain the payload I guess (packets 6 and 7) [image: 1756033784290-pfsense-pppoe0-success.png] Now all of this looks not very exciting. ICMP "Packet too big" is dropped by some paranoid filter, IPv6 black hole, that's it. BUT first of all: I don't see any such ICMP packet coming in on pppoe0. There is no ICMP traffic at all on pppoe0 when I run the curl call on the raspi.
    Secondly: I just don't have any firewall rule that would block ICMP. I suspect that the pfSense is misbehaving. The reason for this is that I played around with NPt. And I read somewhere that "Packet too big" messages get lost when NPt is active. However, I disabled NPt completely and deleted any related config. And anyway there are no packet-too-big packets, so none can get lost. If someone is interested I can provide the trace files. Does anyone here have any idea what steps I could take next?
  • Discussions about IPsec VPNs

    6k Topics
    24k Posts
    I have a hub and spoke setup using IPSEC policy routing (tunnel mode, not VTI mode). Currently my “spoke” sites have a P2 in their tunnel to the “hub” that is 10.0.0.0/8 (all my sites have lans that are 10.X.0.0/16, replace X with a different number per site). The P2s in the hub site obviously list each spoke site’s LANs as remote networks and 10.0.0.0/8 as a local network. This enables traffic to move not only from any spoke to the hub, but also allows traffic to pass from any spoke to any other spoke by transiting through the hub. This has worked very seamlessly. However I am looking at making some on premise services have more redundancy. This is centered mostly around radius authentication and domain controllers. I’d like to have a situation where the “spokes” have direct tunnels to three “core” locations, while still using the current “hub” as a transit site for spoke to spoke traffic and as a “core” location with redundant infrastructure. It occurs to me that just adding two additional tunnels for each spoke might not be a good idea. The P2s of the new tunnels will have each core site listed as a remote network. The 10.0.0.0/8 will remain for the links to the hub but this will obviously overlap with the new core site P2s. What are the potential issues with this? I have considered going to VTI + OSPF for this and I’m not really interested in it. I can run it in a lab with no issue, but in production all my sites have HA/CARP running. VTI + OSPF involves adding an Interface Assignment for every vpn tunnel. It’s already aggravating enough getting the physical interfaces and vlan interfaces added in exactly the correct order for HA to work. I am extremely uninterested in complicating that problem further to the point I am willing to abandon the entire project if it’s the only way.
    My only solutions are policy IPSEC with overlapping P2s if that will work without issues or OpenVPN + OSPF (this config seems to work without making manual interface assignments but it’s OpenVPN and, therefore, slow). Has anyone tried policy ipsec in this configuration? Does it work? Does it work but with issues?
  • Discussions about OpenVPN

    10k Topics
    53k Posts
    yon 0
    @Antibiotic said in OPENVPN DCO pfsense 25.07.1: @yon-0 If you ever connect to older OpenVPN servers (e.g., 2.4.0–2.4.4), you’ll need to disable DCO on your client to fall back to DATA_V1: The DATA_V2 format in OpenVPN is a streamlined, secure packet structure designed for use with AEAD ciphers (like AES-GCM or ChaCha20-Poly1305) and Data Channel Offload (DCO). It replaces the older DATA_V1 format and is required for kernel-level acceleration and modern encryption. When OpenVPN prepares a DATA_V2 packet: It selects an AEAD cipher; Generates a Packet ID (used as part of the nonce); Encrypts the payload and attaches the Auth Tag; Sends the packet with Opcode, Peer-ID, and encrypted content. No IV or HMAC is needed — AEAD handles it all internally. Generates a Packet ID (used as part of the nonce) Sends the packet with Opcode, Peer-ID, and encrypted content how to do it?
  • Discussions about Captive Portal, vouchers, and related topics

    4k Topics
    19k Posts
    johnpoz
    Yeah this used to be an issue, where once a new release came out updating packages could install a package from the new release even if you were on the old.. But I thought that was addressed a while back. From my understanding you shouldn't see new packages available for version Y when you are still on X.
  • Anything that does not fit in other categories related to the webGUI

    2k Topics
    10k Posts
    @marcosm Thanks for the info. "Do not wait for a RA" was not checked. I checked it, enabled DHCP6 Debug, and rebooted the system. I'll watch for a recurrence of the behavior reported here.
  • Discussions about wireless networks, interfaces, and clients

    2k Topics
    11k Posts
    provels
    @opticalc Intel.
  • Discussions about monitoring via SNMP

    197 Topics
    609 Posts
    I figured it out. My firewalls had an old unused OpenVPN client connection on them that was unstable, and every time it reconnected it got a new IP address, causing pfsense to restart all packages, and since it took down SNMP we wouldn't get alerted about the interface going down either... So this issue is solved now.
  • Discussions about pfSense documentation, including the book

    186 Topics
    1k Posts
    opnwall
    As a volunteer translator, I suggest that the official website update the template files of the online translation (https://zanata.netgate.com/) in a timely manner, or open the function of uploading po or mo files to replace the translation templates that are still in pfsense 2.50.
  • Topics related to developing pfSense: coding styles, skills, questions etc.

    1k Topics
    6k Posts
    luckman212
    This section of the pfSense Docs says: Any shell script can be placed in the /usr/local/etc/rc.d/ directory. The firewall will execute every shell script ending in .sh in this directory at boot time and also during certain system events (e.g. interface link changes, IP address changes, and gateway events). Is it documented somewhere exactly which system events these are, and what scripts will be triggered?
  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    427 Topics
    3k Posts
    @BMD Good to hear it’s stable now.
  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    2k Topics
    12k Posts
    Hey, I've seen this post regarding the vm_fault with page error on these forums before, however the language was Ukrainian. I'm running pfSense 2.8.0 CE virtualized on xcp-ng. The VM is allocated 8Gb RAM with 200 GB disk space. I've rebooted the VM, however I'm still getting:

    Aug 24 08:28:01 kernel vm_fault: pager read error, pid 28551 (rrdtool)
    Aug 24 08:28:01 kernel vm_fault: pager read error, pid 28551 (rrdtool)
    Aug 24 08:28:01 kernel vm_fault: pager read error, pid 28551 (rrdtool)
    Aug 24 08:28:01 kernel vm_fault: pager read error, pid 28551 (rrdtool)
    Aug 24 08:28:01 kernel vm_fault: pager read error, pid 28551 (rrdtool)
    Aug 24 08:28:01 kernel vm_fault: pager read error, pid 28551 (rrdtool)
    Aug 24 08:28:01 kernel vm_fault: pager read error, pid 28551 (rrdtool)
    Aug 24 08:28:01 kernel vm_fault: pager read error, pid 28551 (rrdtool)
    Aug 24 08:28:01 kernel vm_fault: pager read error, pid 28551 (rrdtool)
    Aug 24 08:28:01 kernel vm_fault: pager read error, pid 28551 (rrdtool)
    Aug 24 08:28:01 kernel vm_fault: pager read error, pid 28551 (rrdtool)
    Aug 24 08:28:01 kernel vm_fault: pager read error, pid 28551 (rrdtool)

    From what I've read this seems like a hardware error, however this is in a virtual environment. I don't see any error within the xcp-ng hypervisor host or other VM's running on the hypervisor. Am I best running a mem86 test on the host, see if there is failing RAM -- replace if needed -- and if not recreate the pfsense VM?
  • Discussions about pfSense hardware support

    8k Topics
    69k Posts
    @Conjurer No worries, thank you for the reply. I was hoping you did the HWP on modification on your own and could help me achieve it for my 13th gen. system, since the bios from this forum will brick my machine.
  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    457 Topics
    6k Posts
    Rereading this I realize I didn't provide much context or frame the issue very well, and since I can't edit I'll post what the OP should have started with here. From the pfSense Docs: Captive Portal in pfSense software forces users on an interface to authenticate before granting access to the Internet. Where possible, the firewall automatically presents a login web page in which the user must enter credentials such as a username/password, a voucher code, or a simple click-through agreement. Users have made many requests for something similar, but for authorizing access into the intranet, instead of out to the internet. This is often called a "reverse portal". This would be useful for e.g. setting up MFA for wireguard vpn connections or requiring login to access a different segment of the local network. Unfortunately, despite being nearly identical in implementation, netgate explicitly states that their captive portal feature is not capable of acting as a reverse portal, aka authorizing access to the local intranet. One of the challenges with reverse portals is how to know when the user has disconnected and needs to reauthenticate. Here I propose a design where the user has to keep a browser tab with an open tcp connection (SSE with heartbeats) connected to the firewall for the pass rule to be enabled; when the connection closes the pass rule is disabled and they will have to reauthenticate.
  • 10k Topics
    64k Posts
    stephenw10
    Yes this needs to be addressed. But I would argue that if you can set the pppoe password you already have a high level access and could break things far more easily.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.