1. Home
  2. pfSense® Software

Subcategories

  • Announcements and information about pfSense software posted by the project team

    215 Topics
    3k Posts
    brezlordB

    UI Update output.

    >>> Updating repositories metadata... Updating pfSense-core repository catalogue... Fetching meta.conf: . done Fetching data.pkg: . done Processing entries: . done pfSense-core repository update completed. 5 packages processed. Updating pfSense repository catalogue... Fetching meta.conf: . done Fetching data.pkg: .......... done Processing entries: .......... done pfSense repository update completed. 733 packages processed. All repositories are up to date. >>> Setting vital flag on pkg...done. >>> Setting vital flag on pfSense...done. >>> Renaming current boot environment from 25.03 to 25.03_20250719205419...done. >>> Cloning current boot environment 25.03_20250719205419...done. >>> Removing vital flag from php83...done. >>> Upgrading packages in cloned boot environment 25.03... Updating pfSense-core repository catalogue... pfSense-core repository is up to date. Updating pfSense repository catalogue... pfSense repository is up to date. All repositories are up to date. Checking for upgrades (10 candidates): .......... done Processing candidates (10 candidates): .......... done The following 10 package(s) will be affected (of 0 checked): Installed packages to be UPGRADED: if_pppoe-kmod: 25.03.b.20250515.1415.1500029 -> 25.07.r.20250715.1733.1500029 [pfSense] pfSense: 25.03.b.20250515.1415.1500029 -> 25.07.r.20250715.1733.1500029 [pfSense] pfSense-base: 25.03.b.20250515.1415 -> 25.07.r.20250715.1733 [pfSense-core] pfSense-boot: 25.03.b.20250515.1415 -> 25.07.r.20250715.1733 [pfSense-core] pfSense-default-config-serial: 25.03.b.20250515.1415 -> 25.07.r.20250715.1733 [pfSense] pfSense-kernel-pfSense: 25.03.b.20250515.1415 -> 25.07.r.20250715.1733 [pfSense-core] pfSense-pkg-Nexus: 25.03.b.20250515.1415 -> 25.07.r.20250715.1733 [pfSense] pfSense-pkg-System_Patches: 2.2.21_1 -> 2.2.21_2 [pfSense] pfSense-repoc: 20250419 -> 20250520 [pfSense] unbound: 1.22.0_1 -> 1.23.0 [pfSense] Number of packages to be upgraded: 10 The operation will free 12 MiB. 214 MiB to be downloaded. [1/10] Fetching unbound-1.23.0.pkg: .......... done [2/10] Fetching pfSense-pkg-System_Patches-2.2.21_2.pkg: ......... done [3/10] Fetching if_pppoe-kmod-25.07.r.20250715.1733.1500029.pkg: ... done [4/10] Fetching pfSense-pkg-Nexus-25.07.r.20250715.1733.pkg: .......... done [5/10] Fetching pfSense-kernel-pfSense-25.07.r.20250715.1733.pkg: .......... done [6/10] Fetching pfSense-base-25.07.r.20250715.1733.pkg: .......... done [7/10] Fetching pfSense-25.07.r.20250715.1733.1500029.pkg: .......... done [8/10] Fetching pfSense-boot-25.07.r.20250715.1733.pkg: .......... done [9/10] Fetching pfSense-default-config-serial-25.07.r.20250715.1733.pkg: . done [10/10] Fetching pfSense-repoc-20250520.pkg: .......... done Checking integrity... done (0 conflicting) [1/10] Upgrading unbound from 1.22.0_1 to 1.23.0... ===> Creating groups Using existing group 'unbound' ===> Creating users Using existing user 'unbound' [1/10] Extracting unbound-1.23.0: .......... done [2/10] Upgrading pfSense-repoc from 20250419 to 20250520... [2/10] Extracting pfSense-repoc-20250520: .. done [3/10] Upgrading if_pppoe-kmod from 25.03.b.20250515.1415.1500029 to 25.07.r.20250715.1733.1500029... [3/10] Extracting if_pppoe-kmod-25.07.r.20250715.1733.1500029: .. done [4/10] Upgrading pfSense-boot from 25.03.b.20250515.1415 to 25.07.r.20250715.1733... [4/10] Extracting pfSense-boot-25.07.r.20250715.1733: .......... done [5/10] Upgrading pfSense-pkg-System_Patches from 2.2.21_1 to 2.2.21_2... [5/10] Extracting pfSense-pkg-System_Patches-2.2.21_2: .......... done [6/10] Upgrading pfSense-pkg-Nexus from 25.03.b.20250515.1415 to 25.07.r.20250715.1733... [6/10] Extracting pfSense-pkg-Nexus-25.07.r.20250715.1733: .......... done [7/10] Upgrading pfSense-kernel-pfSense from 25.03.b.20250515.1415 to 25.07.r.20250715.1733... [7/10] Extracting pfSense-kernel-pfSense-25.07.r.20250715.1733: .......... done [8/10] Upgrading pfSense-base from 25.03.b.20250515.1415 to 25.07.r.20250715.1733... [8/10] Extracting pfSense-base-25.07.r.20250715.1733: ... done ===> Keeping a copy of current version mtree ===> Removing schg flag from base files ===> Extracting new base tarball ===> Removing static obsoleted files [9/10] Upgrading pfSense from 25.03.b.20250515.1415.1500029 to 25.07.r.20250715.1733.1500029... [9/10] Extracting pfSense-25.07.r.20250715.1733.1500029: .......... done [10/10] Upgrading pfSense-default-config-serial from 25.03.b.20250515.1415 to 25.07.r.20250715.1733... [10/10] Extracting pfSense-default-config-serial-25.07.r.20250715.1733: [10/10] Extracting pfSense-default-config-serial-25.07.r.20250715.1733... done Failed

  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    27k Topics
    189k Posts
    M

    @SteveITS

    Thank you for the clarification. You're right — better to be safe. I’ll update FW2 when I'm on site, and then FW1, which is my usual one.

  • Discussions about Multi-Instance Management.

    12 Topics
    100 Posts
    M

    You're right, that will work on the upcoming pfSense+ 25.07 release.

  • Discussions about installing or upgrading pfSense software

    10k Topics
    62k Posts
    W

    Hi,

    I recently upgrade from 2.7 to 2.8.

    As the upgrade process recommends - I uninstalled the packages before the upgrade, and installed them back after the upgrade.

    Is the packages config and integration with pfSense retained in this way? or should I restore from backup or do anything else?

  • Discussions about firewalling functionality in pfSense software

    10k Topics
    59k Posts
    johnpozJ

    @rasputinthegreatest well blocking and not log would just be any any udp to that ff0e::c address or port 1900 anything, etc. And don't have it log.

    As to the scanners - that is a pfblocker alias I have.. And put that in a floating rule.

    scandeny.jpg

  • Discussions about Network Address Translation (NAT)

    6k Topics
    31k Posts
    P

    @iggybuddy6 I'm just happy I could help. Today I went from thinking I knew everything about setting up wg on pfSense, to realising I did not, and that is a great reward in itself!

    Hopefully your setup will remain stable going forward.

  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    3k Topics
    12k Posts
    I

    Hello! Same thing here using Dyndns. 2.8 and 2.7.2 side by side, and it doesn't work in 2.8, it's getting the interface address, it doesn't seem to obey the Virtual IP instruction. The virtual IP field selects which (virtual) IP should be used when this group applies to a local Dynamic DNS, IPsec or OpenVPN endpoint.

  • Discussions about Layer 2 Networking, including switching and VLANs

    1k Topics
    10k Posts
    M

    @spickles Not following your entire note. Hopefully this is helpful.

    First, barring hosts that can tag their own traffic, in general every host that you want to place on a VLAN requires either a switch port somewhere to tag traffic onto the desired VLAN or, for WiFi, an AP that can tag hosts on an SSID onto the desired VLAN. (There are some exceptions to this like using a VLAN-aware switch to tag all traffic from a downstream dumb switch and Ubiquiti's Virtual Network Override, but let's not go there ...)

    Second, if the question is whether you can create a port on a pfSense box that can process multiple VLANs as separate subnets, the answer is yes. For example, I have a physical port, igc1, carrying 4 tagged VLANs and an untagged one between pfSense and the downstream switch fabric. pfSense routes for all of them.

    The four tagged VLANs are all tied to igc1 (so, igc1.15, igc1.20, etc.) under Interfaces>VLANs as shown in the first pic. A pfSense Network Port is created for each. Once created, each can be assigned to an Interface and configured with subnets and addresses under Interfaces/Interface Assignments, have DNS, DHCP, Firewall, etc., just like a physical interface. That's the second pic (black boxes to reduce the distraction of the box's other interfaces). So, 4 tagged VLANs plus 1 untagged on a single port. The untagged interface is igc1.

    dd20f6e5-e51c-4a46-9694-99dbf38bb5a0-image.png
    bd53a7c6-22b9-4f41-b89e-c9838a44781c-image.png

  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    9k Topics
    41k Posts
    T

    Hello pfSense users,

    I have 3 WANS. I setup aliases to route different IPs of my LAN subnet to different WANS. The device that is using a VPN (OpenVPN) to connect to the pfsense box is using 10.11.83.0/24 and is assigned 10.11.83.2, I can access the device on the computers that are using the same WAN as the VPN is on. The other computers that are using the other 2 WANS can not access or ping the device.

    Is there a way to set pfSense to route the 10.11.83.0/24 subnet to all the WANS so all the computers can access the device?

    Thanks for any help to this question.

  • Discussions about traffic shaping and limiters

    3k Topics
    16k Posts
    K

    @gemg83 I see what you're saying - it could be the jump from 12.3 to 14 on the BSD side.

    It really hampers the use of limiters in multi-WAN setups so it feels like an important bug (I call it a bug as it doesn't behave at all how the UI or documentation suggests, it's more like using them on a floating rule).

  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    7k Topics
    42k Posts
    johnpozJ

    @70tas said in Dynamic DNS (DDNS) fails to obtain public IP:

    how do you assume I have the wrong settings.

    Don't have to assume anything - your xml you posted has the wrong username.. you have your domain name in there - its not your email or you zone id for that domain.. So with how pfsense updates it no it would never work.

  • Discussions about IPv6 connectivity and services

    2k Topics
    20k Posts
    S

    e.g. https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/opt-lan.html#reject-other-firewall-bound-traffic

  • Discussions about IPsec VPNs

    6k Topics
    24k Posts
    stephenw10S

    @jvangent100 said in Upgrade from 2.7.2 to 2.8.0 ipsec:

    Is this a known issue ?

    No.

    Do you see blocked traffic in the firewall logs?

    Do you see the packet counters on the tunnels increasing still? In either direction?

  • Discussions about OpenVPN

    10k Topics
    53k Posts
    M

    @mav3rick said in OpenVPN on 2 pfsense instance with HA - service is running on both pfsense instances:

    So setting openvpn to bind only to the CARP VIP works fine for me

    Multi-WAN with HA there?
    If so, it would be a better idea to run openVPN server on localhost instead.
    This would allow it to receive connections from all WANs.

    No need to select a VIP, just forward packets from the WANs VIPs to localhost.
    You can use DNS, thus the client would connect to the WAN that is UP.
    Or
    You can use two remote entries in the .ovpn, with timeout lets say, 2 seconds.

    Then, just create the NAT rule to access the firewall-2, using the SYNC address as previously mentioned.

  • Discussions about Captive Portal, vouchers, and related topics

    4k Topics
    19k Posts
    stephenw10S

    Maybe you have 'https login' set?

  • Anything that does not fit in other categories related to the webGUI

    2k Topics
    10k Posts
    N

    @Gertjan said in Modifying Login Screen looks / logo.svg:

    so no documented way of doing things.

    Until now :)

    I have tweaked a bit and found out how to clean up the login screen, with the end result like so

    pfsense_simple.png

    This was fairly easily achieved. But remember, I am just a guy, i like to play around with stuff for fun to see how it works and what i can mod, so dont blame me if stuff breaks. Do this at your own risk, and always make sure you can roll back. But really we are just editing some css values and its likely fine, or easily fixed. Because pfSense is built beautifully. So to be more exact, this is how i did it:

    in system > advanced > Admin Access, check 'Enable Secure Shell' , so we can SSH into the pfSense box.

    in System > User Manager > Users, enable the 'admin' user, to enable root access to the SSH server *(It is considered good practice to disable this account afterwards again, to create a separate account from 'admin' and elevate it to the adminstrators group. But in pfsense 'admin' seems to be bound to the Linux 'root' account, so enabling this will allow us to SSH in using the 'root' user and modify the login page.

    In System > General Setup, enable the pfSense-dark theme. *(This is the theme I worked from. The results for other themes may vary)

    and also in System > General setup, select a background colour for the middle part of the login screen. You can add custom colors to this list, by editing /usr/local/www/system.php, near the end of that file is an item called 'Login page color'. You can add one or more items to this comma separated list like: ' "00ff00;" => gettext("newcolorname"), ' and your new color will be selectable.
    But you will have to modify 'login.css' by hand to include your new color if you want a uniform login screen. Since the banner at the top, and the footer at the bottom of the login screen are defined in this file, seperate from the 'login page background' color option you choose here.

    Then, SSH into the pfSense box as user 'root' and the password for the pfSense 'admin' user

    choose option '8) Shell'. (notice the prompt ending in '/root:', indicating you now have root access.

    type 'cd /usr/local/www/css'

    type 'vi login.new', and the VI editor will open a new file.

    press 'i' to start inserting text, then paste the following (right click in putty/kitty will paste the clipboard)

    @import url("/css/logo.css"); body, html { height: 100%; padding: 0; margin: 0; background-color: #000000; } body { width: 100%; } header { } #headerrow { position: fixed; height: 90px; top: 0; width: 100%; background-color: #000000; } .pagebody { position: absolute; top:90px; bottom:25px; width: 100%; color: #2a8c8e; overflow: hidden; } .pagebodywarn { position: absolute; top:140px; bottom:25px; width: 100%; color: #2a8c8e; } .nowarning { height: 80px; padding-top: 10px; } #hostspan { text-align: right; font-weight: bold; color: #ff0000; text-shadow: 2px 2px 2px #0000ff; } .msgbox { padding-right: 60px; padding-top: 25px; } @media only screen and (max-width : 768px) { /* only size 'xs' and below */ #headerrow { height: 100px; } .pagebody { top: 100px; } .pagebody2 { top: 250px; } .nowarning { height: 60px; } .msgbox { padding-right: 0px; padding-top: 0px; } #hostspan { text-align: center; } } #footertext { position: fixed; height: 1px; bottom: 0; width: 1%; background-color: #000000; color: #000000; text-align: center; } .loginCont { position: absolute; top: 50%; left: 50%; transform: translate(-50%,-50%); height: 55%; width: 80%; } .error-panel a { color: #2a8c8e; } p.form-title { font-family: 'Open Sans' , sans-serif; font-size: 25px; font-weight: 999; text-align: center; color: #ff0000; margin-top: 5%; text-transform: uppercase; letter-spacing: 12px; } form.login { max-width: 270px; margin: 0 auto 20px auto; } form.login input[type="text"], form.login input[type="password"] { width: 100%; margin: 0; padding: 10px 10px; background: 0; border: 0; border-bottom: 1px solid #FFFFFF; outline: 0; font-style: italic; font-size: 18px; font-weight: 600; letter-spacing: 1px; margin-bottom: 5px; color: #FF0000; outline: 0; } form.login input[type="submit"] { width: 60%; font-size: 14px; text-transform: uppercase; font-weight: 700; border: 4; border-color: #ff0000; color: #ff0000; margin-top: 36px; outline: 0; cursor: pointer; letter-spacing: 1px; display: block; margin : 0 auto; margin-top: 36px; background-color: #000000; } form.login input[type="submit"]:hover { transition: background-color 0.5s ease; color: #ffffff; } form.login label, form.login a { font-size: 12px; font-weight: 400; color: #00ff00; } form.login a { transition: color 0.5s ease; } form.login a:hover { color: #2a8e8c; } .logoCol { height: 100%; } #logodiv svg#logo { width: 1px; height: 1%; background-color: #ff0000; } /** Re-style web-kit browser autocomplete boxes (Fixes Chrome's ugly yellow background) **/ @-webkit-keyframes autofill { to { color: #00ced2; background: transparent; } } input:-webkit-autofill { -webkit-animation-name: autofill; -webkit-animation-fill-mode: both; }

    then press 'Escape' to exit editing mode

    write ':wq' to write the text to file and quit the VI editor.

    then write 'mv login.css login.old'

    and 'mv login.new login.css'

    then type 'exit'.

    Then, after you opened your browser and enjoyed your new clean login screen, you can disable the 'admin' user and Secure Shell again :)

    Some notes:

    These modifications will presumably be reset by every update. this is mainly why i made this write up ;)

    The fix for the original question about removing the logo.svg, and the footer, was to make the logo and the footer 1px high by 1% width in the login.css file.

    With minor modifications it is easy to make any 2 color setup with this, by adding a custom color for the background to system.php, and modifying login.css and pfSense.css/pfSense-dark.css to include the new background and foreground color.

    Where it says 'Login to pfSense' is also where the hostname would be if you select the option to display the hostname on the login page. It is possible to remove this text, as well as the 'SIGN IN' text above the user field, by editing the login.css and making the text the same color as the background and 1px high.

    The 'Sign In' button will always fade to the default green button once you press it. I have not yet found how to fix that behavior.

    I have not yet found how to edit the grey color of the 'Username' and 'Password' that are pre-filled in the input boxes. I think that is a default behavior like the green Sign in button on-press, and since it is not defined it is hard to find. The text filled into those boxes do correspond with the red in this theme, and are defined in login.css as well.

    The CSS for pfSense is highly customisable, it will allow for text decorations and some shadow effects up to a limit. above the limit the effect will disable itself.

    If you also edit pfSense.css or pfSense-dark.css, you can edit some colors from the pfSense interface as well, to match the login screen. Mainly the pfsense logo color and the highlighted text color are nice to get in line with the color scheme chosen for the login screen.

  • Discussions about wireless networks, interfaces, and clients

    2k Topics
    11k Posts
    N

    @elvisimprsntr thanks for the chart! Getting rid of the ISP's Bridge Mode router and plugging the ethernet cable from the wall directly in Vault's WAN port has solved it...hopefully permanently.

  • Discussions about monitoring via SNMP

    197 Topics
    609 Posts
    C

    I figured it out 🤦. My firewalls had an old unused OpenVPN client connection on it that was unstable and every time it reconnected, it got a new IP address causing pfsense to restart all packages, and since it took down SNMP, we wouldn't get alerted about the interface going down either...
    So this issue is solved now

  • Discussions about pfSense documentation, including the book

    186 Topics
    1k Posts
    opnwallO

    As a volunteer translator, I suggest that the official website update the template files of the online translation (https://zanata.netgate.com/) in a timely manner, or open the function of uploading po or mo files to replace the translation templates that are still in pfsense 2.50.

  • Topics related to developing pfSense: coding styles, skills, questions etc.
    1k Topics
    7k Posts
    stephenw10S

    Hmm, so both the service and none of the tunnels were up after rebooting several times?

    Nothing logged at boot or in the system log? No errors shown?

  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    427 Topics
    3k Posts
    jimpJ

    Updated with Switch 2 info at the end of the first post. tl;dr same as Switch 1 for IPv4, but the console itself appears to support IPv6 (likely depends heavily on the game and peers).

  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    2k Topics
    12k Posts
    T

    Yesterday we built a new pfSense 2.7.2 cluster, master firewall was running for over a week without problems, but about half an hour after setting up CARP and pfSync to the new slave it died with known hvevent problem. It then died several times, again and again.. Not sure but maybe it has something to do with either CARP/ConfigSync/pfSync or multicast traffic (because we know dying pfsense setups without carp configured, so might be multicast traffic in the network which triggers something).

    We have had the same experience with our only OPNsense setup, of which the master is running smoothly since we removed the slave firewall.

  • Discussions about pfSense hardware support

    8k Topics
    69k Posts
    B

    For anyone interested in the exciting conclusions... it worked fine in the 16x slot for 2 weeks and is still in there now
    I put an I340-T4 in the 1x slot at the same time and left that running and that has been perfectly fine as well

    It seems to be an incompatibility between the 1x slot and the I350 specifically but i'm not sure why. In either case, the issue seems to be resolved

    It may be something specific to AM5 and the I350 in the 1x, or just the I350 and the 1x alone but if anyone else for some reason tries the same, at least you know what symptoms manifest and what the cause was

    Thanks again for those that helped and commented

  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    457 Topics
    6k Posts
    S

    @winkmichael Thanks so much. I'll look into it some more, but you were a great help. What I meant by a 0 point release is that is it basically an alpha or beta version until it reaches version 1.x This to me has historically been an indication that it shouldn't be deployed in mission critical spaces or commercial spaces, but good to hear it is very active and very reliable. thanks again

  • Categories that are no longer active, but are present for reference

    10k Topics
    63k Posts
    M

    @Patch Yes, I have just confirmed that it is related to early DNS registration

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.