1. Home
  2. pfSense® Software

Subcategories

  • Announcements and information about pfSense software posted by the project team

    207
    Topics
    2.3k
    Posts

    stephenw10S

    Hmm, well I no idea how that could happen. I would expect to see some sort of config change logged. 😕

  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    26.3k
    Topics
    184.5k
    Posts

    stephenw10S

    If states have already been opened they will continue to pass traffic even if new rules would prevent those states.

  • Discussions about Multi-Instance Management.

    7
    Topics
    84
    Posts

    stephenw10S

    There isn't any specific handling in MIM for HA setups yet. It's something we expect to have though. It's exactly the sort of thing I'd want to see there.

  • Discussions about installing or upgrading pfSense software

    9.4k
    Topics
    60.3k
    Posts

    stephenw10S

    Is there anything actually connected to that SATA channel?

    If not you can probably disable it in the BIOS.

    Otherwise I'd try this system tunable:
    https://man.freebsd.org/cgi/man.cgi?query=ahci#SYSCTL

    Steve

  • Discussions about firewalling functionality in pfSense software

    9.6k
    Topics
    57.8k
    Posts

    bmeeksB

    @pfuser23984 said in CPU 100%, unbound and dhcpd restarting whenever the filter reloads:

    Just don't automatically discount the NIC, though. As mentioned, the Realtek devices can work okay and then start to get flaky when traffic loads increase. Lots of Google search results detailing that.

    When you installed the latest kmod driver, did you follow the steps outlined in this post:
    https://forum.netgate.com/topic/160529/realtek-nic-and-watchdog-timeout/13?

    SOMMOMMA!@##@!!

    That did it.
    I am used to linux where loading kernel drivers is easy to do and easy to verify. I did ithe install with pkg install realtek-re-kmod and rebooted... but the echo 'if_re_load="YES"' >> /boot/loader.conf.local was needed to load the new driver. Not really an intuitive process.

    I ran through my tests, and the problem is gone now. I've even restored gateway monitoring, patches and watchdog. The rc.newwanip still does its thing, but the re1 NIC no longer flaps, the dhcpd / unbound services no longer crash, the CPU no longer spikes making the system unusable until php-fpm is restarted.

    Thank you so much.

    Glad that fixed it for you 🙂.

  • Discussions about Network Address Translation (NAT)

    5.5k
    Topics
    30.8k
    Posts

    johnpozJ

    @SteveITS said in Port Forward is Ignored:

    There is also the “don’t block the world, allow your country” discussion which takes much less memory.

    ^Exactly - I use this method.. I only want US ips and currently Belgium (family living there using my plex) - so I just allow those in my port forwards and wan rules.. This by its very nature blocks all the other ones.. No reason to load up into the tables of bad countries IP of them, all need to load is the IPs that are US and Belgium.

  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    2.6k
    Topics
    11.7k
    Posts

    P

    Re: Custom CARP failover script

    I followed the instructions per the referred script. I want to launch a specific script when the node becomes CARP MASTER and another then the node becomes CARP BACKUP.

    I went to /etc/pfSense-devd.conf and I added at the end:

    notify 100 { match "system" "CARP"; match "type" "MASTER"; action "/usr/local/myscript.sh start"; }; notify 100 { match "system" "CARP"; match "type" "BACKUP"; action "/usr/local/myscript.sh stop"; };

    However, upon reboot of the BACKUP node, the script command referred in the MASTER is launched within the node (i.e. myscript.sh receives a start command), whereas it should not be launched at all)!

    If we manually stop the script at BACKUP and perform a failover (i.e. BACKUP now becomes MASTER), the start script is not invoked.

    It is as if the start script is launched at node startup, irrespective of CARP status, and nothing is performed on HA failover.

    MASTER node is version 24.11
    BACKUP node is version 2.7.2

    Any ideas?

  • Discussions about Layer 2 Networking, including switching and VLANs

    1.2k
    Topics
    9.9k
    Posts

    G

    @johnpoz Yes, I noticed that as well, so clearly things are working fine with NC and port forwards.

    You prob want to look into using acme (lets encrypt) to get a valid cert for whatever the fqdn that points to your public IP via your ddns entries.

    @dkthedriftking
    So take a look at HAProxy and try to set it up so that you secure your setup with a real signed certificate. Alternatively, perhaps depending on how you installed NextCloud on that machine... is it virtualized? You could install Nginx Proxy Manager which it likely even simpler to set up for this purpose, and other future servers.

  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    8.4k
    Topics
    40.8k
    Posts

    F

    This was too disruptive to the client to troubleshoot this further. We sent someone out to do a clean install of 2.7, then load the config back in. No issues since.

  • Discussions about traffic shaping and limiters

    3.0k
    Topics
    15.8k
    Posts

    D

    Hello

    I have Tailscale installed on my 2100 and it works very well.
    I publish 1 route to an internal server for clients.

    The internal server does NOT have Tailscale installed on it. I rely on the route being in place.
    I have also seen that all traffic from these Tailscale clients, to this internal server, appears to come from the router(PfSense's) ip address. This is expected.

    My question is :
    How do I limit/shape traffic for a tailscale client ?

    I thought of using limiters and the 100.x.x.x Tailscale IP address that the client has but the 100.x.x.x IP is not "visible/available" to be processed by the firewall. I assume this is because of the src ip being the router (above).

    Any advice ?
    I hope my question makes sense.

  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    6.5k
    Topics
    41.2k
    Posts

    provelsP

    @johnpoz I do run a "Smart TV Blocklist" that's pretty aggressive; I have had to WL a few things to get the built-in app to work. I think the Pi default was 1000 hits before throttling, I dropped it to 250, thought I'd want to know if something went wild (and it did). I think I'll go ahead and WL that domain and leave it be. It's probably Samsung just wanting to know everything I've looked at today so they can squeeze their advertisers some more. Thanks again for all your input!

  • Discussions about IPv6 connectivity and services

    2.0k
    Topics
    19.1k
    Posts

    A

    @JKnott After coming back to this a few days later all the wifi clients are now getting ipv6. Must of been some sort of delay from when the ISP gives out the ip addresses.

  • Discussions about IPsec VPNs

    5.7k
    Topics
    23.4k
    Posts

    L

    I do notice in 24.11, the LAN interface and LAN subnet are having a different link number:

    192.168.6.0/24 link#21 U lagg0.4091 192.168.6.1 link#16 UHS lo0

    You can see link#21 vs link#16.

    I don't have a 24.03 anymore, but on my other 22.05, the link numbers are same:

    10.147.10.0/24 link#20 U lagg0.40 10.147.10.1 link#20 UHS lo0

    Could this impact how ipsec policy does the route selection?

  • Discussions about OpenVPN

    9.7k
    Topics
    52.8k
    Posts

    johnpozJ

    @rajukarthik its just the normal openvpn community edition.

    [2.7.2-RELEASE][admin@test.mydomain.tld]/root: openvpn --version OpenVPN 2.6.8 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO] library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10

    Yeah it is a bit dated, sure that will update when 2.8 drops.. but its not the access server version.

    As to soc2 - As to the just community edition, prob not - since really the user of said edition can pretty much do anything they want with the config, were with the AS and Cloud versions of their server being more strictly controlled in what can be configured.

    Those 2 versions are not free, so sure they can get certification of meeting specific standards, etc. But I doubt they would run through such trouble with audits of controls, etc. for something the user might easy override even a config change.

    If you really want to make sure its soc2 compliant - I would run either of those on something other than pfsense. I have not heard of anything about being able to run say the as version on pfsense.

    I run an as version on one of my vpses - you can run it for free for max of 2 concurrent connections. Which for me is plenty for my use case.

  • Discussions about Captive Portal, vouchers, and related topics

    3.5k
    Topics
    18.6k
    Posts

    GertjanG

    @dmchavoc

    Vouchers are login codes that are created in a set. The set defines the duration of the codes it contains.
    As soon as a code is sued and validated, it's marked as 'activated' and the counter, defined by the set starts running.
    When the time is up, the voucher is marked as used, and can no longer be used.

    When you activate vouchers in pfSense, you can see a third line showing up on the captive portal login page, that is the place to enter the voucher code. It is advisable to create your own 'html' login page, so only the voucher code is requested from the portal user.

    If you make you html (php) login page, you could omit to show up the password text field, and in the code hard code it to for example "123456".
    Just leave the "User name" and rename it "Voucher".

    Now you can use FreeRadius, and set up a user :

    74386810-ec46-40bc-9b43-a250fb307b42-image.png

    ( the password is also set to 123456 here)

    and pick the time setting you want :

    0b00de48-6885-4d19-ab10-9e6e099f13b8-image.png

    As soon as the Voucher code "Voucher-code-secret" is used, the user can spend 30 minutes online before he gets kicked of the portal for this month. (The Forever option gave me errors ...)
    You, as the admin, you generate new and cleanup old "voucher" codes for example;ones a month.

  • Anything that does not fit in other categories related to the webGUI

    2.1k
    Topics
    9.9k
    Posts

    GertjanG

    @patient0 said in Error Response Received / Can't access the Web GUI But seems to be Working:

    And I would have thought that installing AdGuard (not an pfSense package AFAIK)

    @doug_gordon41 :
    A non pfSense package that uses the DNS port, thus blocking the resolver from using it.
    It has a web server, thus blocking the pfSense GUI from using it.
    Etc.

    Read Using Software from FreeBSD again ...

    Imho : re install pfSense.

  • Discussions about wireless networks, interfaces, and clients

    1.7k
    Topics
    11.1k
    Posts

    johnpozJ

    @DenverDesktopsSupport you should see your AP sending traffic to the IP of the controller over 8080

    Here I can see my APs talking to the controller 192.168.2.13, .2 is AP, .3 is AP .6 is a flex mini - sure if I let it run longer would see .4 checking in. Another one of my AP.

    root@UC:/home/user# tcpdump tcp port 8080 -n tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on ens3, link-type EN10MB (Ethernet), snapshot length 262144 bytes 18:06:51.984496 IP 192.168.2.2.33366 > 192.168.2.13.8080: Flags [S], seq 1295904412, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0 18:06:51.984574 IP 192.168.2.13.8080 > 192.168.2.2.33366: Flags [S.], seq 1349332694, ack 1295904413, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 18:06:51.985319 IP 192.168.2.2.33366 > 192.168.2.13.8080: Flags [.], ack 1, win 1825, length 0 18:06:51.985819 IP 192.168.2.2.33366 > 192.168.2.13.8080: Flags [.], seq 1:2921, ack 1, win 1825, length 2920: HTTP: POST /inform HTTP/1.1 18:06:51.985872 IP 192.168.2.13.8080 > 192.168.2.2.33366: Flags [.], ack 2921, win 497, length 0 18:06:51.985903 IP 192.168.2.2.33366 > 192.168.2.13.8080: Flags [.], seq 2921:5841, ack 1, win 1825, length 2920: HTTP 18:06:51.985917 IP 192.168.2.13.8080 > 192.168.2.2.33366: Flags [.], ack 5841, win 485, length 0 18:06:51.985953 IP 192.168.2.2.33366 > 192.168.2.13.8080: Flags [.], seq 5841:7301, ack 1, win 1825, length 1460: HTTP 18:06:51.985966 IP 192.168.2.13.8080 > 192.168.2.2.33366: Flags [.], ack 7301, win 479, length 0 18:06:51.985986 IP 192.168.2.2.33366 > 192.168.2.13.8080: Flags [.], seq 7301:8761, ack 1, win 1825, length 1460: HTTP 18:06:51.985996 IP 192.168.2.13.8080 > 192.168.2.2.33366: Flags [.], ack 8761, win 473, length 0 18:06:51.986032 IP 192.168.2.2.33366 > 192.168.2.13.8080: Flags [P.], seq 8761:9995, ack 1, win 1825, length 1234: HTTP 18:06:51.986042 IP 192.168.2.13.8080 > 192.168.2.2.33366: Flags [.], ack 9995, win 467, length 0 18:06:51.992519 IP 192.168.2.13.8080 > 192.168.2.2.33366: Flags [P.], seq 1:739, ack 9995, win 501, length 738: HTTP: HTTP/1.1 200 18:06:51.992926 IP 192.168.2.2.33366 > 192.168.2.13.8080: Flags [.], ack 739, win 1918, length 0 18:06:51.993288 IP 192.168.2.2.33366 > 192.168.2.13.8080: Flags [F.], seq 9995, ack 739, win 1918, length 0 18:06:51.999471 IP 192.168.2.13.8080 > 192.168.2.2.33366: Flags [F.], seq 739, ack 9996, win 501, length 0 18:06:51.999900 IP 192.168.2.2.33366 > 192.168.2.13.8080: Flags [.], ack 740, win 1918, length 0 18:06:53.722261 IP 192.168.2.3.43278 > 192.168.2.13.8080: Flags [S], seq 783712136, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0 18:06:53.722342 IP 192.168.2.13.8080 > 192.168.2.3.43278: Flags [S.], seq 4229788064, ack 783712137, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 18:06:53.723115 IP 192.168.2.3.43278 > 192.168.2.13.8080: Flags [.], ack 1, win 1825, length 0 18:06:53.723890 IP 192.168.2.3.43278 > 192.168.2.13.8080: Flags [P.], seq 1:8071, ack 1, win 1825, length 8070: HTTP: POST /inform HTTP/1.1 18:06:53.723948 IP 192.168.2.13.8080 > 192.168.2.3.43278: Flags [.], ack 8071, win 473, length 0 18:06:53.735694 IP 192.168.2.13.8080 > 192.168.2.3.43278: Flags [P.], seq 1:571, ack 8071, win 501, length 570: HTTP: HTTP/1.1 200 18:06:53.736341 IP 192.168.2.3.43278 > 192.168.2.13.8080: Flags [.], ack 571, win 1897, length 0 18:06:53.736530 IP 192.168.2.3.43278 > 192.168.2.13.8080: Flags [F.], seq 8071, ack 571, win 1897, length 0 18:06:53.739507 IP 192.168.2.13.8080 > 192.168.2.3.43278: Flags [F.], seq 571, ack 8072, win 501, length 0 18:06:53.739953 IP 192.168.2.3.43278 > 192.168.2.13.8080: Flags [.], ack 572, win 1897, length 0 18:06:54.183099 IP 192.168.2.2.33368 > 192.168.2.13.8080: Flags [S], seq 572379967, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0 18:06:54.183179 IP 192.168.2.13.8080 > 192.168.2.2.33368: Flags [S.], seq 2259487007, ack 572379968, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 18:06:54.183523 IP 192.168.2.2.33368 > 192.168.2.13.8080: Flags [.], ack 1, win 1825, length 0 18:06:54.186178 IP 192.168.2.2.33368 > 192.168.2.13.8080: Flags [P.], seq 1:1048, ack 1, win 1825, length 1047: HTTP: POST /inform HTTP/1.1 18:06:54.186237 IP 192.168.2.13.8080 > 192.168.2.2.33368: Flags [.], ack 1048, win 501, length 0 18:06:54.189203 IP 192.168.2.13.8080 > 192.168.2.2.33368: Flags [P.], seq 1:221, ack 1048, win 501, length 220: HTTP: HTTP/1.1 200 18:06:54.201339 IP 192.168.2.2.33368 > 192.168.2.13.8080: Flags [.], ack 221, win 1892, length 0 18:06:54.201339 IP 192.168.2.2.33368 > 192.168.2.13.8080: Flags [F.], seq 1048, ack 221, win 1892, length 0 18:06:54.201816 IP 192.168.2.13.8080 > 192.168.2.2.33368: Flags [F.], seq 221, ack 1049, win 501, length 0 18:06:54.202194 IP 192.168.2.2.33368 > 192.168.2.13.8080: Flags [.], ack 222, win 1892, length 0 18:06:55.250457 IP 192.168.2.6.61641 > 192.168.2.13.8080: Flags [S], seq 2944371139, win 2144, options [mss 536], length 0 18:06:55.250533 IP 192.168.2.13.8080 > 192.168.2.6.61641: Flags [S.], seq 3678065154, ack 2944371140, win 64240, options [mss 1460], length 0 18:06:55.251135 IP 192.168.2.6.61641 > 192.168.2.13.8080: Flags [.], ack 1, win 2144, length 0 18:06:55.251869 IP 192.168.2.6.61641 > 192.168.2.13.8080: Flags [.], seq 1:537, ack 1, win 2144, length 536: HTTP: POST /inform HTTP/1.1 18:06:55.251919 IP 192.168.2.13.8080 > 192.168.2.6.61641: Flags [.], ack 537, win 63784, length 0 18:06:55.251968 IP 192.168.2.6.61641 > 192.168.2.13.8080: Flags [P.], seq 537:1073, ack 1, win 2144, length 536: HTTP 18:06:55.251978 IP 192.168.2.13.8080 > 192.168.2.6.61641: Flags [.], ack 1073, win 63784, length 0 18:06:55.252691 IP 192.168.2.6.61641 > 192.168.2.13.8080: Flags [.], seq 1073:1609, ack 1, win 2144, length 536: HTTP 18:06:55.252732 IP 192.168.2.13.8080 > 192.168.2.6.61641: Flags [.], ack 1609, win 63784, length 0 18:06:55.252769 IP 192.168.2.6.61641 > 192.168.2.13.8080: Flags [P.], seq 1609:2145, ack 1, win 2144, length 536: HTTP 18:06:55.252778 IP 192.168.2.13.8080 > 192.168.2.6.61641: Flags [.], ack 2145, win 63784, length 0 18:06:55.253495 IP 192.168.2.6.61641 > 192.168.2.13.8080: Flags [.], seq 2145:2681, ack 1, win 2144, length 536: HTTP 18:06:55.253531 IP 192.168.2.13.8080 > 192.168.2.6.61641: Flags [.], ack 2681, win 63784, length 0 18:06:55.253575 IP 192.168.2.6.61641 > 192.168.2.13.8080: Flags [P.], seq 2681:3217, ack 1, win 2144, length 536: HTTP 18:06:55.253585 IP 192.168.2.13.8080 > 192.168.2.6.61641: Flags [.], ack 3217, win 63784, length 0 18:06:55.254271 IP 192.168.2.6.61641 > 192.168.2.13.8080: Flags [.], seq 3217:3753, ack 1, win 2144, length 536: HTTP 18:06:55.254292 IP 192.168.2.13.8080 > 192.168.2.6.61641: Flags [.], ack 3753, win 63784, length 0 18:06:55.254334 IP 192.168.2.6.61641 > 192.168.2.13.8080: Flags [P.], seq 3753:4289, ack 1, win 2144, length 536: HTTP 18:06:55.254345 IP 192.168.2.13.8080 > 192.168.2.6.61641: Flags [.], ack 4289, win 63784, length 0 18:06:55.255010 IP 192.168.2.6.61641 > 192.168.2.13.8080: Flags [.], seq 4289:4825, ack 1, win 2144, length 536: HTTP 18:06:55.255087 IP 192.168.2.13.8080 > 192.168.2.6.61641: Flags [.], ack 4825, win 63784, length 0 18:06:55.255465 IP 192.168.2.6.61641 > 192.168.2.13.8080: Flags [P.], seq 4825:4887, ack 1, win 2144, length 62: HTTP 18:06:55.255489 IP 192.168.2.13.8080 > 192.168.2.6.61641: Flags [.], ack 4887, win 63784, length 0 18:06:55.257519 IP 192.168.2.13.8080 > 192.168.2.6.61641: Flags [P.], seq 1:275, ack 4887, win 63784, length 274: HTTP: HTTP/1.1 200 18:06:55.258734 IP 192.168.2.6.61641 > 192.168.2.13.8080: Flags [F.], seq 4887, ack 275, win 1870, length 0 18:06:55.260294 IP 192.168.2.13.8080 > 192.168.2.6.61641: Flags [F.], seq 275, ack 4888, win 63784, length 0 18:06:55.260772 IP 192.168.2.6.61641 > 192.168.2.13.8080: Flags [.], ack 276, win 1869, length 0

    No need for wireshark - you can do the packet capture right on pfsense, or right on the AP even - here is running tcpdump right on the AP and you can see the traffic to the controller from this AP

    Hallway-BZ.6.7.10# tcpdump tcp port 8080 -n tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 18:13:02.035317 IP 192.168.2.2.33482 > 192.168.2.13.8080: Flags [S], seq 1380051285, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0 18:13:02.035816 IP 192.168.2.13.8080 > 192.168.2.2.33482: Flags [S.], seq 3050138923, ack 1380051286, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 18:13:02.035995 IP 192.168.2.2.33482 > 192.168.2.13.8080: Flags [.], ack 1, win 1825, length 0 18:13:02.037520 IP 192.168.2.2.33482 > 192.168.2.13.8080: Flags [.], seq 1:1461, ack 1, win 1825, length 1460: HTTP: POST /inform HTTP/1.1 18:13:02.037621 IP 192.168.2.2.33482 > 192.168.2.13.8080: Flags [.], seq 1461:2921, ack 1, win 1825, length 1460: HTTP 18:13:02.037697 IP 192.168.2.2.33482 > 192.168.2.13.8080: Flags [.], seq 2921:4381, ack 1, win 1825, length 1460: HTTP 18:13:02.037771 IP 192.168.2.2.33482 > 192.168.2.13.8080: Flags [.], seq 4381:5841, ack 1, win 1825, length 1460: HTTP 18:13:02.037815 IP 192.168.2.13.8080 > 192.168.2.2.33482: Flags [.], ack 1461, win 501, length 0 18:13:02.037879 IP 192.168.2.13.8080 > 192.168.2.2.33482: Flags [.], ack 4381, win 491, length 0 18:13:02.038025 IP 192.168.2.2.33482 > 192.168.2.13.8080: Flags [.], seq 5841:7301, ack 1, win 1825, length 1460: HTTP 18:13:02.038565 IP 192.168.2.13.8080 > 192.168.2.2.33482: Flags [.], ack 9960, win 497, length 0 18:13:02.043170 IP 192.168.2.13.8080 > 192.168.2.2.33482: Flags [P.], seq 1:739, ack 9960, win 501, length 738: HTTP: HTTP/1.1 200

  • Discussions about monitoring via SNMP

    196
    Topics
    597
    Posts

    keyserK

    @cameloid Here’s the original post I made when I discovered the bug:

    https://forum.netgate.com/topic/188050/24-03-causes-sustained-rise-in-processes-count-and-memory-usage

  • Discussions about pfSense documentation, including the book

    183
    Topics
    1.3k
    Posts

    S

    I am trying to follow the directions in this section of the documentation:

    https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-route-internet-traffic.html

    I am having no luck trying to set up outbound NAT at the distant end of an IPSec sit-to-site VPN, I have started a topic in the NAT section of the forum and am hoping someone can chime in. Meanwhile, these instructions cannot be followed since they specify to set the outbound NAT interface to "Interface address" which is not an option. From what I read, there are forum posts dating to 2023 that discuss how this option was removed. I would really like to see this section updated with info that matches the current system, or failing that, getting some replies in my topic in the NAT section that provide the assistance I'm needing.

  • Topics related to developing pfSense: coding styles, skills, questions etc.
    CE 2.8.0 Development Snapshots
    1.1k
    Topics
    6.0k
    Posts

    R

    You're absolutely right to question whether pfSense_get_interface_addresses() takes into account deprecated IPv6 addresses. From what you’ve described, it seems likely that the function doesn’t prioritise valid over deprecated addresses, which could indeed disrupt Dynamic DNS updates during prefix changes. This behaviour would need further investigation by reviewing the source code.

  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    423
    Topics
    2.8k
    Posts

    G

    @semtex99 With Moderate NAT you will be fine for the most part, especially when playing on public servers since they are typically set up to have Open NAT. With Moderate NAT you will even be able to play private matches in CoD, as long as your friends also have at least Moderate or Open NAT.
    There is one odd thing with MW2 (the old 2009 version) if you play that? It will not report anything but Strict NAT unless you have UPnP enabled. Even though it does work fine if you set up port forwarding manually...

    Perhaps make some tests with and without your Static Port rule in your Outbound NAT settings as well, to see what you get from that.

  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    1.9k
    Topics
    11.7k
    Posts

    B

    Re: High interrupt CPU usage in v2.7.1

    Bringing this back alive again since it is still an "issue". Has anyone found something concrete? Is it just a reporting bug?

    This also happens with pfSense +

  • Discussions about pfSense hardware support

    7.5k
    Topics
    68.3k
    Posts

    stephenw10S

    Hmm, and you're tying to compile the kmod pkg? I'm confused about where that Linux kernel reference came from?

  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    Completed Bounties Expired/Withdrawn Bounties
    456
    Topics
    6.4k
    Posts

    dennypageD

    @HLPPC said in FQ_Codel IEEE pulse match rules/code/(applet?)/ $500:

    Detection has to detect devices passing through managed switches to negotiate with the pSense, or correctly detect pulses while passing through pfSense in a bridge configuration to negotiate with a different device/router...

    Since auto-negotiation is not visible outside the two ends of the physical link, how would you expect this to work?

  • 9.6k
    Topics
    62.9k
    Posts

    bmeeksB

    @Pizzamaka said in unbound stops and won't start again + high cpu:

    What still puzzles me is why starting unbound through UI does not work whereas running pfblocker update does start unbound.

    Not 100% sure, but it could be that when killed unbound leaves behind its PID file in /var/run/. A shell script could potentially just unilaterally delete any existing unbound PID file before attempting to restart it. That's just a guess on my part, though, as I have not looked at the code in the pfBlockerNG scripts.

    When you attempt to restart the DNS Resolver from the GUI, do you see anything in the pfSense system log at that time mentioning a PID file for unbound? If you do, that would validate my guess.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.