pfSense® Software

Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

Subcategories

Messages from the pfSense Team

Announcements and information about pfSense software posted by the project team

174
Topics

1695
Posts

@dylan-fraser said in pfSense Community Edition (CE) 2.5.0 and pfSense Plus 21.02 now available!:

ISSUE WITH UPGRADE - Netgate SG-3100

OPENVPN client on Netgate SG-3100 issue with portfowarding traffic from OVPN interface.

pfsense.PNG

I run OpenVPN on generic router box and had no issues with 2.5.x releases.
I would assume that for Netgate SG-3100 issue it'd be addressed by Netgate guys quickly. Do we have a confirmed bug for this problem in the tracking system ?
General pfSense Questions

Discussions about pfSense software that do not fit into one of the more specific categories below.

20327
Topics

121938
Posts

L

@NollipfSense now I added any to any.

alt text
Installation and Upgrades

Discussions about installing or upgrading pfSense software

8490
Topics

52674
Posts

D

After a discussion with support I decided my new upgrade procedure will be:
Download img for current install version (if I don't already have it). Download img for new release. Backup my config. Run the upgrade from the console. If it is successful -> done If it fails install the img from the new release with the retain config option. If the new img is successful but the config failed restore the config from backup. If the new img install fails do #6/7 using the old img.
Determining what is successful can be subjective or could take a while to realize. Fortunately our firewall configuration is somewhat static so we can run on a new release for a while and still roll back relatively easily.

For major releases (21.02) I'm leaning towards going directly to a img install on those.
Firewalling

Discussions about firewalling functionality in pfSense software

8041
Topics

46418
Posts

@kps1234

Per what connection?
NAT

Discussions about Network Address Translation (NAT)

4812
Topics

26090
Posts

V

I am also just a user who shares your pain, stuck on 2.5.1, any guesses will just be speculation at at this time.
HA/CARP/VIPs

Discussions about High Availability, CARP, and utilizing additional IP addresses

2145
Topics

9834
Posts

@mitchell-0 High Availability on the interfaces should be enough justification for /29s on the interfaces.
L2/Switching/VLANs

Discussions about Layer 2 Networking, including switching and VLANs

554
Topics

4586
Posts

T

Well, I'm no expert but I got it working on my end, esxi 6.7, but using layer 2 'lite' layer 3 switches from Netgear though. I kept the management network on my default LAN, thinking that if there were issues with the VLAN, I want to be able to reach the management network without a fuss. I put two nics on that original vswitch, for the management network, and put the rest on a new port group on a second vswitch that I created for the VLAN. Put it in VLAN 4095 (will probably move it to the right VLAN at some point- 4095 means all VLANS). I then set the Netgear switch ports that came from the VMs in ESXI to the correct VLAN and it's working.

I don't know why it drops, maybe more information as to how it is set? One vswitch with everything in it (management/vlans all in the same vlan) or multiple vswitches..., plus I don't know how your physical switch handles the vlans, I never tried TP Link with vlans before.
Routing and Multi WAN

Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

7284
Topics

34387
Posts

T

I attempted to submit this as a bug on this issue but it was rejected blaming it on my configuration or my provider. the problem doesn't exist with release candidate 2.5.1.r.20210403.0300. As I stated no config changes were made. The configuration has worked for several years However with version 2.5.1 and later the packet loss issues appear. I roll back to the release candidate or older all works as before. I've installed from scratch & attempted multiple configuration changes with no success. Is there anyone using multiple OpenVpn clients in a similar failover fashion confirm that this problem stated above does or does not exist for them? When community forums aren't helpful and bug reports are rejected where does one turn? OPNSense?
Traffic Shaping

Discussions about traffic shaping and limiters

2750
Topics

14960
Posts

C

I have Codel enabled. It's hard to post all the settings here, there are lots of them. I basically just followed the video by Lawrence Systems on youtube. Recently I noticed that if I load the connection up to the point that I configured Codel to allow, pings from inside the LAN get dropped:
--- 1.1.1.1 ping statistics --- 835 packets transmitted, 64 received, 92.3353% packet loss, time 853240ms rtt min/avg/max/mdev = 11.313/19.177/77.871/8.155 ms
but pings from the pfSense machine itself are fine:
--- 1.1.1.1 ping statistics --- 19 packets transmitted, 19 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 16.753/22.770/32.509/4.013 ms
If I disable the Codel floating rule the ICMP packets don't get dropped at all.

This behavior is surprising to me because I expected that the codel algorithm would say "I'm going to allow these small, infrequent, IMCP packets through with high priority at the expense of the high throughput flows".

Does anybody understand what's going on here?
DHCP and DNS

Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

4891
Topics

29720
Posts

M

Update: I increased the DNS cache size from 20k to 50k, and that seems to have resolved the long average recursion time dropped from 100+ seconds to less than 2 seconds. Number of DNS queries dropped from about 40k per min to less than 400 per min. I guess the too small cache size was the key root cause.
IPv6

Discussions about IPv6 connectivity and services

1547
Topics

14167
Posts

V

Hello,

I attempted to upgrade to 2.5.1 last night but I believe that I encountered the problem above. I couldn't get IPv6 addresses or routing on any of my WAN connections. I tried troubleshooting for several hours but had to give up and rollback to 2.4.5_1.

From the messages above and in the bug tracker, it seems like this might be fixed but in a version that isn't released yet. Is that accurate? (I've been reading from https://redmine.pfsense.org/issues/11454 and they mention installing 2.5.1 plus a patch..) Is there any way to know when this should be published and I could re-attempt upgrading?

Thanks,
Ryan
IPsec

Discussions about IPsec VPNs

4926
Topics

20321
Posts

@jeffsmith82 Freeradius framed-ip addresses.

https://forum.netgate.com/topic/115795/guide-ikev2-ipsec-per-user-firewall-rule-settings-with-freeradius
OpenVPN

Discussions about OpenVPN

7841
Topics

42516
Posts

K

We are using OpenVPN GUI and have added a 3rd party MFA provider. The issue we are having is if a user has 2 emails in their MFA account, then the authentication factor never gets sent. Here is a snippet of the logs from MFA:

ChallengeState(String): challenge|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx|ChooseOne
ChallengeTimeout(Double): 300
ReplyCommand(String): AccessChallenge
ReplyMsg(String): Enter an authentication method number:
1: Email... @ yahoo.com
2: Email... @ gmail.com

Is there anyway in OpenVPN that we can set that authentication method number to always be 1?
WireGuard

Discussions about WireGuard

102
Topics

949
Posts

V

Hi! I setup pfSense 2.6 on my Hyper-V lab and was able to get setup a Wireguard tunnel with TorGuard. Looks promising! I did notice a little more cpu load then I expected when running speedtests but I was able to utilize my 100Mbit internet connection.
WGTUN Interface (opt1, tun_wg0) Status up IPv4 Address 10.13.XX.XX Subnet mask IPv4 255.255.255.0 Gateway IPv4 10.13.XX.XX MTU 1500 In/out packets 509239/443583 (536.63 MiB/360.12 MiB) In/out packets (pass) 509239/443583 (536.63 MiB/360.12 MiB) In/out packets (block) 0/0 (0 B/0 B) In/out errors 0/0 Collisions 0
wg01.png
Captive Portal

Discussions about Captive Portal, vouchers, and related topics

3164
Topics

16409
Posts

S

Hello!

A cursory look through some of the code indicates that some voucher info is stored in the config during a graceful shutdown/reboot. Even that wont help with ram disks, or if there is a power loss.

Check on the requirements that forced you to move from 2.4.5 to 2.5.x and see if any of those can be worked around.

Try building a fresh 2.5.x without ram disks and see how it works.

Moving back to "no ram disks" after initially using them might work with a little scripting.

Using the current rc.backup* and rc.restore* scripts as a template for manually saving and restoring the /var/db data...

While ram disks are still on...
rc.backup_db
#!/bin/sh # : ${DBPATH:=/var/db} : ${CF_CONF_PATH:=/cf/conf} : ${RAM_Disk_Store:=${CF_CONF_PATH}/RAM_Disk_Store} # Save the logs database to the RAM disk store. if [ -d "${DBPATH}" ]; then echo -n "Saving DB to RAM disk store..."; [ -f "${RAM_Disk_Store}/db.tgz" ] && /bin/rm -f "${RAM_Disk_Store}/db.tgz" if [ ! -d "${RAM_Disk_Store}" ]; then mkdir -p "${RAM_Disk_Store}" fi /usr/bin/tar -czf "${RAM_Disk_Store}/db.tgz" -C / "${DBPATH#/}/" echo "done."; fi
Turn off ram disks, reboot, manually run...
rc.restore_db
#!/bin/sh # : ${CF_CONF_PATH:=/cf/conf} : ${RAM_Disk_Store:=${CF_CONF_PATH}/RAM_Disk_Store} /usr/bin/tar -xzf "${RAM_Disk_Store}/db.tgz" -C / 2>&1
Restart captive portal and see if it picks up your newly restored /var/db

The standard system rc.restore_ramdisk_store might even catch & restore the db.tgz you created if it runs when rams disks are off (???).

This is a highly experimental process with lots of unknowns. Use at your own risk.
Maybe someone with more/better knowledge of the startup/shutdown and ram disk operations could chime in.

John
webGUI

Anything that does not fit in other categories related to the webGUI

1716
Topics

8173
Posts

W

@johnpoz

I am using pfSense 2.5.1, the issue was already existent in 2.5.0, but not in 2.4.5 before.

I also tried with browsers Firefox 88 and MS Edge 90, both no effect.
Wireless

Discussions about wireless networks, interfaces, and clients

1601
Topics

9757
Posts

L

@gertjan

Yes, I have 2 similar cellphones that don't get internet from the AP.

When I connect the Desktop to the AP using a USB WiFi adapter, it gets internet access from the AP as well.

I have gone ahead and purchased a different AP to see if there is an issue with this one. When I test it i'll let you know.

The thing is, I was using Untangle before, with this same AP and I never had this issue so I wanted to know if I misconfigured something in pfSense.
SNMP

Discussions about monitoring via SNMP

161
Topics

496
Posts

Y

Hello,
We manage the hard disk cache by swapstat_check.php.
It doesn't work sometimes. How can we monitor it by SNMP?
(We are using PRTG.)

Regards
Documentation

Discussions about pfSense documentation, including the book

162
Topics

1178
Posts

@tong Thanks for sharing your link. Not sure what happened to my original upload. I have re-uploaded. Here is a new link to my copy:

https://drive.google.com/file/d/1-k0u99CjNLqbb4WM0llzXrnO49k2Q2q5/view?usp=sharing
Development

Topics related to developing pfSense: coding styles, skills, questions etc.

2.5 Development Snapshots (Retired)

1270
Topics

7428
Posts

W

https://docs.google.com/presentation/d/1WTiumQ8mO570Qpttvk5GycoON6t6WMZhBVfVC5DuK4Y/edit?usp=sharing
Gaming

Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

345
Topics

2161
Posts

This looks like some great points about the game. I love all Battlefields and the multiplayer is the best you can get for any shooting game. I don't think that Call of Duty can really be compared to it! The only Battlefield I have found really hard and challenging to play was battlefield 5 as the difficulty bar was raised way too much. I'm a bit ashamed to admit it, but sometimes I have to use bf5 hacks in order to be able to stay competitive. Of course I don't use them on online multiplayers.
Virtualization

Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

1576
Topics

9516
Posts

W

@ahking19 I set it up early last week to test it to see if that would remain stable. After it’s been up for nearly a week, I didn’t have time this weekend to roll back. I also made a few config changes on in the firewall and a VLAN tag that I would need to replicate from the 2.5.1 router that was crashing and the router on a stick back to the 2.4.5 VM. In this case, it’s not quite as simple as just hitting the “roll back” button.
Hardware

Discussions about pfSense hardware support

Vendors

6712
Topics

59272
Posts

Who's preconfigured system was that? I assume not from PCEngines directly.

You didn't have to install originally? That is UFS on mSATA?

Steve
Bounties

Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

Completed Bounties
Expired/Withdrawn Bounties

449
Topics

6171
Posts

F

@netnerdy

You need to create a new switch (it can't be the same switch as your LAN). For the Switch, set the VLAN ID to (0) None. This will strip the VLAN tags off that interface. Make sure your physical adapter is mapped to that switch, and then connect that WAN switch to an interface on your PFSense VM. Enjoy.

BTW, the snapshotting feature is super useful when updates are having issues. :)
Retired

Categories that are no longer active, but are present for reference

2.4 Development Snapshots
2.3.3 Development Snapshots
2.3.2 Development Snapshots
2.3.1 Snapshots Testing and Feedback - ARCHIVED
2.3-RC Snapshot Feedback and Issues - ARCHIVED
2.2.5 Snapshot Feedback and Issues
2.2.3 Snapshots Problems and Feedback - ARCHIVED
2.2 Snapshot Feedback and Problems - RETIRED
2.1.1 Snapshot Feedback and Problems - RETIRED
2.1 Snapshot Feedback and Problems - RETIRED
2.0-RC Snapshot Feedback and Problems - RETIRED
1.2.3-PRERELEASE-TESTING snapshots - RETIRED
1.2.1-RC Snapshot Feedback and Problems-RETIRED

8644
Topics

54899
Posts

Set Debug in the DHCP6 Client Configuration on WAN as well, then check the logs (main system log, routing log, etc) to see what shows up.

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

1 / 1