pfSense® Software

Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

Subcategories

Messages from the pfSense Team

Announcements and information about pfSense software posted by the project team

196
Topics

2063
Posts

D

@defenderllc thank you so much, I just fixed the issue using this method 😊👌
General pfSense Questions

Discussions about pfSense software that do not fit into one of the more specific categories below.

23882
Topics

157659
Posts

D

Hi,
New here on the forum.
Using PFsense for quite some years, but on a very basic level.

I am struggling with an answer to the following question (if not in the correct category, i appologise)

I have correctly configured an outgoing VPN connection to reroute outgoing traffic over a (payed) vpn server.
All of the clients use VPN now.
I now would like to choose what devices use the VPN, and what devices use the non-VPN route.
Is this possible, and if so, is there a tutorial to find somewhere?
Installation and Upgrades

Discussions about installing or upgrading pfSense software

8847
Topics

54972
Posts

G

@scottlindner

The System_Patches, currently version 2.2.3, is advised to install, and also, if it proposes 'build in' patches, you should 'apply' them all.
There is nothing more to do.

@scottlindner said in Should I uninstall a patch before/after an upgrade?:

I recently upgraded to latest and that patch still shows as applied but it really applies to the previous release of pfSense

There is an incoherence.
If you've upgraded (pfSense) that a patch you've put in place is still there, and can still be applied, this means that the issue that the patch addresses is still teher.
It can't apply against a previous version of pfSense, as it isn't there anymore.
Btw : You didn't say so, but I presume you talk about a patch that you added manually.

If this patch was 'valid' for, example 23.01 - and the patch (solution) didn't make it 23.05 then the patch would still match, and you could still apply it for 23.05.

Normally, when you've used the System_Patches under 23.01, there were several build in patches that all could be applied.
When upgrading to 23.05, the System_Patches package also upgraded, and now there are no build in patches anymore.
As the previous ones are no all part of 23.05 "out of the box".

You can continue to add manual patches, I've 3 of the right now :

96302ae6-b433-4888-a944-5a582915bb2d-image.png
Firewalling

Discussions about firewalling functionality in pfSense software

9006
Topics

53709
Posts

K

@thecancel Excellent - I’m a little surprised there is a difference between 23.xx and 2.6 on this point, but it has been an issue earlier, so perhaps the fix first came with 22.05 in the pfSense Plus series (Which is after 2.6 in CE).
NAT

Discussions about Network Address Translation (NAT)

5260
Topics

29046
Posts

P

Hello pfSense community!

I'm seeking assistance with configuring port forwarding on my pfSense router for my Minecraft server. Here's a summary of my setup:

My PC has a local IP address of 198.168.0.xxx.
I need to forward TCP and UDP connections on port 25565 to my PC.
I've already allowed incoming and outgoing connections on port 25565 in the Windows Defender firewall.
Here are the steps I've taken in pfSense:

Logged in to the pfSense web interface.

Navigated to Firewall > NAT > Port Forward.

Created a port forwarding rule as follows:

For TCP/UDP

Interface: WAN
Protocol: TCP/UDP
Source: Single host or alias > Type: WAN Address > Address/mask: leave blank
Source port range: From port 25565, To port 25565
Destination: WAN address
Destination port range: From port 25565, To port 25565
Redirect target IP: 198.168.0.xxx
Redirect target port: Port 25565
Description: Minecraft TCP/UDP
NAT reflection: Use system default
Filter rule association: None
I've also gone as far as to create a rule for WAN. still nothing. I kindly request the community's review of my configuration. If I have overlooked any steps or if there are additional measures I need to take for the correct port forwarding setup for my Minecraft server, please let me know.

Thank you for your support!
HA/CARP/VIPs

Discussions about High Availability, CARP, and utilizing additional IP addresses

2385
Topics

10919
Posts

S

@damianhl If it has ZFS there is a Disks widget that can expand to show details:
e80dceed-465d-4da2-9b03-30e91c0a4dcd-image.png

Not sure about hardware RAID, have never used it. Unless FreeBSD/pfSense includes a driver the pfSense OS will probably only be able to see what the BIOS shows it.
L2/Switching/VLANs

Discussions about Layer 2 Networking, including switching and VLANs

945
Topics

8179
Posts

L

Update: This may not be a misconfiguration on pfSense side. I connected the isolated server directly to the pfSense port and created a VLAN2 on the server. It successfully got IP from VLAN2 DHCP server.

So maybe the problem is how I configured the managed switch? Completely no clue😂

Update 2: Solved! I forgot to set the PVID. It should match the VLAN ID on the port. Explained by ChatGPT:

When a frame comes into a port without a VLAN tag, the switch needs to know what VLAN that traffic should belong to. The PVID is the mechanism that does this. When the switch receives untagged traffic on a port, it assumes that the traffic belongs to the VLAN specified by the PVID for that port.
Routing and Multi WAN

Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

7973
Topics

38258
Posts

M

I'm trying to use ports 1 and 2 which are the enabled lagg group on my modem.

How do I make use of this within PFSense?

I have the Protectli Vault FW4B - 4 Port

At the end of the day, I'm trying to use two ports for dual cables going into my modem "1 ISP" and 2 cables going to my switch, which supports LACP LAGG

I have watched alot of videos but I don't have 2 ISP WANs, so I don't know if that makes a difference.

Other videos have talked about building Lagg groups, but can I do that on the WAN side?
If so, how? Because when I install the PfSense software the WAN port is already assigned. You can't add an interface to a lagg group that is assigned already.

I have enabled SUDO on the router, but I haven't changed anything there. I only did it so I could connect via SSH and run commands as root from a user account, because I disabled Admin for security.

I'm running pfSense plus version 23.05-RELEASE

Any guidance is greatly appreciated.
Traffic Shaping

Discussions about traffic shaping and limiters

2882
Topics

15536
Posts

_

Hello dear, I am using Netgate pfsense 7100 and after a week I am trying to create a traffic shaper in the limiter tab after putting the value and saving the changes I get the below error and the limiter is not getting made, I am using the latest firmware 23.05, any idea, please.
Crash report begins. Anonymous machine information: amd64 14.0-CURRENT FreeBSD 14.0-CURRENT #1 plus-RELENG_23_05-n256102-7cd3d043045: Mon May 22 15:33:52 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_05-main/obj/amd64/LkEyii3W/var/jenkins/workspace/pfSense-Plus-snapshots-23_05-main/sources/FreeBS Crash report details: PHP Errors: [30-May-2023 13:57:37 Asia/Kabul] PHP Fatal error: Uncaught TypeError: Unsupported operand types: string - int in /etc/inc/shaper.inc:5526 Stack trace: #0 /usr/local/www/firewall_shaper_vinterface.php(212): dnpipe_find_nextnumber() #1 {main} thrown in /etc/inc/shaper.inc on line 5526 [30-May-2023 14:04:29 Asia/Kabul] PHP Fatal error: Uncaught TypeError: Unsupported operand types: string - int in /etc/inc/shaper.inc:5526 Stack trace: #0 /usr/local/www/firewall_shaper_vinterface.php(212): dnpipe_find_nextnumber() #1 {main} thrown in /etc/inc/shaper.inc on line 5526 [30-May-2023 14:07:29 Asia/Kabul] PHP Fatal error: Uncaught TypeError: Unsupported operand types: string - int in /etc/inc/shaper.inc:5526 Stack trace: #0 /usr/local/www/firewall_shaper_vinterface.php(212): dnpipe_find_nextnumber() #1 {main} thrown in /etc/inc/shaper.inc on line 5526 [30-May-2023 14:36:39 Asia/Kabul] PHP Fatal error: Uncaught TypeError: Unsupported operand types: string - int in /etc/inc/shaper.inc:5526 Stack trace: #0 /usr/local/www/firewall_shaper_vinterface.php(212): dnpipe_find_nextnumber() #1 {main} thrown in /etc/inc/shaper.inc on line 5526 [30-May-2023 14:36:51 Asia/Kabul] PHP Fatal error: Uncaught TypeError: Unsupported operand types: string - int in /etc/inc/shaper.inc:5526 Stack trace: #0 /usr/local/www/firewall_shaper_vinterface.php(212): dnpipe_find_nextnumber() #1 {main} thrown in /etc/inc/shaper.inc on line 5526 [30-May-2023 14:37:04 Asia/Kabul] PHP Fatal error: Uncaught TypeError: Unsupported operand types: string - int in /etc/inc/shaper.inc:5526 Stack trace: #0 /usr/local/www/firewall_shaper_vinterface.php(212): dnpipe_find_nextnumber() #1 {main} thrown in /etc/inc/shaper.inc on line 5526 No FreeBSD crash data found.
DHCP and DNS

Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

5742
Topics

35772
Posts

J

Hello Fellow Netgate Community Members can you please help??

Quick Question:

With static assignments and setting the Squid proxy on the 192.168.1.1:3128 for example would you set up a DHCP for the firewall for a long time I did not list the firewall inside the DHCP, again I noticed it listed my firewall IP as a useable address, as soon as I added it now its green in the lease.

Screenshot 2023-06-04 at 11.25.55 PM.png
(STATIC ENTRY DHCP)

Screenshot 2023-06-04 at 11.31.01 PM.png
(Lease shows active)

I wanted to ask what other uses do that use static MAC entry and block all others.

I was surprised that it went to green as soon as I added it, Keep in mind I never added the firewall before. I still have full use of the system both ways.
IPv6

Discussions about IPv6 connectivity and services

1809
Topics

16996
Posts

G

@keyser said in Matureness of IPv6 generally:

One of the 4 requires DHCPv6 options and settings that pfSense does not support (Orange in France)

I'm using Orange @work, fiber since last January.
Because the connection is used by a company, I got a router update : The Livebox 6 and it's says it's the Pro version.
Just one device is attached to it : pfSense.

My WAN setup :

8fa4e203-84d1-4451-b5ef-dbd889e42cd3-image.png

No other checks or options ...

The WANv6 gets an IPv6 Local link addresses, and a IPv6 Address - and in the logs I can see it also got a prefix, which I'm using on my LAN.

I'm not using 'tracking' : I use the prefix obtained from the Livebox a a 'base' and set it up on my LAN :

927a4db8-99eb-4d97-b381-7659f75db01d-image.png

And from here on, I've set up the DHCPv6 on LAN, and all is well since.

I would love to use he tunnel as a spare IPv6 connection, as they never let me down for the last, many years : a rock solid IPv6 connection.
But surprise : I've tried everything but this new '6' Livebox router doesn't pass '6in4' protocol. The livebox 4, and 5 handled that protocol very well.

An there are more issues.
Even if the Livebox has a full /56 available, it only hands out one /64 prefix.

080eaa47-b254-4722-83c0-bce3415fd5ab-image.png

The entire story is detailed here.

But : I can't say IPv6 isn't working with Orange + pfSEnse. My LAN is fully IPv6 aware.

I can't 'open' an IPv6 address in the /64 'prefix' range, so I can access one of my LAN based devices. So, so be it, I'm using NAT + IPv4.
I can only reach my pfSense WAN over IPv6, so, technically, I could use IPv6 or IPv4 to reach my OpenVPN pfSense server.

ac254b59-d87f-4f66-9dea-d6adddff714b-image.png

The connection is very stable, even under full load, which is a nearly symmetric, close to 1 Gbit/sec.

A new firmware ( SG60-fr-G06.R00.C08_00 ) for my '6' box is in the queue.

Btw : I'm posting here on forum.netgate.com using IPv6 for years now.
IPsec

Discussions about IPsec VPNs

5430
Topics

22292
Posts

J

Hi, another patient here.
17 P1s with a lot more Child SAs and in irregular intervals they all just stop working, even without any interaction at all with the WebGUI etc.
Is this something that was/will be addressed in 2.7.0?
OpenVPN

Discussions about OpenVPN

8994
Topics

48997
Posts

R

Thank you, that made it.
I did not expect that I could use Client Specific Overrides to add a route on top of "Force all client-generated IPv4 traffic through the tunnel."

👍
Captive Portal

Discussions about Captive Portal, vouchers, and related topics

3357
Topics

17507
Posts

G

@net-mas

Allowed IP Address is an IP address - not a network (/25).
webGUI

Anything that does not fit in other categories related to the webGUI

1917
Topics

9170
Posts

R

It's a really handy feature now and I have already used it to diagnose something on the WAN side.

A really helpful improvement on the original pcap function and I appreciate the effort people put into it to expand its functionality. 👍

☕️
Wireless

Discussions about wireless networks, interfaces, and clients

1666
Topics

10510
Posts

D

SparkLan WPEA-127N
hostap - AP mode support
Atheros AR9380 - miniPCIe (full-size)
pfSense+ 23.05 Release on PC Engines APU6B4
ath0@pci0:5:0:0: class=0x028000 rev=0x01 hdr=0x00 vendor=0x168c device=0x0030 subvendor=0x168c subdevice=0x3112 vendor = 'Qualcomm Atheros' device = 'AR93xx Wireless Network Adapter' class = network
Compex WLE200NX
hostap - AP mode support
Atheros AR9280 - miniPCIe (full-size)
pfSense 2.7.0 Development on PC Engines APU4D4
ath0@pci0:5:0:0: class=0x028000 rev=0x01 hdr=0x00 vendor=0x168c device=0x002a subvendor=0x168c subdevice=0x3099 vendor = 'Qualcomm Atheros' device = 'AR928X Wireless Network Adapter (PCI-Express)' class = network
SNMP

Discussions about monitoring via SNMP

176
Topics

532
Posts

J

https://redmine.pfsense.org/issues/13976
Documentation

Discussions about pfSense documentation, including the book

173
Topics

1215
Posts

J

This should be OK now if you try it again. The server-side redirects are back in place.
Development

Topics related to developing pfSense: coding styles, skills, questions etc.

Plus 23.09 Development Snapshots CE 2.7.0 Development Snapshots Plus 23.05 Development Snapshots (Retired) Plus 23.01 Development Snapshots (Retired) Plus 22.05 Development Snapshots (Retired) Plus 22.01 Development Snapshots (Retired) CE 2.6.0 Development Snapshots (Retired) 2.5.2 Release Candidate Snapshots (Retired) 2.5 Development Snapshots (Retired) 21.02.2/2.5.1 Snapshots (Retired)

1820
Topics

11641
Posts

J

@Gertjan Pfsense has the ability to be the first firewall to compartmentalize docker os signatures / and host machines and actually control traffic in that manner:) wouldn't that be cool?
Gaming

Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

393
Topics

2560
Posts

J

@jonathanlee everything else works roblox, amazon prime, disney plus. Tubi works for one movie only and requires app reset to work again.
Virtualization

Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

1784
Topics

10933
Posts

E

@viragomann I just use the host machine as a personal desktop.
I previously ran Proxmox which ran nicely, however had to run Ubuntu as a vm.
My hope is to run Ubuntu with better performance not being a vm any longer.
Hardware

Discussions about pfSense hardware support

7165
Topics

64430
Posts

S

@stephenw10
Sorry, probably confusing things. On LAN I had same transceiver as WAN, tried a DAC cable that came in yesterday, set connection rate before inserting DAC to 10GBase. Couldnt get it to connect, when I put the transceiver back in it displayed the new speed options. They are gone now after reboot, I assume just carry over from the DAC options.
Bounties

Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

Completed Bounties Expired/Withdrawn Bounties

453
Topics

6370
Posts

D

@darkphox said in ATT Uverse RG Bypass (0.2 BTC):

@DefenderLLC I understand your sentiment, considering you're still stuck with the gateway using this bypass method. I liked the idea of putting the gateway behind my firewall, but it also made it easier to co-locate my network hardware with an UPS...the ONT is in a weird spot in my house. As a secondary benefit, I've noticed a slight to moderate increase in overall performance.

I've yet to see a speedtest actually reach full gigabit speed, but before the bypass I'd hit around 800Mbit with latency of 15 to 20 ms. After the bypass I'm hitting roughly 920Mbit with 8-10 ms latency. It's minor and surely not noticeable to my dulled senses, but it's measurable.

I haven't accessed the gateway itself since the bypass...Setting it up on a 'modem' interface keeps me from getting at it via the ol' 192.168.1.254, but I may see if I have time to mess around and look into the RG logs if they're easily accessible.

AT&T generally oversubscribes the service, but if you’re using a 1 gig port from the gateway to your LAN of course you’re not going to get any speeds faster than that. Port number 1 (the blue one) is a 5 Gb port on the newer models and will step down to 2.5Gb or 1Gb. Now the ONT modules are built into the modem itself. You have no choice but to use it.

I went back to the one gig service and this is what I get from my UDM-SE which sits behind my Netgate 6100 MAX with IPS enabled on both firewalls (dual NAT).

b077c0ed-9bba-4738-8451-72f731e9ff94-image.jpeg
Retired

Categories that are no longer active, but are present for reference

2.4 Development Snapshots 2.3.3 Development Snapshots 2.3.2 Development Snapshots 2.3.1 Snapshots Testing and Feedback - ARCHIVED 2.3-RC Snapshot Feedback and Issues - ARCHIVED 2.2.5 Snapshot Feedback and Issues 2.2.3 Snapshots Problems and Feedback - ARCHIVED 2.2 Snapshot Feedback and Problems - RETIRED 2.1.1 Snapshot Feedback and Problems - RETIRED 2.1 Snapshot Feedback and Problems - RETIRED

8644
Topics

54899
Posts

J

Set Debug in the DHCP6 Client Configuration on WAN as well, then check the logs (main system log, routing log, etc) to see what shows up.

1 / 1