pfSense® Software

Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

Subcategories

Messages from the pfSense Team

Announcements and information about pfSense software posted by the project team

200
Topics

2.1k
Posts

M

Cool. I'm a FreeBSD user for a long time, have always preferred ZFS even on single disk systems because of Boot Environments.

Doing a major upgrade I've always done the "create a new BE, mount it, chroot to it and do the upgrade" process.
That lets you do the upgrade kernel, upgrade userlande, upgrade all the packages into the new BE while you are still running, then when you boot into that newly created BE everything is consistent, so you have a lot less risk of things going bad. They still can, but that's where the bootonce flag comes in. If the system fails to boot up completely (where the flag gets cleared) reboot and you are back to pre upgrade.

Automating this process is a very good thing to have. Very good stuff Netgate.
General pfSense Questions

Discussions about pfSense software that do not fit into one of the more specific categories below.

25.3k
Topics

173.2k
Posts

B

@Gertjan
My acl's are exactly the same.
Problems Installing or Upgrading pfSense Software

Discussions about installing or upgrading pfSense software

9.2k
Topics

57.8k
Posts

_

@stephenw10

[2.7.1-RELEASE][admin@pfSense]/root: gpart list
Geom name: ada0
modified: false
state: OK
fwheads: 16
fwsectors: 63
last: 1953525127
first: 40
entries: 128
scheme: GPT
Providers:
Name: ada0p1
Mediasize: 209715200 (200M)
Sectorsize: 512
Stripesize: 4096
Stripeoffset: 0
Mode: r1w1e2
efimedia: HD(1,GPT,96fdba21-f4f5-11ea-95ee-503eaa11083a,0x28,0x64000)
rawuuid: 96fdba21-f4f5-11ea-95ee-503eaa11083a
rawtype: c12a7328-f81f-11d2-ba4b-00a0c93ec93b
label: efiboot0
length: 209715200
offset: 20480
type: efi
index: 1
end: 409639
start: 40 Name: ada0p2
Mediasize: 524288 (512K)
Sectorsize: 512
Stripesize: 4096
Stripeoffset: 0
Mode: r0w0e0
efimedia: HD(2,GPT,97249595-f4f5-11ea-95ee-503eaa11083a,0x64028,0x400)
rawuuid: 97249595-f4f5-11ea-95ee-503eaa11083a
rawtype: 83bd6b9d-7f41-11dc-be0b-001560b84f0f
label: gptboot0
length: 524288
offset: 209735680
type: freebsd-boot
index: 2
end: 410663
start: 409640 Name: ada0p3
Mediasize: 2147483648 (2.0G)
Sectorsize: 512
Stripesize: 4096
Stripeoffset: 0
Mode: r1w1e0
efimedia: HD(3,GPT,976896a2-f4f5-11ea-95ee-503eaa11083a,0x64800,0x400000)
rawuuid: 976896a2-f4f5-11ea-95ee-503eaa11083a
rawtype: 516e7cb5-6ecf-11d6-8ff8-00022d09712b
label: swap0
length: 2147483648
offset: 210763776
type: freebsd-swap
index: 3
end: 4605951
start: 411648 Name: ada0p4
Mediasize: 997845893120 (929G)
Sectorsize: 512
Stripesize: 4096
Stripeoffset: 0
Mode: r1w1e1
efimedia: HD(4,GPT,97909eb8-f4f5-11ea-95ee-503eaa11083a,0x464800,0x742a2000)
rawuuid: 97909eb8-f4f5-11ea-95ee-503eaa11083a
rawtype: 516e7cba-6ecf-11d6-8ff8-00022d09712b
label: zfs0
length: 997845893120
offset: 2358247424
type: freebsd-zfs
index: 4
end: 1953523711
start: 4605952
Consumers: Name: ada0
Mediasize: 1000204886016 (932G)
Sectorsize: 512
Stripesize: 4096
Stripeoffset: 0
Mode: r3w3e6
Geom name: ada1
modified: false
state: OK
fwheads: 16
fwsectors: 63
last: 1953525127
first: 40
entries: 128
scheme: GPT
Providers:
Name: ada1p1
Mediasize: 209715200 (200M)
Sectorsize: 512
Stripesize: 4096
Stripeoffset: 0
Mode: r0w0e0
efimedia: HD(1,GPT,98248a2a-f4f5-11ea-95ee-503eaa11083a,0x28,0x64000)
rawuuid: 98248a2a-f4f5-11ea-95ee-503eaa11083a
rawtype: c12a7328-f81f-11d2-ba4b-00a0c93ec93b
label: efiboot1
length: 209715200
offset: 20480
type: efi
index: 1
end: 409639
start: 40 Name: ada1p2
Mediasize: 524288 (512K)
Sectorsize: 512
Stripesize: 4096
Stripeoffset: 0
Mode: r0w0e0
efimedia: HD(2,GPT,984f94f1-f4f5-11ea-95ee-503eaa11083a,0x64028,0x400)
rawuuid: 984f94f1-f4f5-11ea-95ee-503eaa11083a
rawtype: 83bd6b9d-7f41-11dc-be0b-001560b84f0f
label: gptboot1
length: 524288
offset: 209735680
type: freebsd-boot
index: 2
end: 410663
start: 409640 Name: ada1p3
Mediasize: 2147483648 (2.0G)
Sectorsize: 512
Stripesize: 4096
Stripeoffset: 0
Mode: r1w1e0
efimedia: HD(3,GPT,98949ca2-f4f5-11ea-95ee-503eaa11083a,0x64800,0x400000)
rawuuid: 98949ca2-f4f5-11ea-95ee-503eaa11083a
rawtype: 516e7cb5-6ecf-11d6-8ff8-00022d09712b
label: swap1
length: 2147483648
offset: 210763776
type: freebsd-swap
index: 3
end: 4605951
start: 411648 Name: ada1p4
Mediasize: 997845893120 (929G)
Sectorsize: 512
Stripesize: 4096
Stripeoffset: 0
Mode: r1w1e1
efimedia: HD(4,GPT,98b917b8-f4f5-11ea-95ee-503eaa11083a,0x464800,0x742a2000)
rawuuid: 98b917b8-f4f5-11ea-95ee-503eaa11083a
rawtype: 516e7cba-6ecf-11d6-8ff8-00022d09712b
label: zfs1
length: 997845893120
offset: 2358247424
type: freebsd-zfs
index: 4
end: 1953523711
start: 4605952
Consumers: Name: ada1
Mediasize: 1000204886016 (932G)
Sectorsize: 512
Stripesize: 4096
Stripeoffset: 0
Mode: r2w2e3
Firewalling

Discussions about firewalling functionality in pfSense software

9.3k
Topics

56.1k
Posts

M

One thing I like to do:
Diagnostics, Command Prompt and enter:
pfctl -sr

That will give you all the rules in the order and expanded. It helps me when I can't remember "which is applied first, floating interface or something else".

As for a block rule, if it's near/at the top of the list then yes it would be evaluated first, evaluation doesn't always mean applied. As @johnpoz says state would override application.
NAT

Discussions about Network Address Translation (NAT)

5.4k
Topics

30.2k
Posts

S

@EARDELaN What PBX?

We've set up several clients with Yealink phones using 3CX. 3CX has a way to have either a software program or even phone tunnel to the 3CX server "in the cloud." However it does require a correct firmware version or it will half-connect and can cause the server to blacklist the phone's public IP.

There is a list of things at https://docs.netgate.com/pfsense/en/latest/recipes/nat-voip-phones.html
HA/CARP/VIPs

Discussions about High Availability, CARP, and utilizing additional IP addresses

2.5k
Topics

11.4k
Posts

V

@CaptainKeyboard
The hint to consider rule was in my first post.

But glad, that's working now.
L2/Switching/VLANs

Discussions about Layer 2 Networking, including switching and VLANs

1.1k
Topics

9.0k
Posts

X

Resolved | Solved

It was a configuration in the ARUBA AP's own Firewall.

ApplicationFrameHost_4Ypo7mjMwX.png

thanks for the support
Routing and Multi WAN

Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

8.3k
Topics

39.7k
Posts

V

@VMlabman
As I wrote, this is an action which you can configure.

ffe2e6d2-ccdf-4a4c-9a46-38ee9074729d-grafik.png

Possibly you need to configure an ACL for it, which is ever true.

I don't use this function for my purposes, however, so I cannot give more details.
Traffic Shaping

Discussions about traffic shaping and limiters

2.9k
Topics

15.7k
Posts

I

@gawd21 I believe the netgate wiki indicate 50 as the default value to use.
DHCP and DNS

Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

6.1k
Topics

38.8k
Posts

G

@mwierowski said in Kea DHCP Feature Roadmap:

before ISC DHCP is completely removed from pfSense.

Why would Netgate remove it ? It will be kept, for those who want to use it, a bit like when unbound, the resolver replaced dnsmasq, the forwarder. The GUI front end will, evolve so more options can be used.
I guess a real security has to be found in ISC DHCP for Netgate to remove ISC DHCP.

All IMHO of course.
IPv6

Discussions about IPv6 connectivity and services

1.9k
Topics

18.4k
Posts

M

@Imesh_
Hello did you manage to get the ipv6 on the lan?
IPsec

Discussions about IPsec VPNs

5.6k
Topics

22.7k
Posts

V

@frog
Not that I know. But if your subnets are successive you can state a larger subnet, which includes all or multiple at least.

E.g. your subnets are
10.66.20.0/24
10.66.21.0/24
...
10.66.29.0/24
10.66.30.0/24

So set you local network to 10.66.25.0/20, which includes 10.66.16.0 - 10.66.31.255.

However, you will also have to configure the remote site accordingly.
OpenVPN

Discussions about OpenVPN

9.4k
Topics

51.3k
Posts

M

@Gertjan said in pfsense+ NordVPN slow speed:

it, you saw some youtuber and sai

Hello, If I use the NordVPN application directly on my phone or on my computer, the speeds are excellent (800Mbps download and 600Mbps upload).
So the problem is with NordVPN.

I didn't use NordVPN because a YouTuber told me to... I use NordVPN to secure my network infrastructure.

Here are the characteristics of my machine:
CPU: Intel(R) Celeron(R) N5105 @ 2.00GHz (1996.80-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
cpu0: <ACPI CPU> on acpi0
CPU: Intel(R) Celeron(R) N5105 @ 2.00GHz (1996.80-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
cpu0: <ACPI CPU> on acpi0
CPU: Intel(R) Celeron(R) N5105 @ 2.00GHz (1996.80-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
cpu0: <ACPI CPU> on acpi0
CPU: Intel(R) Celeron(R) N5105 @ 2.00GHz (1996.80-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
cpu0: <ACPI CPU> on acpi0

My network cards are:
vendor = 'Intel Corporation'
device = 'Ethernet Controller I226-V'
Captive Portal

Discussions about Captive Portal, vouchers, and related topics

3.5k
Topics

18.1k
Posts

G

@uggiz said in Captive Portal - Cron - Authentication issues:

but I am starting to wonder if the max-octets-* should be there?

The max-octest-.... files shouldn't be deleted.
They are created when pfSense creates the config of FreeFradius when it starts FreeRadius. And only at that moment.

I'm curious : who/what (where ?) told you to wipe these 'max' files ?

All is is very 'AFAIK' of course.

edit : https://forum.netgate.com/topic/155445/freeradius-daily-reset-using-cron

I thought it was a simple question : where did these 3 cron liens come from ? Didi I put them there ? (back in 2014 or even before ?) Was I told to create them ? Even Google can't show me anything useful.

Maybe this : before using FreeRadius, I watched the 3 (?) Netgate pfSense Freeradius Videos (Youtube Netgate channel) as these are not 'optional' (Radius is and stays no easy to master). I'll advise you to do the same.
Since then, I use pfSense FreeRadius for the portal authentication and accounting. It just 'works'.
webGUI

Anything that does not fit in other categories related to the webGUI

2.0k
Topics

9.6k
Posts

A

@AnonymousRetard thanks for you reply,

I finally managed to complete my setup like this.
66bbb74c-86a6-4079-bf3b-17e90ede9090-image.png

To do this, you had to perform additional actions on the switch. I created 2 profiles.

1 - With the LAN in untag and the VLAN20 which is tagged
2 - With VLAN20 only

Then apply profile 1 on the port where the LAN arrives and apply profile 2 on the port where I want to connect the equipment (including my PC).
Wireless

Discussions about wireless networks, interfaces, and clients

1.7k
Topics

10.9k
Posts

P

Samsung WIS08BG2X LinkStick Wireless LAN Adapter (Ralink)
(Originally provided with my 2008 Samsung LCD TV)
Working in hostap mode, B/G only.
I never throw anything out!
rum0 on uhub0 rum0: <Abocom 802.11 bg WLAN, class 0/0, rev 2.00/0.01, addr 1> on usbus0 rum0: MAC/BBP RT2573 (rev 0x2573a), RF RT2528
f131656f-b6dd-4719-9c95-0f8bb5c8680b-image.png
SNMP

Discussions about monitoring via SNMP

188
Topics

567
Posts

C

MRTG cfgmaker gave this result for devices such as gif, lo, ovpnc, ovpns:

gif or gif0 :
### The following interface is commented out because: * has no ifSpeed property
ovpns devices:
### The following interface is commented out because: ### * has no ifSpeed property
ovpnc devices:
### The following interface is commented out because: ### * has no ifSpeed property
No effect for administratively DOWN or operationally DOWN interfaces, or softwareLoopback devices: e.g.:

enc or enc0 :
### * it is administratively DOWN ### * it is operationally DOWN ### * has no ifSpeed property
lo or lo0 :
### * it is a Software Loopback interface ### * has no ifSpeed property
pflog or pflog0 :
### * it is administratively DOWN ### * it is operationally DOWN ### * has no ifSpeed property
pfsync or pfsync0 :
### * it is administratively DOWN ### * it is operationally DOWN ### * has no ifSpeed property
The solution was to change cfgmaker arguments:
/usr/bin/cfgmaker --zero-speed=10000000 -o outfile.cfg community@object
Additionally, --ifdesc=descr changed the Title to start with device or device.vlan where appropriate.

Here is the site that gave me the hint:
https://aacable.wordpress.com/2014/07/07/mrtg-monitoring-with-esxi-hosted-guest-return-interface-is-commented-has-no-ifspeed-property/

https://oss.oetiker.ch/mrtg/doc/cfgmaker.en.html

However, cfgmaker does not have an argument for enabling monitoring of loopback devices, though there is a more complicated method to work around that using something such as '--if-filter=($default_iftype && $if_admin)' with type 24, softwareLoopback as documented at the website above or something like below:
"--if-filter=($default || $if_type==24)"
The positional order is important, all flags need to precede community@router. --if-filter carries a caveat:
--if-filter=f Test every interface against filter f to decide wether or not to include that interface into the collection. Currently f is being evaluated as a Perl expression and it's truth value is used to reject or accept the interface. (Experimental, under development, might change)
The resulting command line argument contains double quotes:
/usr/bin/cfgmaker --ifdesc=descr --zero-speed=10000000 "--if-filter=($default || $if_type==24)" -o outfile.cfg community@router
If you run into an issue with the shell interpreting the contents, switch to the double quotes to single quotes.

Now lo0 is monitored by MRTG using bsnmpd. To monitor lo0 and everything ethernet:
/usr/bin/cfgmaker --ifdesc=descr --zero-speed=10000000 "--if-filter=($default || $if_type==24 || $if_type==6)" -o outfile.cfg community@router
Documentation

Discussions about pfSense documentation, including the book

180
Topics

1.2k
Posts

R

I submitted a few related bug reports and enhancement requests, in case anyone is going to track this or suggest solutions:

https://redmine.pfsense.org/issues/15199
https://redmine.pfsense.org/issues/15200
https://redmine.pfsense.org/issues/15203
https://redmine.pfsense.org/issues/15209
Development

Topics related to developing pfSense: coding styles, skills, questions etc.

Plus 24.03 Development Snapshots CE 2.8.0 Development Snapshots

2.0k
Topics

13.3k
Posts

J

@stephenw10 Just to chime in: I have a 6100 as a dev-box with 2 NVMes installed and with a ZMirror Pool, that one updated all the way from 23.09.1 to various betas to RC currently without problems with booting. So could be something more specific to the C2758 otherwise I'd guess I'd have stumbled upon it as well?

a9fa95f5-286c-4787-80ec-6cf78ec07964-image.png

Cheers
Gaming

Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

407
Topics

2.7k
Posts

C

9 years later! Wonder how many had this issue in that time.

To save someone else hours of pulling their hair out....

Don't forget to reset state tables!!!

Diagnostics / States / Reset States

Rebooting the router / PC / Game did not work!

Resetting state tables may take a while and not automatically refresh the page. Click on the pfsense logo and wait for the home page to load.
Virtualization

Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

1.9k
Topics

11.5k
Posts

Z

After RTFM I was able to stop the Intel i40en driver from disabling trusted mode on the virtual functions on every reboot, but that didn't resolve the error message. The good news is now the firewall doesn't come up from a boot in a broken state every time, but this confirms the AQ returned error VIRTCHNL_ERR_PARAM to our request CONFIG_RSS_KEY! error is unrelated to the i40en driver's handling of trusted mode.

Anyone else have any brilliant ideas for what could be causing the error message?

Anyone have any guess as to whether it can safely be ignored? It doesn't stop pfSense from passing traffic on the NIC so it seems to "work," but God forbid it's creating some sort of security vulnerability!
Hardware

Discussions about pfSense hardware support

7.4k
Topics

66.8k
Posts

G

@stephenw10 No, because my plan was to put this in my office... but that plan has now changed and it's going in a different room. Chances are I'll actually re-install the original fans for better cooling. When I do, I'll let you know what temps I get
Bounties

Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

Completed Bounties Expired/Withdrawn Bounties

454
Topics

6.4k
Posts

A

While researching ways to enhance our retail operations, I came across a source that shed light on the importance of choosing the retail software development services. It emphasized how critical it is to partner with developers who understand the unique needs of retail businesses. This advice was incredibly valuable, guiding us towards making informed decisions that have since improved our inventory management and customer service. It's clear that having the right technology partner can make a significant difference in the retail landscape.
Retired

Categories that are no longer active, but are present for reference

2.4 Development Snapshots 2.3.3 Development Snapshots 2.3.2 Development Snapshots 2.3.1 Snapshots Testing and Feedback - ARCHIVED 2.3-RC Snapshot Feedback and Issues - ARCHIVED 2.2.5 Snapshot Feedback and Issues 2.2.3 Snapshots Problems and Feedback - ARCHIVED 2.2 Snapshot Feedback and Problems - RETIRED 2.1.1 Snapshot Feedback and Problems - RETIRED 2.1 Snapshot Feedback and Problems - RETIRED

8.6k
Topics

54.9k
Posts

J

Set Debug in the DHCP6 Client Configuration on WAN as well, then check the logs (main system log, routing log, etc) to see what shows up.

1 / 1