Subcategories

  • Announcements and information about pfSense software posted by the project team

    217 Topics
    3k Posts
    @KOM Ah. Those were the days. Spend three days typing in the code and then two weeks debugging. Got some great skills from those days.
  • Discussions about pfSense software that do not fit into one of the more specific categories below.

    27k Topics
    190k Posts
    @stephenw10 said in Ecobee thermostat can’t connect to servers: And just to confirm when this happens everything else behind pfSense remains functional? Only the Ecobee seems to be affected? That is correct. Every other device that goes through the pfSense works normally.
  • Discussions about Multi-Instance Management.

    14 Topics
    113 Posts
    It's normally not recommended but it should be fine for a quick edit. IIRC it's under the system tree - it will be obvious since it's a long base64 string.
  • Discussions about installing or upgrading pfSense software

    10k Topics
    62k Posts
    stephenw10
    It should work in UEFI mode and everything vaguely modern should be using that. But that confirms it's the same issue we're looking at and not something new.
  • Discussions about firewalling functionality in pfSense software

    10k Topics
    59k Posts
    @johnpoz THANKS for the detailed response. My router forwards it to another router that forwards it to a web server. I do not see the traffic in the internal router; I see the rule on the external router that says it blocks the traffic, so I do not think it passed the firewall, agreed. I do not understand why I see access denied. I used Edge and Chrome (on Windows, and Chrome on an Android phone). I do have pfBlockerNG on, but don't think it's involved; it is blocking mainly other countries.
  • Discussions about Network Address Translation (NAT)

    6k Topics
    31k Posts
    johnpoz
    @sho1sho1sho1 nothing in the resolver would or could do that.. You running pfBlocker? Show the rule in your ruleset. There is this feed in pfBlocker. That sure doesn't even look like a NS:
    ;; QUESTION SECTION:
    ;4.64.4.64.in-addr.arpa. IN PTR
    ;; ANSWER SECTION:
    4.64.4.64.in-addr.arpa. 28800 IN PTR wnpgmb0273w-dr09-v924.mts.net.
    And it doesn't even answer DNS, at least not from me. That is a Bell Canada IP.. Is that who you use for ISP?
  • Discussions about High Availability, CARP, and utilizing additional IP addresses

    3k Topics
    12k Posts
    Alright, last post from me. Leaving it here so someone can find it. The documentation concerning CARP is wrong: "A High Availability cluster using CARP needs three IP addresses in each subnet along with a separate unused subnet for the Sync interface." The fact is, a High Availability cluster using CARP needs only one IP address. It only ever needed one IP address. This statement directly contradicts all the documentation available from carp(4) and the FreeBSD handbook. The distinction that I initially missed, but now have reread and understand, is that when using a single IP assigned to a VIP, so long as there isn't an existing network with another IP in that same network, then the network for that VIP should in fact be whatever that network is. Otherwise it should be a /32. Let's put it this way for a further understanding (pseudo interface configuration):
    Server 1 (Primary):
    ifconfig em0 inet 192.168.0.10.1/24
    ifconfig em0 inet 192.168.0.0.2/24 alias
    ifconfig em0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias
    Server 2 (Backup):
    ifconfig em0 inet 192.168.0.0.2/24
    ifconfig em0 inet 192.168.0.0.3/24 alias
    ifconfig em0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias
    In the above example, if the OS chooses the VIP of 192.168.0.1/24 for packets sourced from Backup, Backup will never see the response, as they'll go to Primary instead. Going to Primary is the expected part. Source selection of 192.168.0.1 is the unexpected part, but it's unexpected because the Netgate documentation is just wrong, as this VIP should have been a /32. Documentation where the VIP isn't a /32, to which Netgate is correct:
    Server 1 (Primary):
    ifconfig em0 inet 192.168.0.10.1/24
    ifconfig em0 inet 192.168.0.1.1/24 alias
    ifconfig em0.123 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias
    Server 2 (Backup):
    ifconfig em0 inet 192.168.0.0.2/24
    ifconfig em0 inet 192.168.0.1.2/24 alias
    ifconfig em0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.0.1/24 alias
  • Discussions about Layer 2 Networking, including switching and VLANs

    1k Topics
    10k Posts
    patient0
    @piook said in Take two at this a year and no replies later.: But when I connect the LAN port to the switch and everything over that port is 1GB Full duplex. Which port on the USW Pro Max 16 are you connecting the LAN cable to? Of course you are aware that only 4 ports are 2.5G on that switch (according to the product page). What does speed selection show if you remove the LAN cable, is 1G still the fastest speed selectable? What happens when you switch the ports from the PC and the LAN cable? In general you would have better support on the Unifi forum, I think.
  • Discussions about routing and Multiple WAN uplinks (WAN Failover, WAN Load Balancing, etc.)

    9k Topics
    41k Posts
    I have a wifi network called Bob that does not extend to the garage very well. So I installed a Wifi Range Extender, called Mary, on Bob and connected those devices (camera, light switches) to Mary. Problem is, I can no longer access those Garage Camera and Light Switches (their admin web pages) from any of the other subnets on my pfSense router, whereas before when they were connected to Bob, I could. From what little I understand of this discussion: https://superuser.com/questions/586901/does-a-wi-fi-range-extender-create-a-separate-network "These are fake repeaters. Real repeaters require WDS to be configured at the access point. They do a form of NAT that impersonates their clients to the access point. This means seamless roaming is not possible." So, there is a NAT inside the Range Extender (Mary) that is preventing access to those connected devices from the other subnets on pfSense?
    Bob Wifi is 172.28.1.x
    Mary Range Extender is 172.28.1.4
    Joe Wifi is 172.28.2.x
    If I connect to Mary, I can access the Garage Camera and Light Switches.
    If I connect to Bob, I can also access the Garage Camera and Light Switches and all devices connected to Bob.
    If I connect to Joe, I cannot access the Garage Camera or Light Switches, but I can access any device connected to Bob.
    If I connect the Garage Camera and Light Switches directly to Bob, I can access them from Bob and from Joe.
    I'm thinking I need a Route set up in pfSense. But then again, I'm thinking I don't have a clue what's going on. Any advice? P.S. I believe switching the Range Extender to a Wired Access Point would probably solve this problem, but running cable to the Garage is a PITA. Thanks!
  • Discussions about traffic shaping and limiters

    3k Topics
    16k Posts
    stephenw10
    I don't believe it is the same root cause. That is fixed in 2.8.1-beta. https://redmine.pfsense.org/issues/16282
  • Discussions about DHCP, DNS Resolver (Unbound), DNS Forwarder (dnsmasq), and general DNS issues

    7k Topics
    43k Posts
    guiambros
    @webdawg said in KEA DHCP missing "Register DHCP leases in DNS Resolver...": Is 2.8.0 community working with KEA and DNS Resolver? Yes, I am on 2.8.0, and KEA now works well with DNS resolver. The DNS server now resolves client.mydomain.xx for leases received via KEA DHCP server.
  • Discussions about IPv6 connectivity and services

    2k Topics
    20k Posts
    @JKnott because the way Scaleway has configured their IPv6 is that SLAAC will only get you the /128 IP6 address Scaleway allocated to Proxmox. Whilst you can get /64 IP6 address spaces (what Scaleway call "flexible IP6"), to use these you have to assign this as a static IP6. I'm aware that Scaleway may not be following IP6 "best practice"; however, we have to work with what the ISP provides. Matthew
  • Discussions about IPsec VPNs

    6k Topics
    24k Posts
    I have a hub and spoke setup using IPsec policy routing (tunnel mode, not VTI mode). Currently my "spoke" sites have a P2 in their tunnel to the "hub" that is 10.0.0.0/8 (all my sites have LANs that are 10.X.0.0/16, replace X with a different number per site). The P2s in the hub site obviously list each spoke site's LANs as remote networks and 10.0.0.0/8 as a local network. This enables traffic to move not only from any spoke to the hub, but also allows traffic to pass from any spoke to any other spoke by transiting through the hub. This has worked very seamlessly. However I am looking at making some on-premises services have more redundancy. This is centered mostly around RADIUS authentication and domain controllers. I'd like to have a situation where the "spokes" have direct tunnels to three "core" locations, while still using the current "hub" as a transit site for spoke to spoke traffic and as a "core" location with redundant infrastructure. It occurs to me that just adding two additional tunnels for each spoke might not be a good idea. The P2s of the new tunnels will have each core site listed as a remote network. The 10.0.0.0/8 will remain for the links to the hub but this will obviously overlap with the new core site P2s. What are the potential issues with this? I have considered going to VTI + OSPF for this and I'm not really interested in it. I can run it in a lab with no issue, but in production all my sites have HA/CARP running. VTI + OSPF involves adding an Interface Assignment for every VPN tunnel. It's already aggravating enough getting the physical interfaces and VLAN interfaces added in exactly the correct order for HA to work. I am extremely uninterested in complicating that problem further, to the point I am willing to abandon the entire project if it's the only way.
    My only solutions are policy IPsec with overlapping P2s, if that will work without issues, or OpenVPN + OSPF (this config seems to work without making manual interface assignments, but it's OpenVPN and, therefore, slow). Has anyone tried policy IPsec in this configuration? Does it work? Does it work but with issues?
  • Discussions about OpenVPN

    10k Topics
    53k Posts
    yon 0
    @Antibiotic said in OPENVPN DCO pfsense 25.07.1: @yon-0 If you ever connect to older OpenVPN servers (e.g., 2.4.0–2.4.4), you'll need to disable DCO on your client to fall back to DATA_V1: The DATA_V2 format in OpenVPN is a streamlined, secure packet structure designed for use with AEAD ciphers (like AES-GCM or ChaCha20-Poly1305) and Data Channel Offload (DCO). It replaces the older DATA_V1 format and is required for kernel-level acceleration and modern encryption. When OpenVPN prepares a DATA_V2 packet: It selects an AEAD cipher. Generates a Packet ID (used as part of the nonce). Encrypts the payload and attaches the Auth Tag. Sends the packet with Opcode, Peer-ID, and encrypted content. No IV or HMAC is needed; AEAD handles it all internally. Generates a Packet ID (used as part of the nonce) Sends the packet with Opcode, Peer-ID, and encrypted content. How to do it?
  • Discussions about Captive Portal, vouchers, and related topics

    4k Topics
    19k Posts
    johnpoz
    Yeah, this used to be an issue, where once a new release came out, updating packages could install a package from the new release even if you were on the old one.. But I thought that was addressed a while back. From my understanding you shouldn't see new packages available for version Y when you are still on X.
  • Anything that does not fit in other categories related to the webGUI

    2k Topics
    10k Posts
    @marcosm Thanks for the info. "Do not wait for a RA" was not checked. I checked it, enabled DHCP6 Debug, and rebooted the system. I'll watch for a recurrence of the behavior reported here.
  • Discussions about wireless networks, interfaces, and clients

    2k Topics
    11k Posts
    provels
    @opticalc Intel.
  • Discussions about monitoring via SNMP

    197 Topics
    609 Posts
    I figured it out. My firewalls had an old unused OpenVPN client connection on them that was unstable, and every time it reconnected it got a new IP address, causing pfSense to restart all packages, and since it took down SNMP, we wouldn't get alerted about the interface going down either... So this issue is solved now.
  • Discussions about pfSense documentation, including the book

    186 Topics
    1k Posts
    opnwall
    As a volunteer translator, I suggest that the official website update the template files of the online translation (https://zanata.netgate.com/) in a timely manner, or open the function of uploading po or mo files to replace the translation templates that are still in pfsense 2.50.
  • Topics related to developing pfSense: coding styles, skills, questions etc.

    1k Topics
    6k Posts
    fabricioguzzy
    Re: Looking for PfSense Github 2.8.0 branch. Where is the 2.8.0 branch on github?
  • Discussions about playing network-based games behind pfSense from consoles, PCs, etc.

    427 Topics
    3k Posts
    @BMD Good to hear it’s stable now.
  • Discussions about virtualizing pfSense in hypervisors such as AWS, VMware, Hyper-V, Xen, KVM, qemu, etc

    2k Topics
    12k Posts
    @geovaneg It may not be related, but whilst the PVSCSI is traditionally more performant, I've used the LSILogic SAS controller on my installs without issue. I believe it is also mentioned in the docs.
  • Discussions about pfSense hardware support

    8k Topics
    69k Posts
    stephenw10
    You don't see the hwpstate_intel device detected in the boot logs?
  • Discussions about collaboratively raising money for a feature. To start a thread you must offer a starting price and be very specific on the feature you would like to see.

    457 Topics
    6k Posts
    Rereading this I realize I didn't provide much context or frame the issue very well, and since I can't edit I'll post what the OP should have started with here. From the pfSense Docs: Captive Portal in pfSense software forces users on an interface to authenticate before granting access to the Internet. Where possible, the firewall automatically presents a login web page in which the user must enter credentials such as a username/password, a voucher code, or a simple click-through agreement. Users have made many requests for something similar, but for authorizing access into the intranet, instead of out to the internet. This is often called a "reverse portal". This would be useful for e.g. setting up MFA for WireGuard VPN connections or requiring login to access a different segment of the local network. Unfortunately, despite being nearly identical in implementation, Netgate explicitly states that their captive portal feature is not capable of acting as a reverse portal, aka authorizing access to the local intranet. One of the challenges with reverse portals is how to know when the user has disconnected and needs to reauthenticate. Here I propose a design where the user has to keep a browser tab with an open TCP connection (SSE with heartbeats) connected to the firewall for the pass rule to be enabled; when the connection closes the pass rule is disabled and they will have to reauthenticate.
  • 10k Topics
    64k Posts
    stephenw10
    Yes, this needs to be addressed. But I would argue that if you can set the PPPoE password you already have a high level of access and could break things far more easily.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.