Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login
    1. Home
    2. Popular
    Log in to post
    • All Time
    • Day
    • Week
    • Month
    • All Topics
    • New Topics
    • Watched Topics
    • Unreplied Topics
    • All categories
    • 7

      Dynamic DNS (DDNS) fails to obtain public IP

      Watching Ignoring Scheduled Pinned Locked Moved DHCP and DNS
      39
      0 Votes
      39 Posts
      623 Views
      7

      @johnpoz Ok, well thank you anyway John
      Tas

    • Bob.DigB

      25.07.r.20250709.2036 First Boot WireGuard Service not running

      Watching Ignoring Scheduled Pinned Locked Moved Plus 25.07 Develoment Snapshots
      36
      0 Votes
      36 Posts
      377 Views
      Bob.DigB

      @stephenw10 I made some further changes. I removed the gateway for that problematic tunnel and also removed keep alive etc so that it is not expected to be running at start.
      That didn't changed anything for me. At next reboot, gateways are down as is WireGuard. So it seems more of a general problem, although no one else is reporting it...

    • C

      Port Forwarding stopped working after upgrading to 2.8.0

      Watching Ignoring Scheduled Pinned Locked Moved General pfSense Questions
      52
      0 Votes
      52 Posts
      1k Views
      stephenw10S

      Cool. Yup there was a backend issue last night. It should be fixed now.

    • S

      Upgrade from 2.7.2 to 2.8.0 Failed and now /boot/efi/ empty

      Watching Ignoring Scheduled Pinned Locked Moved Problems Installing or Upgrading pfSense Software
      28
      0 Votes
      28 Posts
      279 Views
      S

      @stephenw10 Unfortunately I am going to have to wait till I can bring down the network to test. If I take it down now and it doesn't come back up I will be having some hell to pay from the family...lol. 😃

    • H

      crowdsec

      Watching Ignoring Scheduled Pinned Locked Moved pfSense Packages
      30
      0 Votes
      30 Posts
      1k Views
      dennypageD

      @Zermus said in crowdsec:

      It's a shame Elastic took their stuff in house and ELK stacks are no longer free. Tom Lawrence's (https://www.youtube.com/@LAWRENCESYSTEMS) videos convinced me that I should go over to Graylog Open on my personal stuff when that happened and I'm happy with it.

      I always viewed ELK as overly complicated. Graylog is much more manageable, although the console isn't as nice. Work in progress.

    • L

      Gateway monitoring still not OK

      Watching Ignoring Scheduled Pinned Locked Moved Plus 25.07 Develoment Snapshots
      22
      0 Votes
      22 Posts
      502 Views
      dennypageD

      @stephenw10 said in Gateway monitoring still not OK:

      I would still expect to have seen dpinger try to ping and show loss rather than pending.

      /etc/inc/gwlb.inc:

      // dpinger returns '<gwname> 0 0 0' when queried directly after it starts. // while a latency of 0 and a loss of 0 would be perfect, in a real world it doesnt happen. // or does it, anyone? if so we must 'detect' the initialization period differently..
    • E

      Router advertisement not sending default gateway

      Watching Ignoring Scheduled Pinned Locked Moved IPv6
      21
      0 Votes
      21 Posts
      389 Views
      P

      @Euroguy said in Router advertisement not sending default gateway:

      So, followup after a reinstallation of the system

      Short answer is, things now seem to work.

      Glad to see you got it up and running :)

      I get both DHCP4 and 6 clients with leases now (although status of lease seems broken, always showing black down arrow even though lease is active and remote machine is up and active

      I see that from time to time too. I think there are some timers that you can tweak (can't recall which ones though) that determines how long it takes without a "sign of life" before the client is marked as offline. For IPv4 there's an ARP timer ... and for v6 it should be an equivalent NDP timer. Can be set in System / Advanced / Tunables once you find out what they are called :)

      DHCP6 server fails as DHCP requests / Discovery is done on fe80::/10 and that is not considered to be LAN it seems. I had to add a LAN allow rule for fe80::10 to ff02::/16 like this for DHCP6 to work:
      e98b2093-2534-4c7e-9c09-6d54251d537d-image.png

      That rule shouldn't be needed, it is part of the automatic rule set added by pfSense. I get those by means of pfSense magic: (check in /tmp/rules.debug)

      pass in quick on $WAN proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 ridentifier 1000000463 label "allow dhcpv6 client in WAN" pass quick on $LAN inet6 proto udp from fe80::/10 to fe80::/10 port = 546 ridentifier 1000002551 label "allow access to DHCPv6 server" pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 ridentifier 1000002552 label "allow access to DHCPv6 server" pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 ridentifier 1000002553 label "allow access to DHCPv6 server" pass quick on $LAN inet6 proto udp from ff02::/16 to fe80::/10 port = 547 ridentifier 1000002554 label "allow access to DHCPv6 server" <snip>

      Update:
      the timer tweak I used a long time ago was

      net.link.ether.inet.max_age=60

      which make the cached ARP-entry lifetime 60 seconds, I wanted clients to go offline faster. Default is 1200s. See https://man.freebsd.org/cgi/man.cgi?query=arp&sektion=4

      24319ba3-b5d5-4add-b251-9993249ff5a6-image.png

    • A

      DNS Block and Redirect for IPv6

      Watching Ignoring Scheduled Pinned Locked Moved DHCP and DNS
      21
      0 Votes
      21 Posts
      244 Views
      johnpozJ

      @Gertjan oh I missed that - my bad.

    • M

      Netgate Documentation on DNS over TLS and NOT using DNSSEC

      Watching Ignoring Scheduled Pinned Locked Moved DHCP and DNS
      17
      0 Votes
      17 Posts
      207 Views
      johnpozJ

      @tinfoilmatt said in Netgate Documentation on DNS over TLS and NOT using DNSSEC:

      I've never encountered any problems

      And what have you gained by asking for something that has already been done.. You mention you leave 0x20 off for performance - but want to do a bunch of queries for dnssec that make no matter?

    • J

      Should my dhcpv6 clients also get a /64 address?

      Watching Ignoring Scheduled Pinned Locked Moved IPv6
      17
      0 Votes
      17 Posts
      102 Views
      J

      Still trying to debug this.

      Interesting fact: when those /128 dhcpv6 leases are handed out, pfsense+ status shows that there are no current dhcpv6 leases. Notice that the addresses of those leases match the range specified in dhcpv6 server settings for the interface (::1000 to ::2000).

      What could be the reason for this? Addresses from specified pool, but not from this server? So from... ISP server?

      Tried to increase priority to "high", no difference.

    • J

      Gtek 2.5G (Intel I225 Controller) PCI-E x1 Network Card not recognized by the pfsense

      Watching Ignoring Scheduled Pinned Locked Moved Hardware
      14
      0 Votes
      14 Posts
      187 Views
      GertjanG

      @johnytb said in Gtek 2.5G (Intel I225 Controller) PCI-E x1 Network Card not recognized by the pfsense:

      can you explain to me what exactly is this interface that you show here ?

      That's pfSense most important interface 😊
      The one that works when even all your NICs don't work.

      Its called : the console, which could be a serial connection, or, if you have VGA/HDMI build in, it could be that and a (USB) keyboard.
      Or : If the LAN NIC is working, you 'ssh' into your pfSense using a SSH client like putty or classic 'ssh'.

      Keep in mind : what happens when you have a disk drive issue ?
      => pfSense can't boot.
      => Network interfaces will all by down ...
      You the the console (serial or VG/HDMI/Keyboard) access.

      For command line commands I use the ... command line = console (or SSH) access.

    • P

      pfSense Plus 25.07 Beta Now Available

      Watching Ignoring Scheduled Pinned Locked Moved Messages from the pfSense Team
      28
      4 Votes
      28 Posts
      2k Views
      brezlordB

      UI Update output.

      >>> Updating repositories metadata... Updating pfSense-core repository catalogue... Fetching meta.conf: . done Fetching data.pkg: . done Processing entries: . done pfSense-core repository update completed. 5 packages processed. Updating pfSense repository catalogue... Fetching meta.conf: . done Fetching data.pkg: .......... done Processing entries: .......... done pfSense repository update completed. 733 packages processed. All repositories are up to date. >>> Setting vital flag on pkg...done. >>> Setting vital flag on pfSense...done. >>> Renaming current boot environment from 25.03 to 25.03_20250719205419...done. >>> Cloning current boot environment 25.03_20250719205419...done. >>> Removing vital flag from php83...done. >>> Upgrading packages in cloned boot environment 25.03... Updating pfSense-core repository catalogue... pfSense-core repository is up to date. Updating pfSense repository catalogue... pfSense repository is up to date. All repositories are up to date. Checking for upgrades (10 candidates): .......... done Processing candidates (10 candidates): .......... done The following 10 package(s) will be affected (of 0 checked): Installed packages to be UPGRADED: if_pppoe-kmod: 25.03.b.20250515.1415.1500029 -> 25.07.r.20250715.1733.1500029 [pfSense] pfSense: 25.03.b.20250515.1415.1500029 -> 25.07.r.20250715.1733.1500029 [pfSense] pfSense-base: 25.03.b.20250515.1415 -> 25.07.r.20250715.1733 [pfSense-core] pfSense-boot: 25.03.b.20250515.1415 -> 25.07.r.20250715.1733 [pfSense-core] pfSense-default-config-serial: 25.03.b.20250515.1415 -> 25.07.r.20250715.1733 [pfSense] pfSense-kernel-pfSense: 25.03.b.20250515.1415 -> 25.07.r.20250715.1733 [pfSense-core] pfSense-pkg-Nexus: 25.03.b.20250515.1415 -> 25.07.r.20250715.1733 [pfSense] pfSense-pkg-System_Patches: 2.2.21_1 -> 2.2.21_2 [pfSense] pfSense-repoc: 20250419 -> 20250520 [pfSense] unbound: 1.22.0_1 -> 1.23.0 [pfSense] Number of packages to be upgraded: 10 The operation will free 12 MiB. 214 MiB to be downloaded. [1/10] Fetching unbound-1.23.0.pkg: .......... done [2/10] Fetching pfSense-pkg-System_Patches-2.2.21_2.pkg: ......... done [3/10] Fetching if_pppoe-kmod-25.07.r.20250715.1733.1500029.pkg: ... done [4/10] Fetching pfSense-pkg-Nexus-25.07.r.20250715.1733.pkg: .......... done [5/10] Fetching pfSense-kernel-pfSense-25.07.r.20250715.1733.pkg: .......... done [6/10] Fetching pfSense-base-25.07.r.20250715.1733.pkg: .......... done [7/10] Fetching pfSense-25.07.r.20250715.1733.1500029.pkg: .......... done [8/10] Fetching pfSense-boot-25.07.r.20250715.1733.pkg: .......... done [9/10] Fetching pfSense-default-config-serial-25.07.r.20250715.1733.pkg: . done [10/10] Fetching pfSense-repoc-20250520.pkg: .......... done Checking integrity... done (0 conflicting) [1/10] Upgrading unbound from 1.22.0_1 to 1.23.0... ===> Creating groups Using existing group 'unbound' ===> Creating users Using existing user 'unbound' [1/10] Extracting unbound-1.23.0: .......... done [2/10] Upgrading pfSense-repoc from 20250419 to 20250520... [2/10] Extracting pfSense-repoc-20250520: .. done [3/10] Upgrading if_pppoe-kmod from 25.03.b.20250515.1415.1500029 to 25.07.r.20250715.1733.1500029... [3/10] Extracting if_pppoe-kmod-25.07.r.20250715.1733.1500029: .. done [4/10] Upgrading pfSense-boot from 25.03.b.20250515.1415 to 25.07.r.20250715.1733... [4/10] Extracting pfSense-boot-25.07.r.20250715.1733: .......... done [5/10] Upgrading pfSense-pkg-System_Patches from 2.2.21_1 to 2.2.21_2... [5/10] Extracting pfSense-pkg-System_Patches-2.2.21_2: .......... done [6/10] Upgrading pfSense-pkg-Nexus from 25.03.b.20250515.1415 to 25.07.r.20250715.1733... [6/10] Extracting pfSense-pkg-Nexus-25.07.r.20250715.1733: .......... done [7/10] Upgrading pfSense-kernel-pfSense from 25.03.b.20250515.1415 to 25.07.r.20250715.1733... [7/10] Extracting pfSense-kernel-pfSense-25.07.r.20250715.1733: .......... done [8/10] Upgrading pfSense-base from 25.03.b.20250515.1415 to 25.07.r.20250715.1733... [8/10] Extracting pfSense-base-25.07.r.20250715.1733: ... done ===> Keeping a copy of current version mtree ===> Removing schg flag from base files ===> Extracting new base tarball ===> Removing static obsoleted files [9/10] Upgrading pfSense from 25.03.b.20250515.1415.1500029 to 25.07.r.20250715.1733.1500029... [9/10] Extracting pfSense-25.07.r.20250715.1733.1500029: .......... done [10/10] Upgrading pfSense-default-config-serial from 25.03.b.20250515.1415 to 25.07.r.20250715.1733... [10/10] Extracting pfSense-default-config-serial-25.07.r.20250715.1733: [10/10] Extracting pfSense-default-config-serial-25.07.r.20250715.1733... done Failed
    • I

      NAT broken after Reboot

      Watching Ignoring Scheduled Pinned Locked Moved NAT
      14
      0 Votes
      14 Posts
      611 Views
      P

      @iggybuddy6 I'm just happy I could help. Today I went from thinking I knew everything about setting up wg on pfSense, to realising I did not, and that is a great reward in itself!

      Hopefully your setup will remain stable going forward.

    • JonathanLeeJ

      Port 0 and IPv4 Great... but hey what about IPv6 or inet6?

      Watching Ignoring Scheduled Pinned Locked Moved Firewalling port 0 pfctl -sr inet6 ipv6 acl
      15
      0 Votes
      15 Posts
      294 Views
      JonathanLeeJ

      @johnpoz This even does this with the newest CE edition inside of UTM virtualized environment outside of the 2100s

      Screenshot 2025-07-17 at 10.15.51.png

      It is not just the 2100s this is set up for standard stuff everything else works with it just the status page

    • P

      Now Available: pfSense® CE 2.8.0-RELEASE

      Watching Ignoring Scheduled Pinned Locked Moved Messages from the pfSense Team
      112
      12 Votes
      112 Posts
      19k Views
      stephenw10S

      You can just start a new thread in General pfSense Questions.

    • T

      Reboot gets stuck at "Installing Nvme Lens"

      Watching Ignoring Scheduled Pinned Locked Moved Official Netgate® Hardware
      13
      0 Votes
      13 Posts
      314 Views
      T

      @stephenw10 Thanks for letting me know there were backend issue, I think it would be helpful if Netgate posted an announcement when there are issues, maybe some details, and an ETA to restore service.

      It would save a little headache for some of us.

    • R

      pfSense 2.8.0 full iso/img

      Watching Ignoring Scheduled Pinned Locked Moved Problems Installing or Upgrading pfSense Software
      64
      1 Votes
      64 Posts
      12k Views
      P

      Recently done four of them. Two upgrades from 2.7.2 and two net installed. All went ok & reinstalled packages after.

      I agree an iso would be useful but I’ve managed without.

      Next one will be an ESXI vm, so will try both methods on that.

    • LaxarusL

      if_pppoe with frequent connection losses due to ISP connection making firewall unstable

      Watching Ignoring Scheduled Pinned Locked Moved Development
      27
      0 Votes
      27 Posts
      767 Views
      stephenw10S

      You can set the size it rotates at and the number of files to retain in the log settings at Status > Logs > Settings. As long as you have the space you should be able to increase it.

    • N

      [2.8.1.b] Multiple limiter issue

      Watching Ignoring Scheduled Pinned Locked Moved Development
      11
      0 Votes
      11 Posts
      489 Views
      stephenw10S

      Ah OK I see, the names threw me!

    • mav3rickM

      OpenVPN on 2 pfsense instance with HA - service is running on both pfsense instances

      Watching Ignoring Scheduled Pinned Locked Moved OpenVPN
      12
      0 Votes
      12 Posts
      135 Views
      M

      @mav3rick said in OpenVPN on 2 pfsense instance with HA - service is running on both pfsense instances:

      So setting openvpn to bind only to the CARP VIP works fine for me

      Multi-WAN with HA there?
      If so, it would be a better idea to run openVPN server on localhost instead.
      This would allow it to receive connections from all WANs.

      No need to select a VIP, just forward packets from the WANs VIPs to localhost.
      You can use DNS, thus the client would connect to the WAN that is UP.
      Or
      You can use two remote entries in the .ovpn, with timeout lets say, 2 seconds.

      Then, just create the NAT rule to access the firewall-2, using the SYNC address as previously mentioned.