Netgate Discussion Forum
    • Intervlan traffic being blocked
      Firewalling | 0 Votes | 42 Posts | 522 Views
      johnpoz

      @greatbush well you can ping other interfaces on pfsense, just not the 172.16.64 one.

      At a loss.. You have no floating rules.. And it looks like your rule triggered and states are created there in that top rule you posted when trying to talk to it.

      You have no floating rules - and no current vpn tunnels..

      Yeah, at a loss as to what would cause that.

      Can you talk to any of the other 172.16.x interfaces you have via the route table you sent..

    • Dynamic DNS (DDNS) fails to obtain public IP
      DHCP and DNS | 0 Votes | 46 Posts | 958 Views

      @revengineer yeah, my issue is different from yours then, but we actually don't know if @70tas's is. They are using Xfinity also, so it could be the same issue as mine.

    • 25.07.r.20250709.2036 First Boot WireGuard Service not running
      Plus 25.07 Development Snapshots | 0 Votes | 37 Posts | 642 Views
      Bob.Dig

      @stephenw10 Today I rebooted the host (Hyper-V) and had no problem at all. Don't know if this points towards being a weird virtualization issue... But then, why would WireGuard be affected...

    • Upgrade from 2.7.2 to 2.8.0 Failed and now /boot/efi/ empty
      Problems Installing or Upgrading pfSense Software | 0 Votes | 28 Posts | 415 Views

      @stephenw10 Unfortunately I am going to have to wait till I can bring down the network to test. If I take it down now and it doesn't come back up I will be having some hell to pay from the family...lol. 😃

    • Port Forwarding stopped working after upgrading to 2.8.0
      General pfSense Questions | 0 Votes | 63 Posts | 1k Views

      So I kinda got it working... I spent hours fiddling.

      Under the general setup I set up

      10.0.0.243 for the one PIA VPN
      10.0.0.241 and I set it to WAN and I tried also none

      I guess when you set it to none that means whatever gateway is available will use it??

      I've tried again using 1.1.1.1 for WAN but I find it leaks the Cloudflare on the VPN, which I truly don't understand, as I always figured the IP address you give is specific to that gateway and not shared over all the connections..

      So I'm testing with the 2 PIA VPN IPs.. for now it seems to be working but will see by tomorrow.. I've been testing stuff all day so I'll let you know how I make out

    • Strange behavior with gateway
      Problems Installing or Upgrading pfSense Software | 0 Votes | 25 Posts | 329 Views
      stephenw10

      @chpalmer said in Strange behavior with gateway:

      ???

      When the default gateway is set to a failover group the 'Default' column in the gateways list should show the tiers. But in this screenshot it doesn't: https://forum.netgate.com/post/1221365
      That's unexpected.

    • Should my dhcpv6 clients also get a /64 address?
      IPv6 | 0 Votes | 26 Posts | 274 Views

      @JKnott said in Should my dhcpv6 clients also get a /64 address?:

      @Gertjan said in Should my dhcpv6 clients also get a /64 address?:

      In a pure SLAAC setup you could even disable the DHCPv6 server. (Never tried this, I hope I don't say stupid things here)

      I have never enabled it. Just enable RDNSS to provide the DNS server address. That's the Enable DNS setting, under DNS configuration, on the Router Advertisement page.

      That approach seems to work: I just stopped the dhcpv6 servers on all interfaces, and addressing and net functionality seem unchanged.

      Well, that is simple. Thanks!

    • DNS Block and Redirect for IPv6
      DHCP and DNS | 0 Votes | 21 Posts | 270 Views
      johnpoz

      @Gertjan oh I missed that - my bad.

    • VPN Performance with S2S
      Deutsch | 0 Votes | 17 Posts | 1k Views
      micneu

      @gtrdriver said in VPN Performance with S2S:

      The machines that pfSense runs on are quite powerful; I can't imagine that the CPU is the limiting element here.

      Could you please still give the exact details of the hardware in use? Does the hardware have Realtek NICs?

      I have 2 x Netgate 6100 on symmetric 1 Gbit/s fibre and they handle that properly with OpenVPN (I don't have an iperf right now, so I can't provide figures). At home I have my Netgate 6100 and it also does a good job on my internet connection with PPPoE.

    • Netgate Documentation on DNS over TLS and NOT using DNSSEC
      DHCP and DNS | 0 Votes | 17 Posts | 265 Views
      johnpoz

      @tinfoilmatt said in Netgate Documentation on DNS over TLS and NOT using DNSSEC:

      I've never encountered any problems

      And what have you gained by asking for something that has already been done.. You mention you leave 0x20 off for performance - but want to do a bunch of queries for DNSSEC that make no difference?

    • pfSense® CE 2.8.1 Beta Now Available!
      Messages from the pfSense Team | 6 Votes | 14 Posts | 765 Views

      @reberhar Piece of cake.

      Really fast with no problems.

    • New Tunable: kern.crypto.iimb.enable_aescbc on fresh install
      Plus 25.07 Development Snapshots | 0 Votes | 14 Posts | 261 Views
      dennypage

      I enabled my iimb by hand. Seems to work fine on my 6100.

      FWIW, the current documentation indicates that the default value of kern.crypto.iimb.enable_aescbc is 1 (enabled), although it has a warning that iimb can be slower than qat for cbc. I don't use cbc, so it doesn't matter in my case.

      I think the documentation is incorrect or outdated (at least for the 6100), as the code in /etc/inc/config.console.inc explicitly sets kern.crypto.iimb.enable_aescbc to 0.

      FWIW, there is also an interesting note on the qat/iimb trade-off earlier here. YMMV

    • Gtek 2.5G (Intel I225 Controller) PCI-E x1 Network Card not recognized by the pfsense
      Hardware | 0 Votes | 14 Posts | 298 Views
      Gertjan

      @johnytb said in Gtek 2.5G (Intel I225 Controller) PCI-E x1 Network Card not recognized by the pfsense:

      can you explain to me what exactly is this interface that you show here?

      That's pfSense's most important interface 😊
      The one that works even when all your NICs don't work.

      It's called: the console, which could be a serial connection, or, if you have VGA/HDMI built in, it could be that and a (USB) keyboard.
      Or: if the LAN NIC is working, you 'ssh' into your pfSense using an SSH client like putty or classic 'ssh'.

      Keep in mind: what happens when you have a disk drive issue?
      => pfSense can't boot.
      => Network interfaces will all be down ...
      You need the console (serial or VGA/HDMI/keyboard) access.

      For command line commands I use the ... command line = console (or SSH) access.

    • NAT broken after Reboot
      NAT | 0 Votes | 14 Posts | 649 Views

      @iggybuddy6 I'm just happy I could help. Today I went from thinking I knew everything about setting up WireGuard on pfSense to realising I did not, and that is a great reward in itself!

      Hopefully your setup will remain stable going forward.

    • pfSense throughput performance disparity
      General pfSense Questions | 0 Votes | 13 Posts | 162 Views
      Gertjan

      @OracPrime

      If you use "pppoe" as the WAN connection method, the upstream device, the Fritzbox, is just a modem-type device ...

      One of the advantages (probably the only one) of using pppoe on the pfSense WAN: the pfSense WAN interface uses the real outside-world IPv4.

      No need to 'dmz' or 'NAT' or 'redirect' anything to pfSense. Everything will reach the pfSense WAN interface.

    • NAT Reflection Issue with Dual WAN Setup in pfSense 2.7.2
      General pfSense Questions | 0 Votes | 13 Posts | 182 Views
      stephenw10

      Yes, as long as it matches the traffic against a rule that's above the policy routing rule, that will work.

    • Does pfSense do any kind of resets every hour?
      General pfSense Questions | 0 Votes | 13 Posts | 134 Views
      Gertjan

      @hansolo77

      Checking what pfSense does every hour sharp - or at some other regular moment - is a good start.
      But don't stop there!
      Check also: all devices connected to your pfSense LANs! as these can all do something at that very moment.

      ISPs love to sell you numbers. Like 'a 1 Gbit/sec connection just for you'. If the country where you live has some enforced consumer rights movements, these ISPs now add at the bottom of the contract "... or whatever we have available for you".
      After all, ISPs tend to hook up entire roads, cities, etc to one main piece of equipment with, guess what, a limited, up-front determined throughput. For example: you all share the same 100 Gbits very expensive router/switch.
      If more than 100 clients are hooked up to this expensive router, then ... you get it: what happens when all these clients, all their devices, do 'something' at xx sharp? So you have to check all of them (which you probably can't do) - or disconnect them all while you are testing.
      You can even go one level higher, and check all the POPs of your ISP ....

      Inspecting the cron list is one thing.
      You still have to use the console or better, the SSH access, use menu option 8, and type 'top'.
      Make sure the list is sorted by 'CPU usage'.

      Use also this command:

      ps aux

      and look for the processes that mention minicron; these are also timed processes.

      On my pfSense :

      [25.07-RC][root@pfSense.bhf.tld]/root: ps aux | grep 'minicron'
      root 89370 0.0 0.1 13980 2484 - Is 18Jul25 0:00.00 /usr/local/bin/minicron 240 /var/run/ping_hosts.pid /usr/local/bin/ping_hosts.sh
      root 89826 0.0 0.1 13980 2480 - Is 18Jul25 0:00.00 /usr/local/bin/minicron 300 /var/run/ipsec_keepalive.pid /usr/local/bin/ipsec_keepalive.php
      root 90216 0.0 0.1 13980 2500 - I 18Jul25 0:00.17 minicron: helper /usr/local/bin/ipsec_keepalive.php (minicron)
      root 90313 0.0 0.1 13980 2476 - Is 18Jul25 0:00.00 /usr/local/bin/minicron 3600 /var/run/expire_accounts.pid /usr/local/sbin/fcgicli -f /etc/rc.expireaccounts
      root 90699 0.0 0.1 13980 2500 - I 18Jul25 0:00.01 minicron: helper /usr/local/sbin/fcgicli -f /etc/rc.expireaccounts (minicron)
      root 90868 0.0 0.1 13980 2504 - I 18Jul25 0:00.20 minicron: helper /usr/local/bin/ping_hosts.sh (minicron)
      root 91166 0.0 0.1 13980 2480 - Is 18Jul25 0:00.00 /usr/local/bin/minicron 86400 /var/run/update_alias_url_data.pid /usr/local/sbin/fcgicli -f /etc/rc.update_alias_url_data
      root 91830 0.0 0.1 13980 2504 - I 18Jul25 0:00.00 minicron: helper /usr/local/sbin/fcgicli -f /etc/rc.update_alias_url_data (minicron)
      root 84792 0.0 0.1 14076 2688 0 S+ 08:49 0:00.00 grep minicron

      The "/etc/rc.expireaccounts" is an hourly process, and afaik it doesn't communicate, and takes a split second to execute.

      Normally, with a vanilla pfSense (no addons, no pfSense packages) there is no 'download xx Mbytes every hour' process.
      pfSense will update some small files once a month, and will check with the Netgate update servers to see if there are pfSense or package updates available, but this will not create big loads of traffic, and will probably last for a second or two.

    • if_pppoe problems with php-fpm causing loops. (resolved)
      General pfSense Questions | 0 Votes | 53 Posts | 1k Views

      @w0w I am seeing indications in the log that it isn't going down as you suggested; as an example, dpinger stayed running on a static pid, logging ping failures almost every second. Also no switch of gateway, when the switch criterion is "down" state. (my phone was left in all night as an internet uplink).
      If it's failing to go to a down state, it would make some sense as to why a manual restart works and leaving it alone doesn't. As the obvious question is what is different between me restarting it manually and it trying to restart itself, there must be a difference.

      When I intervened dpinger exited on signal 15.

    • Private WLAN
      Development | 0 Votes | 11 Posts | 838 Views
      stephenw10

      OK so it looks like you had two issues:

      The installer didn't work as you expected it to but you were able to get 2.8 installed and booted.

      The resulting install didn't behave as you expected. That's independent of the installer and 2.7.2 would have behaved identically in that situation.

      So after install you assigned two interfaces, pfSense names them WAN and LAN but any interface can be anything. And you configured them both to be DHCP since both subnets already have a DHCP server?

      The typical subnet conflict that users hit when installing behind another firewall is that pfSense uses 192.168.1.1/24 as the default LAN address and that subnet is also used by the upstream firewall on the WAN side.
      I assume you didn't hit that since both subnets already existed in your network, so they must be using different subnets? What are they?

      However you then say you set the LAN back to a static address? Presumably in the same subnet?

      By default pfSense creates firewall rules on the LAN interface to allow access to the webgui there. That applies whether the LAN is static or DHCP.

      How exactly were you trying to connect? From where?

    • pfsense-tools.git clang gcc
      Development (tags: clang, gcc, pfsense-tools) | 0 Votes | 12 Posts | 199 Views
      JonathanLee

      If anyone wants to test this out

      https://github.com/pfsense/FreeBSD-ports/pull/1420

      I did get it to fully compile with the adapted Makefile; they disable SMB_LM, which has been removed.