<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Recently Active Topics]]></title><description><![CDATA[A list of topics that have been active within the past 24 hours]]></description><link>https://forum.netgate.com/recent</link><generator>RSS for Node</generator><lastBuildDate>Thu, 16 Apr 2026 14:13:05 GMT</lastBuildDate><atom:link href="https://forum.netgate.com/recent.rss" rel="self" type="application/rss+xml"/><pubDate>Thu, 16 Apr 2026 14:01:33 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[pfs+ lost access to the plus pfs+ update streams.]]></title><description><![CDATA[<p dir="auto">A major IT meltdown on my homelab has left me having to rebuild the entire thing from backups. Fortunately I am religious about backups so it only took a couple of hours - but the one outstanding issue is that both my pfs+ licenses are failing to be recognised on their respective machines. I can now only access the CE edition. Both virtual machines report the pfs+ activation is recognised.</p>
<p dir="auto">How do I get back onto the pfs+ stream?</p>
<p dir="auto">TIA<img src="/assets/uploads/files/1776348087308-pfsactivationconfirmation.png" alt="pfsActivationConfirmation.png" class=" img-fluid img-markdown" /></p>
]]></description><link>https://forum.netgate.com/topic/200537/pfs-lost-access-to-the-plus-pfs-update-streams.</link><guid isPermaLink="true">https://forum.netgate.com/topic/200537/pfs-lost-access-to-the-plus-pfs-update-streams.</guid><dc:creator><![CDATA[pfstyro]]></dc:creator><pubDate>Thu, 16 Apr 2026 14:01:33 GMT</pubDate></item><item><title><![CDATA[Netgate 6100 Crash and reboot]]></title><description><![CDATA[@stephenw10 oh wow really, I couldn't see anything in the logs, what should I be looking for/at?
]]></description><link>https://forum.netgate.com/topic/199916/netgate-6100-crash-and-reboot</link><guid isPermaLink="true">https://forum.netgate.com/topic/199916/netgate-6100-crash-and-reboot</guid><dc:creator><![CDATA[hulleyrob]]></dc:creator><pubDate>Thu, 16 Apr 2026 14:01:29 GMT</pubDate></item><item><title><![CDATA[OpenVPN Crash after update]]></title><description><![CDATA[@PJHaan said in OpenVPN Crash after update:

Does anyone have an idea what could be causing this?

We'll have to come over and check your OpenVPN (server) log page ...... ? 
What do you mean with "appears to" ?
And if it crashes ... what were the conditions ? Who restarted the OpenVPN server ?
Sorry, with the info you've supplied I can't find a probable reason.
900 connected users ... wow, that's impressive. The local computer hobby club, or are these remote workers ?
I do presume Netgate doesn't 'delete' all the forum posts mentioning failing OpenVPN servers from here. So the good news is the bad news : "OpenVPN server" is just fine, it's your settings.
So, can you tell us more ?
edit : is this the same OpenVPN server as mentioned here ? Over here you were running 25.x
]]></description><link>https://forum.netgate.com/topic/200535/openvpn-crash-after-update</link><guid isPermaLink="true">https://forum.netgate.com/topic/200535/openvpn-crash-after-update</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Thu, 16 Apr 2026 14:00:33 GMT</pubDate></item><item><title><![CDATA[Netgate 6100 Upgrade Available LED]]></title><description><![CDATA[@nonick I don't have an answer to your question; I'm just interested in why you want to stay on 25.11.1.
]]></description><link>https://forum.netgate.com/topic/200525/netgate-6100-upgrade-available-led</link><guid isPermaLink="true">https://forum.netgate.com/topic/200525/netgate-6100-upgrade-available-led</guid><dc:creator><![CDATA[micneu]]></dc:creator><pubDate>Thu, 16 Apr 2026 13:58:48 GMT</pubDate></item><item><title><![CDATA[KEA DHCP continuously rebooting with error message after 24.11 upgrade and switch from ISC]]></title><description><![CDATA[@ulcha If by chance you have an old config which you reinstalled with ZFS, ensure log compression is off since ZFS also does compression.  That was frequently a reason for bzip taking longer than expected.  But yes rotation every minute would also be a problem.

Switched back to ISC DHCP server.

Just...get rid of the extra Kea process...?
]]></description><link>https://forum.netgate.com/topic/195504/kea-dhcp-continuously-rebooting-with-error-message-after-24-11-upgrade-and-switch-from-isc</link><guid isPermaLink="true">https://forum.netgate.com/topic/195504/kea-dhcp-continuously-rebooting-with-error-message-after-24-11-upgrade-and-switch-from-isc</guid><dc:creator><![CDATA[SteveITS]]></dc:creator><pubDate>Thu, 16 Apr 2026 13:56:54 GMT</pubDate></item><item><title><![CDATA[Updates taking over an hour]]></title><description><![CDATA[Hmm, interesting. Yes if you have a partial IPv6 setup that can cause problems if it's still preferred over IPv4 (the default). But that shouldn't have changed since 25.11.1. Unless perhaps your ISP started handing out v6 info in the meantime.
Otherwise I'd check for issues in the route perhaps? Given you're seeing it across several sites I'd look for commonality. All the same ISP for example.
]]></description><link>https://forum.netgate.com/topic/200533/updates-taking-over-an-hour</link><guid isPermaLink="true">https://forum.netgate.com/topic/200533/updates-taking-over-an-hour</guid><dc:creator><![CDATA[stephenw10]]></dc:creator><pubDate>Thu, 16 Apr 2026 13:55:42 GMT</pubDate></item><item><title><![CDATA[Please assist me with settings]]></title><description><![CDATA[If I’m not mistaken, the issue you’re facing is not caused by your configuration but by a limitation in the Asus router firmware.
Even with NAT disabled, firewall disabled, and correct static routes, an Asus router operating in Router Mode does not allow routing from the WAN interface toward the LAN network.
The WAN interface always treats the upstream device (pfSense in your case) as “Internet”, which means it blocks any attempt to reach LAN clients in the 192.168.50.0/24 subnet. This is why you can ping the Asus WAN IP from pfSense, but you cannot reach any clients behind it.
If you need full communication from pfSense to the devices behind the Asus, the only supported solution is to run the Asus in Access Point Mode, so it becomes part of the same LAN (192.168.10.0/24).
For the use case you described (Portainer, Docker, InfluxDB, Grafana), a separate subnet is not required. In AP Mode all services will be directly reachable, and pfSense’s Telegraf can send metrics to InfluxDB without any routing or NAT-related issues.
]]></description><link>https://forum.netgate.com/topic/200511/please-assist-me-with-settings</link><guid isPermaLink="true">https://forum.netgate.com/topic/200511/please-assist-me-with-settings</guid><dc:creator><![CDATA[netpt]]></dc:creator><pubDate>Thu, 16 Apr 2026 13:53:42 GMT</pubDate></item><item><title><![CDATA[Upgrade 25.11.1 -&gt; 26.03 on SG-4200 fails]]></title><description><![CDATA[Hmm, if it fails because of that you should see an 'out of space' alert generated on the dashboard.
But glad that allowed it to continue. 
]]></description><link>https://forum.netgate.com/topic/200534/upgrade-25.11.1-26.03-on-sg-4200-fails</link><guid isPermaLink="true">https://forum.netgate.com/topic/200534/upgrade-25.11.1-26.03-on-sg-4200-fails</guid><dc:creator><![CDATA[stephenw10]]></dc:creator><pubDate>Thu, 16 Apr 2026 13:50:40 GMT</pubDate></item><item><title><![CDATA[Stuck on 26.03 RC]]></title><description><![CDATA[@stephenw10 Ah indeed I overlooked that one.
If you also provide links in the doc to the correct one for plus it would be a lot clearer.
(and helpful :))
]]></description><link>https://forum.netgate.com/topic/200530/stuck-on-26.03-rc</link><guid isPermaLink="true">https://forum.netgate.com/topic/200530/stuck-on-26.03-rc</guid><dc:creator><![CDATA[Lazer13]]></dc:creator><pubDate>Thu, 16 Apr 2026 13:32:29 GMT</pubDate></item><item><title><![CDATA[Suricata Blocks Page]]></title><description><![CDATA[@Petrixx using https://docs.netgate.com/pfsense/en/latest/development/system-patches.html.
Add a patch and paste in the code, then apply. IIRC all the defaults are OK.
]]></description><link>https://forum.netgate.com/topic/200348/suricata-blocks-page</link><guid isPermaLink="true">https://forum.netgate.com/topic/200348/suricata-blocks-page</guid><dc:creator><![CDATA[SteveITS]]></dc:creator><pubDate>Thu, 16 Apr 2026 12:55:09 GMT</pubDate></item><item><title><![CDATA[No DHCP Server for newly added OPT interface]]></title><description><![CDATA[@Udbytossen I knew to look because I have done the same thing...
]]></description><link>https://forum.netgate.com/topic/200536/no-dhcp-server-for-newly-added-opt-interface</link><guid isPermaLink="true">https://forum.netgate.com/topic/200536/no-dhcp-server-for-newly-added-opt-interface</guid><dc:creator><![CDATA[AndyRH]]></dc:creator><pubDate>Thu, 16 Apr 2026 12:52:17 GMT</pubDate></item><item><title><![CDATA[Is this possible with Tailscale?]]></title><description><![CDATA[@keyser good questions! I have Tailscale disabled right now on my 6100 while I wait to see if there will be any news on 16784, so I didn't get to try these yet.
But my initial thought is it would probably be preferred to use Tailscale's native Serve feature to provide ingress to your RDP servers from other tailnet-joined devices. This way you get the benefit of their granular ACLs, logging etc. Any reason not to go that route?
]]></description><link>https://forum.netgate.com/topic/200531/is-this-possible-with-tailscale</link><guid isPermaLink="true">https://forum.netgate.com/topic/200531/is-this-possible-with-tailscale</guid><dc:creator><![CDATA[luckman212]]></dc:creator><pubDate>Thu, 16 Apr 2026 12:51:29 GMT</pubDate></item><item><title><![CDATA[SURICATA Ethertype unknown]]></title><description><![CDATA[@stephenw10 I think they’re responding to me re the new HTTP header alerts. I wasn’t intending to hijack the thread, just say to watch out for them, too.
My overall point was to “yes and” the topic because normally one does not need to watch for excessive blocking with a Suricata upgrade. I would guess something in detection changed and/or new rules are triggering often.
To answer your question it’s a lot of connections to (and also from as I recall) the web servers. Like 10x normal blocking, without actually counting.
]]></description><link>https://forum.netgate.com/topic/200340/suricata-ethertype-unknown</link><guid isPermaLink="true">https://forum.netgate.com/topic/200340/suricata-ethertype-unknown</guid><dc:creator><![CDATA[SteveITS]]></dc:creator><pubDate>Thu, 16 Apr 2026 12:14:34 GMT</pubDate></item><item><title><![CDATA[X-ray VPN implementation in future releases of pfSense+]]></title><description><![CDATA[@Сергей-3
In your case, the gateway IP should be 10.100.94.53, just like the TUN IP. To restore the TUN IP, restart the Xray instance.
By the way, that's what I was saying, I had to tinker with hev-socks5-tunnel, but tune2socks worked right away.
Still working on fixes...
]]></description><link>https://forum.netgate.com/topic/197376/x-ray-vpn-implementation-in-future-releases-of-pfsense</link><guid isPermaLink="true">https://forum.netgate.com/topic/197376/x-ray-vpn-implementation-in-future-releases-of-pfsense</guid><dc:creator><![CDATA[kingpin]]></dc:creator><pubDate>Thu, 16 Apr 2026 08:39:56 GMT</pubDate></item><item><title><![CDATA[Netgate 8200 - Thermals]]></title><description><![CDATA[@tsmialek This is 3 years late but I just need to say. The reason for the temps, besides the obvious, ambient temp is probably too high and the fan cannot compensate. But the material the heat sink is made of matters. Aluminum has a thermal conductivity of 237 W/m.k while copper has a thermal conductivity of 401 W/m.k. It is why heat sinks typically are made of copper. The downside is copper is more expensive. So the point is if the heat sink at the base of the unit was made of copper it would pull heat away more efficiently, though there is the risk that if the fan can’t cool the heat sink fast enough then all the components besides the CPU would be at risk of damage. Not a mechanical engineer here but …just a small note. The noise in the 8200 is like a low whining noise that is just annoying. Can’t believe Netgate thought this was acceptable. In a data center or closet it would be ok but for small business or home use, yeah…not ideal. At this point swapping out the fan is an appealing thought. But if it gets damaged in the process then it’s an expensive venture. If I damage it I would buy a 6100 instead.
]]></description><link>https://forum.netgate.com/topic/177035/netgate-8200-thermals</link><guid isPermaLink="true">https://forum.netgate.com/topic/177035/netgate-8200-thermals</guid><dc:creator><![CDATA[zaphanathpaneah]]></dc:creator><pubDate>Wed, 15 Apr 2026 22:35:15 GMT</pubDate></item><item><title><![CDATA[Xray-core package for pfSense CE (VLESS + Reality, selective routing)]]></title><description><![CDATA[<p dir="auto">Hi everyone.</p>
<p dir="auto">I'd like to share my add-on for pfSense CE:<br />
<a href="https://github.com/pdazcom/pfSense-pkg-xray" target="_blank" rel="noopener noreferrer nofollow ugc">https://github.com/pdazcom/pfSense-pkg-xray</a></p>
<p dir="auto">It is a package that integrates <strong>Xray-core</strong> into <strong>pfSense CE</strong> with a proper GUI in the web interface.<br />
The main goal is to make it easy to bring up <strong>VLESS + Reality</strong> and use <strong>selective routing</strong> through standard pfSense mechanisms: <strong>Aliases / Firewall Rules / Gateway</strong>.</p>
<p dir="auto">What's already there:</p>
<ul>
<li>GUI for configuring connections and instances<br />
<strong>VLESS + Reality</strong> support</li>
<li><strong>multi-instance</strong></li>
<li>connection groups</li>
<li>subscriptions with auto-update</li>
<li>connection rotation with selection of a working node</li>
<li>diagnostics, URL test, logging</li>
<li>watchdog and automatic restart</li>
</ul>
<p dir="auto">In essence, traffic is routed by pfSense's built-in policy-based routing, with no need to build complex routing logic inside xray-core itself.</p>
<p dir="auto">The project grew out of the idea of porting <strong>os-xray</strong> from OPNsense to pfSense, adapted for pfSense CE.</p>
<p dir="auto">If anyone is interested, I'd welcome feedback, testing and comments:<br />
<a href="https://github.com/pdazcom/pfSense-pkg-xray" target="_blank" rel="noopener noreferrer nofollow ugc">https://github.com/pdazcom/pfSense-pkg-xray</a></p>
]]></description><link>https://forum.netgate.com/topic/200532/пакет-xray-core-для-pfsense-ce-vless-reality-selective-routing</link><guid isPermaLink="true">https://forum.netgate.com/topic/200532/пакет-xray-core-для-pfsense-ce-vless-reality-selective-routing</guid><dc:creator><![CDATA[kingpin]]></dc:creator><pubDate>Wed, 15 Apr 2026 22:31:32 GMT</pubDate></item><item><title><![CDATA[Guide to filtering web content (http and https) with pfsense 2.3]]></title><description><![CDATA[@aGeekhere I really think it would be great if you could find the time to publish a full guide that can be followed towards the stated goals. Such a setup is very difficult to create and would take A LOT of trial and error and error.
Here’s crossing my fingers for a guide 
]]></description><link>https://forum.netgate.com/topic/100342/guide-to-filtering-web-content-http-and-https-with-pfsense-2-3</link><guid isPermaLink="true">https://forum.netgate.com/topic/100342/guide-to-filtering-web-content-http-and-https-with-pfsense-2-3</guid><dc:creator><![CDATA[keyser]]></dc:creator><pubDate>Wed, 15 Apr 2026 18:31:01 GMT</pubDate></item><item><title><![CDATA[pfSense Plus 26.03 Release Now Available!]]></title><description><![CDATA[I said in pfSense Plus 26.03 Release Now Available!:

Suricata: https://forum.netgate.com/post/1240644 (prevents Blocks page crash)

IMO, those running Suricata should also look for:
https://forum.netgate.com/post/1241305
]]></description><link>https://forum.netgate.com/topic/200448/pfsense-plus-26.03-release-now-available</link><guid isPermaLink="true">https://forum.netgate.com/topic/200448/pfsense-plus-26.03-release-now-available</guid><dc:creator><![CDATA[SteveITS]]></dc:creator><pubDate>Wed, 15 Apr 2026 14:29:00 GMT</pubDate></item><item><title><![CDATA[NOT working with OVH end point since 2025]]></title><description><![CDATA[@zimnysbrain
The bad news : Setting up acme.sh with the correct settings is close to rocket science.
And the good news : the pfSense acme.sh package is used daily by the thousands. If it didn't work, people wouldn't have their certificates, and then things will go bad very fast.
Have a look for yourself here : you saw someone mentioning something ?
I have many domain names with OVH (EU), so I decided to ask for a certificate for a domain name "test.test-domaine.fr" - I do own =&gt; rent "test-domaine.fr" from OVH.
First, after reading the official OVH acme.sh notice : https://github.com/acmesh-official/acme.sh/wiki/How-to-use-OVH-domain-api#3-authentication-the-api-key I quickly created/found the 3 things needed :
[image: 1776250268164-950c3548-42b5-4aa9-a322-2a13abf08bb9-image.png]
[image: 1776250346724-6996b61c-7fcd-478b-848a-f44eafd48253-image.png]
and I hit 'Issue'.
[image: 1776250318306-aeacae9b-f89c-4139-af4b-a9303d73b201-image.png]
As I'm a bit more stupid than average today, I totally forgot that, although I rent the domain name 'test-domaine.fr' from them, I removed all the extras, like : they don't do my DNS, I do my own DNS.
Which means I have to talk/negotiate to my own domain name server, not OVH ...
So the issuing failed with an "invalid domain" which I should read as : "domain ok - but can't do DNS zone modification for you". So it couldn't add the TXT challenge, etc
But : no authorization issues.
Btw : the DNS-OVH API script, the official source file here was last modified 6 months ago.
The pfSense version was synced like yesterday - PfSense acme.sh package version 1.2.
I presume you use the same version.
Do you mind telling what your issue is, give details ?
With all the juicy details, and you can find them here /tmp/acme/test-domaine.fr/acme_issuecert.log (where test-domaine.fr has to be changed with your domain name)
@zimnysbrain said in NOT working with OVH end point since 2025:

is also the answer NOT updated OVH api which changed from the beginning of 2026

I copied this file, the original dns_ovh.sh on my pfSense, in the /root/ folder.
Then :
[26.03-RELEASE][root@pfSense.bhf.tld]/root: ll dns_ovh.sh
-rw-r--r--  1 root wheel 8324 Apr 15 13:15 dns_ovh.sh
[26.03-RELEASE][root@pfSense.bhf.tld]/root: ll /usr/local/pkg/acme/dnsapi/dns_ovh.sh
-r-xr-xr-x  1 root wheel 8324 Apr 13 15:48 /usr/local/pkg/acme/dnsapi/dns_ovh.sh*
[26.03-RELEASE][root@pfSense.bhf.tld]/root: diff dns_ovh.sh /usr/local/pkg/acme/dnsapi/dns_ovh.sh
[26.03-RELEASE][root@pfSense.bhf.tld]/root:

conclusion : the pfSense acme.sh package contains the latest - identical 'official' "dns_ovh.sh" file.
Also :
In the past, when things were 'manual', I could use the instructions and get a certificate 'by hand' == using command line.
acme.sh is a command line tool after all.
Goto /usr/local/pkg/acme/ and start from there.
That should work, and I have an indirect proof : if it didn't you would have found others here talking about it.
]]></description><link>https://forum.netgate.com/topic/200526/not-working-with-ovh-end-point-since-2025</link><guid isPermaLink="true">https://forum.netgate.com/topic/200526/not-working-with-ovh-end-point-since-2025</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Wed, 15 Apr 2026 11:24:32 GMT</pubDate></item><item><title><![CDATA[6100-upgrade to 26.03 and can no longer log in via GUI or SSH]]></title><description><![CDATA[Yeah seeing the login page but nothing after that usually implies a PHP issue. I'd guess it either stopped entirely or all the PHP processes were tied up.
Check the system logs when it happened.
]]></description><link>https://forum.netgate.com/topic/200524/6100-upgrade-to-26.03-and-can-no-longer-log-in-via-gui-or-ssh</link><guid isPermaLink="true">https://forum.netgate.com/topic/200524/6100-upgrade-to-26.03-and-can-no-longer-log-in-via-gui-or-ssh</guid><dc:creator><![CDATA[stephenw10]]></dc:creator><pubDate>Wed, 15 Apr 2026 10:05:45 GMT</pubDate></item></channel></rss>