/r/Netgate

Netgate provides leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Netgate is the company behind the pfSense open source firewall project. We believe in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

If you need help with pfSense, check out /r/pfSense

5,499 Subscribers

6

Don't Use Kea DHCP, It's Not Ready Yet!

Reposting here because Mods on PFSense forums decided to lock the post because they got butthurt about facts being presented on their lack of Quality Control on features they want to force users to migrate to before it's ready. I'm 100% sure this post will get taken down or locked also but whatever. The way they acted in this post https://www.reddit.com/r/PFSENSE/comments/1gg6p2y/comment/lusx2p6/?context=3 is shameful and should be pointed out. I'm migrating to OPNSense anyways. Do what you will.

Below is the original post.

Regardless of what PFSense says about ISC DHCP, the fact they tried to deprecate it internally and provided users notifications to switch to Kea before it was stable is a fucking joke.

Swapped to it a few weeks ago due to an internal PFSense Alert I received saying ISC is Deprecated and to move to Kea. (see image below) Been having tons of issues with my system ever since. Come to find out Kea DHCP keeps randomly stopping and is unable to restart on its own with Service Watchdog. Swapped back to ISC DHCP and problem has been resolved ever since.

Even some of these articles are over 8 months old and these problems still exist...

If they know Kea is unstable why are they pushing alerts to users telling them to switch over to Kea? They literally have cases open on this issue and they know it's a problem. First case opened on PFSense over 18 months ago...

https://redmine.pfsense.org/issues/14977

https://www.reddit.com/r/PFSENSE/comments/195vhz0/kea_dhcp_service_constantly_in_stopped_state_cant/

https://forum.netgate.com/topic/184129/how-to-revert-to-isc-dhcp-server-immediately

EDIT:
Because I'm sick of repeating myself I'm putting this here.

Yes I know PFSense didn't create or maintain ISC/Kea. That isn't the point of this post. The point of the post is don't push notifications to your PFSense users to switch to Kea while you have open tickets without solutions and you KNOW IT'S UNSTABLE.

And yes I know they pull from updates from FREEBSD branch. However, it's their job to make sure those updates work properly on their software/hardware. OPNSense has no issues with KEA yet tons of reported issues with it on PFSense. This indicates a PFSense issue, not a KEA issue. That's on Netgate.

So like I said. Don't push alerts to users to move to Kea when you KNOW IT'S UNSTABLE. THAT IS THE POINT.

https://preview.redd.it/05hux8kcn4yd1.png?width=1477&format=png&auto=webp&s=d5a4faaa20248f67b3c82a3cb205eb329c6996db

2 Comments
2024/11/01
03:56 UTC

0

Default network setting for Netgate 4200

Hi all.

I'm getting a lot of collisions on my LAN part of the network.

After restoring settings, I see a lot of settings being messed up.

Could one with a Netgate 4200 tell me what their default LAN settings are please?

I'm looking for hardware settings in system/advanced/networking

1 Comment
2024/10/31
12:43 UTC

20

pfSense Software Takes Home 35 Awards in the G2 Fall 2024 Report

We're honored to announce that pfSense software has received 35 awards in the G2 Fall 2024 Report, including top rankings in multiple firewall and VPN categories. Thank you to our amazing customers for the stellar reviews!

Learn More: https://www.netgate.com/blog/pfsense-g2-fall-2024

7 Comments
2024/10/14
14:38 UTC

1

Scheduled reboot

Hey guys I’m using Netgate 6100 ( running Version 24.03-RELEASE ), can someone help me figure out how to schedule a reboot every once in a while from the dashboard.

2 Comments
2024/10/05
10:53 UTC

1

Netgate 1100 Config access

I have to upgrade from a Netgate 1100 which I cannot use the web GUI to log into. When I attempt to navigate to 10.0.0.1, which is the gateway to the router, I get no response from the Netgate (ERR_CONNECTION_TIMED_OUT). Unfortunately, the Netgate had a few configurations that created some port forwards as well as VLANs for specific IPs. I did not create this configuration and thus do not have the documentation to build a new config for the Netgate 4200 I'm installing.

Does anyone know of a way for me to access the config of the Netgate 1100 without doing a factory reset (which would erase the config I want access to)?

5 Comments
2024/09/26
21:56 UTC

3

Using TNSR Software to Conserve Address Space and Improve Security

Check out our latest blog post! It dives into how to optimize your network security and conserve address space using TNSR software. Learn about configuring point-to-point links with /31 and /127 network masks for both IPv4 and IPv6.  

🔗 https://www.netgate.com/blog/using-tnsr-software-to-conserve-address-space-and-improve-security

0 Comments
2024/09/26
16:18 UTC

7

Netgate is looking for a Production Support Analyst

The job description can be found at https://www.netgate.com/jobs/production-support-analyst

Do you want to be a member of our renowned TAC team? Does a 12-hour shift with 7 days off every 2 weeks sound appealing? Want to be a member of a fantastic customer-facing team? If your skill set fits the requirements, please send your resume and cover letter to hr@netgate.com

0 Comments
2024/09/24
14:36 UTC

0

Netgate 4200 as WiFi router no access points

I'm new to home networking. I bought a Netgate 4200 thinking it could also serve as providing my wifi without additional access points since I've never needed them before.

I typically only Reddit lurk so this is a brand new account.

Trying to create a good home network piece by piece and clearly bit off more than I could chew with this one (thought buying the Netgate appliance would be EASIER). I had an OpenWRT pre-flashed device that was simple but broke after a year.

Edit: if I purchased an Access Point, would TacLite support be enough to walk me through setting it up?

With one AP I can still have multiple networks (one for each: VPN, work, IoT devices)?

17 Comments
2024/09/12
00:04 UTC

3

Netgate 2100 will no longer get IP for WAN from router in bridge mode

I am running with 23.09.1-RELEASE. But today after my ISP did an upgrade and the router/modem Sagemcom 3890 was restarted and got a new IP the WAN interface does not manage to get this IP. I have restarted both Sagemcom 3890 and the Netgate 2100 multiple times. It works fine to directly connect the Mac to the ISP router and I get a real IP. It also works fine to connect my Deco BE65 router directly to the Sagemcom 3890, bypassing the Netgate firewall.

How can I find out what goes wrong? I have tried changing network cable but it ends up the same.

https://preview.redd.it/0cs5hbhq56nd1.png?width=1208&format=png&auto=webp&s=9c66e52ef4d3e1dc84b9055e257a4d3769c86cc2

https://preview.redd.it/g6efy8jr56nd1.png?width=2414&format=png&auto=webp&s=a4fb16565961a43de47d37d12937f3f380a95988

7 Comments
2024/09/06
10:51 UTC

1

Pfsense throughput optimization

I'm running Pfsense CE bare metal on a self assembled box with an

  • i5 7600K
  • 16 GB DDR4 RAM
  • Intel I350 Quad Port

There are roughly 10 VLANs on it, a handful of firewall rules, some NAT rules, DHCP and a DNS forwarder. I'm doing no heavy packet inspection whatsoever.

I've recently swapped out my Intel X520 DA2 cards for Mellanox ConnectX-5 MCX516A as I've upgraded to a 25 GBit/s WAN connection. I was able to achieve a stable ~9.3GBit/s up/down with the Intel cards. It didn't work as smoothly with Mellanox and I actually got worse speeds. After some time of tweaking I'm now at ~15 GBit/s up/down while the CPU sits at roughly 50% utilization.

The speed however varies from test to test. Sometimes I only get 10 down and 15 up, sometimes it's the other way around (usually neither are below 10). I've run some tests without my pfsense and I'm constantly able to achieve 22-23 GBit/s up/down, so I'm pretty sure my ISP is not the culprit here.

Is there any hope in trying to tune it more to achieve speeds closer to line rate? Has anybody done that with comparable hardware? I've read there are software limitations due to the packet processing running in kernel mode instead of userland. I'm just wondering if it makes sense to pour more time into it.

I wanted to try out TNSR and found a blog post here: https://www.netgate.com/blog/tnsr-home-lab but it seems I'm not able to find the homelab version for it.

Thankful for any suggestion

6 Comments
2024/09/04
20:44 UTC

2

New Technical Resource! Mastering the TNSR® Command Line Interface (CLI)

In the age of automation, CLI remains crucial for network engineers. TNSR software router offers an industry-standard CLI, making it easy for experienced engineers to configure and troubleshoot.

Here is a new technical resource to help anyone master the TNSR Command Line Interface (CLI).

Read Now: https://www.netgate.com/resources/mastering-the-tnsr-command-line-interface-cli

0 Comments
2024/08/27
19:21 UTC

11

pfSense Plus Multi-Instance Management Q&A - SNEAK PEEK

We're thrilled to share an in-depth Q&A session featuring our Lead Engineer, Leon, and our VP of Marketing, Glen. In this engaging conversation, they discuss the innovative Multi-Instance Management feature in pfSense and what it means for network administrators and businesses. 

Watch now: https://youtu.be/41gqqgA9zeM

1 Comment
2024/08/27
19:12 UTC

0

Using Google Workspace to Authenticate OpenVPN

0 Comments
2024/08/26
21:34 UTC

3

Question about Netgate 2100

Hello :)
I have not been using PFsense since before Netgate time, but I'm looking at a Netgate appliance to use on my home network.

I've been looking at the 2100 as it seems to be powerful enough and not costing too much here in Norway, but I was wondering why is it the only one that has a switch built in?

I know PFsense is mostly about separate ports for separate networks, but there must be a reason why the 2100 has a switch on the 4 "lan" ports

8 Comments
2024/08/26
11:29 UTC

2

"pfr_update_stats: assertion failed" error

Hello Professionals

I'm seeking your help with an issue on my Netgate 1541 RAID. Recently, I've been getting "pfr_update_stats: assertion failed" errors. This is preventing me from browsing or accessing shared storage on my network. I've tried rebooting the device and upgrading from version 23.09.1 to 24.03, but the problem persists. Could anyone here explain what this error means and how I can fix it? Thank you.

Console view

https://preview.redd.it/trtf1sy2ogkd1.jpg?width=540&format=pjpg&auto=webp&s=10dbfcc689a6c8cc3c39f2e3e9e383c6ea9fae3d

WebUI view

https://preview.redd.it/3xugziu6ogkd1.jpg?width=960&format=pjpg&auto=webp&s=2e0e2900e2bb52ca4f335662536e7146d20a6224

3 Comments
2024/08/23
18:59 UTC

3

TAC Lite License Swap?

I've got a single license bound to a mini computer. I've got another one coming that uses much less power. Can I just remove pfSense from the older one and use the license on the new router?

1 Comment
2024/08/23
15:00 UTC

2

"Kill switch"

Hey everyone! I have a very simple request, and I'm happy to read about it. I have an 1100, and I am just doing some testing. I have two IPsec tunnels. I made them a gateway group and made it the default gateway. Both tunnels are up, and everything seems cool. I'd like to verify with you that it means LAN traffic is going out that route by default, and then I would also like to block traffic going out WAN if IPSec is down.

In this particular case, IPv6 has to stay disabled (don't flog me too hard). So, upstream was disabled, the v6 gateway deleted, and v6 DHCP disabled.

VTI, route-based tunnels 1 and 2 are up on phases 1 and 2. You can reach the other side of the tunnel.

Thank you so much.

1 Comment
2024/08/22
13:34 UTC

21

24.08 Sneak Peek: Improvements to Kea DHCP for Improved High Availability and Unbound DNS Resolution in pfSense® Software

We’re excited to announce important updates to the integration of Kea DHCP into pfSense software, adding support for DHCP High Availability and improved support for registration of DHCP hostnames with the Unbound DNS Resolver. With the release of pfSense Plus software version 24.08, users who require DHCP HA support or DNS resolution of DHCP hostnames can now migrate from the ISC DHCP backend to the Kea DHCP backend.

Key benefits include:

  • Simplified Setup: Kea DHCP uses a single, global HA configuration, which is easier to set up and manage than ISC DHCP's per-interface configuration.
  • More Reliable Failover: Kea operates in "hot standby" mode, providing more reliable failover, especially when booting a secondary node.
  • IPv6 Support: Those using IPv6 will benefit from HA support for DHCPv6, a feature not available with ISC DHCP.
  • Improved Security: Kea DHCP supports optional TLS encryption for HA traffic, enhancing the security of your DHCP setup.

Learn more here: https://www.netgate.com/blog/improvements-to-kea-dhcp

0 Comments
2024/08/06
16:19 UTC

10

Hurricane Electric's IPv6 Tunnel Broker Now Supports TNSR Software!

Hurricane Electric has added TNSR® software to the list of supported operating systems on their tunnel broker service, making the process of setting up IPv6 tunnels fast and easy for TNSR software customers.

Learn More: https://www.netgate.com/blog/hurricane-electric-tunnel-broker

0 Comments
2024/07/25
15:01 UTC

1

USB Flash Drive Not Recognized - 6100

Attempting to reinstall pfSense on a 6100 appliance and following the How To guide in the documentation. However, I’m not having any luck with the unit recognizing the flash drive (even when loading the boot menu with F2). I have tried a SanDisk and PNY. Is there a trick to get it to work?

12 Comments
2024/07/22
05:12 UTC

5

PSA: pfSense+ offline image for download is no longer available

I've been using pfSense CE for years and wanted to go the pfSense+ route. So I purchased a Netgate 4100.

Wanted to do a fresh install but currently there is no active internet connection available so using the Netgate installer is a no-go. I've read a lot of forum posts about the awesome support of Netgate and if you create a ticket with them you can receive an offline image as long as you have a Netgate device with Netgate ID.

Created a ticket and within 20 minutes I had a reply.... Though it was not the message I was hoping for. They no longer provide ANY customer an offline image. You NEED to use the Netgate installer and have an active internet connection. Offline installations cannot be done anymore. So preparing a (Netgate) device offline before shipping it to a customer is not something that can be done anymore...

7 Comments
2024/07/19
13:53 UTC

9

The Netgate 8300 MAX Security Gateway and Secure Router are here!

We are excited to announce the launch of the Netgate 8300 MAX Security Gateway and Secure Router! Designed for government, medium to large businesses, xSPs, and MSP/MSSPs with high connectivity and stability requirements, the 8300 MAX is available with either pfSense Plus® or TNSR® software.

Highlights:

  • 32 GB DDR4 ECC memory
  • Two internal 500W hot-swappable power supplies
  • 11 independent network ports (1G, 2.5G, and 10G)
  • 512 GB NVMe SSD storage
  • Expandability to 25G and 100G ports via PCIe slots
  • TAA compliance

Learn more and get it now at the Netgate Store!

Netgate 8300 MAX with pfSense software: https://shop.netgate.com/products/netgate-8300-max-pfsense-security-gateway

Netgate 8300 MAX with TNSR software: https://shop.netgate.com/products/netgate-8300-max-tnsr-secure-router

#Netgate #pfSense #TNSR #Firewall #Router #VPN

0 Comments
2024/07/15
16:55 UTC

3

Question regarding thermal pad for Netgate 4200

I have the impression that the device gets very hot (obviously due to the passive cooling).

Should I add a few thick thermal pads below the motherboard to help with heat transfer? I feel like it's a huge wasted opportunity by Netgate to not utilize the bottom plate as another heatsink. What do you guys think?

1 Comment
2024/07/12
16:07 UTC

5

32 awards in the G2 Summer 2024 report! 🎉

pfSense® software from Netgate® received 32 awards in the G2 Summer 2024 report! 🎉

These include Enterprise, Mid-Market, and Small Business awards in categories such as Best Results, Best Relationship, Best Usability, and Most Implementable for both the Firewall Software and Business VPN groups.

Thank you to our customers for your support!

Learn More: https://www.netgate.com/blog/pfsense-g2-summer-2024

0 Comments
2024/07/12
15:46 UTC

6

Netgate 4200 vs 6100 vs 8200 VPN performance

I was looking for a new router for our small company and noticed that the Netgate 4200 has far superior VPN performance listed on the website compared to its larger (more expensive) cousins. I was thinking about getting a 6100 just for the 10G port, but since VPN is the most important use case for us (almost exclusively home office), I think I will sacrifice a little inter-VLAN routing performance and bond 2x 2.5G and enjoy better VPN performance.

Netgate 4200

IPERF3 VPN: 3.20 Gbps
IMIX VPN: 1.05 Gbps

Netgate 6100

IPERF3 VPN: 1.77 Gbps
IMIX VPN: 0.552 Gbps

Netgate 8200

IPERF3 VPN: 3.24 Gbps
IMIX VPN: 0.810 Gbps

Does this also reflect in real life? We would have a mix of IPsec and WireGuard (s2s) connections. I am almost decided on the 4200 since it's a really good fit. If it had a 10G port it would be no question.

7 Comments
2024/07/12
10:04 UTC

8

TNSR software version 24.06-RELEASE is now available!

This is a regularly scheduled release of TNSR software including new features, upgrades, and bug fixes.

New features and enhancements include:

  • TNSR ARM64 image for AWS & Azure
  • Multiple Remote Access VPNs
  • RADIUS Assignment of Client Virtual IP Addresses
  • Multiple Remote Access VPN Client Connections for a Single User
  • CLI Improvements
  • Logging Enhancements
  • Core Technology Upgrades

Netgate TNSR is a high-speed (exceeding 100 Gbps) virtual router and VPN aggregator. Businesses can deploy TNSR as a Netgate hardware appliance, Bare Metal Image, or a Network Virtual Appliance on Amazon Web Services and Microsoft Azure.

Learn more: https://www.netgate.com/blog/netgate-releases-tnsr-software-version-24.06

0 Comments
2024/07/11
18:16 UTC

14

Netgate Security Advisory: CVE-2024-6387

A vulnerability (CVE-2024-6387) in OpenSSH allowing pre-authentication remote code execution has been patched in pfSense® Plus and pfSense CE software. Users of pfSense software are advised to install or update the System Patches package under System > Package Manager, and subsequently navigate to System > Patches and apply all recommended patches. After all recommended patches have been applied, restart the sshd service. For more information on this issue, please read the advisory linked above.

As detailed in the report, this bug is a regression of a previously patched vulnerability (CVE-2006-5051), which was introduced in October 2020.

Quoting the report: The vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems; that presents a significant security risk.

As pfSense software is not a glibc-based Linux system, this vulnerability does not apply. FreeBSD has issued a Security Advisory noting that it may be possible to exploit the underlying bug to produce a different vulnerability.

As a reminder: SSH is not enabled by default in pfSense software. With the default ruleset, SSH (if enabled) is only accessible by clients on the LAN.

0 Comments
2024/07/02
14:19 UTC

2

Netgate 4200 Installed in Media Enclosure Panel

Any advice to improve this panel? Update: I recently added the AC Infinity MULTIFAN S2, a quiet 120mm USB blower fan. It reduced the CPU temperature by over 10 degrees Celsius.

https://preview.redd.it/89rigvm6kggd1.jpg?width=372&format=pjpg&auto=webp&s=c8a6710d7e32bb3f07ea0f64d1372a984f502c50

https://preview.redd.it/n3480dg4iz9d1.jpg?width=1292&format=pjpg&auto=webp&s=82f46934aa824bb6edd905ea8256154206186de3

3 Comments
2024/07/01
22:33 UTC

7

Road Map?

Hey all! Just kinda wanted to ask as I don't see where I can find something like this. Just wanted to know of some future plans for Netgate.

We are a partner, and I love the product (especially the 8300) you guys nailed that!

But for enterprise I am forced to use other vendors, because of layer 7 blocking and app/website controls. (K12) situations.

I saw that Opnsense has ZenArmor that looks to be a great product when we tested it and looks like they are really going after the Check Points and the FortiGates.

Are there any plans for something like this in the future for Netgate?

Thanks y'all

2 Comments
2024/06/28
16:00 UTC

7

Introducing the Netgate 8300 Secure Router with TNSR Software!

We are excited to announce the Netgate® 8300 powered by TNSR® software, our 100 Gbps+ Secure Router designed for service providers, virtual/remote offices, and businesses embracing edge-to-cloud applications that require extensive routing and VPN aggregation capabilities.

The Netgate 8300 delivers unmatched performance:

  • 110+ Gbps of L3 Routing (iperf3-bidirectional) 
  • 108+ Gbps of Access Control List Filtering (iperf3-bidirectional)
  • 47+ Gbps of VPN throughput (iperf3-bidirectional)
  • 500% increase in forwarding performance vs Netgate 1541
  • 222% improvement in VPN performance vs Netgate 1541

Powered by:

  • Intel Xeon D-1733NT eight core CPU with integrated Intel AVX-512
  • 16 GB of DDR4 ECC memory in dual channel configuration (expandable to 32 GB)
  • Highly expandable dual-power capable 1U chassis
  • 4x10G SFP+ ports, 4x1G SFP ports, 3x2.5G ports
  • Supports additional expansion via two PCIe card slots

To learn more, visit: https://www.netgate.com/blog/introducing-the-netgate-8300-secure-router

Get it now at the Netgate Store: https://shop.netgate.com/products/netgate-8300-base-tnsr-secure-router

0 Comments
2024/06/27
16:01 UTC
