/r/PFSENSE


The pfSense® project is a powerful open source firewall and routing platform based on FreeBSD. Developed and maintained by Netgate®.

The pfSense project is a free, open source tailored version of FreeBSD for use as a firewall and router with an easy-to-use web interface.

You can buy official pfSense appliances directly from Netgate or a Netgate Partner. You can install the software yourself on your own hardware.

We have a great community that helps support each other, but we also provide 24x7 commercial support.


Rules of Submission

Before asking for help please do the following:

  • Look over our /r/pfsense wiki

  • Use a search engine like Google to search across the pfsense.org domain:

https://www.google.com/?#q=how+do+i+site:pfsense.org

  • If you are looking for help with basic networking concepts, please try /r/homelab or, for more advanced topics, /r/networking.

  • Do not post items for sale in this subreddit. If you are looking to sell or buy used hardware, please try /r/hardwareswap.

  • This subreddit is primarily for the community to help each other out; if you have something you want the maintainers of the project to see, we recommend posting in the appropriate category on our Netgate forum.


  • This is a community subreddit, so let's try and keep the discourse polite.

    tl;dr: Be excellent with each other.


    Related Subreddits

    /r/netgate - home of the pfSense project

    /r/pfblockerng
    /r/sysadmin
    /r/networking
    /r/homelab
    /r/homenetworking


    122,354 Subscribers

    1

    available packages not appearing in pfsense

    https://preview.redd.it/lyug3b4rlf4e1.png?width=1270&format=png&auto=webp&s=c18e2ce98f106e82f5329c1383edd4128524320c

    Hello,

    I'm trying to install some packages on my pfSense, but I'm not able to see the available packages in my pfSense.

    The version in use is 23.09.1. I installed packages before, but now I cannot find them.

    I would appreciate any help you can give me.

    5 Comments
    2024/12/02
    12:51 UTC

    0

    Using WireGuard to connect to a VPN service

    I finally was able to set up and get a handshake from my pfSense to the VPN provider (Privado) using WireGuard. (They don't provide instructions.) But when surfing the internet, some sites just won't load. Google, for example, keeps asking for a captcha, DuckDuckGo won't load at all, my Apple email won't connect; other sites work OK. Without going into too much detail, I have set up a WireGuard peer, tunnel, and gateway on my pfSense to support this connection. I also have 2 outbound NAT rules configured for my internal network 192.168.1.0/24. So the connections have been established, but these odd website connection issues are puzzling me. Can anyone point me in the right direction?

    1 Comment
    2024/12/02
    11:43 UTC

    2

    Can't access Web GUI

    I changed the LAN IP for a school assignment and right when I clicked "apply changes" it stopped responding. I tried every other way to fix this but haven't had any luck. Every time I access it through the new IP it doesn't work, but when I factory reset and access it through the default 192.168.1.1 IP it works right away. Anyone had this issue before?

    4 Comments
    2024/12/02
    07:08 UTC

    0

    When my WAN Interface uses my public IP, I have no internet access. If I allow it to grab 192.168.x.x then I have internet access. What am I doing wrong?

    AT&T Fiber modem set to pass-through, basic firewall rules & tunneled connection over WG. I've been trying to solve this for months, someone please help me lmao

    28 Comments
    2024/12/01
    23:47 UTC

    2

    Use pfSense as DNS server for Tailscale devices

    Hello everyone,

    I have Tailscale and pfBlockerNG running on my pfSense box, and would like to use it as the DNS server for my other devices running Tailscale.

    • Tailscale is up and running
    • pfBlockerNG works as expected on LAN
    • I have a Firewall rule to allow port 53 from the virtual Tailscale group

    Currently, the DNS server responds to queries from Tailscale devices with status: REFUSED. The DNS resolver is set up to listen on "All" interfaces, however the list does not contain Tailscale.

    I have seen tutorials to advertise the pfSense machine's IP, accept routes on all other Tailscale machines, and then set the 192.168.x.y IP as DNS server, instead of directly using the 100.x.y.z IP. However, I would like to avoid having to resort to that. The posts are 2 years old; maybe there is a way these days?

    Cheers

    2 Comments
    2024/12/01
    23:43 UTC

    2

    XG-7100DT replacement

    I have an XG-7100 DT which is coming to end of life this month. I want to upgrade to a similar format machine with two SFP28 and one or more 10G NICs. The closest thing I've found is the SuperServer E200-12D-10C, which has a Xeon processor, and I can't find a source in Canada to purchase it from. Any suggestions, either for an e-tailer or an alternative?

    0 Comments
    2024/12/01
    22:59 UTC

    5

    Policy Routing only working for TCP

    I've got a pfSense box running my network, with the main WAN connection running to the ISP. It's behind CG-NAT, so I've got a cheap VPS to handle inbound traffic, tunneled via WireGuard. All regular traffic is NAT'ed and sent out via the ISP like normal, and I use policy routing rules to define what should go out through the VPS. (Diagram attached) These are public IP ranges, so I have masked my prefix in the attached screenshots.

    There is a Host (x.x.x.136) on the LAN network on which I'm setting up a service which requires inbound connectivity on UDP 5198-5199, and I'm trying to set up policy routing to send the response traffic out of the WG interface. The IP address used for these UDP streams must match the source IP address used on TCP 5200, so I've set up a policy rule to route this out of the WG interface as well. (Screenshot of LAN rules attached) There are no floating rules in this setup.

    Here's the problem: Only the rule for TCP 5200 seems to be working. Traffic destined for TCP 5200 is properly routed out of the WG interface, but traffic destined for UDP 5198 and 5199 is sent out of the WAN interface. I set these up identically, aside from the protocol and port numbers, so I can't figure out why one works but the other doesn't. Furthermore, I have set a rule such that anything from x.x.x.136 should be sent out via the WG interface, but that doesn't even catch it.

    I'm out of ideas as to what could be going on here, so any help on this issue is appreciated.

    Network Diagram

    LAN Rules

    6 Comments
    2024/12/01
    22:29 UTC

    3

    Unable To Upgrade PFSense Firewall / PFSense Crashes On Updates

    Hello Everyone,

    I am currently running pfSense+ version 23.09. The system is admittedly a bit overspecced, but I have never had issues with it up until this point. The firewall runs an Intel E3-1280 v6 with 32GB of RAM and a 2x10GbE SFP+ card. You may have noticed that I said that the firewall is currently running 23.09. According to pfSense it is running the most up-to-date version of the operating system, but if the system is changed from its current boot environment to one that is running the most up-to-date version of pfSense, the firewall crashes every time on boot. I figured that the boot environments the system had are corrupted and are of no use other than the boot environment running 23.09, as it seems to always fall back to that one.

    I was hoping someone had any tricks or ideas as to what I need to do to get the firewall on the most recent version of pfSense. I am at the point where I think a complete reinstall of the operating system may be needed, but I don't want to do it yet.

    Current Version/Build that the system is running

    The boot environments page on the firewall. This was full of like 12 or so different boot environments so I cleared them all out except for the one that I know is currently working.

    https://preview.redd.it/k43ezxadba4e1.png?width=1801&format=png&auto=webp&s=6d8c9a3ed63938a6cf72c227da4fe8482c47d437

    When I try to view if there are any updates that need to be run I just see this on the update page...

    https://preview.redd.it/4kh968nwba4e1.png?width=1830&format=png&auto=webp&s=cf0872527258a441f8b9df974d36fc119933109f

    https://preview.redd.it/armauzzzba4e1.png?width=1763&format=png&auto=webp&s=f20c16f9f67e7cb639fc2e8295b087a9ebdf9e4a

    Any thoughts or ideas as to where I am going wrong are much appreciated.

    Thanks

    7 Comments
    2024/12/01
    19:00 UTC

    0

    Split Lock Errors with Multi-Core pfSense VM on Proxmox

    Hello everyone,

    I’m running pfSense 2.7.2 on Proxmox VE 8.3 and encountering persistent split lock traps in the Proxmox kernel when I assign multiple cores to the VM. The errors disappear when the VM is limited to 1 core.

    Key Details

    • Proxmox Kernel: 6.8.12-4-pve
    • Host Hardware: Asus NUC with Intel Core Ultra 5 125H
    • VM Configurations Tested:
      • 1 Socket, 1 Core: No errors (Stable).
      • Multiple Cores/Sockets: Split lock errors occur:
        prox kernel: x86/split lock detection: #AC: CPU 3/KVM/1408 took a split_lock trap at address: 0x7ef1d050
        prox kernel: x86/split lock detection: #AC: CPU 1/KVM/1406 took a split_lock trap at address: 0x7ef1d050
        prox kernel: x86/split lock detection: #AC: CPU 2/KVM/1407 took a split_lock trap at address: 0x7ef1d050

    Steps Taken

    1. Followed the pfSense Proxmox guide.
    2. Tested various CPU configurations (host, qemu64, kvm64).
    3. Tried enabling/disabling flags like AES and hv.evmcs.
    4. Observed no improvement with NUMA enabled or by switching network adapters from VirtIO to e1000.

    Questions

    1. Is this a known compatibility issue with pfSense/FreeBSD on Proxmox/KVM?
    2. Are there any optimisations for running multi-core pfSense on Proxmox without split lock traps?

    Any advice or insights would be greatly appreciated. Thank you!

    3 Comments
    2024/12/01
    10:25 UTC

    5

    PCs on LAN have no internet - pfSense hosted via Proxmox

    Hi all, seeking assistance after reading the various posts but couldn't find a solution to my problem.

    An image of my current setup can be found attached.

    WAN is receiving an IP from the ISP and can ping the Internet no problem both via hostname and ip-address.

    However, I cannot seem to access the internet via any PCs that are connected via the switch. It appears to be a firewall rule, however I can't quite seem to find the solution.

    PCs on the network via the switch can ping each other no problem (thus the ability to access the web GUI), but the Internet is still not available.

    Some methods I've tried include:

    1. NAT Outbound Disabled
    2. Inputted the Adguard DNS into Services / DHCP / Lan
    3. Firewall - Disable all packet filtering (didn't help so I reverted)

    Hoping to find a solution, as my previous one involved using an ASUS router that can't keep up with all the IoT devices in the house.

    https://preview.redd.it/zpg7nudlj74e1.png?width=928&format=png&auto=webp&s=2174d8def902f4b1511e02412a77270b544c8b42

    https://preview.redd.it/yowxvsdlj74e1.png?width=1099&format=png&auto=webp&s=99aa229a58a37a78363f1caa7f96305da1c09931

    Thanks for the help in advance.

    Cheers

    --Edited to include diagrams which didn't upload previously.

    Updated with Proxmox setup. It is fairly simple, as all VMs are using the VirtIO vmbr0 - pfSense is the only one with the additional vmbr1 and vmbr2. I've disabled the firewall across all of them in case that was an issue.

    10 Comments
    2024/12/01
    08:58 UTC

    4

    pfsense plus renewal notice

    Has anyone gotten a renewal notice for pfSense Plus (just the SW on a white box)? I purchased this one year ago and Netgate has not yet sent out a renewal notice.

    3 Comments
    2024/12/01
    05:44 UTC

    1

    Tracking down random 100% packet loss on WAN

    So this has been happening off and on, usually when I'm not home to see it, but the WAN will die with 100% packet loss for a minute or so, sometimes longer, and then eventually come back. Sometimes it took a reboot after 10 min. I did try a few things previously: changing the monitor IP to 1.1.1.1 to see if that helped, and also trying to reboot once a week. I think I tried to disable the monitoring action, but I'm pretty sure that didn't work, so I turned it back on.

    If I check the logs I do see:

    send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% alarm_hold 10000ms dest_addr 1.1.1.1 bind_addr __.__.__.__ identifier "WAN_DHCP "

    I'm not entirely sure what else to try or do, since like I said it usually happens when I'm not home and by the time I do get home it's been fixed. It is a bare metal install, 2.7.2-RELEASE running on a T620 (AMD RX-427BB) with an Intel quad NIC, and it looks like it's happened 10 times in the last 30 days checking the monitoring view. Services are dhcpd, dpinger, haproxy, iperf, ntpd, syslogd and unbound, and installed packages are acme, haproxy and iperf.

    Everything looks good for system, temperature and usage; nothing seems maxed out on the graphs when it is happening.

    5 Comments
    2024/12/01
    05:41 UTC

    0

    Dual WAN setup not working after WAN-1 down.

    Hi, I have a new dual WAN setup and config. I found an issue: when ISP-1 (DHCP connection) goes down, the internet connection stops, meaning web pages do not load, even though ISP-2 (static IP connection) is up. Is anything wrong in the config? Please correct me.

    4 Comments
    2024/12/01
    04:06 UTC

    27

    Goodnight old friend

    I tried logging into my SG-2440 to change a few firewall rules, and it froze after I clicked the login button, then dropped internet to the house. I manually restarted it, but the red status LED turned solid the moment it turned on, then after a minute or two, it would power itself off. Several online sources stated this was unfixable.

    Bought a 2100 and configured it to mirror my old 2440. A decade of rock solid reliability. You will be missed, and thought of fondly.

    10 Comments
    2024/11/30
    01:01 UTC

    4

    bandwidth limits without a defined gateway?

    This video was very helpful in setting up bandwidth limits: https://www.youtube.com/watch?v=iXqExAALzR8

    The issue I'm now having is that the pfSense machines in question have been switched to use OSPF routing instead. While pfSense is smart enough to route to the internet this way, the previous entry as defined in Firewall / Rules / Floating no longer has an external gateway! The effective gateway is dynamically determined via OSPF.

    While I do know the specific IP addresses that CAN be used (i.e. the OSPF peers we've created elsewhere), I cannot simply pick 'Default', despite the description:

    "Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing.

    Gateway selection is not valid for "IPV4+IPV6" address family."

    Choosing that 'default' option and trying to save gives the error:

    The following input errors were detected:

    Please select a gateway, normally the interface selected gateway, so the limiters work correctly

    What can I do to rectify this? Surely I'm not the only one needing to both use OSPF for routing AND limit speed?

    1 Comment
    2024/11/29
    21:41 UTC

    5

    Integrate pfSense with Grafana to view IP logs.

    Hi everyone, I started working with pfSense recently, and I'm trying to integrate it with Grafana or another application so I can view the access logs of each IP to see what each one is accessing. I made a roadmap and was using these programs: Squid, rsyslog, Elasticsearch, Grafana, Logstash, and Kibana. However, I'm lost trying to integrate all of them together and pull the pfSense logs into Grafana. Just one more thing: I'll be creating some dashboards for the things I want to analyze. Can anyone help me, please?

    2 Comments
    2024/11/29
    18:50 UTC

    0

    No Internet Access on Ubuntu Desktop with pfSense Setup

    Hi everyone, I’m facing an issue with my network setup where my Ubuntu desktop cannot access the internet. Here’s a quick overview of my setup and what I’ve tried so far:

    Network Setup:

    • pfSense is configured as my firewall/router.
    • LAN interface: 172.17.0.1/24
    • NAT and firewall rules seem correct.
    • My Ubuntu desktop is connected to the LAN with:
      • IP: 172.17.0.100
      • Gateway: 172.17.0.1
      • DNS: 8.8.8.8

    What works:

    • I can ping 8.8.8.8 from the Ubuntu desktop without any packet loss.
    • I can ping 172.17.0.1 (the pfSense gateway) without any issues.
    • I can also ping 8.8.8.8 directly from pfSense.

    What doesn’t work:

    • I cannot ping domain names from the Ubuntu desktop.
    • DNS resolution fails, even though I've configured 8.8.8.8 as the DNS server.

    What I’ve tried:

    1. Flushed DNS cache on Ubuntu.
    2. Edited /etc/resolv.conf to set nameserver 8.8.8.8 manually.
    3. Disabled systemd-resolved and reconfigured DNS settings.
    4. Checked pfSense NAT and firewall.
    5. Verified that DNS settings in Ubuntu's network manager are set to 8.8.8.8.

    Despite these efforts, the issue persists. It seems like DNS queries from the Ubuntu desktop aren’t being processed correctly, but I’m unsure if the problem lies with the desktop, pfSense, or a combination of both.

    11 Comments
    2024/11/29
    10:56 UTC

    4

    Understanding the difference between AdGuard Home and pfBlockerNG

    hi,

    I read often that "pfBlockerNG can do the same as AGH, it is all about the lists". Now I'm running AGH and on my test pages I get 99%/98% and 92 points. I thought I'd copy all the lists from the AGH config YAML to a pfBlockerNG group and switch off AGH. The result is <80% with pfBlockerNG.

    Where does this serious difference come from? I just want to say, pfBlockerNG also has more lists active.

    thx

    2 Comments
    2024/11/28
    22:01 UTC

    4

    More than one IPsec tunnel phase 1 is fine, but adding another phase 1 prevents an existing tunnel from re-establishing a connection

    I have a couple of different tunnels set up with IPsec in host-to-host config, which all run stable and without obvious problems.

    When I add a new tunnel phase 1 (con10), all other phase 1s stay connected, but as soon as I drop the con5 connection and try to re-establish it, it keeps on attempting to connect but never succeeds. I can drop any other tunnel and it will immediately reconnect on the first try, but the one previously added last does not connect again.

    If I disable the new con10 phase 1, then I can reconnect the con5 tunnel.

    I have put the ipsec.log here.

    It records what happens when I do the following:

    1. con10's status is disabled.
    2. con5's status is enabled and connected.
    3. I enable con10 and con5 stays connected.
    4. I then disconnect con5. It immediately attempts to reconnect, but fails and just shows "connecting" in the UI IPsec status.
    5. I then disable con10 again and con5 connects immediately.

    BTW: Where is a disabled IPsec tunnel's config stored? Even a grep of the contents of the pfSense box is unable to locate it. When I enable the tunnel it's added to /var/etc/ipsec/swanctl.conf, but from where?

    The config of both con5 and con10 are below:

    con5 {
        # P1 (ikeid 5): Client5
        fragmentation = yes
        unique = replace
        version = 2
        proposals = aes256-sha256-modp2048
        dpd_delay = 10s
        rekey_time = 25920s
        reauth_time = 0s
        over_time = 2880s
        rand_time = 2880s
        encap = no
        mobike = no
        local_addrs = 197.214.xxx.yyy
        remote_addrs = 196.250.xxx.yyy
        local {
            id = 197.214.xxx.yyy
            auth = psk
        }
        remote {
            id = %any
            auth = psk
        }
        children {
            con5 {
                # P2 (reqid 3): RC01 network
                mode = tunnel
                policies = yes
                life_time = 3600s
                rekey_time = 3240s
                rand_time = 360s
                start_action = trap
                remote_ts = 192.168.0.0/24
                local_ts = 192.168.152.0/29
                esp_proposals = aes256-sha256-modp2048
                dpd_action = trap
            }
        }
    }

    con10 {
        # P1 (ikeid 10): Client10
        fragmentation = yes
        unique = replace
        version = 2
        proposals = aes256gcm128-sha256-modp2048,aes256-sha256-modp2048
        dpd_delay = 10s
        rekey_time = 25920s
        reauth_time = 0s
        over_time = 2880s
        rand_time = 2880s
        encap = no
        mobike = no
        local_addrs = 197.214.xxx.yyy
        remote_addrs = 165.165.xxx.yyy
        local {
            id = 197.214.xxx.yyy
            auth = psk
        }
        remote {
            id = %any
            auth = psk
        }
    }

    3 Comments
    2024/11/28
    21:43 UTC

    1

    Squid Guard LDAP Filter Issue

    I'm a student learning to use pfSense. As a project, I was assigned to block access to certain pages by certain groups of users. These users are authenticated by AD on Windows Server 2019.

    I have virtual machines for pfSense, Windows Server (as the server and host manager of pfSense) and Windows 10 (to simulate one of the hosts on the network).

    I have installed both Squid Proxy and SquidGuard (I know both are not supported anymore, but it's only as part of the assignment). Authentication by AD works, and Squid Proxy also works for all AD users, since it blocks access to any set URL.

    On SquidGuard I'm using http://dsi.ut-capitole.fr/blacklists/download/blacklists_for_pfsense.tar.gz as the blacklist.

    The issue arises while trying to use the LDAP filter on SquidGuard. If deactivated, all users get blocked from any categories stated on the blacklist (so the blacklist and blocking by itself works). However, trying to use the LDAP filter to allow the use of AD groups breaks SquidGuard, making both Group and Common ACLs useless.

    Does anyone have a solution to this? I'm especially worried since this seems to have been an issue for quite a long time.

    0 Comments
    2024/11/28
    15:27 UTC

    0

    No KEA DHCP in logs since update to 24.11?

    I was just curious if it was just me. Netgate 4200 on pfSense Plus 24.11 -- Kea is working fine, but I just don't see DORA in the logs anymore for clients.

    I wasn't sure if intended or a bug. Curious what others see.

    Thanks in advance! :)

    1 Comment
    2024/11/28
    14:06 UTC

    3

    QinQ pfsense

    Does anyone know how I can pass the traffic from a firewall to another one via a routed IPsec tunnel? I tried using QinQ when two firewalls were connected directly and it worked, but when I try to do the same thing via IPsec it does nothing. My idea is to pass DHCP traffic from one firewall to another so I can have the same VLAN on both firewalls. How can I resolve it?

    16 Comments
    2024/11/28
    08:21 UTC

    0

    Best build for pfsense

    Hi all,

    I'm trying to find the best mini-ITX motherboard for my 1U rackmount case. What brand of CPU should I choose: Xeon, Celeron, Atom? I want a low-wattage CPU but as powerful as possible for the OS. If the board has 2 NICs I need PCI Express for a 10G card. I want NVMe or an SD card for the pfSense OS. How much RAM: 8, 16 or 32?

    Thx for your help 💪

    5 Comments
    2024/11/28
    03:24 UTC

    1

    Odd issue with traffic shaper

    Hello everyone.

    I have a somewhat strange issue with the traffic shaper in pfsense. Current setup is as follows.

    I run pfSense on an older Untangle Z4W appliance along with an Aruba Instant On 1830 switch and an Aruba Instant On AP21 access point. I have Comcast Internet 500/25. If I don't have the traffic shaper enabled, I get full speeds on both wired and Wi-Fi. If I enable the traffic shaper in pfSense (right now I have it set to 450 download, 22 upload) I get the exact speeds I set the shaper to on wired devices. However, on Wi-Fi I cannot get greater than 200 Mbps download and greater than 15 upload. As soon as I disable the shaper the speeds on Wi-Fi go back to normal. So for some reason it seems like having the shaper enabled kills my Wi-Fi speed even worse than wired or what I have set the shaper to. Now I understand I'm not guaranteed to get the exact speeds over Wi-Fi especially, but it seems odd that it is affecting Wi-Fi so drastically. Anyone seen something like this before? Any suggestions on what I could try or check to get speeds more in line with what I set the shaper to via Wi-Fi?

    16 Comments
    2024/11/27
    19:10 UTC

    9

    Just upgraded my EOL SG-3100 to 24.11. Seems okay so far

    For the SG-3100 curious: I just upgraded my obsolete SG-3100 from 24.03 to 24.11. So far it seems okay. The release info for 24.11 does not seem to mention the SG-3100 anymore, but I took a chance. In my case, my configuration is pretty "Plain Jane", so I don't need any of the no-longer-supported packages like Suricata and Squid.

    3 Comments
    2024/11/27
    16:40 UTC

    3

    Issues renewing Let's Encrypt cert.

    I set up acme to renew my Let's Encrypt certs, but it stopped working a few months ago.

    When I run Issue/Renew, the _acme-challenge DNS record gets created in GoDaddy, but I get an error saying the 'value wasn't set!'

    I'm reading through the logs and there is a line that shows response='{"code" : "ACCESS DENIED", "message" : "Authenticated user is not allowed access"}'

    Also a "given domain is not registered, or does not have a zone file".

    I can't figure out what permission that is, since it created the record without issues in GoDaddy.

    Thanks!

    4 Comments
    2024/11/27
    13:30 UTC
