/r/PFSENSE
The pfSense® project is a powerful open source firewall and routing platform based on FreeBSD. Developed and maintained by Netgate®.
The pfSense project is a free, open source tailored version of FreeBSD for use as a firewall and router with an easy-to-use web interface.
You can buy official pfSense appliances directly from Netgate or a Netgate Partner. You can install the software yourself on your own hardware.
We have a great community that helps support each other, but we also provide 24x7 commercial support.
I have an R220 II that has been faithfully running pfSense for the last 6 years. I need to reinstall pfSense on this server to upgrade beyond 2.7.0, and it is making me think that maybe it's time to replace this server with something newer, as I am not sure how much longer this server will run. Is there any point replacing this with an R320? While only slightly newer, it comes with RAID and dual supplies. Are there any better recommendations?
Hey, I’m new to pfSense and more familiar with working on Sophos XG, so I’m looking for some help here.
What would be the best way to implement web filtering in pfSense, similar to how it's done in Sophos? I've been researching, and I keep seeing mentions of pfBlockerNG and Squid with SquidGuard. But, if I'm not mistaken, pfBlockerNG focuses on filtering IPs and domains to block unwanted traffic and doesn't provide the granular content filtering that I'm looking for.
On the other hand, I’ve tested SquidGuard, and it seems to work more like I need it to, but I can’t find many blacklist options except for this link: http://dsi.ut-capitole.fr/blacklists/download/blacklists_for_pfsense.tar.gz. Plus, I read that Netgate has deprecated Squid and SquidGuard due to security issues, even though they’re still present in version 2.7.2.
Any guidance or advice you can provide would be greatly appreciated. Thanks!
I recently bought one of these Intel N100 4-port 2.5Gbps boxes to tinker a bit with my network instead of just having my Bell Giga Hub do everything. I'm a bit of a noob to the software firewall game -- I was an early adopter of Smoothwall in the early 2000s but haven't really touched anything since. I've always heard about pfSense/OPNsense but never had a chance to tinker with it until now.
I'm in Ontario, Canada, hence why I have a Bell Giga Hub (it's a 1G fibre connection).
I have pfsense running within a proxmox vm on the box.
By default if I just connect a cable from Giga Hub to the pfsense box then everything works fine, but I think I'm getting double NAT since I have a local IP. (my guess). I can't really notice the speed difference but in theory it's not the greatest I'd assume.
I've read in the forums to set my pfSense box as an advanced DMZ, which I have, and then I get the IP address to show up in my pfSense box :D ... all is good for a brief period of time and then I start to get massive packet loss. (see below) At first I thought it was a port issue or maybe Proxmox. Trying a different physical port only fixes the issue for a brief period of time (maybe a day or so) and then it starts to drop packets again. I've also tried doing direct passthrough of each port from Proxmox to see if that would help, but I get the same results.
There aren't many options on the Bell Giga Hub to try. I've disabled WiFi and only 1 device is connected to the box physically. (see below screenshot)
I'm not sure what else to do, not sure if it's the pfSense box that can't handle it or Bell doesn't allow this after some time. I've read of some people getting it to work while others can't get the IP to pass through. I'm able to get the IP to pass to the pfSense box but it doesn't stay :(
Any help is much appreciated. Thanks in advance.
My firewall does geo blocking, except on the VPN interface. The VPN endpoint (from what I'm told) sits in front of all the intelligent filtering capabilities.
Our vendor says, "Hey, we'll just sell you another set of firewalls to put in front of your firewalls?"
My thought is to do just that, but put pfSense in front just to use the geo blocking feature. Not ideal, but until I can gain more knowledge of pfSense and convince my boss that it is just as, if not more, capable than our "industry standard" firewall, it's the best idea I've come up with.
I am weighing up options to increase bandwidth (not speed).
I do not have any feasible options to upgrade PC or Switches (this is a work with what you got situation)
I have a few scenarios I would like some advice/input on please:
Entire network is limited to 1Gb
Dual WAN:
The below would mean I can have 2x 1Gb lanes (as long as they route down the correct roads) right?
So taking from the above and applying it to intervlan traffic:
Would the below mean I can still utilise the WAN to its fullest and have full Gb transfers between NAS A on VLAN 10 and NAS B on VLAN 20?
Then taking this a step further, what if I split the VLANs over the two interfaces (LAN, IoT and media on the LAN port -- and all other VLANs which will have heavy traffic on the VLAN port)?
CCTV being on the LAN side won't be an issue as there is currently a 100Mbps buffer, since the ISP is only 900Mbps.
So the LAN side would be more or less internet access only, and the VLAN side would be internet and node-to-node traffic.
There will naturally be some cross talk but I am hoping the extra interface for VLANs increase the overall bandwidth available to play with.
Hope this makes sense.
thanks in advance.
Moving away from some 10 year+ old Endian boxes I built. Going to run pfSense. 1Gb WAN (copper for now). Mainly used for Site2Site VPN (WireGuard) and enduser VPN (OpenVPN) to stream surveillance cameras. No end users will be behind it, just NVR servers that are recording IP cameras.
What's the best hardware? Looking for something small and bulletproof. Rackmount would be nice but not necessary.
What would you buy?
Regardless of what pfSense says about ISC DHCP, the fact they tried to deprecate it internally and provided users notifications to switch to Kea before it was stable is a fucking joke.
Swapped to it a few weeks ago due to an internal pfSense alert I received saying ISC is deprecated and to move to Kea. (see image below) Been having tons of issues with my system ever since. Come to find out Kea DHCP keeps randomly stopping and is unable to restart on its own with Service Watchdog. Swapped back to ISC DHCP and the problem has been resolved ever since.
Even some of these articles are over 8 months old and these problems still exist...
If they know Kea is unstable, why are they pushing alerts to users telling them to switch over to Kea? They literally have cases open on this issue and they know it's a problem.
https://redmine.pfsense.org/issues/14977
https://www.reddit.com/r/PFSENSE/comments/195vhz0/kea_dhcp_service_constantly_in_stopped_state_cant/
https://forum.netgate.com/topic/184129/how-to-revert-to-isc-dhcp-server-immediately
EDIT:
Because I'm sick of repeating myself I'm putting this here.
Yes, I know pfSense didn't create or maintain ISC/Kea. That isn't the point of this post. The point of the post is don't push notifications to your pfSense users to switch to Kea while you have open tickets without solutions and you KNOW IT'S UNSTABLE.
And yes, I know they pull updates from the FreeBSD branch. However, it's their job to make sure those updates work properly on their software/hardware. OPNsense has no issues with Kea, yet there are tons of reported issues with it on pfSense. This indicates a pfSense issue, not a Kea issue. That's on Netgate.
So like I said: don't push alerts to users to move to Kea when you KNOW IT'S UNSTABLE. THAT IS THE POINT.
Additional Notes
I find it funny that the mod team locked my post because I was spitting facts and it hurt their feelings. Get over it. Everything you have done goes against common practices in I.T. and you know it. This is why OPNsense exists and why they moved away from Netgate. If this is how you respond to your userbase, no wonder the OPNsense staff moved away from Netgate. Such a trash take to have on your users.
gonzopancho • 37m ago • Edited 26m ago • Netgate
you've made your point, many times. rage-baiting for engagement is unwelcome here.
Who is rage baiting? I simply created a post stating FACTS about how poorly your team handled this migration. Nothing about this is wrong or "rage baiting", and I don't need to "rage bait for engagement" when it already had engagement long before you showed up here.
gonzopancho • 48m ago • Netgate
See how you respond when OPNsense is mentioned? To think that OPNsense has "no users" is a god damn joke and nobody other than you said that. This is why they forked away from Netgate and so will I. Shady ass company run by idiots.
gonzopancho • 55m ago • Netgate
presumably because he doesn't like "reading the Kea source code" because it is a "waste of valuable coding time."
You know what they say about assumptions, right? Cute try though.
I do find it funny you commented on 4 of my replies, then locked it before I could even reply to them. How did that work out for ya?
I was adding a failover WAN and gateway group and somehow broke my VLAN routing. I can no longer ping from my LAN 192.168.0.x to my Vlan5 subnet 192.168.5.x.
I'm guessing it's missing a rule under the LAN to route to VL5? I tried adding the 2nd rule here and I still can't ping to the VL5 subnet from LAN.
Edit:
Per solutions below, this is my new ruleset, and it works. Thanks!
Basically what the title asks. I'm doing a project and I want to be able to have SiteB receive IP addresses from SiteA through an IPSec tunnel. I was doing some research and can't find anything to do this specifically on pfSense.
I am probably missing something silly.
I have a VPS with a static IP connected via WG to my homelab (no NAT). I have stood up a container I'm trying to NAT from the VPS. I am running BGP for route exchange. From the server network I can see my IP is the IP of the VPS. When creating a connection to the NAT'd port, pcap on the VPS shows the TCP SYN (CLOSED:SYN_SENT). pcap on the homelab pfSense shows the SYN/ACK (SYN_SENT:ESTABLISHED). I checked the homelab's main WAN connection and the ACK is going out of it. So policy-based routing is honored for traffic originating from the server subnet, but it appears to be using the system routing table when the source is not in the primary routing table.
I have tried all 4 combinations of Reply-To to no avail.
I have created a rule on the server interface with the DST port and GW for WG (doesn't catch traffic)
I have created a rule on the server interface with the SRC port and GW for WG (doesn't catch traffic)
I have created a rule on the server interface any/any, GW for WG (catches all the traffic originating on that subnet)
Ideas appreciated.
I live in an apartment where I don't have access to my router and can't get routing to work on my pfSense box. I tried following a guide to make it a transparent firewall, but couldn't get that to work. Any advice would be appreciated!
((RESOLVED))
Hello,
I'm using a Protectli FW4C – 4 Port Intel® J3710 with pfSense and I can't seem to get the 400Mbit upload speed I'm paying for; I cap out at 40Mbit. I am, however, getting the 1Gbit download speed no issue.
I have tried many things, even resetting pfSense, and I have tried OPNsense with no luck. I have confirmed it's not an ISP issue also.
I really don't want it to be a hardware issue, but I'm at a loss and not sure what else to try.
Any help would be much appreciated.
Kind Regards
EDIT:
Turns out it was my ISP. After a bunch of troubleshooting and looking up hardware specs, I called the ISP back and they kicked my connection again so that the modem could reshape itself.
Hello
Just wondering if in this scenario/setup introducing a LAGG will improve anything (or impact negatively?)
Virtual Router (Proxmox/pfSense)
(internet connection 900Mbps down 110Mbps up)
I have a patch panel to each of the major rooms in the house. Bedroom3 is not currently utilising any wired ethernet connection.
This got me thinking if I was to setup a LAGG for the LAN, would this reduce the potential bottleneck with having potentially more VLAN traffic in the future?
For the time being I could just unplug bed3 and move PVE2 to the last port so I could LAGG to the switch from ports 1 and 4 from the router.
Would this have any impact, good or bad, on my current setup?
Further food for thought: currently WAN2 is just a backup line with poor connectivity. If/when in the future I am able to get a better backup line, I would like to have space for it on the network so it can be utilised outside of just a backup line.
I'm guessing the LAGG would be more useful on that scenario?
on that note, has anyone setup a LAGG in pfSense? easy to do? worth it?
Any advice is appreciated.
Thank you.
Is there a way that I can copy the IPsec log files from pfSense to a Windows share? I have some problems with one connection and a script which checks it every 5 min. If the tunnel is down, it restarts it and pings an address to check the tunnel. For further investigation I would need those log files; the best option would be to have them directly in my Windows share.
Is that somehow possible? On that Windows server there is no SCP running, just SMB.
Hi
Just set up FreeRADIUS for 2FA with Google.
Every time I try to connect it just says "Error failed Reason: wrong tokencode".
I'm sure I enter the correct PIN+token (like 1234+Token).
What did I miss?
Thanks
I currently have my pfSense box in a double NAT config and am working on configuring the LAN side with my Nest Wi-Fi Pro. I am planning on replacing the 3 "nodes" with something else, possibly going back to Ubiquiti APs.
[ONT] -> passthrough -> [Nest Pro Node | (WAN port)] -> [Wireless]
-> [Nest Pro LAN] -> [pfSense | (LAN port)] -> [Switch]
Is there anything to watch out for when moving the box and configuring the ONT into passthrough mode on the WAN side?
Currently I only have disabled "Block private networks" and "Block bogon networks" on pfSense's WAN interface.
My thought had been that I would set the DHCP to match my current Nest subnet, since some of the IPs are set to static, then plug the ONT in on the WAN and connect the new APs using the same SSID and password for the 2.4/5 GHz networks so that the devices automatically rejoin.
Is there a way I can route all my VPN traffic via the SSL port and use a domain name (DDNS or something similar)? I don't want to expose my public IP in the OpenVPN config.
I successfully set up an IPsec VPN using this guide https://www.youtube.com/watch?v=-GrWSnKnwgU with:
SiteA:
LAN 10.0.0.1
Lan 2
Lan 3
————-
SiteB
Lan 1
Lan 2 192.168.2.1
Lan 3
I want incoming connections on siteA:766 to be port forwarded to 192.168.2.100:766 over the IPsec tunnel.
Preferably I also want LAN 3 and LAN 1 to be able to access 10.0.0.1 without adding extra IPsec configuration, but using outbound NAT.
It's been very hard to set this up and I have been trying for a total of 20+ hours. If someone can help me on Discord I would greatly appreciate it: 1arrcy1
I am looking to set up pfSense as the router for my home network and I am trying to figure out what type of specs I need for the router. I am looking at a Protectli micro appliance. I have a Raspberry Pi running PiVPN for remote access to my home network and NAS from outside the LAN. I am looking to use pfSense as the router so I can set up VLANs and firewall rules.
How much RAM and processor would I need for the router? Is 4 GB enough or should I strive for 8 GB? I will just be using Gigabit networking with about 10 to 15 devices on the LAN.
Hey everyone,
I'm hoping to get some advice on a Wi-Fi issue we're dealing with. Here's the setup:
We have Unifi access points, a mix of LR and U6 Enterprise, throughout the building, and normally on a busy day we have over 400 clients connected to the Wi-Fi.
All clients connect to a single SSID which is on a /23 subnet managed by pfSense. This is the busiest subnet, with the most clients.
Our pfSense setup includes a total of five VLANs, each with a dedicated /24 subnet, except for this larger /23 subnet where we’re having issues.
Recently, we’ve been experiencing a problem where some clients connect but receive a 169.x.x.x IP address. When this happens, they have to disconnect from the Wi-Fi and reconnect for it to work.
We have a simplified firewall rule setup in pfSense to block inter-VLAN communication while allowing internet access for each VLAN.
Our DHCP server on pfSense is configured to handle this subnet, and there should be enough IP addresses available. However, it seems like some clients just can’t get an IP from DHCP right away. We’re not sure if this is a pfSense issue, something related to Unifi’s handling of DHCP requests on a busy network, or a configuration problem.
Has anyone else run into this with Unifi APs or pfSense? Any suggestions on things to check, troubleshoot, or specific settings that might help? We’d really appreciate any insights!
Thanks in advance!
pfSense v2.7.2
Firewall rules are being ignored and show in the logs as "@4 block drop in log inet all label "Default deny rule IPv4" ridentifier 1000000103". Even if I create an easy rule from the logs it's still being blocked. It's not internet traffic, it's networks connected directly to the firewall.
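A troubleshooting aid for the default-deny question above, added here and not taken from the post or from pfSense itself: it parses raw filterlog lines in the format pfSense writes to /var/log/filter.log and tallies blocked flows that hit tracker 1000000103 (the "Default deny rule IPv4" entry quoted in the post), grouped by the interface the packet arrived on, because pfSense evaluates rules on the ingress interface and a hit here for a directly connected subnet usually means no pass rule exists on that interface. The log lines, interface names and addresses below are constructed samples.

```python
from collections import Counter

# Tracker id of the built-in "Default deny rule IPv4", as quoted in the post's log entry.
DEFAULT_DENY_V4 = "1000000103"

# Constructed sample of /var/log/filter.log (not real traffic): "<timestamp> <host> filterlog[pid]: <csv>".
SAMPLE_LOG = """\
Oct 14 09:12:01 fw filterlog[41152]: 4,,,1000000103,igc1,match,block,in,4,0x0,,64,30211,0,DF,6,tcp,60,192.168.0.25,192.168.5.10,51544,22,0,S,1001,,65535,,mss
Oct 14 09:12:02 fw filterlog[41152]: 4,,,1000000103,igc1,match,block,in,4,0x0,,64,30212,0,DF,6,tcp,60,192.168.0.25,192.168.5.10,51545,443,0,S,1002,,65535,,mss
Oct 14 09:12:05 fw filterlog[41152]: 4,,,1000000103,igc1.5,match,block,in,4,0x0,,64,1190,0,DF,17,udp,78,192.168.5.10,192.168.0.25,5353,5353,58
Oct 14 09:12:07 fw filterlog[41152]: 12,,,1700000001,igc1,match,pass,in,4,0x0,,64,9981,0,DF,6,tcp,60,192.168.0.25,1.1.1.1,51546,443,0,S,1003,,65535,,mss
Oct 14 09:12:09 fw filterlog[41152]: 4,,,1000000103,igc1,match,block,in,4,0x0,,64,5,0,none,1,icmp,84,192.168.0.25,192.168.5.10,request,7788,1
"""


def parse_filterlog_line(line):
    """Parse one raw filterlog syslog line into a dict; return None for non-filterlog lines."""
    idx = line.find("filterlog")
    if idx < 0:
        return None
    f = line[line.index(":", idx) + 1:].strip().split(",")
    if len(f) < 9:
        return None
    # Common header: rule number, sub-rule, anchor, tracker, interface, reason, action, direction, IP version.
    rec = {"rule": f[0], "tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7], "ipver": f[8]}
    if rec["ipver"] == "4" and len(f) >= 20:
        # IPv4 part: TOS, ECN, TTL, ID, offset, flags, proto id, proto text, length, src, dst
        rec.update(proto=f[16], src=f[18], dst=f[19])
        body = f[20:]
    elif rec["ipver"] == "6" and len(f) >= 17:
        # IPv6 part: class, flow label, hop limit, proto text, proto id, length, src, dst
        rec.update(proto=f[12], src=f[15], dst=f[16])
        body = f[17:]
    else:
        return None
    # TCP and UDP carry source and destination ports next; ICMP carries a type name instead.
    if rec["proto"] in ("tcp", "udp") and len(body) >= 2:
        rec["sport"], rec["dport"] = body[0], body[1]
    else:
        rec["sport"] = rec["dport"] = None
    return rec


def default_deny_hits(text, tracker=DEFAULT_DENY_V4):
    """Count blocked flows matching the tracker, keyed by (iface, dir, proto, src, dst, dport)."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_filterlog_line(line)
        if rec and rec["action"] == "block" and rec["tracker"] == tracker:
            hits[(rec["iface"], rec["dir"], rec["proto"], rec["src"], rec["dst"], rec["dport"])] += 1
    return hits


if __name__ == "__main__":
    # On a pfSense box, replace SAMPLE_LOG with open("/var/log/filter.log").read().
    for (iface, direction, proto, src, dst, dport), n in default_deny_hits(SAMPLE_LOG).most_common():
        target = f"{dst}:{dport}" if dport else dst
        print(f"{n:4d}  {iface:8s} {direction:3s} {proto:5s} {src} -> {target}")
```

If every blocked flow shows the same ingress interface, that is the interface whose rule set needs the pass rule; an "easy rule" created from the log is only useful if it lands there.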
Proxmox server with 128GB RAM. 1 onboard NIC 1Gbps
additional pci card with 4* 2.5Gbps NICs
1./ Updated host PC Bios
2./ Installed latest version of proxmox and updated.
3./ Created strong proxmox password.
4./ Passthrough of the onboard NIC to a pfSense VM. (I gave up trying to get the other NIC card to pass through.) This 1Gbps NIC is connected to my fibre broadband as WAN. My fibre is max 1Gbps.
5./ Set up a VMBR1 bridge for the LAN and passed this through to pfSense, then plugged this port into my unmanaged switch with my LAN devices on it.
6./ Set strong password on pfsense
7./ Left rule set pretty much at default. Added one or two rules on the LAN to block my IP cameras and Linux satellite boxes reaching the internet.
8./ Management port of pfsense is a separate port on the NIC that I only connect to directly with my laptop and on different subnet to everything else.
I've no managed switches for VLAN right now.
New to pfSense. Is there any way to see all devices and what IPs they are using? Have tried the ARP table, nmap and ntopng.
In tools like Fing on my mobile, I can see a list of all my devices, then see what the MAC address is and the IPv4 and IPv6 addresses associated with the device.
Looking at the firewall logs, I have to get the IP and then check its DHCP reservation or ARP etc. I thought if I created an alias, the alias name would show in the log files, but it doesn't.
I am trying to get pfSense running on a Checkpoint 3200 model device but it will not boot after running the setup off a USB stick. I can boot to the USB and get everything configured, but when it comes time to reboot it doesn't boot to the SSD. Any ideas?
Does having more VLANs impact system performance at all?
My switches limit me to 32 VLANs, which is more than enough.
Was thinking to use more VLANs for single virtual machines.
This would help me monitor/separate traffic but would mean much more management, which I think I would be fine with, seeing as pfSense lets you copy over rules so easily.
The question: do more VLANs mean more work for the system? Or is one VLAN the same as 100? A tag is a tag, right?
The system in question is an i5-9400T, 4 cores and 4 GB allocated, with plenty of room to spare more RAM if needed, though it's only using 9%.
I pulled the below from ChatGPT but wanted real-life examples/experience from users:
Yes, having more VLANs in pfSense can impact system performance, but the extent of the effect depends on several factors:
Hardware Resources: More VLANs require more CPU and memory resources to manage the additional interfaces and routing. If your hardware is underpowered, you might see a drop in performance.
Traffic Volume: If there’s significant traffic on multiple VLANs, the network throughput could be affected. Each VLAN adds overhead for processing packets.
Configuration Complexity: Managing many VLANs can lead to more complex configurations, which may introduce bottlenecks if not set up efficiently.
Switching and Routing: pfSense handles inter-VLAN routing, which can add load. If your network setup requires heavy inter-VLAN communication, this could further strain resources.
Firewall Rules: Each VLAN might require its own set of firewall rules, increasing the processing workload.
If you plan to implement many VLANs, ensure your pfSense box has adequate hardware resources, and monitor performance to identify any bottlenecks.
Thanks
I've been getting an error for an expired web certificate lately... Except I have no idea where this cert is coming from. It's a Let's Encrypt; it's my wildcard, but when I go to the certificates page, it is not listed.
The only cert I have is Valid From: Tue, 03 Sep 2024 Until: Mon, 02 Dec 2024 and shows as in use by
webConfigurator
User Cert
Acme (1)
But the cert being used when I access my firewall management page is From: Sat, 20 Jul 2024 Until: Fri, 18 Oct 2024.
So if the certificate I have is showing as in use by WebConfigurator and in date how is this other one being served up and how can I fix that or prevent that from happening?
I'm wondering if there is any way to remotely toggle or switch preconfigured settings in pfSense. I'm not looking at accessing the web gui, there's a lot of info about that and it's way too complicated for what I need. I just need a simple interface (web page or phone app) that could enable or disable preconfigured settings. I'm thinking like a button that would block/unblock YouTube, or disable internet for a specific device on my network.
Yes, I'm wanting a way that my wife and I can easily disable internet for my kids devices, and no I don't need parenting advice. Thanks!
Ray