At the time of writing the latest current stable pfSense CE firmware version is 2.7.2 but sometimes it is stuck at 2.7.0 and doesnt offer the update, web or CLI.

1. Perform a config backup (just in case) via the web interface

2. SSH to the IP and use the CLI menu

3. Attempt option '13) Update from Console' , which will probably fail with a message similar to: ERROR: It was not possible to determine pfSense-upgrade remote version

4. Back in console menu, select option '8) Shell' and enter the following commands:

   • pkg-static upgrade (may fail with error, if you receive an error with something like a kernel mismatch version run this command pkg-static upgrade -f and select Yes when asked to ignore
   • pkg-static set -v 0 pfSense-rc (this unsets the 'vital' flag on core files to allow upgrade)
   • pkg-static upgrade
   • Reboot, log in to the web interface and you should be on 2.7.2 firmware.

My "OFFICE" and "GUEST" VLANs have no clients associated with them as this is a new setup. I've noticed a small outbound spike on the traffic graphics for both networks. Running a packet capture reveals that spike is an ARP request. I've posted about this before and have been told it's both normal as my switch is just occasionally sweeping the network trying to identity devices but also this is unusual behavior and shouldn't be doing this. Is there a consensus based on what the packet capture reveals and the information I've provided if there is anything I should do or possibly reconfigure? Thanks for any help or insight into this.

OFFICE VLAN Gateway: 10.18.40.1

Home Network Layout: https://imgur.com/a/vscjn8P

OFFICE VLAN Packet Capture : https://pastebin.com/Gsw3HGLq

VLAN Traffic Activity: https://imgur.com/a/ACNjpC3

I installed proxmox server, tha aim is to install pfsense, am using USB to lan with ODU from isp, how can I access the proxmox directly inorder to install pfsense. The connection I used to connect is the only connector I have from isp to the USB to lan, any advice please. So I can be able to install pfsense and proxmox server.

Thank you all in advance.

I have a few VLANs and most things work fine the only thing I need connection between is my PC and phone which are on their own VLANs and the printer which is on an IOT VLAN. I really don't want to sacrifice the PC and phone VLAN but I understand that devices only search within the subnet they're in. Is there some sort of way to give the printer an IP that is discoverable in the other VLANs without taking it out of the IOT section or some other solution?

I have a pfSense setup that it's working perfectly fine. Vlans are properly configured, I can access my equipment, DHCP is working alright, etc... the only thing left is, my ISP modem is on bridge mode and once this mode is enabled I can only access it's admin page from the wifi connection it provides, but my idea is to disable the wifi connection from the modem and then access the management page from within the pfSense network.

https://preview.redd.it/xzfnf583d1xc1.png?width=2050&format=png&auto=webp&s=c4ba32c35f70185a9a339c227a2862ab1bfb3225

https://preview.redd.it/scrgjx9fd1xc1.png?width=434&format=png&auto=webp&s=d142b7d66e130d4cdd83af7eba2c9d0a3cd9e926

The first screenshot is from the ISP modem configuration page showing that the modem lan interface is configured to be 10.0.0.2. The second is my connection at the modem wifi showing that the router is 10.0.0.1, pfSense, and I got the ip 10.0.0.11 from the DHCP server. From this connection I can access pfSense, but when I'm connected on my regular wifi, using my own access points instead of the modem one, I cannot connect to the modem admin page, 10.0.0.2.

https://preview.redd.it/btdiyjqne1xc1.png?width=2018&format=png&auto=webp&s=9cc4b8b53073ffee417e8054c84648ad0df2acb9

The modem is connected to the switch directly with 2 ethernet cables. One at port 4, the wan port, and another one at a random port that will be the lan access.

Any ideas?

I have new information. I still can't access it from my access point connection. The configuration is the same, port4 of the modem is the wan and it is connected at the wan port of pfsense, port 1 is the modem lan port and its connected to the switch, and the switch is connected at the lan port at pfsense. Everything works but the access to the modem admin page.

What I discover is, I can
Now for my surprise, I canping/access the modem admin page from pfsense shell and at the ping section at the pfsense admin page.

https://preview.redd.it/w2o2gpz0d2xc1.png?width=1478&format=png&auto=webp&s=93521fb40800c1a2e378962d8f0125a7950c2c47

Ping from the lan subnet, where pfsense is:

https://preview.redd.it/rt8pib44d2xc1.png?width=2318&format=png&auto=webp&s=7b2a6a5681fc5452f3e4d4727a49ca926862c306

Ping from the vlan20, where I'm connected:

https://preview.redd.it/hsb4ahq7d2xc1.png?width=2342&format=png&auto=webp&s=c813144015e46f2601c4a6f44573910bbe789475

This are the firewall rules for vlan20:

https://preview.redd.it/i7iyod5ad2xc1.png?width=2362&format=png&auto=webp&s=325afcbb41d5cc3a2a5d1d21c43fae26c0ac355c

And this are the firewall rules at the lan:

https://preview.redd.it/hldqabwad2xc1.png?width=2354&format=png&auto=webp&s=817033c0d4b5355b16c4a3b04c5849373a84c3b5

Hey all,

I’m running pfSense on a Sophos XG85 with the current specs:

2.7.2 release (amd64) FreeBSD 14.0-CURRENT

BIOS Vendor: American Megatrends Inc. Version: 5.6.5 Release Date: Mon Mar 20 2017

CPU Type Intel(R) Atom(TM) CPU E3805 @ 1.33GHz 2 CPUs: 1 package(s) x 2 core(s) AES-NI CPU Crypto: Yes (active) QAT Crypto: No

Hardware crypto AES-CBC, AES-CCM, AES-GCM, AES-ICM, AES-XTS

Kernel PTI Enabled

MDS Mitigation Inactive

I’m on a FTTP 1000/50 plan. I’ve verified I’m getting close to 1g down at the NTD and at the Ethernet port which is patches into the WAN port on the Sophos.

I’ve disabled checksum, segmentation & large receive offloading.

Before coming to this thread I’ve performed multiple speed tests on my computer while patched directly into the LAN port on the Sophos and with no other load on the Sophos. It seems I’m getting a soft limiter at 400Mbps down, but I’m getting full upload speeds which is fine.

I’d really appreciate it if anyone could point me in the right direction.

TIA

Hi, as my old pfsense broke I need a new mini-pc to run it. Will run pfsense with pfblocker and probably suricata, telegraf

(If you don't know Galaxus is the like Swiss Amazon, as Amazon wasn't interested in sellling here at all. )

Tought of something like this: https://www.galaxus.ch/en/s1/product/shuttle-barebone-slim-dl30n16gbintel-n100-intel-n100-barebones-43305853

or

https://www.galaxus.ch/en/s1/product/zotac-zbox-ci337nano-n100-intel-ddr5-hdmi-dp-intel-n100-barebones-39075534

Or the DIY Build

A refurbished Lenovo Thinkcentre M720q Tiny with 4x 2.5 G NIC https://www.galaxus.ch/en/s1/product/t1a-m720q-intel-core-i3-8100t-8-gb-ssd-256-gb-refurbished-pc-42554633 And either this, or: https://www.galaxus.ch/en/s1/product/exsys-gmbh-4-port-pcie-network-card-25-gigabit-pci-e-x4-network-cards-23355452

https://www.galaxus.ch/en/s1/product/digitus-network-adapter-4port-rj45-rtl8125b-25gbits-server-nic-pci-network-cards-36041405

Are those ones good enough? Are the nic's compatible? Which nic should I choose? Thank you for any suggestiona

I am about to move to a new place and therefore am reconsidering my home server setup.

If possible, I would love to just have one computer for:

​

• Router (PFSense)
• SmartHome Integration (HomeAssistant)
• piHole/AdGuard Home
• NAS (openmediaVault)
• MovieLibrary (JellyFin)
• maybe in the future something else

​

I have a 1Gbit internet connection from my ISP, but for my NAS I would like to have 2.5gbit for my nap and maybe 2-3 devices that I regularly use with it. The network will have around 30 clients.

Which hardware can best serve these purposes? Is it possible/advisable to have one device for all these purposes?

The reason why I am asking here is because I am new to pfSense, but the supported devices, hardware selection for it is way harder than for all the other projects that I am already used to (all the other listed below router I am already using). I wouldn't mind tinkering myself if needed but a all in one Hardware solution is also fine for me.

On my research I found: Protectli, cwwk and Topton.

cwwk and Topton are not very user friendly when it comes to filtering for my needs, so maybe anyone knows a website to compare all products that might fit my needs too.

Thanks for your help!

So, to keep things short, we recently switched the Firewall from Arista/Untangle to PFsense v2.6.0 (I know there's an update, I'm going to update that at end of day today). However, since the change, our email server FQDN cannot be resolved by the firewall when accessed from within the network. the URL in question when used from endpoint pcs' web browser, it gives me the DNS rebinding error. after some tinkering and research, I realized it's definitely an issue with the DNS Resolver/Forwarder. HTTP and HTTPS requests both fail cause it wants to go to the pf-sense firewall login screen (auto switches to HTTPS) when it needs to go to the svr in question's web portal (also set to push HTTP requests to HTTPS).

Unfortunately I don't know or remember much about setting up the DNS Resolver/Forwarder to allow for the action I need it to do.

Any help would be appreciated.

(i posted yesterday, i have pending answers to some users, i'll try the suggestions later(unrelated post to this one))

i setup my first VLAN today with a unifi AP. i have basically no experience with subnets, so i don't know if that's a problem, or might cause a problem. The vlan tag works fine, when i connected to the AP i get the correct IP Adress range, and can access things on my other LANs, bbut i can't access WAN. on the interface section on the main page, the VLAN shows as active, bbut with n/a gateway. What might be the problem? what's going over my head? is it subnet related?

https://preview.redd.it/qluoajtjnuwc1.png?width=1237&format=png&auto=webp&s=5264646be497f2c346dbabeb2a62c998c918e882

it shares the interface with 10.23.23.1

https://preview.redd.it/ahm1w93dnuwc1.png?width=1342&format=png&auto=webp&s=27a890e71af682706c92f22c63b14fbd6aa69784

https://preview.redd.it/mffzm01bnuwc1.png?width=484&format=png&auto=webp&s=1cc7847e2fd45e0fb0f8f961bb86fbd44ce66339

GUYS I'M STUPID, THE GATEWAY TO THE VLAN WAS THE SAME AS THE PFBLOCKER DNSBL AFJGFRUIEGIIF

STILL, not i get a proper 10.69.69.1 on the interfaces page, but still no internet

TL:DR - Don't be stupid, don't make your vlan gateway the same as the DNSBL

2 totally different pfsense boxes both froze up in 2 days. 1 is bare-metal and other is virtual.

Yesterday morning at 1:50am one of my production pfsense boxes quit responding to pings on the lan and wan. It's running bare metal on a old latitude laptop, using the "router on a stick" setup. When I got there, opened the screen, nothing but a black screen. Reconnecting the network cable didn't help. ctrl+alt+del didn't cause it to reboot. Pressing power didn't cause it to shut down. No hard drive light activity. I had to force it off. Turned it back on, ran a memtest (passed). pfsense booted and it's been working ever since.

Today, 7:30am, a different production pfsense box quit responding to pings on the lan and wan. This one runs in hyper-v, with 2 virtual nics. hyper-v uses vlans to map the virtual nics to physical vlans for a "router on a stick" setup. I was able to pull up the console and see the menu but it would not respond to any keypresses, or ctrl+alt+del. Disconnecting the virual nics and reconnecting them didn't help. Reset it and it's working again.

I checked the log on both and there's nothing unusual, besides the gateway alarm detecting packet loss. They both continued to log stuff while in the frozen state. Both are version 2.7.2 CE, 2GB ram, and have been stable for years. The only time they get rebooted is for upgrades.

I have about 10 pfsense boxes in production. I guess we'll see if any more freeze up.

Can someone please clarify the essence of interface bound rules that is new in 24.03 and what to be mindfull off when going from floating rules to interface bound rules?

I would say that I prior to 24.03 had only interface specific rules, not using any of the floating interfaces. Interface as in physical ports and virtual interfaces (VLANs). I have a netgate 4200 and use 1 physical port for management, and then 2 separate ports for "trusted" vs "non-trusted" VLANs.

When I enable interface bound rules I can no longer SSH into my management VLAN. Without any changes to the FW-rules, if I change back to floating it all work again.

I have been trying to troubleshoot with additional rules but I can't seem to work out where the traffic is blocked. Any guidance pratical guidance on the difference in how rules are applied and what to be mindfull off is much appreciated.

I have a netgate SG-2440 and the current version of pfSense is 2.3.3-Release. I haven't used the device in several years

I'm connected to the device through the 5pin usb port on the back, and through terminal on my mac.

At first the device was in a boot loop, and a warning that "/ was not properly dismounted" was displayed.

I used fsck -y / several times, which seemed to fix the issue on the first reboot. I was able to access the UI settings. I chose the option to restore factory defaults and then I rebooted. Now, when the device reboots it loads all the way to "Bootup complete" and then hangs there without showing any options, and I cannot type in terminal. The same thing occurs in Safe Mode and in single user mode, although in safe mode I can access shell. I've again tried fsck -y / and nothing helps.

I really don't need to keep any settings on the device, hence the factory reset. I just want the easiest way to get the device back up and running. Is there something I can do through shell, or some other recommendation? or should I just get a flash drive and install through usb?

thanks in advance

Can pfsense give out other IP address though it's not on the same subnet as the scope it would be providing them for?

For this to work, would it be just a matter of setting up a vlan on the scope I require and just tag it through the primary lan connection? Or can the lan connection answer other subnet requests via dhcp helper on switches? There's an L3 switch connected to the lan side of the pfsense that is going to be doing some routing.

I have two pfSense setup and connected them with a wireguard tunnel.

Communication of everything behind the pfSense boxes works well but I have some problems with communication between the pfSense boxes itself. They are pf.home.foo (10.0.0.0/16) and pf.remote.foo (10.10.0.0/16)

From pf.home to pf.remote I can't ping unless I specify my source address

ping 10.10.0.1 PING 10.10.0.1 (10.10.0.1): 56 data bytes

and

ping -S 10.0.0.1 10.10.0.1 PING 10.10.0.1 (10.10.0.1) from 10.0.0.1: 56 data bytes 64 bytes from 10.10.0.1: icmp_seq=0 ttl=64 time=11.853 ms

When I check my routes I can see that it seems properly defined

10.10.0.0/16 10.250.0.2 UGS tun_wg1

If it would just be the ping, I wouldn't care that much but also dns lookups seem to fail from box to box, I get a timeout. I want to be able to lookup hosts on pf.remote through pf.home. For that I setup a domain override but it doesn't work. I tried to lookup manually from the shell but I only get a timeout when looking up from pf.home to pf.remote. I assume it's the same issue as with the ping...

The question is: What is actually misconfigured here?

Edit1: Digging a bit more and it seems the correct route is actually used

route -n get 10.10.0.1

route to: 10.10.0.1

destination: 10.10.0.0

gateway: 10.250.0.2

interface: tun_wg1

recvpipe sendpipe ssthresh rtt,msec mtu weight expire

Edit 2: Ok, I found the issue. My DNS resolver was also listening on the wireguard interface and therefor was used as the origin for requests. Only listening on the LAN for DNS fixed the issue

Hello

​

I'm a network technician in training and I need your help.

I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.

The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.

I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls in two different networks.

Can anyone tell me if it's possible and, if so, give me some advice on how to set up this VPN?

Thanks in advance ^^

​

P.S : i'm french, so my english can be a little bit clumsy.

I'm using pfSense on Netgate 2100 and I want to set it up as follows:

​

1. Block all Internet access for certain users on my network, but allow only 2 websites.
2. During a certain schedule, Internet should be allowed for the users above
3. All other users on the network should have Internet allowed for them normally.

I managed to define the users using their MAC addresses, but when I was never able to setup the firewall rules to do the above correctly, especially around allowing the 2 website.

I never thought this would be a challenge, I feel it's a simple setup, but I might not know how to do it.

I'm willing to hire an expert who can help me set this.

PS: I don't want to use Squid proxy, as it's deprecated. I want my setup to last 😊

Can you help?

I created 4 VLANS: Private, Office, IoT and Guest and currently only have clients on Private and IoT networks. I've noticed in the dashboard there is zero activity in the Guest VLAN as expected as illustrated with a flat graphical line. However, there is minor traffic activity displayed for the Office VLAN despite no clients on either network with exactly the same firewall setup. My Unifi network controller indicates no clients on that network and there are no DHCP leases for any IP on that network I can see in pfSense so I'm trying to understand what is possibly happening between Office vs Guest to create this graphical discrepancy?

Traffic Graph: https://imgur.com/a/J6eELRa

The update just finished, and I get 502 bad gateway when trying to connect to reddit.com, but I can visit any subreddit fine. All other websites seem to be okay.

Cant seem to find any information about this patch ?

It's a i5 3470, 4gb ram, and Intel i340t2 setup. I setup pfblocker with oisd and the default list. Other than that, still fairly stock.

It's probly something weird with DNS resolving or cachinhg. But the initial load of websites feels like it takes twice as long to happen now.

Any ideas or tests I could run?

I’ve heard if you want to run VLANs on a network and you want pfense to be able to monitor and protect all that traffic, you need the NIC on the pfense device to have a top speed matching, or exceeding, the top speed of your VLAN, ie - not just the WAN/internet speed, which I guess is how people normally size their pfense device requirements? (I’m new to this, so please correct me if I’m off base).

I have a 10 GbE/wifi 7 network with a number of devices meeting (or exceeding via link aggregation) that criteria. It is a non-starter to add a pfense machine if it’s just going to instantly bottleneck my setup.

FWIW, it makes sense to me that if you want to analyze traffic without majorly deprecating said traffic’s throughput, you’d want your analysis tools to be at least as fast as, if not much faster than, their target.

Would appreciate confirmation, though, as I move forward with with this project.

And if anyone is bored and looking to be of additional help, I’m curious about the following…

A)what does link aggregation bring to the party for pfense in a situation like this, is it supported?

B)would there be major benefit to be gained by using a quad port NIC in my pfense device since i have multiple LAN drops in my home?

I am sure I will have some more questions as I begin to put this ridiculously overpowered spare parts pfense machine together and ratchet it up into overdrive, er…more like overkill (yeah, definitely overkill: 12700k i7, 32 GB ddr5, z790 apex 🙃).

Thanks in advance!

Hello,

I have been tasked with swapping an ailing firewall at a client's site but have had a problem with the OpenVPN server.

The existing firewall is running PFSense 2.4.4 and simply downloading the config and uploading it to the new firewall, which is PFSense+ (I don't have the version number but can get it tomorrow) copied most data but unfortunately the VPN service would not run no matter what I did.

To combat this, deleted the VPN Server and created a new one using the existing certificate(s) and TLS key.

The VPN uses Client Specific Overrides to allow remote servers to communicate with a local server to transmit critical data into a SCADA system. These work on the old firewall with no issue.

When I created this new VPN server it would show correct connction in the logs:
"Apr 25 12:53:14 openvpn 27301 openvpn server 'ovpns1' user 'xxxxx' address 'xx.xx.xx.xx:6912' - connecting
Apr 25 12:53:14 openvpn 74576 openvpn server 'ovpns1' user 'xxxxxx' address 'xx.xx.xx.xx:6912' - connected"

Unfortunately, the IPs that the server seemed to be assigning the clients were incorrect. Some of them were using each other's IPs and some were using non-assigned IPs. They are set to increase the IP by .2 each time: client 1 being 10.0.0.2 client 2 being 10.0.0.4 etc. However, two of the IPs were 10.0.0.3 and 10.0.0.5 which should not be assigned at all. Of the four active clients they were assigned the four consecutive IPs from 10.0.0.2 - 10.0.0.5.

I have double and triple checked CNs and they are all definitely correct.

I'm sure there's something I'm missing, as the VPN Server settings are slightly different between PFSense and PFSense+ but any help would be greatly appreciated (either in getting the Client Specific Overrides working or just getting the service working with the existing VPN).

TIA

Does anyone use IPsec for remote access for their phones?

I know WireGuard is pretty much the standard in this sub, but most phones have a built-in IPsec VPN, so I wanted to give it a try.

I'm not finding detailed information on setting something like this up, so I was wondering if anyone had some guides.

Thanks.

Hi All,

Home user, on my own hardware, using PFS+, on 23.09.1. Going to System Update seems like it should show the update button but doesn't. Tried rebooting too, no change. I am registered, but don't have a paid subscription.

Update

License

root: pfSense-upgrade -dc

ERROR: It was not possible to determine pkg remote version

Updating repositories metadata...

Updating ntop repository catalogue...

pkg-static: An error occured while fetching package

pkg-static: An error occured while fetching package

repository ntop has no meta file, using default settings

pkg-static: An error occured while fetching package

pkg-static: An error occured while fetching package

Unable to update repository ntop

Updating pfSense-core repository catalogue...

pfSense-core repository is up to date.

Updating pfSense repository catalogue...

pfSense repository is up to date.

Error updating repositories!

ERROR: It was not possible to determine pfSense remote version

ERROR: It was not possible to determine pfSense-base remote version

ERROR: It was not possible to determine pfSense-kernel-pfSense remote version

Your system is up to date

'tis all I get.

​

https://preview.redd.it/8dotduaaxkwc1.png?width=1158&format=png&auto=webp&s=02dcfa078e4a0bcaec4bee805fef3e0b8699d301

Hi all,

When going to the System Update menu Im seeing this message "pfSense-repoc: no package 'name' pfSense-repoc: no pfSense ". Is it safe to proceed with the update or will this effect the upgrade process?

​

https://preview.redd.it/xzadun4brkwc1.png?width=916&format=png&auto=webp&s=7ce229eb828ea6b7131d9229fd4874a41e839a41