/r/PFSENSE
The pfSense® project is a powerful open source firewall and routing platform based on FreeBSD. Developed and maintained by Netgate®.
The pfSense project is a free, open source tailored version of FreeBSD for use as a firewall and router with an easy-to-use web interface.
You can buy official pfSense appliances directly from Netgate or a Netgate Partner. You can install the software yourself on your own hardware.
We have a great community that helps support each other, but we also provide 24x7 commercial support.
Rules of Submission
Before asking for help please do the following:
Look over at our /r/pfsense wiki
Use a search engine like Google to search across the pfsense.org domain:
https://www.google.com/?#q=how+do+i+site:pfsense.org
If you are looking for help with basic networking concepts, please try /r/homelab or for more advanced, /r/networking.
Do not post items for sale in this subreddit. If you are looking to sell or buy used hardware, please try /r/hardwareswap.
This subreddit is primarily for the community to help each other out. If you have something you want the maintainers of the project to see, we recommend posting in the appropriate category on our Netgate forum.
This is a community subreddit, so let's try and keep the discourse polite.
tl;dr: Be excellent with each other.
Related Subreddits
/r/netgate - home of the pfSense project
/r/pfblockerng
/r/sysadmin
/r/networking
/r/homelab
/r/homenetworking
This video shows how to do it:
I have an OpenVPN server that has been working for years. I don't know what happened, but it stopped connecting. The logs said host not found. I'm using a No-IP domain (mydomain.ddns.net). After a phone reboot it will now connect, but I can only access pfSense and no other servers on my home network.
I created an A record in Cloudflare, vpn.mydomain.com, and set up DDNS in pfSense, which gets my current IP in green. Then I created a new OpenVPN server on port 1197, IPv4 Tunnel Network 172.16.4.0/24 and IPv4 Local network(s) 192.168.5.0/24, and placed a firewall rule on the WAN and OpenVPN networks. I get the message in the logs that the Initialization Sequence is Complete. I'm able to connect to the VPN on my iPhone 16, but again only to the pfSense router on 192.168.5.1 on my local network.
Any thoughts on what the issue is?
Using pfSense community version 2.7.2.
I need to block all VPN clients on the LAN network, especially X-VPN (which runs using port 443/tcp).
How can I do this reliably?
PS: I tried many different methods, but none worked flawlessly. Some of them are below:
a. On the LAN network, allowed only ports http, https and icmp, blocking all other traffic using all protocols.
b. Used AdGuard / Pi-hole.
c. Configured Suricata / Snort (used each of them separately).
I do not want to use Squid etc...
Can I get up to 1Gbps speed with a pfSense router/firewall on a ZimaBoard with an Intel i350-T2 (2 gigabit Ethernet ports, configured as LAN / WAN in my case)?
I badly needed option 26 to specify MTU, which is easy on ISC and unavailable on Kea - even on 24.11.
Hey everyone,
Long-time pfSense user, love the product. I have an existing device that has pfSense Plus on it running 24.11. The drive is starting to die and the device itself is getting long in the tooth. I bought a Protectli device that I want to migrate it to. I'm fine with losing the pfSense Plus license and migrating to pfSense CE. The problem is, the current config revision of 24.11 is newer than the one supported by CE 2.7.2. I reached out to tech support; I understand they weren't able to swing the license and advised that if I were on 24.03 I would be okay because they share the same version (but I'm not). I understand it, they are a business, so even that they responded at all was nice.
Do you guys have any suggestions? Can I somehow downgrade 24.11 to 24.03 so I could then create a new backup file that I could transfer? Any help would be appreciated.
My Netgate 2100 always seems to be close to or at 100%. How do I correctly diagnose the culprit? It can take up to 20 sec to load the dashboard, and thus I assume everything else is struggling too.
It is fully updated, and the only added package that might actually be doing anything is HAProxy, which I have never gotten to work! I have had other packages installed in the past (pfBlocker etc.) but they are uninstalled. Could any of the disused packages' data be causing the CPU usage? It's just me and a few low-bandwidth services here, so actual local load is minimal. Thanks
Hello friends,
I am considering getting into this stuff, but on both websites the "get started" pages discuss creating a bootable media device to then install the software to a target storage device.
I am confused because, well, from my limited understanding of things, I don't see why it can't just be a program within an existing linux/windows OS. It seems like I'll be made to run it within a vm, container, or whatever of that sort.
I've seen some mentions of virtualization / virtual environments on both sites installation pages. But that raises concerns - that it may become marginally more difficult to install / setup, and concerns of potential performance issues (throughput & latency).
My GOAL is to use an old DDR4 system, install whatever light Linux distro, install whatever NIC, and use it as my general home server. For hosting game servers, websites, my NAS RAID, etc.
So I... might assume... if the modem plugs directly into this machine, it then wires into the virtual machine running pfSense... and then the host OS connects to the internet through some kind of virtual Ethernet connection between the host OS and the virtual pfSense router. Just sounds... quite a bit complicated.
Hopefully I made it clear what I'm worried about.
Is it possible to have a VLAN interface used as a Gateway on pfSense? I have a secondary ISP modem on a different switch located in another area and would like to use it as a failover in pfSense.
Hello guys,
I need some help with my Japan Nifty 10G IPoE internet connection that uses MAP-E. I am trying to get it to work on pfSense even though I know there is not yet support for it. I heard that some people managed to get it working by setting a certain VLAN on WAN and changing the DHCPv6 prefix? Is anybody familiar with this who can help me get it working?
Thank you !
Hi everyone, I have a pfSense box running pfSense 27.2. The pfSense box is a small Lenovo IdeaCentre desktop in which I installed a PCI-E Intel i350 4-port network card. I have the built-in Ethernet port on the desktop set as the WAN port and the ports on the Intel network card set as the LAN ports. I have a desktop computer running Windows 10 connected to one of the Ethernet ports, an HP printer, an Xbox One, and an old ASUS RT-87R router connected to the Intel i350 Ethernet card. The ASUS router is set to Access Point mode so I can use WiFi. When I try to add the printer to my computer while the computer and the printer are both connected via Ethernet, the computer cannot find the printer. Both the computer and printer are getting different IP addresses assigned by the pfSense box. I can't ping the printer's IP address from the desktop computer. If I log in to the pfSense box I can see both the desktop computer and the printer under Status > DHCP Leases and if I go to Diagnostics > ARP Table. I tried swapping the cable that goes from the printer to the pfSense box. I tried manually assigning the printer an unused IP address and turning on DHCP on the printer. I tried resetting the network settings to the factory defaults on the printer. If I unplug the ASUS router Ethernet cable I have the same problem. Every other device works fine on my network. If I connect the printer and the desktop computer both to WiFi I can print. Please let me know what I can do to solve this problem. Have a great day!
Hi all,
I have spent too much time trying to figure this out on my own and I am very very lost.
What I am trying to achieve:
- A local network where I can run my IP camera(s) without them being able to access the www
- A home server that I can use for testing purposes (I'm a developer by trade) and some private websites that do not need to be publicly available.
- A way to access the above resources from the outside world (a VPN)
What I have:
I went ahead and bought a Lenovo tiny m720q with an additional 4 slot network card, which brings it up to 5 network interfaces total. It currently runs Proxmox with 2 VMs:
PfSense 2.7.2 which I'm hoping will solve all my networking issues.
Ubuntu 24.04 which I would like to be able to remote desktop to. The idea is that I could remote desktop to this and access my IP camera(s) from there using ZoneMinder or something similar.
A NordVPN subscription which might be able to help me connect via PfSense?
On the LAN side of the PfSense I have things working pretty much how I want. The IP camera is connected via one port which can only be accessed from the LAN side of the pfsense. The port that the camera is connected to cannot access the www. So far so good.
My problem currently is remote access. I have tried two approaches without luck: Setting up an OpenVPN server on PfSense and setting up an OpenVPN client using NordVPN as the server.
According to the OpenVPN client on my desktop machine (which is on the WAN side of the pfSense) I can connect successfully to the OpenVPN server I have set up on pfSense. However, I can't get access to any of the IPs that work on the LAN side in pfSense.
So.. My two questions are:
Sorry about the wall of text but I'm not sure exactly what details to provide and which to leave out here.
Thanks in advance to anyone taking the time to read this...
I believe this is a great course and exam for a technician to attain certification. I passed this back in 2023 and recently did the re-certification. The cost is minimal considering the training you will receive. Sure it is self-led, but the information is provided for you to absorb, and especially the lab process will leave you with a working set of recipes that can solve most any config issue you might run into with the pfSense Plus firewall. I won't give away any trade secrets here, but if you plan on taking this exam, be caught up on your OSI model, subnetting, binary conversion, as well as the general firewall config options that come as default. The set of slides given on the pfSense cert website highlights many of the key areas of focus, but do read the current documentation as well since numbers can change over time. This was not the easiest cert I've attained over the years, but also was not the most difficult. It's in a sweet spot and, for the price, I believe worth it.
Hello everyone,
I’m experiencing an issue with my WireGuard setup and would appreciate any assistance.
Setup Details:
- WireGuard Server Configuration:
- Allowed IPs: Initially set to all local IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
- DNS: Configured to use 1.1.1.1.
With this configuration, clients connect successfully and can access local network resources by IP. However, they cannot resolve local domain names.
- Objective: I want WireGuard clients to use the pfSense DNS Resolver to access local network services by their domain names.
Issue:
- When I change the Allowed IPs setting on the WireGuard client to 0.0.0.0/0 to route all traffic through the VPN, DNS resolution stops working entirely. Clients can still access local network resources by IP and can ping the pfSense router, but DNS queries fail.
Current Configuration:
- pfSense:
- DNS Resolver: Enabled.
- Firewall Rules: Configured to allow any-to-any traffic.
- Static Route: Added from the WireGuard client subnet to pfSense.
- WireGuard Clients:
- Can access all pfSense subnets without issues.
- Able to ping the pfSense router.
- Unable to resolve DNS queries when Allowed IPs is set to 0.0.0.0/0.
Troubleshooting Steps Taken:
- Changed the DNS setting on the WireGuard client to the WireGuard server’s IP address, but DNS resolution still doesn’t work.
- Verified that the DNS Resolver on pfSense is set to listen on all interfaces.
- Ensured that there are no firewall rules blocking DNS traffic.
I’m seeking advice on:
1. Why changing the Allowed IPs to 0.0.0.0/0 causes DNS resolution to fail.
2. How to configure the setup so that WireGuard clients can use the pfSense DNS Resolver to access local network services by domain name.
Any insights or suggestions would be greatly appreciated. Thank you!
Hi,
I have a pfSense with a WAN interface that has its public IP from a box in bridge mode. I want to add a Wi-Fi hotspot from the internet provider (E5576) via USB on the pfSense to have a backup internet connection.
I created a WAN2 interface that is configured for DHCP, and I'm getting a public IP in a /8, but pfSense becomes inaccessible via the GUI due to a conflict, since the IP is in a /8?
How should I configure my WAN2 interface for it to work properly?
The E5576 is in bridge mode with the APN, username, and password already configured on it; I just need to connect it via USB or connect to it via Wi-Fi to get internet access.
I also have a failover configured with the gateways for WAN and WAN2.
Thanks!
Hi everyone,
I have four physical interfaces (WAN, LAN1-3), and I've tried creating rules to block access from LAN2 to LAN1. I checked a few tutorials, and it’s possible to choose the source and destination networks, but I don’t see LAN1 on the list for some reason. I suspect something isn’t configured correctly on the LAN1 interface, but I’m not exactly sure what it is.
I’ve created an alias as a template solution, but I’d prefer to set the network name directly on the destination.
I appreciate your help.
Hello! I am asking here first but I'm not sure if I'm setting the port forwarding wrong or if it's a DNS issue. I'm trying to forward ports 80 and 443 to my Traefik reverse proxy on 82 and 448. I know I'm missing a step somewhere. I just don't know where.
Below are my settings:
I also tried using just TCP in the port forward settings. I've checked that the Traefik alias does point to the Traefik IP. I have dynamic DNS through Cloudflare. When checking the ports, I see 80 and 443 open on ddns.mydomain.com and my public IP. However, I cannot access any of the sites that I have assigned the external entrypoint to. Cloudflare is set to DNS only for A record traefik.mydomain.com --> IP of traefik, ddns --> my public IP, and CNAME name = * and target = mydomain.com.
I also have PiHole internal DNS set up with A record traefik.mydomain.com --> IP of traefik and then CNAME records pve.mydomain.com --> traefik.mydomain.com, nextcloud.mydomain.com --> traefik.mydomain.com, etc.
I also did try just forwarding 80 and 443 to Traefik 80 and 443 and still could not access sites externally. I'm not sure what the next step to troubleshoot is.
Oh also, I have Proton VPN running through Wireguard on pfSense for whole network VPN but not sure how that interacts with this if at all.
Any guidance is appreciated. Thanks!
Hi
Inspired by a recent post here, I checked the health of the eMMC on my beloved 4100 that’s been working beautifully since I installed it 7/2022.
Unfortunately this was the result
# mmc extcsd read /dev/mmcsd0rpmb | egrep 'LIFE|EOL'
eMMC Life Time Estimation A [EXT_CSD_DEVICE_LIFE_TIME_EST_TYP_A]: 0x0b
eMMC Life Time Estimation B [EXT_CSD_DEVICE_LIFE_TIME_EST_TYP_B]: 0x0b
eMMC Pre EOL information [EXT_CSD_PRE_EOL_INFO]: 0x01
#
Which I am guessing is because I was foolish enough not to set up remote rsyslog and audaciously installed pfBlocker-NG.
I have ordered a 4200 MAX to replace the 4100, but it seems a shame to bin it and I don’t think I could sell it with a clear conscience.
I’m a home user with a 1Gb WAN1 connection and Starlink running redundantly on WAN2 for what it’s worth.
Any suggestions on what I do with the 4100? Alternatively, anyone in the UK want to take it off my hands?
Relevant Info: pfSense 2.7.2, uptime 33 days, running Unbound as the resolver with encrypted queries to upstream DNS servers as needed.
I started having issues a few days ago: Amazon product pages would take forever to load and only some text would show up,
but other sites would load just fine. I thought maybe it was Amazon. I turned WiFi off on my phone, and those same pages that wouldn't load on my PC loaded right away on the cell network.
I had to fill out a medical form online, and while the page loaded, the form never would load. I went to my work PC and it loaded correctly right away.
Today while shopping on Amazon, product pages would load, but the user review videos never would. So at this point, I have a gremlin somewhere. I set my DNS locally to Google (8.8.8.8) and all that stuff that didn't work before worked correctly now.
I'm upstreaming to Quad9 and I thought maybe they are having a problem or getting DDoSed or something. So I set my upstream to Cloudflare (restarting Unbound after each change) and everything was working... until it stopped. After a certain period of time, those same types of problems come back. If I go in and restart Unbound, things are good for a bit until they're not. So something is flaky with Unbound; it's been fine forever until the last few days. How can I troubleshoot this?
TIA
SOLVED: Thanks for everyone's replies, I was able to figure it out! I'll note I think there is still something I am missing, but I'll type this out with my current understanding. I thought I could use HAProxy to direct traffic internally without assigning an SSL cert. Once I added my domain-specific certs and checked the boxes for Add ACL for cert CommonName and Subject Alternative Names, everything just fell into place.
A follow-up issue I had with a fourth domain was due to the SSL cert that I was generating. For Domain4.com (also pointed at zeta) I created the cert as www.Domain4.com, but on my Cloudflare I never added a CNAME for www. Once I added the CNAME for www, this also worked after restarting the service.
o/ I have been stuck on this one for a little bit, hoping to get some ideas thrown at me.
My HAProxy seems to work with only one of my three domains and I am at a complete loss.
I have three domains pointed at my home and two webservers with a website for each domain (three websites / two machines). When opening port 80 directly I am able to confirm each website is accessible independently. When using HAProxy only one of my domains will get directed to the proper backend.
For example, let's call my domains Domain1.com, Domain2.com, Domain3.com
And for machines: machine1 and machine2
Domain1.com will load correctly no matter what backend I point it to. If I set its backend to machine1, then it will load the proper webpage and if I set its backend to machine2, it again points to the proper webpage I have set up on machine2.
The issue is with Domain2.com and Domain3.com, I am not able to get these to load either backend.
The error I get is: ERR_CONNECTION_TIMED_OUT
Other notes:
- All three domains are hosted on Cloudflare and are set up on pfSense with the ACME service
- I am using the Host matches expression in my front end and a million times over confirmed no trailing spaces, only copying and pasting the values
- My Frontend contains all three of these domains, however I even tested each domain independently and only Domain1.com would arrive to the pointed backend (working both for Machine1 and Machine2 as directed).
- If I point all three domains to a single backend, only the Domain1.com address arrives at the backend.
I've tried looking in the logs to see what it says about the restart but it just shows the last 500 lines of the boot up.
Am I looking in the wrong place?
(pfSense runs on a UPS backup, so it's probably not a power issue.)
Hi
I have a specific situation:
VLAN 1 should see mdns from VLAN 2
VLAN 3 should see mdns from VLAN 4
I can set up Avahi and select the 4 interfaces, but in that case VLAN 1 will see mDNS from VLAN 4, which is not what I want.
How would one do this? It doesn't seem to be possible to run 2 Avahi services?
Thanks for any insight
Yesterday I went to update our Netgate 4100 from 23.0.9 to 24.11.
First step: made a backup of the current configuration (that would come in handy later on).
Second step: attached a computer to the serial console (that would come in handy later on, too).
Third step: reinstalled all packages that had updates, including the patches package. Applied all recommended patches and rebooted the device.
This is where it went wrong:
Following the output on the serial console, I could see that the whole configuration was gone. Only the first LAN interface had an IP address attached to it. What I could also see was that all packages were still there (ladvd, pfblockerng, apcupsd etc.)
Using the serial console, I chose option 15 from the (fortunately not password-protected) console menu. The "recent" configurations to choose from were from 2023...
Solution:
I connected a notebook to the first LAN port and was able to access the web interface using the IP address shown in the output on the serial console. Then I got really lucky, because I remembered our default password that was used at the time to set up devices. From there I could restore the backup from step one.
Afterwards I could update to 23.0.9.1 and then to 24.11. On the way pfblockerng lost the customer data for the MaxMind GeoIP database. This resulted in empty lists, so that no one could access the services provided behind this firewall. After re-entering the information, everything went back to normal.
Conclusion:
Had this device been in any other location, I would have had to make a trip. Luckily for me it was just around the corner in our building. The whole process was not confidence-inspiring at all.
Hello everyone,
I have a homelab and a NAS that do high-bandwidth things (e.g. doing remote backups and receiving remote backups). I want to deprioritise those devices' traffic, so e.g. I don't suddenly get bad Zoom call or streaming quality on all my other devices. I read the docs, and it should go as follows:
Does this sound about right? Did I miss anything or is there a better way to do this?
Cheers
Hey all,
Me again. I couldn’t think of a good title so that’s what it is.
Tl;Dr can’t get IP or access pfsense after setup
Long story:
A couple weeks ago, something on my network died. I knew this because, well, my network died.
I have a pretty flat network other than a pi-hole. So my setup was this:
My Arris cable modem (mine) connected to the WAN port of a netgate pfsense box. LAN port out to the switch (8 port Netgear). And opt cable to my pi-hole.
I set it up via a guide to integrate pi-hole into the pfsense. Everything worked great for a long time. A year or two at least. Then one day it just didn’t work.
So I’ve spent so many hours trying to get my ad blocker back up, trying to get my firewall back up, etc. I don’t even need the firewall, I just want the damn ad blocker.
So, I scrapped my pi hole and my netgate box and installed pfsense on a computer. While doing this, I’ve discovered that my modem is not a router. Now, I can’t access the gui of my modem because for some reason no password works, not even default password after resetting to default. As a solution, I have a netgear wifi/router. Used this. Everything is hunky dory but slow.
Now I can access my pfsense through the LAN connection. I got it set up and created a DHCP server from the LAN port. I also set a static for my pfsense and confirmed I was able to access the web configurator after the change.
I have this issue where whenever I try to remove the other router and connect the WAN and LAN ports on the NIC, I get nothing. Rebooted everything. Still nothing.
My issue boils down to DHCP not working correctly I think. I’m thinking the WAN port isn’t communicating with the LAN port and thus not actually handing out IP addresses, gateways, etc. doing ipconfig returns a 169.x.x.x address so I know I’m not getting any info from the pfsense.
I’ve also swapped cables to the other ports just in case I mixed them up.
What setting am I missing? Is this because I didn’t configure everything with the WAN and connected but using just the lan? I’ve reset to factory settings so many times I’m an expert at hitting 6 then Y.
Edit after resolving the issues: I found out the main issue I had was that if I unplugged my pfsense computer, the CMOS battery would die. When I plugged it back in, it would stop the booting process on the BIOS screen. Once that was resolved, I had another issue. I was unable to get a network connection. I connected a Keyboard and a monitor to the pfsense PC and was able to see I had a valid WAN and LAN IP address. I set the IP on my computer to the range of the pfsense and then was able to access the GUI. Once there, I figured out that DHCP server was disabled. I enabled that, connected everything properly and bob's your uncle (tell him hi from me!), it was working.
Now I need to finish configuring pfblockerng and I'm off to the races!
I am building a pfSense box. I am struggling to find a reliable dual-port 2.5Gbps NIC. Would having 2 single-port NICs (since I have 2 PCI Express slots) work? Or do dual-port NICs offer an advantage when used as a router/firewall?
Hey everyone, I managed to snag a Bosgames 16GB N100 mini PC due to a pricing error... got it for $150 CAD (around $100 USD). The catch is, it only has a single 2.5Gb NIC. There’s an available PCIe slot, so I’m wondering... would adding a second PCIe NIC be more hassle than it’s worth? Or should I just spend a bit more on a proper dual-NIC device? Thanks!
I have been trying to make a network fully in VMware workstation.
For my pfSense I have two NICs: one is a bridged adapter and the second one is host-only for LAN.
For some reason, even if I do everything like I'm supposed to, it just won't detect the link as up.
I have tried disabling and enabling my physical NIC (Intel(R) Wi-Fi 6 AX200 160MHz) and nothing.
I have tried disabling Network Connections and re-enabling it but it still doesn't work.
Is there something wrong with my hardware maybe? I am desperate please help.
Hi I have been asked to add a 4G Router to a remote site as a failover WAN connection, I have configured a new interface to use DHCP and just plugged in the router, the system has already identified the routers gateway as a WAN, and I have configured a Gateway Group (WAN/tier 1 and WAN-4G/tier 2), and if I unplug the primary WAN it switches over without any issues.
However being the first time I have done this I (4G Router Connection) have a few questions:
1: How do I get the system to fail back once the primary has been restored, without rebooting the pfSense?
2: What do I need to do when dealing with the 192.168.x.x addressing in terms of interface settings and firewall rules, or anything else I need to secure?
There's a growing trend of devices running pfSense with eMMC-based storage dying in 2-3 years, and in some cases, failing in less than 1 year. eMMC storage is found in all Netgate devices other than the "MAX" versions, and also in many popular small-form-factor appliances. Typical eMMC sizes are 8-32GB and it is usually soldered to the board and can't be replaced.
Often, users are unaware that enabling additional logging or that many of the popular packages for pfSense, combined with these small storage sizes and technical limitations of eMMC, will result in accelerated wear out and sudden death of the storage. This can happen with SATA and NVMe drives, so it's a good idea to check them too.
When the eMMC storage is fully worn out, pfSense may continue partially working for a short while, unknown to the user, and then will become completely non-responsive, usually when a critical process needs to access the storage, or when the device is rebooted.
To check the health of your storage device from within pfSense, navigate to Diagnostics > Command Prompt and run these commands:
pkg install -y mmc-utils;
mmc extcsd read /dev/mmcsd0rpmb | egrep 'LIFE|EOL'
The Type A and Type B wear are hex values that you multiply by 10 to get a percentage. For example, 0x05 is 50%, 0x0a is 100%, and 0x0b is 110% wear.
https://docs.netgate.com/pfsense/en/latest/troubleshooting/disk-lifetime.html
For more information, check out this thread on the Netgate forums:
https://forum.netgate.com/topic/195990/another-netgate-with-storage-failure-6-in-total-so-far
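Both eMMC posts above (the 4100 owner's pasted output and this storage-health write-up) quote the same three mmc-utils lines. As an added example that is not from either poster, the POSIX sh script below parses that output, applies the times-ten rule given above and returns a keep/replace verdict. The sample output is constructed from the values pasted above; the PRE_EOL_INFO code meanings (0x01 normal, 0x02 warning, 0x03 urgent) come from the eMMC specification, not from the page.

```shell
#!/bin/sh
# Added example, not from either post above: interpret the mmc-utils output
# that the posts quote. SAMPLE_OUTPUT is constructed from the numbers the
# 4100 owner pasted; on a real device feed in the command the post gives:
#   mmc extcsd read /dev/mmcsd0rpmb | egrep 'LIFE|EOL'

SAMPLE_OUTPUT='eMMC Life Time Estimation A [EXT_CSD_DEVICE_LIFE_TIME_EST_TYP_A]: 0x0b
eMMC Life Time Estimation B [EXT_CSD_DEVICE_LIFE_TIME_EST_TYP_B]: 0x0b
eMMC Pre EOL information [EXT_CSD_PRE_EOL_INFO]: 0x01'

# Life-time estimate: each 0x01 step is 10% of rated endurance, so
# 0x05 -> 50, 0x0a -> 100, 0x0b -> 110 (already past rated life).
wear_pct() {
    echo "$(( $1 * 10 ))"
}

# PRE_EOL_INFO codes from the eMMC spec: 0x01 normal, 0x02 warning
# (80% of reserved blocks consumed), 0x03 urgent. Anything else is
# reported as unknown and treated conservatively below.
eol_label() {
    case "$1" in
        0x01) echo normal ;;
        0x02) echo warning ;;
        0x03) echo urgent ;;
        *)    echo unknown ;;
    esac
}

# check_emmc OUTPUT: print one report line per field and return 0 when the
# device looks healthy, 1 when it should be replaced (either wear estimate
# at or past 100%, or pre-EOL status no longer "normal").
check_emmc() {
    worn=0
    old_ifs=$IFS
    IFS='
'
    set -f                        # the [..] in the lines must not be globbed
    for line in $1; do            # no pipe, so $worn survives the loop
        val=${line##*: }          # hex value after the last ": "
        case "$line" in
            *LIFE_TIME_EST_TYP_A*|*LIFE_TIME_EST_TYP_B*)
                pct=$(wear_pct "$val")
                case "$line" in *TYP_A*) kind=A ;; *) kind=B ;; esac
                echo "wear estimate $kind: ${pct}%"
                if [ "$pct" -ge 100 ]; then worn=1; fi ;;
            *PRE_EOL_INFO*)
                label=$(eol_label "$val")
                echo "pre-EOL status: $label ($val)"
                if [ "$label" != normal ]; then worn=1; fi ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return $worn
}

if check_emmc "$SAMPLE_OUTPUT"; then
    echo "verdict: storage healthy"
else
    echo "verdict: replace this storage (and move logging off it) now"
fi
```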