/r/PFSENSE
The pfSense® project is a powerful open source firewall and routing platform based on FreeBSD. Developed and maintained by Netgate®.
The pfSense project is a free, open source tailored version of FreeBSD for use as a firewall and router with an easy-to-use web interface.
You can buy official pfSense appliances directly from Netgate or a Netgate Partner. You can install the software yourself on your own hardware.
We have a great community that helps support each other, but we also provide 24x7 commercial support.
Rules of Submission
Before asking for help please do the following:
Look over at our /r/pfsense wiki
Use a search engine like Google to search across the pfsense.org domain:
https://www.google.com/?#q=how+do+i+site:pfsense.org
If you are looking for help with basic networking concepts, please try /r/homelab or, for more advanced topics, /r/networking.
Do not post items for sale in this subreddit. If you are looking to sell or buy used hardware, please try /r/hardwareswap.
This subreddit is primarily for the community to help each other out; if you have something you want the maintainers of the project to see, we recommend posting in the appropriate category on our Netgate forum.
This is a community subreddit, so let's try and keep the discourse polite.
tl;dr: Be excellent with each other.
Related Subreddits
/r/netgate - home of the pfSense project
/r/pfblockerng
/r/sysadmin
/r/networking
/r/homelab
/r/homenetworking
Hello,
I'm trying to install some package in my pfsense but I'm not able to see the available packages in my pfsense.
The version in use is 23.09.1. I installed packages before, but now I cannot find them.
I would appreciate any help you can give me.
I finally was able to set up and get a handshake from my pfSense to the VPN provider (Privado) using WireGuard. (They don’t provide instructions.) But when surfing the internet, some sites just won’t load. Google, for example, keeps asking for a captcha, DuckDuckGo won’t load at all, my Apple email won’t connect, other sites work OK. Without going into too much detail, I have set up a WireGuard peer, tunnel, and gateway on my pfSense to support this connection. I also have 2 outbound NAT rules configured for my internal network 192.168.1.0/24. So the connections have been established, but these odd website connection issues are puzzling me. Can anyone point me in the right direction?
I changed the LAN IP for a school assignment and right when I clicked "apply changes" it stopped responding. I tried every other way to fix this but haven't had any luck. Every time I access it through the new IP it doesn't work, but when I factory reset and access it through the default 192.168.1.1 IP it works right away. Anyone had this issue before?
ATT Fiber modem set to pass through, basic firewall rules & tunneled connection over WG. I’ve been trying to solve this for months someone please help me lmao
Hello everyone,
I have Tailscale and pfBlockerNG running on my pfSense box, and would like to use it as the DNS server for my other devices running Tailscale.
(Image: Tailscale group)
Currently, the DNS server responds to queries from Tailscale devices with status: REFUSED. The DNS resolver is set up to listen on "All" interfaces, however the list does not contain Tailscale.
I have seen tutorials to advertise the pfsense machine's IP, accept routes on all other Tailscale machines, and then set the 192.168.x.y IP as dns server, instead of directly using the 100.x.y.z IP. However I would like to avoid having to resort to that. The posts are 2 years old, maybe there is a way these days?
Cheers
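The REFUSED status in the post is Unbound's access-control answer, not a listening problem: the socket received the query and the ACL rejected the source. The following is an added example (not pfSense or Unbound code, and not the poster's configuration) that models how Unbound picks an action for a client address: the most specific matching access-control netblock wins, and a source that matches nothing is refused. The config text is constructed; 192.168.1.0/24 stands in for a LAN, and 100.64.0.0/10 is the CGNAT range Tailscale assigns from (assumed here to cover the tailnet). On pfSense the equivalent of the added line is an entry under Services > DNS Resolver > Access Lists, since the 100.x range is typically not one of the interface networks the resolver allows automatically.

```python
"""Model of Unbound's access-control decision (added example; constructed config)."""
import ipaddress


def parse_access_control(config_text):
    """Collect (network, action) pairs from 'access-control: <netblock> <action>' lines."""
    acl = []
    for raw in config_text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and blank lines
        if not line.startswith('access-control:'):
            continue
        netblock, action = line.split(':', 1)[1].split()
        acl.append((ipaddress.ip_network(netblock, strict=False), action))
    return acl


def lookup(acl, client_ip):
    """Action Unbound applies to a query from client_ip.

    Unbound uses the most specific (longest prefix) matching netblock; a source that
    matches no entry gets Unbound's default, which is 'refuse' (answered with REFUSED).
    """
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in acl:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, action)
    return best[1] if best else 'refuse'


# Constructed: roughly what a LAN-only resolver ACL looks like, plus one host refused
# through an explicit Access List to show that the more specific entry wins.
BASE_CONFIG = """
access-control: 127.0.0.0/8 allow
access-control: ::1 allow
access-control: 192.168.1.0/24 allow
access-control: 192.168.1.200/32 refuse   # constructed: a single LAN host blocked
"""

# Constructed: the same ACL after allowing the tailnet's CGNAT range.
FIXED_CONFIG = BASE_CONFIG + "access-control: 100.64.0.0/10 allow\n"

BASE_ACL = parse_access_control(BASE_CONFIG)
FIXED_ACL = parse_access_control(FIXED_CONFIG)


def report(acl, clients):
    """Map each client address to the action the resolver would take."""
    return {client: lookup(acl, client) for client in clients}


if __name__ == '__main__':
    clients = ['192.168.1.50', '192.168.1.200', '100.101.102.103', '10.0.0.5']
    print('before:', report(BASE_ACL, clients))   # Tailscale client -> refuse
    print('after: ', report(FIXED_ACL, clients))  # Tailscale client -> allow
```

The same check is worth running in reverse: an Access List that is broader than intended (for example 0.0.0.0/0 allow on a resolver reachable from WAN) turns the box into an open resolver, so keep the allowed netblock to the tailnet range actually in use.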
I have an XG-7100 DT which is coming to end of life this month. I want to upgrade to a similar format machine with two SFP28 and one or more 10G NICs. The closest thing I've found is the superserver e200-12d-10c, which has a Xeon processor and I can't find a source in Canada to purchase it from. Any suggestions either for an etailer or an alternative?
I've got a pfSense box running my network, with the main WAN connection running to the ISP. It's behind CG-NAT, so I've got a cheap VPS to handle inbound traffic, tunneled via WireGuard. All regular traffic is NAT'ed and sent out via the ISP like normal, and I use policy routing rules to define what should go out through the VPS. (Diagram attached) These are public IP ranges, so I have masked my prefix in the attached screenshots.
There is a Host (x.x.x.136) on the LAN network on which I'm setting up a service which requires inbound connectivity on UDP 5198-5199, and I'm trying to set up policy routing to send the response traffic out of the WG interface. The IP address used for these UDP streams must match the source IP address used on TCP 5200, so I've set up a policy rule to route this out of the WG interface as well. (Screenshot of LAN rules attached) There are no floating rules in this setup.
Here's the problem: Only the rule for TCP 5200 seems to be working. Traffic destined for TCP 5200 is properly routed out of the WG interface, but traffic destined for UDP 5198 and 5199 is sent out of the WAN interface. I set these up identically, aside from the protocol and port numbers, so I can't figure out why one works but the other doesn't. Furthermore, I have set a rule such that anything from x.x.x.136 should be sent out via the WG interface, but that doesn't even catch it.
I'm out of ideas as to what could be going on here, so any help on this issue is appreciated.
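Two pf behaviours commonly make "identical" policy rules appear to act differently, and both are easy to overlook when only one protocol misbehaves. The following is an added toy model (not pfSense or pf code; the host, ports and gateway names are constructed to mirror the post): packets that match an existing state never re-enter rule evaluation, so a UDP stream whose state was created before the policy rule existed keeps the gateway it started with until that state is killed; and pfSense interface rules are first-match, so a broader rule placed higher up wins over a more specific one below it.

```python
"""Toy model of pf state lookup and first-match rule evaluation (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HOST = '198.51.100.136'        # constructed stand-in for the poster's x.x.x.136
ANY_PORT = (1, 65535)
WG_GW = 'WG_GW'                # constructed name for the WireGuard gateway


@dataclass(frozen=True)
class Rule:
    proto: str                  # 'tcp', 'udp' or 'any'
    src: str                    # source address or 'any'
    dst_port: Tuple[int, int]   # inclusive destination port range
    gateway: Optional[str]      # None = the GUI's "default" gateway (system routing table)


@dataclass
class PfModel:
    rules: List[Rule]
    # state key -> gateway recorded when the state was created
    states: Dict[tuple, Optional[str]] = field(default_factory=dict)

    def route(self, proto, src, sport, dst, dport):
        """Gateway a packet leaves through and why ('state', 'rule' or 'blocked')."""
        key = (proto, src, sport, dst, dport)
        if key in self.states:                 # existing state: rules are not consulted again
            return self.states[key], 'state'
        for rule in self.rules:                # GUI rules are 'quick': first match wins
            if rule.proto not in ('any', proto) or rule.src not in ('any', src):
                continue
            lo, hi = rule.dst_port
            if not lo <= dport <= hi:
                continue
            self.states[key] = rule.gateway    # the gateway is fixed at state creation
            return rule.gateway, 'rule'
        return None, 'blocked'                 # no match: pfSense's implicit default deny

    def kill_states(self, src):
        """What Diagnostics > States > Kill (or `pfctl -k <host>`) does for one host."""
        for key in [k for k in self.states if k[1] == src]:
            del self.states[key]


# The LAN rules as the post describes them, top to bottom (constructed to mirror it).
POLICY_RULES = [
    Rule('tcp', HOST, (5200, 5200), WG_GW),
    Rule('udp', HOST, (5198, 5199), WG_GW),
    Rule('any', HOST, ANY_PORT, WG_GW),
    Rule('any', 'any', ANY_PORT, None),        # the usual "LAN to any" allow with default gateway
]


def fresh_flows():
    """New TCP and UDP connections with no prior state: both policy rules apply."""
    pf = PfModel(list(POLICY_RULES))
    tcp = pf.route('tcp', HOST, 40000, '203.0.113.10', 5200)
    udp = pf.route('udp', HOST, 40001, '203.0.113.10', 5198)
    return tcp, udp


def stale_state():
    """A UDP stream whose state predates the policy rules keeps its original gateway
    until the state is cleared; clearing it lets the rule take effect."""
    pf = PfModel(list(POLICY_RULES))
    flow = ('udp', HOST, 40001, '203.0.113.10', 5198)
    pf.states[flow] = None                     # created under the old ruleset: default gateway
    before = pf.route(*flow)
    pf.kill_states(HOST)
    after = pf.route(*flow)
    return before, after


def wrong_order():
    """Same rules with the catch-all placed first: the policy rules are never reached."""
    pf = PfModel([POLICY_RULES[-1]] + POLICY_RULES[:-1])
    return pf.route('udp', HOST, 40001, '203.0.113.10', 5198)


if __name__ == '__main__':
    print('fresh flows:', fresh_flows())
    print('stale UDP state, then after kill:', stale_state())
    print('catch-all rule first:', wrong_order())
```

The practical check that follows from this: after saving policy-routing rules, clear the affected host's states (Diagnostics > States, filter on the host, or `pfctl -k <host>` from the shell) and confirm the rule order in Firewall > Rules > LAN before looking for anything more exotic. Long-lived UDP streams are the classic case where an old state quietly outlives a rule change.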
Hello Everyone,
I am currently running pfSense+ version 23.09. The system is a bit over-specced, but I have never had issues with it up until this point. The firewall runs an Intel E3-1280 v6 with 32GB of RAM and a 2x10GbE SFP+ card. You may have noticed that I said the firewall is currently running 23.09. According to pfSense it is running the most up-to-date version of the operating system, but if the system is switched from its current boot environment to one running the most up-to-date version of pfSense, the firewall crashes every time on boot. I figured that the other boot environments the system had are corrupted and of no use, as it always seems to fall back to the one running 23.09.
I was hoping someone had any tricks or ideas as to what I need to do to get the firewall on the most recent version of pfSense. I am at the point where I think a complete reinstall of the operating system may be needed, but I don't want to do it yet.
Current Version/Build that the system is running
The boot environments page on the firewall. This was full of like 12 or so different boot environments so I cleared them all out except for the one that I know is currently working.
When I try to view if there are any updates that need to be run I just see this on the update page...
Any thoughts or ideas as to where I am going wrong are much appreciated.
Thanks
Hello everyone,
I’m running pfSense 2.7.2 on Proxmox VE 8.3 and encountering persistent split lock traps in the Proxmox kernel when I assign multiple cores to the VM. The errors disappear when the VM is limited to 1 core.
Proxmox kernel: 6.8.12-4-pve
prox kernel: x86/split lock detection: #AC: CPU 3/KVM/1408 took a split_lock trap at address: 0x7ef1d050
prox kernel: x86/split lock detection: #AC: CPU 1/KVM/1406 took a split_lock trap at address: 0x7ef1d050
prox kernel: x86/split lock detection: #AC: CPU 2/KVM/1407 took a split_lock trap at address: 0x7ef1d050
VM CPU types: host, qemu64, kvm64
CPU flags: AES and hv.evmcs
Any advice or insights would be greatly appreciated. Thank you!
Hi all, seeking assistance after reading the various posts but couldn't find a solution to my problem.
An image of my current setup can be found attached.
WAN is receiving an IP from the ISP and can ping the Internet no problem both via hostname and ip-address.
However, I cannot seem to access the internet from any PCs that are connected via the switch. It appears to be a firewall rule, however I can't quite seem to find the solution.
PCs on the network via the switch can ping each other no problem (thus the ability to access the web GUI), but Internet is still not available.
Some methods I've tried include:
Hoping to find a solution, as my previous one involved using an ASUS router that can't keep up with all the IoT devices in the house.
Thanks for the help in advance.
Cheers
--Edited to include diagrams which didn't upload previously.
Has anyone gotten a renewal notice for pfsense plus (just the SW on a white box)? I purchased this one year ago and netgate has not yet sent out a renewal notice.
So this has been happening off and on, usually when I'm not home to see it but the WAN will die with 100% packet loss for a minute or so, sometimes longer and then eventually come back. Sometimes it took a reboot after 10min. I did try a few things previously, changing the monitor IP to 1.1.1.1 to see if that helped and also tried to reboot once a week. I think I tried to disable the monitoring action but I'm pretty sure that didn't work so I turned it back on.
If I check the logs I do see:
send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% alarm_hold 10000ms dest_addr 1.1.1.1 bind_addr __.__.__.__ identifier "WAN_DHCP "
I'm not entirely sure what else to try or do, since like I said it usually happens when I'm not home and by the time I do get home it's been fixed. It is a bare metal install, 2.7.2-RELEASE running on a T620 (AMD RX-427BB) with an intel quad NIC and looks like it's happened 10 times in the last 30days checking the monitoring view. Services are dhcpd, dpinger, haproxy, iperf, ntpd, syslogd and unbound and installed packages are acme, haproxy and iperf.
Everything looks good for system, temp and usages, nothing seems maxed out on the graphs when it is happening.
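The dpinger line in the log is the full set of thresholds that decide when pfSense declares the WAN gateway down, so it is worth reading literally. The following is an added example (not dpinger or pfSense code) that parses that line and models the decision: a probe goes out every send_interval, a reply arriving later than loss_interval counts as lost, results are averaged over time_period, and the alarm fires when loss exceeds loss_alarm or average latency exceeds latency_alarm. The probe data is constructed, and the bind address is a documentation address; with these settings, a little over 12 seconds of lost replies inside the 60 s window is enough to cross 20 %.

```python
"""Parse a dpinger startup line and model its loss/latency alarm (added example)."""
import re

# Constructed from the line in the post; bind_addr is a documentation address.
DPINGER_LINE = ('send_interval 500ms loss_interval 2000ms time_period 60000ms '
                'report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms '
                'loss_alarm 20% alarm_hold 10000ms dest_addr 1.1.1.1 bind_addr 203.0.113.5 '
                'identifier "WAN_DHCP "')


def parse_dpinger(line):
    """Turn the key/value pairs into numbers (ms and percent) or strings."""
    params = {}
    for key, val in re.findall(r'(\w+)\s+("[^"]*"|\S+)', line):
        if val.endswith('ms'):
            params[key] = int(val[:-2])
        elif val.endswith('%'):
            params[key] = int(val[:-1])
        elif val.isdigit():
            params[key] = int(val)
        else:
            params[key] = val.strip('"')
    return params


def evaluate_window(samples, params):
    """samples: (send_time_ms, rtt_ms or None if no reply) for one averaging window.

    Returns (loss_percent, average_latency_ms, alarm). A reply slower than
    loss_interval is treated as lost, the way dpinger does.
    """
    rtts = [rtt for _, rtt in samples if rtt is not None and rtt <= params['loss_interval']]
    sent = len(samples)
    loss = 100.0 * (sent - len(rtts)) / sent if sent else 0.0
    latency = sum(rtts) / len(rtts) if rtts else 0.0
    alarm = loss > params['loss_alarm'] or latency > params['latency_alarm']
    return loss, latency, alarm


def simulate_outage(params, outage_ms, base_rtt_ms=15.0):
    """One window of constructed probes: healthy link except for a single outage of
    outage_ms at the start of the window during which nothing comes back."""
    samples = []
    for t in range(0, params['time_period'], params['send_interval']):
        samples.append((t, None if t < outage_ms else base_rtt_ms))
    return evaluate_window(samples, params)


if __name__ == '__main__':
    p = parse_dpinger(DPINGER_LINE)
    for outage in (5000, 12500, 20000):
        loss, latency, alarm = simulate_outage(p, outage)
        print(f'{outage / 1000:>5.1f}s outage -> loss {loss:5.1f}%  latency {latency:5.1f}ms  alarm={alarm}')
```

Two things follow from the model. First, "Disable Gateway Monitoring Action" only stops pfSense reacting to the alarm (re-running the failover and filter reload); the loss itself is still there, so the graph under Status > Monitoring stays the better evidence. Second, because the window is 60 s, a WAN that drops for well under a minute still shows up as a down event, which matches the short outages described in the post.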
Hi, I have a new dual WAN setup. I found that when ISP-1 (DHCP connection) goes down, the internet connection stops (web pages do not load) even though ISP-2 (static IP connection) is up. Is something wrong in my config? Please correct me.
I tried logging into my SG-2440 to change a few firewall rules, and it froze after I clicked the login button, then dropped internet to the house. I manually restarted it, but the red status LED turned solid the moment it turned on, then after a minute or two, it would power itself off. Several online sources stated this was unfixable.
Bought a 2100 and configured it to mirror my old 2440. A decade of rock solid reliability. You will be missed, and thought of fondly.
This video was very helpful in setting up bandwidth limits: https://www.youtube.com/watch?v=iXqExAALzR8
The issue I'm now having is that the pfSense machines in question have been switched to use OSPF routing instead. While pfSense is smart enough to route to the internet this way, the previous entry as defined in Firewall / Rules / Floating no longer has an external gateway! The effective gateway is dynamically determined via OSPF.
While I do know the specific ip addresses that CAN be used (ie. the ospf peers we've created elsewhere), I cannot pick simply the 'Default' despite the description:
"Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing.
Gateway selection is not valid for "IPV4+IPV6" address family."
Choosing that 'default' option and trying to save gives the error:
The following input errors were detected:
Please select a gateway, normally the interface selected gateway, so the limiters work correctly
What can I do to rectify? Surely I'm not the only one needing to both use ospf for routing AND limit speed?
Hi everyone, I started working with pfSense recently, but I'm trying to integrate it with Grafana or another application so I can view the access logs of each IP to see what each one is accessing. I made a roadmap and was using these programs: 'Squid, rsyslog, Elasticsearch, Grafana, Logstash, and Kibana.' However, I'm lost trying to integrate all of them together and pull the pfSense logs into Grafana. Just one more thing, I'll be creating some dashboards for the things I want to analyze. Can anyone help me, please?
Hi everyone, I’m facing an issue with my network setup where my Ubuntu desktop cannot access the internet. Here’s a quick overview of my setup and what I’ve tried so far:
Network Setup:
• pfSense is configured as my firewall/router.
• LAN interface: 172.17.0.1/24
• NAT and firewall rules seem correct.
• My Ubuntu desktop is connected to the LAN with:
• IP: 172.17.0.100
• Gateway: 172.17.0.1
• DNS: 8.8.8.8
What works:
• I can ping 8.8.8.8 from the Ubuntu desktop without any packet loss.
• I can ping 172.17.0.1 (the pfSense gateway) without any issues.
• I can also ping 8.8.8.8 directly from pfSense.
What doesn’t work:
• I cannot ping domain names from the Ubuntu desktop.
• DNS resolution fails, even though I’ve configured 8.8.8.8 as the DNS server.
What I’ve tried:
1. Flushed DNS cache on Ubuntu.
2. Edited /etc/resolv.conf to set nameserver 8.8.8.8 manually.
3. Disabled systemd-resolved and reconfigured DNS settings.
4. Checked pfSense NAT and firewall
5. Verified that DNS settings in Ubuntu’s network manager are set to 8.8.8.8.
Despite these efforts, the issue persists. It seems like DNS queries from the Ubuntu desktop aren’t being processed correctly, but I’m unsure if the problem lies with the desktop, pfSense, or a combination of both.
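When ping to 8.8.8.8 succeeds but name resolution fails, the path that needs testing is UDP/53 itself rather than ICMP, because a block or redirect rule for port 53 on the firewall leaves ping untouched. The following is an added example (not pfSense code, not the poster's setup) that builds a DNS query in wire format, sends it to a chosen server and reports the response code, together with a matching response builder so the parser can be exercised offline. example.com and 192.0.2.1 are placeholders. A TIMEOUT points at the firewall or NAT path (for instance a port-53 redirect or block on pfSense), whereas REFUSED means a resolver answered but would not serve this client.

```python
"""Minimal DNS/UDP probe: query builder, response parser and a constructed response (added example)."""
import random
import socket
import struct

RCODES = {0: 'NOERROR', 1: 'FORMERR', 2: 'SERVFAIL', 3: 'NXDOMAIN', 5: 'REFUSED'}


def encode_name(name):
    """'example.com' -> length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip('.').split('.')
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'


def build_query(name, txid, qtype=1):
    """12-byte header with RD set, one question of class IN (qtype 1 = A)."""
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack('!HH', qtype, 1)


def build_response(query, rcode=0, addresses=()):
    """Answer `query` the way a resolver would: echo the question, set QR/RD/RA,
    append one A record per address (constructed data for offline use)."""
    txid = struct.unpack('!H', query[:2])[0]
    question = query[12:]
    header = struct.pack('!HHHHHH', txid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    answers = b''.join(b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, 300, 4) + socket.inet_aton(a)
                       for a in addresses)            # 0xc00c = pointer to the question name
    return header + question + answers


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data, expected_txid=None):
    """Extract the RCODE and any A-record addresses from a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack('!HHHHHH', data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError('transaction id mismatch')
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # skip QTYPE and QCLASS
    addresses = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack('!HHIH', data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {'rcode': RCODES.get(flags & 0xF, str(flags & 0xF)), 'addresses': addresses}


def probe(server='8.8.8.8', name='example.com', timeout=2.0):
    """Send one UDP/53 query; this exercises exactly the path ping does not."""
    txid = random.randrange(1, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return {'rcode': 'TIMEOUT', 'addresses': []}   # dropped, blocked or redirected to nothing
    finally:
        sock.close()
    return parse_response(data, txid)


if __name__ == '__main__':
    print(probe())                          # on the Ubuntu desktop, run against 8.8.8.8
    print(probe(server='172.17.0.1'))       # and against the pfSense LAN address
```

Run it from the desktop against the external server and against the pfSense LAN address: if 8.8.8.8 times out while 172.17.0.1 answers, the firewall is intercepting or blocking outbound port 53; if both answer but the system still cannot resolve, the fault is on the desktop's resolver configuration rather than on pfSense.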
hi,
I've read often that "pfBlockerNG can do the same as AGH, it is all about the lists". Now I'm running AGH and on my test pages I get 99%/98% and 92 points. I thought I'd copy all the lists from the AGH config YAML to a pfBlockerNG group and switch off AGH. The result is <80% with pfBlocker.
Where does this serious difference come from? I should add that pfBlocker also has more lists active.
thx
I have a couple of different tunnels set up with IPSec in host-to-host config, which all run stable and without obvious problems.
When I add a new tunnel phase1 (con10), all other phase1's stay connected, but as soon as I drop the con5 connection and try to re-establish it, it keeps on attempting to connect, but never succeeds. I can drop any other tunnel and it will immediately reconnect on the first try, but the last one previously added does not connect again.
If I disable the new con10 phase 1, then I can reconnect the con5 tunnel.
I have put the ipsec.log here.
It records what happens when I do the following:
BTW: Where is a disabled ipsec tunnel's config stored? Even a grep of the content of the pfSense is unable to locate it?? When I enable the tunnel it's added to /var/etc/ipsec/swanctl.conf, but from where?
The config of both con5 and con10 are below:
con5 {
    # P1 (ikeid 5): Client5
    fragmentation = yes
    unique = replace
    version = 2
    proposals = aes256-sha256-modp2048
    dpd_delay = 10s
    rekey_time = 25920s
    reauth_time = 0s
    over_time = 2880s
    rand_time = 2880s
    encap = no
    mobike = no
    local_addrs = 197.214.xxx.yyy
    remote_addrs = 196.250.xxx.yyy
    local {
        id = 197.214.xxx.yyy
        auth = psk
    }
    remote {
        id = %any
        auth = psk
    }
    children {
        con5 {
            # P2 (reqid 3): RC01 network
            mode = tunnel
            policies = yes
            life_time = 3600s
            rekey_time = 3240s
            rand_time = 360s
            start_action = trap
            remote_ts = 192.168.0.0/24
            local_ts = 192.168.152.0/29
            esp_proposals = aes256-sha256-modp2048
            dpd_action = trap
        }
    }
}
con10 {
    # P1 (ikeid 10): Client10
    fragmentation = yes
    unique = replace
    version = 2
    proposals = aes256gcm128-sha256-modp2048,aes256-sha256-modp2048
    dpd_delay = 10s
    rekey_time = 25920s
    reauth_time = 0s
    over_time = 2880s
    rand_time = 2880s
    encap = no
    mobike = no
    local_addrs = 197.214.xxx.yyy
    remote_addrs = 165.165.xxx.yyy
    local {
        id = 197.214.xxx.yyy
        auth = psk
    }
    remote {
        id = %any
        auth = psk
    }
}
I'm a student learning to use pfSense. As a project, I was assigned to block access to certain pages for certain groups of users. These users are authenticated by AD on Windows Server 2019.
I have virtual machines for pfSense, Windows Server (as the server and host manager of pfSense) and Windows 10 (to simulate one of the hosts on the network).
I have installed both Squid Proxy and SquidGuard (I know both are not supported anymore, but it's only as part of the assignment). Authentication by AD works, and Squid Proxy also works for all AD users, since it blocks access to any set URL.
On SquidGuard I'm using http://dsi.ut-capitole.fr/blacklists/download/blacklists_for_pfsense.tar.gz as the blacklist.
The issue arises while trying to use the LDAP filter on SquidGuard. If it is deactivated, all users get blocked from any categories stated on the blacklist (so the blacklist and blocking by itself work). However, trying to use the LDAP filter to allow the use of AD groups breaks SquidGuard, making both Group and Common ACLs useless.
Does anyone have a solution to this? I'm especially worried since this seems to have been an issue for quite a long time.
I was just curious if it was just me. Netgate 4200 on pfSense Plus on 24.11 -- Kea is working fine but I just don't see DORA in the logs anymore for clients.
I wasn't sure if intended or a bug. Curious what other see.
Thanks in advance! :)
Does anyone know how I can pass traffic from one firewall to another via a routed IPsec tunnel? I tried using QinQ when the two firewalls were connected directly and it worked, but when I try to do the same thing via IPsec it does nothing. My idea is to pass DHCP traffic from one firewall to the other so I can have the same VLAN on both firewalls. How can I resolve this?
Hi all,
I'm trying to find the best mini-ITX motherboard for my 1U rackmount case. What brand of CPU should I choose: Xeon, Celeron, Atom? I want a low-wattage CPU but the most powerful one for the OS. If the board has 2 NICs, I need PCI Express for a 10G card. I want NVMe or an SD card for the pfSense OS. How much RAM: 8, 16 or 32?
Thx for your help 💪
Hello everyone.
I have a somewhat strange issue with the traffic shaper in pfsense. Current setup is as follows.
I run pfsense on an older Untangle Z4W appliance along with an Aruba Instant On 1830 switch and an Aruba Instant on AP21 access point. I have Comcast Internet 500/25. If I don't have the traffic shaper enabled, I get full speeds on both wired and Wi-Fi. If I enable the traffic shaper in pfsense (right now I have it set to 450 download, 22 upload) I get the exact speeds I set the shaper to on wired devices. However, on Wi-Fi I cannot get greater than 200mbps download and greater than 15 upload. As soon as I disable the shaper the speeds on Wi-Fi go back to normal. So for some reason it seems like having the shaper enabled kills my Wi-Fi speed even worse than wired or what I have set the shaper to. Now I understand I'm not guaranteed to get the exact speeds over Wi-Fi especially, but it seems odd that it is affecting Wi-Fi so drastically. Anyone seen something like this before? Any suggestions on what I could try or check to get speeds more in line to what I set the shaper to be via Wi-Fi?
For the SG-3100 curious: I just upgraded my obsolete SG-3100 from 24.03 to 24.11. So far it seems okay. The release info for 24.11 does not seem to mention the SG-3100 anymore, but I took a chance. In my case, my configuration is pretty "Plain Jane" so I don't need any of the no-longer supported packages like Suricata and Squid.
I set up acme to renew my Let's Encrypt certs, but it stopped working a few months ago.
When I run Issue/Renew, the _acme-challenge DNS record gets created in GoDaddy, but I get an error saying the 'value wasn't set!'
I'm reading through the logs and there is a line that shows response='{"code" : "ACCESS DENIED", "message" : "Authenticated user is not allowed access"}'
Also a "given domain is not registered, or does not have a zone file".
I can't figure out what permission that is, since it created the record without issues in GoDaddy.
Thanks!