

Messages - epionier

Messages from the pfSense Team / Re: pfSense 2.4.2-RELEASE Now Available!
« on: November 24, 2017, 10:05:18 am »
I run pfSense on ESXi 6.0 with the latest update. I removed "kern.vty=sc" from /boot/loader.conf.local (I had this VT issue with pfSense 2.4.0).

Then I upgraded via the shell to 2.4.2 and everything is working fine (no VT issue and no framebuffer issue).

So thank you for your work!

One question remains: is pfSense still based on PHP 5.6, and why is it not upgraded to the much faster PHP 7.1.2 or 7.2 (release date 30 November)?

Messages from the pfSense Team / Re: pfSense 2.4.0-RELEASE Now Available!
« on: October 13, 2017, 11:09:52 am »
Thanks for the release and your work!

I got the same boot problem under ESXi 6.0 Update 3a (latest version).

I made a snapshot in advance and reverted the corrupt 2.4 installation that way. I added the line as provided in boot.local.conf, and then the update and boot went fine, but there were some PHP errors / warnings. The second reboot went fine, though, and 2.4 is up and running.

It would be nice if there were a post in the future when this problem is resolved and the line in boot.local.conf can be removed (if this makes a difference).

Traffic Monitoring / Re: ntopng v3.0.0 released
« on: June 22, 2017, 10:26:21 am »
I run pfSense on powerful hardware, but with ntopng I still have the problem that ntopng is not accessible from time to time.

When I try to connect to https://localhost:3000 I often get a connection failure, but the pfSense service page shows that the service is running.

Hope this problem will be solved with 3.0.0, where it says "better FreeBSD support".

Traffic Monitoring / Re: ntopng v3.0.0 released
« on: June 07, 2017, 07:13:15 pm »
Let's hope so, because as far as I can see it is already in the FreeBSD port:

Traffic Monitoring / ntopng v3.0.0 released
« on: June 01, 2017, 11:01:05 am »

The ntopng v3.0.0 release arrived today. It would be nice to get the new version into pfSense in the near future, as there are a lot of useful improvements, like better FreeBSD support:

In case anyone else has this problem: the ACL always_direct just means no caching, but the connection is established via the squid proxy.

The only solution I found is to bypass the proxy within the browser itself. There is an option to enter exceptions for certain sites that are excluded from the proxy. By the way, depending on the configuration of pfSense (e.g. if all internet traffic except squid is blocked), a firewall rule must be added to allow the certain IP to establish a connection to the certain site via a certain port.

Maybe someone will find this helpful.


We are using pfSense in the latest stable version plus the squid package. On the local PCs we are using Firefox with the squid caching proxy enabled for non-SSL, plus SSL filtering (non-transparent mode) via man-in-the-middle filtering. Everything works fine so far, with caching via squid for SSL and non-SSL sites.

We now need a way to exclude squid and establish a direct connection from the PC for certain sites / IPs. In short, we need to bypass the caching proxy for certain sites / IPs.
The reason is that on the PC there is a USB smart card reader and a third-party software component (authentication client software for a connection to a certain website).


We have to go to a certain website like
If we press "Login" on this site, it needs to communicate with the software component on the local PC (which in turn connects to the locally attached smart card reader).
If we visit the website now (with squid) we receive an error with a "connection problem" between the website and the software component.
I have to use another browser that is not connected via squid to get it to work.

So how can we bypass the proxy?

I believe I have to use: Package->Proxy Server->General Settings->General->Advanced Features->Custom ACLs (Before Auth) to enter a custom ACL for always_direct:

But I am not able to figure out what I have to insert in this box.

a) What exactly do I have to enter there?
b) How do I find the needed sites/IPs/ports to exclude? (edit: these should be visible in the "real time" menu of squid)

Maybe someone is much more familiar with this; help is highly appreciated ;D
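The browser-side bypass described in the two squid posts above (the question here and the "exception in the browser itself" answer further up) can be rolled out to every PC as a proxy auto-config (PAC) file instead of hand-typed exceptions. The following PAC file is an added example, not code from the original posts or from the pfSense/squid packages; the proxy address 192.168.1.1:3128 and the hostnames under smartcard-portal.invalid are assumptions standing in for the real LAN address and the smart-card site. It sends everything through squid except the smart-card site, plain intranet hostnames and loopback, which the browser contacts directly so the page can reach the local authentication client.

```javascript
// Proxy auto-config (PAC) file. The browser calls FindProxyForURL() for
// every request and routes it according to the returned string.
// Added example for the squid bypass discussion; addresses and hostnames
// below are assumptions, not values from the original posts.

var SQUID = "PROXY 192.168.1.1:3128"; // assumed pfSense LAN IP and squid port

// Exact hosts that must bypass squid (assumed name of the smart-card site).
var DIRECT_HOSTS = ["login.smartcard-portal.invalid"];

// Whole domains (including subdomains) that must bypass squid.
var DIRECT_SUFFIXES = [".smartcard-portal.invalid"];

// Browsers provide isPlainHostName()/dnsDomainIs() as PAC built-ins; they
// are re-implemented here so the file also runs and tests outside a browser.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  var d = domain.charAt(0) === "." ? domain : "." + domain;
  return host.length > d.length && host.slice(-d.length) === d;
}

function isLoopback(host) {
  return host === "localhost" || host === "127.0.0.1" || host === "::1";
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Intranet names without a dot and loopback never go through the proxy.
  if (isPlainHostName(host) || isLoopback(host)) {
    return "DIRECT";
  }

  // Explicit hosts that must bypass squid.
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (host === DIRECT_HOSTS[i]) {
      return "DIRECT";
    }
  }

  // Domains (and their subdomains) that must bypass squid.
  for (var j = 0; j < DIRECT_SUFFIXES.length; j++) {
    if (dnsDomainIs(host, DIRECT_SUFFIXES[j])) {
      return "DIRECT";
    }
  }

  // Everything else goes through squid. Deliberately no "; DIRECT" fallback:
  // with a fallback the browser would silently bypass SSL filtering whenever
  // squid is unreachable.
  return SQUID;
}
```

The bypassed hosts still need the firewall rule the answer above mentions: if the LAN rules only permit traffic to squid, add a rule allowing the PC to reach the smart-card site on the port it uses, otherwise the DIRECT connection is dropped. Point Firefox at the file via its automatic proxy configuration URL so the same bypass list is maintained in one place.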

Deutsch / Re: Squid issues wrong certificates on some sites
« on: November 24, 2016, 01:16:35 pm »
Have you taken this into account?

"Install the CA certificate as a Trusted Root CA on each computer you want to filter SSL on to avoid SSL error on each connection."

But I assume you have already set that up, since otherwise you should be getting errors in general.

So, step by step:

1. Check that your certificate has the correct pfSense host in "CN".

2. Switch to "Accept Remote Certificate with errors"; that got rid of a few errors for me. The "disadvantage" of this setting follows from its description. Also deselect everything under "Certificate Adapt".

3. Set the accepting interface to your LAN only.

Deutsch / Re: Squid issues wrong certificates on some sites
« on: November 23, 2016, 10:54:41 am »
Using SSL filtering with Squid necessarily means that Squid connects to the web server and its certificate, and your local browser connects to Squid via SSL, so it is correct that the certificate of your Squid server (internal) is shown. The SSL chain is broken by Squid precisely so that the content can be filtered.

However, the pfSense (Squid) certificate you created apparently expired on 11 September, so no connection from Squid to the server can be established; that is what the description says as well.
So you have to create a new certificate with a longer lifetime via the pfSense Cert. Manager. That certificate then has to be selected in Squid's SSL filter settings.

As far as I can tell, we ran into problems with hardware TCP Segmentation Offloading (TSO) enabled, not on the LAN side but on the WAN side (VDSL).
pfSense is installed on an ESXi host as a VM. LAN and WAN are on an Intel i350-T4 card.
With TSO enabled I could not transfer "larger" files anymore, e.g. we could not send e-mails with an attachment via Outlook anymore.

I tried 2.4 Alpha as a test with the latest Hyper-V Server 2016 TP5 as a Gen2 VM with Safe Boot disabled. ISO file:


When I power the VM on it displays the start screen of pfSense, but when I try to install (Multi User and Single User) it loads the kernel for one line and then the VM reboots and is back at the start screen (loop). I tried all options but it will not go further.

How did you manage to get to the partition screen? Do you already have an HDD attached to the VM?

Deutsch / Re: Virtualized pfSense eating CPU?
« on: August 05, 2016, 12:46:28 pm »
I would experiment with the advanced network settings, i.e. TSO, LTO, hardware offloading etc.

Deutsch / Re: Virtualized pfSense eating CPU?
« on: August 04, 2016, 01:32:54 pm »
I am not familiar with KVM and would advise you to switch hypervisors from KVM to the free ESXi 6.0 version, which covers everything for your purposes and is free of charge.

Otherwise I would try not to use passthrough for the LAN ports, but virtualized network cards instead.

On ESXi I use the VmxNet3 drivers instead of the E1000.


We are currently using ESXi 6.0 (without SR-IOV) and want to change to the Hyper-V standalone hypervisor when Server 2016 is released.

I have read a lot about pfSense under Hyper-V, but with respect to SR-IOV some questions remain. We could not use this feature under ESXi 6.0 because the igb driver for the network adapter (Intel i350-T4) does not support SR-IOV.

In pfSense under Hyper-V I will use two non-legacy "NICs" of an Intel i350-T4, one bound to an external "WAN" vSwitch and one to an external "LAN" vSwitch. Management will be excluded from these vSwitches.

When creating the vSwitches, the decision has to be made whether to use SR-IOV or not. So does the current pfSense version support SR-IOV?
According to Intel:
FreeBSD is not listed as a supported guest OS, but there are virtual function drivers for FreeBSD (?)

If it is supported, is any configuration needed in the pfSense settings?

If it is not supported, are there any problems connecting pfSense to a vSwitch with SR-IOV activated (for other Windows guests)?
Edit: This is resolved, because I just saw that SR-IOV has to be activated not only on the vSwitch but also in the network adapter of the VM.

Any help from experienced Hyper-V users would be kindly appreciated.
