pfSense 2.3.3 Released

pfSense 2.3.3, which incorporates several stability and bug fixes, fixes for a handful of security issues, and some new features, has been released. Among the new features are:

  • Several new packages: tinc, cellular, LCDproc, TFTP Server
  • Improved input validation for several functions

You can read about the latest release at the official pfSense blog. You can read the full list of features and changes at the official pfSense documentation site.

pfSense 2.3.1 Update 5 Available

pfSense 2.3.1 update 5 is now available. This version incorporates 2 security fixes and 7 bug fixes.

Timeline for recent pfSense updates:

  • 4-12-2016: pfSense 2.3 released. This incorporated several changes, including a new user interface, the removal of several packages, the removal of Layer 7 (deep packet inspection) classification from the traffic shaper, and the elimination of the Live CD images (pfSense can no longer be run directly from installation media; it must be installed to disk).
  • 5-2-2016: pfSense 2.3 update 1 released.
  • 5-18-2016: pfSense 2.3.1 released, with a total of 103 bug fixes.
  • 5-25-2016: pfSense 2.3.1 update 1 released.
  • 6-16-2016: pfSense 2.3.1 update 5 released.

I will update the download links as soon as possible.


Breaking News: pfSense 2.2.5 Now Available

pfSense 2.2.5 is now available, with a number of bug fixes and some security updates. It is considered a low risk upgrade for those running 2.2.x. For those running 2.1.x and older versions, there are a number of significant changes which may impact you. You can read all about it at the official pfSense blog. I will upload the download links ASAP.

And while I’m writing this, I might as well take the opportunity to promote pfsensesetup.com’s official mailing list. A few dozen readers have already subscribed. I don’t share our mailing list with anyone else, and traffic on the list is limited to one e-newsletter a week summarizing the latest pfSense news. And I’m even sending you a brief pfSense resource guide as an incentive to sign up.

This is also the eleventh anniversary of the pfSense project, so I want to take this opportunity to thank everyone who has worked on the project and who has helped ensure its success. You have made our lives immeasurably better.

I also want to thank everyone who has made purchases through pfsensesetup.com’s Amazon affiliate link. Your purchases help keep the lights on at pfsensesetup.com.

UPDATE: I updated the download page to link to version 2.2.5.

Traffic Shaping in pfSense: Part Seven

Editing traffic shaping settings in pfSense.

After using the shaper wizard, you might find that the rules it generates do not fit your requirements. Fortunately, once the basic rules have been created by the wizard, it should be relatively easy to edit or copy those rules and create custom ones of your own.

The queues are where bandwidth and priorities are actually allocated. Each queue is assigned a priority from 0 to 7; when the link is saturated, higher-numbered queues are served before lower-numbered ones. Each queue is assigned either a hard bandwidth limit or a percentage of the total link speed. Queues can also be given other attributes that control how they behave: for example, they can be configured for low latency, or have a congestion avoidance algorithm (such as RED or ECN) applied. Queues may be changed by navigating to Firewall -> Traffic Shaper and clicking on the By Queues tab, which lists the existing queues.

Editing queues can be a complex task with powerful results. Still, without a thorough understanding of the settings involved, it is probably best to stick with the queues generated by the wizard and alter their settings.

The queue listings changed somewhat in pfSense 2.2. Each queue is listed on the left side of the tab. Clicking on one of them brings up a listing of that queue’s subordinate queues (one for each interface), and clicking on any of those lets you edit its settings. The screen capture at the top of this article shows the settings for one such queue. At the top of the page there is a check box to enable or disable the queue and its children. There are settings for the queue name, the queue priority (0-7), the queue limit in packets, and various scheduler options, plus a field for an optional description. At the bottom of the page are two buttons: “Save“ to save the queue and “Delete this queue“ to delete it. Do not delete a queue that is still referenced by a firewall rule; reassign or remove those rules first, otherwise the ruleset will reference a queue that no longer exists and fail to load.
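As an added illustration (not from the original article or the pfSense project), here is what the queue settings described above look like in the pf.conf ALTQ syntax that pfSense generates from the GUI and writes to /tmp/rules.debug. The interface name em0, the 10 Mb/s link rate, the queue names and the SIP port are assumptions for the example:

```pf
# Added example: CBQ queue hierarchy in FreeBSD pf ALTQ syntax, the form
# pfSense generates from the By Queues editor. Interface em0, the 10 Mb/s
# link rate, queue names and the SIP port are assumptions for the example.
wan = "em0"

# Root queue: the scheduler is attached to the WAN and capped at the real
# upstream rate. Set this slightly below what the ISP delivers, otherwise the
# modem's buffer, not pfSense, decides which packets wait.
altq on $wan cbq bandwidth 10Mb queue { qVoIP, qACK, qDefault, qBulk }

# Child queues: bandwidth as a share of the parent (must not exceed 100%),
# priority 0-7 (higher served first under load), qlimit in packets.
# borrow lets a queue exceed its share when siblings are idle; red/ecn are
# congestion avoidance options; exactly one queue must be marked default.
queue qVoIP    bandwidth 20% priority 7 qlimit 50  cbq(borrow)
queue qACK     bandwidth 20% priority 6            cbq(borrow)
queue qDefault bandwidth 50% priority 3            cbq(default borrow red)
queue qBulk    bandwidth 10% priority 1 qlimit 500 cbq(borrow ecn)

# Filter rules place traffic into queues. With two names, empty TCP ACKs and
# packets with the lowdelay TOS bit go to the second queue.
pass out on $wan proto udp from any to any port 5060 keep state queue qVoIP
pass out on $wan proto tcp from any to any flags S/SA keep state queue (qDefault, qACK)
```

In pfSense you never edit this file by hand: the By Queues editor’s priority, bandwidth, queue limit and scheduler options map onto the priority, bandwidth, qlimit and cbq(...) keywords above, and the Queue field on a firewall rule produces the trailing queue clause. ALTQ only works on interfaces whose FreeBSD driver supports it, so check the driver before spending time on queue tuning.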

External Links:

PF: Packet Queueing and Prioritization at openbsd.org

pfSense Setup HQ Mailing List Launched

In the first two days since I launched the official pfSense mailing list, several readers have already signed up. If you sign up for our mailing list, I’ll send you a brief pfSense resource guide that contains all the essentials on how to get up and running with pfSense.

Also, I want to thank everyone who has made a purchase through this site’s Amazon affiliate link. Your purchases on Amazon (which come from Amazon’s end of the sale and don’t cost you a cent) help keep the lights on here at pfsensesetup.com.

pfSense Multi-WAN Configuration: Part Six

In the previous articles, we covered the basics of multi-WAN configuration with pfSense. In this article, we will cover how to tailor your configuration to your particular needs.

pfSense Multi-WAN: Bandwidth Aggregation and Service Segregation

One of the main reasons for configuring a multi-WAN setup is bandwidth aggregation, which pfSense accomplishes with load balancing. The caveat, though, is that if you have two WAN circuits of X Mbps each, you cannot get 2X of throughput on a single client connection: each individual connection is tied to one specific WAN. This is true of any multi-WAN solution; you cannot aggregate the bandwidth of two Internet connections into a single large pipe without the ISP’s involvement (bonding at both ends). With load balancing, since individual connections are distributed round-robin across the WANs, you can achieve 2X Mbps of total throughput using two X Mbps circuits, just not on a single connection. Applications that open multiple connections, such as many download accelerators, can reach the combined capacity of two or more circuits.

This is the real advantage of load balancing: in networks with numerous machines accessing the Internet, balancing the many internal connections across all the WAN interfaces should get you close to the aggregate throughput.

In some situations, you may have a reliable, high-quality Internet connection that has low bandwidth or high costs for excessive transfers, and another connection that is fast but of lesser quality. In these situations, it may behoove you to segregate services between the two Internet connections by priority. High priority services may include VoIP, traffic destined to a specific network such as an outsourced application provider, or specific protocols used by critical applications, among other options. Low priority traffic can then be defined as any permitted traffic that does not match the high priority list. Set up your policy routing rules so that the high priority traffic (e.g., VoIP) goes out the high-quality connection and the lower priority traffic goes out the lesser-quality connection; rule order matters, since the first matching rule wins.
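The service segregation just described, as an added example in the FreeBSD pf syntax that pfSense builds from LAN firewall rules (this is not code from the article or from pfSense). The interface names, networks, gateway addresses and the VoIP provider address are assumptions:

```pf
# Added example: policy routing for service segregation in FreeBSD pf syntax.
# Interface names, addresses and the VoIP provider address are assumptions.
lan      = "em2"
lan_net  = "192.168.1.0/24"
wan_good = "em0"            # reliable, low-bandwidth or metered circuit
gw_good  = "203.0.113.1"
wan_fast = "em1"            # fast but lower-quality circuit
gw_fast  = "198.51.100.1"
voip_provider = "192.0.2.50"

# Traffic to other local networks must never be policy-routed out a WAN.
pass in quick on $lan from $lan_net to $lan_net

# High priority: anything to the VoIP provider always takes the reliable
# circuit. "quick" ends evaluation here, so the catch-all below never sees it.
pass in quick on $lan route-to ($wan_good $gw_good) proto udp from $lan_net to $voip_provider keep state
pass in quick on $lan route-to ($wan_good $gw_good) proto tcp from $lan_net to $voip_provider flags S/SA keep state

# Low priority: all other permitted traffic leaves via the fast circuit.
# Replacing this single gateway with a round-robin pool over both gateways
# would instead give the bandwidth aggregation described above.
pass in on $lan route-to ($wan_fast $gw_fast) from $lan_net to any keep state
```

In the pfSense GUI this is the same ordering exercise: the rules for the high priority traffic sit above the catch-all on the LAN tab, each with its gateway set under the rule’s advanced options. The local-network rule at the top matters because a catch-all with a gateway set would otherwise push LAN-to-LAN traffic out a WAN.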

External Links:

Network Load Balancing on Wikipedia

pfSense Multi-WAN Configuration: Part Three

Advanced Outbound NAT settings in pfSense 2.2.4.

Some multi-WAN configurations require special workarounds because of limitations in pfSense. This article covers those special cases.

pfSense identifies each WAN by its gateway IP address when it distributes traffic across multiple connections, so two WANs that share the same gateway IP (two modems from the same ISP that both hand out the same gateway address, for example) cannot be told apart. Insert a NAT device between pfSense and all but one of those connections, so that each WAN sees a distinct gateway IP. This is not an elegant solution, but it is a workable one.

Older pfSense releases (1.2.x) could only accommodate one PPPoE or PPTP WAN connection, so OPT WAN interfaces could not use the PPPoE or PPTP WAN types; pfSense 2.x lifted this restriction. If you are on an affected version, or your modem requires it anyway, the best workaround is to terminate PPPoE or PPTP on your modem or another firewall. Most DSL modems can handle PPPoE and either directly assign your public IP to pfSense or give it a private IP and provide NAT. Public IP passthrough is possible on many modems and is the preferred way of doing this, since it avoids double NAT.

pfSense Multi-WAN: NAT Rules

The default NAT rules generated by pfSense translate any traffic leaving the WAN or an OPT WAN interface to that interface’s IP address. In a default two-interface LAN and WAN configuration, pfSense NATs all traffic leaving the WAN interface to the WAN IP address; adding OPT WAN interfaces extends this so that traffic leaving an OPT WAN interface is translated to that interface’s IP address. This happens automatically unless Advanced Outbound NAT (manual outbound NAT) is enabled. The policy routing rules decide which WAN interface a connection leaves on, and the outbound and 1:1 NAT rules specify how it is translated there. If you require Advanced Outbound NAT with multi-WAN, you must configure outbound NAT rules for every WAN interface yourself; a WAN with no matching rule will send traffic out with its untranslated private source address, which will not get replies.

When using port forwards with multiple WANs, keep in mind that each port forward applies to a single WAN interface. A given port can be opened on multiple WAN interfaces by creating multiple port forward entries, one per WAN interface. The easiest way is to add the port forward on the first WAN, then click the plus button to the right of that entry to create a copy based on it, change the interface to the desired WAN interface, and press Save.

1:1 NAT entries are specific to a single WAN interface. Internal systems can be configured with a 1:1 NAT entry on each WAN interface, or a 1:1 entry on one or more WAN interfaces and use the default outbound NAT on others. Where 1:1 entries are configured, they always override any other Outbound NAT configuration for the specific interface where the 1:1 entry is configured.
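How the three kinds of rules described in this article fit together, as an added example in the FreeBSD pf syntax that pfSense generates (not code from the article or from pfSense). Interface names, networks, gateway and public addresses and the internal hosts are assumptions:

```pf
# Added example: multi-WAN NAT in FreeBSD pf syntax. All names and addresses
# below are assumptions for the example, not from the article.
lan      = "em2"
lan_net  = "192.168.1.0/24"
wan      = "em0"
wan_gw   = "203.0.113.1"
opt1     = "em1"
opt1_gw  = "198.51.100.1"
webhost  = "192.168.1.10"
mailhost = "192.168.1.20"

# Outbound NAT, one rule per WAN: traffic leaving each WAN is translated to
# that interface's own address. This is what the automatic rules do; with
# manual outbound NAT you must write one of these for every WAN yourself.
nat on $wan  from $lan_net to any -> ($wan)
nat on $opt1 from $lan_net to any -> ($opt1)

# 1:1 NAT for the mail host on WAN only. binat is bidirectional and takes
# precedence over the nat rule above for this host on this interface; on OPT1
# the mail host still falls back to the outbound nat rule. 203.0.113.20 must
# be routed to and answered on the WAN (a Virtual IP in pfSense).
binat on $wan from $mailhost to any -> 203.0.113.20

# Port forward: an rdr rule matches one interface, so each WAN needs its own.
rdr on $wan  proto tcp from any to ($wan)  port 443 -> $webhost port 443
rdr on $opt1 proto tcp from any to ($opt1) port 443 -> $webhost port 443

# Policy routing picks the WAN; the translations above then apply on whichever
# interface the connection leaves. round-robin spreads new connections over
# both gateways and the state keeps each connection on the WAN it started on.
pass in quick on $lan from $lan_net to $lan_net
pass in on $lan route-to { ($wan $wan_gw), ($opt1 $opt1_gw) } round-robin from $lan_net to any keep state

# Filter rules see the translated destination. reply-to sends the replies back
# out the gateway of the WAN the connection arrived on, so a forward on OPT1
# does not answer via WAN.
pass in on $wan  reply-to ($wan $wan_gw)   proto tcp from any to $webhost port 443 keep state
pass in on $opt1 reply-to ($opt1 $opt1_gw) proto tcp from any to $webhost port 443 keep state
```

pfSense adds the reply-to clauses to WAN rules on its own when multiple gateways exist; they are what makes a port forward on an OPT WAN usable at all, since without them the reply would follow the default route.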

External Links:

Network Load Balancing on Wikipedia

pfSense Multi-WAN Configuration: Part One

pfSense incorporates the ability to set up multiple WAN interfaces (multi-WAN), which lets you use several Internet connections at once. This in turn enables higher uptime and greater aggregate throughput (for example, with one 1.5 Mbps connection and a second 2.5 Mbps connection, the total bandwidth available across all clients in a multi-WAN setup would be 4 Mbps, though no single connection can exceed the speed of the WAN it is assigned to). It has been reported that some pfSense deployments have used as many as 12 WAN connections, and pfSense may scale even higher than that with the right hardware.

Any additional WAN interfaces are referred to as OPT WAN interfaces. In what follows, WAN refers to the primary WAN interface and OPT WAN to any additional WAN interfaces.

There are several factors to consider in a multi-WAN deployment. First, use different cabling paths, so that multiple Internet connections are not subject to the same cable cut. If one connection comes in over a copper pair, choose a secondary connection that uses a different type and path of cabling. In most cases, you cannot rely on two or more connections of the same type to provide redundancy. Additional connections from the same provider are typically a solution only for additional bandwidth; the redundancy they provide is minimal at best.

Another consideration is the path from your connection to the Internet. With larger providers, two different types of connections traverse significantly different networks until they reach the core of the provider’s network. These core components are generally designed with high redundancy, and problems there are addressed quickly, since they have widespread effects.

In older pfSense releases (before 2.0), whether a gateway is marked down is determined by the following ping command:

ping -t 5 -oqc 5 -i 0.7 [IP ADDRESS]

In other words, pfSense sends 5 pings (-c 5) to your monitor IP, waiting 0.7 seconds between each (-i 0.7). It waits up to 5 seconds (-t 5) for a response, suppresses per-packet output (-q), and exits successfully as soon as one reply is received (-o). This detects nearly all hard failures and is not overly sensitive. Since it succeeds with 80 percent packet loss, it is possible for a connection to be experiencing so much packet loss that it is unusable yet not be marked down. Making the check stricter, however, would result in false positives and flapping. pfSense 2.x replaced this one-shot check with a dedicated gateway monitoring daemon (apinger through 2.2, dpinger from 2.3) that probes the monitor IP continuously; its packet loss and latency thresholds, probe interval and monitor IP are configurable per gateway under System -> Routing, which is what lets you close exactly this gap for a lossy but technically reachable circuit.

In the next article, we’ll cover WAN interface configuration in a multi-WAN setup.

External Links:

Network Load Balancing on Wikipedia

Breaking News: pfSense 2.2.4 Released

pfSense 2.2.4 has been released, incorporating multiple security and bug fixes. Some things you should know about this upgrade:

  • You can upgrade from any previous version straight to 2.2.4.
  • It is considered a low risk upgrade.
  • It is considered a high priority upgrade for users of IPsec on 2.2.x.
  • For users of 2.1.x and earlier versions, there are a number of significant changes which may impact you.
  • You can read all about it at the official pfSense blog. I will update the download links on the download page ASAP.

Reader’s Mailbag: 1-7-2015

I received an e-mail from a reader stating that even though he had an internet connection, he could not access the internet through his pfSense firewall. It occurred to me that there might be several reasons why this might be the case:

  • pfSense’s WAN interface isn’t connected to the uplink/modem.
  • The local network isn’t connected to pfSense’s LAN interface.
  • The WAN and LAN interfaces are set up correctly, but there may be another configuration issue (e.g., traffic between the WAN and LAN is blocked).

I am assuming the user’s setup (when functioning) looks something like this:

	LAN <-> pfSense box  <-> WAN <-> Internet

I advised as a first step to try to ping a server on the internet. If this is successful, then at a minimum, we know the WAN interface is set up correctly. If not, then we have a WAN configuration issue, which could be one of the following:

  • The network interface card (NIC) for the WAN interface is broken and needs to be replaced.
  • The WAN interface is functioning, but it is not connected to the internet (usually through a modem).
  • The WAN interface is functioning and is connected to the internet, but it has not been configured properly.

If the WAN interface is set up correctly, then we have other issues to consider. We have internet connectivity and can access the internet from our pfSense box, but not from the LAN. If we can ping another host on the LAN, then the LAN is functioning. If not, then we need to find out why; the issue could be a malfunctioning or misconfigured NIC and/or router or switch.

If we can ping other computers on the LAN, then the problem may still be a configuration issue with the router. We need to make sure the router is pointed towards the LAN; the default gateway address, wherever it is set on your router, needs to be set to pfSense’s LAN address. Also, if you are using your router to do DHCP, you need to make sure this is set up properly as well.

Another possibility is to have your standalone router configured as a wireless access point (WAP). In this case, you still need to make sure the default gateway is the IP address of pfSense’s LAN interface. You also need to make sure the uplink port on the router is connected to pfSense’s LAN interface. Since your router will not be doing DHCP assignment, you need to set up pfSense to do this. You can do this by going to Services -> DHCP server, clicking on the tab for the LAN interface, and clicking on the “Enable DHCP server on LAN interface” checkbox. At a minimum, you will want to define a “Range” for DHCP assignment (make sure it does not conflict with your router IP address or any of the IP addresses for pfSense’s interfaces). Press the “Save” button at the bottom of the page to save the changes.

If we know the router/switch is set up properly and the gateway is pointed towards the pfSense LAN interface, it may be possible that pfSense is somehow blocking traffic between the LAN and WAN. At this point, we probably should check the firewall rules and make sure this is not the case.

I think this should be a good start for anyone trying to troubleshoot a similar connectivity issue, but it is not necessarily an exhaustive guide. If anyone has any further suggestions, I’d love to hear them.

External Links:

The official pfSense site

© 2013 David Zientara. All rights reserved.