I spent a while figuring this out so writing it up for anyone else trying to do the same thing. My setup: AT&T Fiber as primary, Xfinity/Comcast cable as secondary, pfSense with a 4-port NIC. Goals were:

• AT&T handles all normal traffic (faster, unlimited)
• Xfinity handles Xfinity-specific traffic (Stream, etc.)
• Xfinity acts as automatic failover if AT&T goes down
• Xfinity Stream home network check actually works

The Setup

Step 1: Interface Assignment

In Interfaces > Assignments:

• WAN = AT&T Fiber
• OPT1 = Xfinity (rename it to WAN_XFINITY so you don't lose your mind)
• LAN = your internal network Make sure both WANs have gateways configured under System > Routing > Gateways.

Step 2: Gateway Group for Failover

System > Routing > Gateway Groups > Add:

• Name: WAN_Failover
• AT&T gateway: Tier 1
• Xfinity gateway: Tier 2
• Trigger: Packet Loss or High Latency Tier 1 = primary, Tier 2 = failover. Simple.

Step 3: Set Default Gateway

System > Routing > Default Gateway = WAN_Failover (the group, not the raw AT&T gateway directly)

This is important. If you set it to just the AT&T gateway, pfSense won't automatically fail over when AT&T dies. Always use the gateway group.

Step 4: Create the Xfinity IP Alias

Firewall > Aliases > Add:

• Name: Xfinity_Nets
• Type: Network (not Host, not URL Table) Add these Comcast-owned subnets:

​

96.96.0.0/16
96.99.0.0/16
96.104.0.0/16
96.113.0.0/16
96.115.0.0/16
96.118.0.0/16
96.192.0.0/16
162.150.0.0/16

These cover Comcast's streaming infrastructure. The 96.104.0.0/16 range is critical -- it covers the DRM license/home network auth endpoint (more on that below).

Don't bother with URL Table type aliases pointing at xfinity.com or xcal.tv -- those domains either don't have A records or resolve through CNAMEs and pfSense can't build a usable IP table from them.

Step 5: LAN Firewall Rules

Firewall > Rules > LAN -- create these two rules in this exact order:

Rule 1 (top): Route Xfinity traffic via Xfinity WAN

Action: Pass
Protocol: any
Source: LAN net
Destination: Xfinity_Nets alias
Gateway: WAN_XFINITY

Rule 2 (below Rule 1): Everything else via failover group

Action: Pass
Protocol: any
Source: LAN net
Destination: any
Gateway: WAN_Failover

Rule order matters. pfSense is first-match-wins top to bottom. If Rule 2 is on top, everything hits it and nothing routes to Xfinity.

Step 6: Outbound NAT

Use Hybrid mode. pfSense auto-generates NAT rules for both WANs and you don't need to touch anything. Just verify both WAN and WAN_XFINITY appear in the auto-generated rules section.

Verification

Check Xfinity routing is working:

traceroute xfinity.com

Hop 2 should show a comcast.net hostname. If it shows your AT&T gateway instead, your rule order is wrong or the alias isn't populated.

Check the alias table:

Firewall > Diagnostics > Tables > find Xfinity_Nets. All your subnets should be listed. If it's empty, something went wrong with alias creation.

Check interface traffic:

Status > Interfaces > watch WAN_XFINITY packet counters while browsing Xfinity content. They should increment.

The Xfinity Stream Part (This Took Forever)

Xfinity Stream does a home network check via a DRM license server at mds.ccp.xcal.tv. It validates your source IP is a known Xfinity subscriber. This is what returns the "not on home network" error.

The tricky part: mds.ccp.xcal.tv resolves through an AWS ELB hostname but the actual IPs are Comcast-owned (96.104.193.104, 96.104.196.17). So as long as 96.104.0.0/16 is in your alias, the auth request should route correctly through Xfinity.

If you're still getting "not on home network" after all this:

The most likely culprit is a stale DRM token cached in your browser from a previous session. This is especially common if you ever used Stream while connected directly to the Xfinity modem (bypassing pfSense). The cached token is tied to that old session and fails when re-validated.

Fix:

1. Clear cookies and cache for xfinity.com and xcal.tv
2. Use Chrome (handles Widevine DRM better than Safari for this)
3. Sign back in fresh
4. Try Stream again That's what finally fixed it for me after going through every other possibility.

Other things to check if still broken:

• Reset pfSense states after any alias changes: Diagnostics > States > Reset States
• Make sure your Xfinity modem is in bridge mode
• Run a packet capture on WAN_XFINITY while triggering the Stream error and confirm you see traffic to 96.104.x.x -- if you don't, the routing rule isn't matching

Traffic Flow Summary

Xfinity/Comcast IPs  →  Xfinity WAN
Everything else      →  AT&T (primary)
If AT&T goes down    →  Xfinity WAN (automatic failover)

Useful Diagnostic Commands (Mac/Linux)

Check which WAN a connection exits:

traceroute <destination>

Look at hop 2. comcast.net = Xfinity WAN. AT&T gateway IP = AT&T WAN.

Resolve a domain to IPs:

dig <domain> +short

Watch only Comcast-bound traffic:

sudo tcpdump -n -i en0 'net 96.0.0.0/8'

Watch only new connection attempts:

sudo tcpdump -n -i en0 'tcp[tcpflags] & tcp-syn != 0'

Happy to answer questions. The Xfinity Stream part specifically was a rabbit hole -- the HAR file analysis showing the 412 on mds.ccp.xcal.tv with error code 12007 was what finally identified the actual failure point.

Hello everyone,

I could use some help with configuring a new switch i just bought. Its a HP 1910-8g PoE+ (JG350A).

I can access the switch through the HP web gui via a LAN cable which is connected to my PC. Switch default IP is: 169.254.100.171

My PFsense LAN IP is 192.168.3.1

So when i go through the HP web gui wizard, i set a management manual/static IP of lets say: 192.168.3.9, which is outside of my pfsense LAN DHCP address pool. MaskLen i set to:24 and GateWay i set to pfsense LAN (192.168.3.1)

Then when i try to apply and save the changes, it says that "Request times out." And i cant login to the web gui using the new ip or the old one. I dont know what im doing wrong, i just want the switch to work as a simple switch right now. VLANs ill set up later once i get basic internet up and running.

So any help would be greatly appreciated :)

I've been using old PFsense, something like 2.4.X or 2.5.X. I have openvpn remote access (SSL/TLS) installed and with certs in the phones they connect magically onto my private network and onwards to my IPPBX. While this function is not critical but it makes the office phones very useful when you are on the road etc. of course the alternative is soft SIP phones

I've upgraded my PFsense once before and had nightmares with the VPN so I decided to stick with the old version. Recently I had some free time and I thought maybe with the help of an AI..... XD I might get it to work. After tinkering with it a few days, I've pretty much given up. I dont mind paying for a support to fix this but I fear its all pointless as my hardware are so old that I need to revert back to the old version

I hope someone here can give me a pointer or 2 as I've tried with both lowest RSA and SHA1 and it did not work.

Also seems like older pfsense are no longer available for download and if anyone has link to the older version it would be greatly appreciated

I've been using DHCP DDNS since shortly after Kea was released on the platform. I use it to update DHCP entries in Windows DNS. Obviously, it's a bit of a PITA since I have to manually modify config files in /usr/local/etc/kea and have crontab entries to keep them from being overwritten.

Does 26.03 now officially support DHCP DDNS from the GUI?

Setting up a new unit. Initial tests of Kea DHCP seem ok. Has anyone found that it is ready?

Since I'm setting up a new unit I'd rather roll with Kea from the start instead of dealing with any pains of switching later if possible.

Hello,

I realize this is the pfSense community and this is likely a GL.Inet issue, but im hoping somebody with a similar setup could help out. I am having one last hurdle with my remote travel setup that i just can't seem to figure out and was wondering if anybody here had any ideas.

The Plan: To be able to access my home lab while im traveling as if i had never left home.

The Setup: Home firewall runs pfsense and is acting as a wireguard server. GL.Inet Slate7 is acting as a wireguard client.

The Issue: Stateful connections from the Slate7 lan can access the home network. Stateless connections (like DNS queries for example) fail from the Slate7 lan. All connections originating from the home network to the Slate7 network fail.

On pfSense: Wireguard client shows as connected. Allowed IPs set for the Slate7 network. Static route for the Slate7 network has been set to the wireguard gateway. Firewall rules on the wireguard named tunnel are set to Allow Any Any.

On Slate7: On the VPN dashboard the wireguard client is green. On the VPN dashboard it's set so Lan network to subnet for home network is the wireguard config/tunnel. The Allowed IPs for the home network are also set in the WG config. The "Allow remote acces to Lan subnet" is checked. Also IP Masquerading is unchecked. In LuCi under the firewall section I have a entry for wgclient1 to Lan set to Accept, Accept, Accept. There is also an entry for Lan to Wan/wgclient1 set to Accept, Accept, Accept.

I really feel like this has to be a firewall block on the Slate, but i cant seem to figure what else to look for. Does anybody else have any ideas? I feel im so close.

Thanks in advance!

Has anyone been able to create dns entries in the kea dhcp so clients can be pinged by their hostname rather than by its IP?

Since moving to pfsense from DD-WRT, my Roku cannot update. One difference is that I also enabled pfblockerng. If I disable pfblockerng, the Roku updates properly.

I'm not sure how to go about monitoring the Roku's outgoing calls to see which hostname is being blocked that the Roku needs for updates.

How should I best go about trying to determine this hostname?

Thanks

Does the Netgate 2100 have the horrible "single" ethernet switch like the 1100?

I'm still learning so I need some clarification. I have DNS resolver enabled on my pfSense in forwarding mode (upstream servers 9.9.9.9 and 149.112.112.112 ). I also have "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers".

At this point should I redirect client dns requests so that all my local client devices that might query on port 53 are forced to reroute back to my localhost (127.0.0.1) which then forwards the query via TLS through port 853 to quad9 as my upstream server?

Logbook from weeks of fine-tuning pfSense. Weeks, not years, tips welcomed.

I have recently virtualized PFsense on proxmox and it has opened up my other machine for additional uses. So I now have 2 proxmox machines each with 10gb sfp+ ports. However I noticed when I backed up my config and moved to the virtual instance and restored there the naming of the interfaces and available ports made the restore not so smooth. I got it all running as normal but it got me thinking. If one proxmox machine goes down and I have to shift over to using the backup on my other proxmox server il run through the same interface mapping issue again. So how does everyone do this to keep moving PFsense VMs between machines without issues?

Hello Guys,

We are looking for a pfSense expert here in the Philippines who can conduct onsite training for our team.

The goal is to make our guys knowledgeable in pfSense administration, deployment, troubleshooting, and best practices. We also want them to clearly understand the capability differences and gaps between the open-source/community edition and the subscription/commercial features.

Training can be basic to advanced as long as it is hands-on and practical for enterprise environments.

If you are offering this service or can recommend someone, please send me a message. Thanks.

Hi all.

Currently running pfsense ce and have noted that if i have to reboot my syslog server, pfsense stops sending data to it until i go back into syslog settings and disable/re-enable the "send to syslog" setting and hit "apply".,

In the system logs, i can see a "udp send rejected" message when the syslog server gets shut down.

What i want to do is get pfsense to retry every 30 seconds to see if the server is still down, which feels a "sensible" way to do this.

I can't find anywhere to set this behaviour though - any ideas/pointers would be most appreciated!

ta

Hello! I'm relatively new to PF sense but I feel like I have a decent understanding of it at this point with how much troubleshooting I've done, but I really had a wall and nothing I have tried seems to fix it. So here's my situation:

I modified a thinkcentre m73 ( tiny form factor) to have an additional Ethernet port by using one of the built in mini pcie ports so it now has two ethernet ports. When I connect directly to the modem on my laptop I get 600 plus megabits per second and I should be getting 1 gig speeds but that's outside the point. When I plug in my router to my modem, no matter which Port I use, I cannot seem to get more than 100 Mbps when I do a speed test online. I've tried adding a USB ethernet port and for whatever reason that's still also doesn't get more than $100 and I have tried manually changing the speed in the console to 1000 versus 100. I still am not getting good speeds. I've done factory resets in PF. Sense to try and fix it but it feels like no matter what configuration I do with my ethernet ports. My internet speeds are through. My router are just really slow. I would really appreciate any more advice on things I could try or if anyone else's can run into this issue and has a fix. It feels like it is just something related to my router, but my CPU usage doesn't seem to be going more than 2% even when running speed tests.

Edit: I also ordered two different gbps USB ethernet nics and still have the same problem

Things I ruled out: the speed from spectrum because I'm definitely getting more than 100 megabits per second through the modem The ethernet cables My laptops ethernet port I think the ethernet ports themselves are fine since even with a USB port it's still not hitting more than 100mbps at best.

Something strange about the speed tests is it doesn't even hit 100, but it'll hit 60 and build up to generally around 80ish.

I'm on my second go-around with pfSense and I am being plagued with this problem on my iPhone (and my wife's). I found this post from a couple of years ago with the same problem. The solution was to forget the network and rejoin. That worked for me, for about 5 minutes and then the problem returned.

As far as I can tell, this only affects the iPhone devices. My laptop seems to be working ok. There is no problem connecting to other devices on the network.

I am using pfSense 2.7.2 with the standard firewall settings. The only rules I added were for my IP phones (I'm running FreePBX). I have Wireguard installed and that works as advertised.

Some background - The first time around I was on ATT fiber. I put the modem in passthrough mode. I started seeing this issue with the iPhones and thought it might be my Velop mesh system that was screwing things up. Eventually, I went back to using the ATT modem. I replaced the Velop system with a Unifi AP system and that has been rock solid. I do not have any DHCP servers running on the Unifi system. I just switched over to Spectrum fiber (1 gig symmetrical). Their modem is plugged directly into in the pfSense box (actually, a Proxmox server running pfSense as a VM). There is no Spectrum router or wifi involved. All my other (mostly wired) devices are running without any issues.

Any ideas where I should be looking to fix the problem?

I'm aware that PFsense is BSD based, but I'm still curious whether it's still effected by th Copy Fail or Dirty Frag vulnerabilities?

After switching providers, the new one cannot see the MAC on my WAN port. The lights go green, provider can see link, but cannot see MAC, so i cannot get DHCP IP. They tried manually entering my MAC but it still does not work. when I hook up a laptop with the same MAC (cloned) it works.

Please advise!

Looking for a VPN that’s affordable but still reliable for daily use and streaming movies from different regions

Mainly care about decent speeds and not getting spammed with captchas every hour

Any solid recommendations right now?