pfSense Diagnostics Tools - Network Analysis

pfSense provides a set of network diagnostics tools accessible through the Diagnostics menu in the web interface. These utilities enable connectivity verification, route analysis, packet capture, and inspection of internal firewall state without requiring SSH access. Each tool targets a specific diagnostic aspect - from basic reachability testing to real-time pf state table analysis.

Using these tools in a structured sequence significantly accelerates the identification and resolution of network problems.

Diagnostics Menu Overview

Tool              | Menu Path                       | Purpose
------------------+---------------------------------+------------------------------
Ping              | Diagnostics > Ping              | Host reachability testing
Traceroute        | Diagnostics > Traceroute        | Route analysis to a host
DNS Lookup        | Diagnostics > DNS Lookup        | DNS name resolution
ARP Table         | Diagnostics > ARP Table         | MAC-to-IP address mappings
NDP Table         | Diagnostics > NDP Table         | IPv6 neighbor table
States            | Diagnostics > States            | Firewall state table
pfInfo            | Diagnostics > pfInfo            | pf statistics
pfTop             | Diagnostics > pfTop             | Real-time active connections
Packet Capture    | Diagnostics > Packet Capture    | Packet capture
Command Prompt    | Diagnostics > Command Prompt    | Command and PHP execution
System Activity   | Diagnostics > System Activity   | Processes and load
S.M.A.R.T. Status | Diagnostics > S.M.A.R.T. Status | Disk health

Ping

The ping utility is accessible via Diagnostics > Ping and verifies remote host reachability while respecting pfSense routing and firewall rules.

Parameters

  • Hostname - IP address or domain name of the target host
  • IP Protocol - IPv4 or IPv6
  • Source Address - interface from which ICMP requests are sent. Source selection is critical when diagnosing Multi-WAN and VPN setups: a request sent from the WAN interface and one sent from the LAN interface may follow different routes
  • Maximum number of pings - request count (1, 3, 5, 10)
  • Seconds between pings - interval between requests

Interpreting Results

Output includes round-trip time (RTT) for each request and summary statistics: sent, received, lost, minimum/average/maximum RTT.

Typical scenarios:

Result                                  | Possible Cause
----------------------------------------+-------------------------------------------------------------------
100% packet loss                        | Host unreachable, missing route, ICMP blocked at intermediate node
High RTT (>100 ms on LAN)               | Link congestion, hardware issue
Unstable RTT                            | Losses on intermediate link, QoS issue
Request timeout with occasional replies | ICMP rate limiting on target host

Warning:

When selecting Source Address, note that ping from the WAN interface uses the public IP, while ping from LAN uses the internal address. When diagnosing VPN tunnels, select the interface whose IP address belongs to the tunnel address space.

Traceroute

The traceroute utility is accessible via Diagnostics > Traceroute and displays the packet path to the target host, showing each intermediate node.

Parameters

  • Hostname - IP address or domain name
  • IP Protocol - IPv4 or IPv6
  • Source Address - source interface
  • Maximum number of hops - maximum trace depth (default 18)
  • Reverse Resolve IP - reverse DNS resolution for intermediate node IP addresses
  • Use ICMP - use ICMP instead of UDP (some hosts block UDP probes)

Interpreting Results

Each output line contains the hop number, IP address (or hostname), and three RTT values. An asterisk (*) indicates no response from that node.

Typical patterns:

  • All hops visible - route is fully traceable, problem is at the target host
  • Asterisks starting from a specific hop - traffic is blocked at or beyond that node
  • Sudden RTT increase at a specific hop - link congestion between that node and the previous one
  • Inconsistent route - asymmetric routing or load balancing

DNS Lookup

This utility is accessible via Diagnostics > DNS Lookup and performs DNS name resolution using the DNS servers configured in pfSense.

Parameters

  • Hostname - domain name to resolve

Results

Output includes:

  • Resolved IP addresses (A/AAAA records)
  • DNS server that answered the query
  • Resolution time
  • Reverse DNS query results (PTR) for the resolved IP addresses

This tool is useful for verifying correct operation of the DNS Resolver (Unbound) or DNS Forwarder (dnsmasq) configured in pfSense. If results differ from expectations, check DNS settings in System > General Setup and the DNS Resolver configuration in Services > DNS Resolver.

ARP Table

The ARP table is accessible via Diagnostics > ARP Table and displays mappings between IP addresses and MAC addresses of devices on the local network.

Displayed Fields

Field       | Description
------------+--------------------------------------------------------
Interface   | Interface through which the device was discovered
IP Address  | IPv4 address of the device
MAC Address | MAC address of the device
Hostname    | Hostname (if resolved via DNS/DHCP)
Status      | Entry state: permanent, reachable, stale, expired
Link Type   | Connection type: ethernet

Use Cases

  • Detecting IP conflicts - two different MAC addresses for the same IP indicate a conflict
  • Device identification - determining a device MAC address by its IP (or vice versa) to match it to specific hardware
  • ARP spoofing detection - anomalous entries (for example, the gateway IP suddenly mapped to a different MAC than before, or one MAC claiming several IPs) may indicate a MITM attack
  • L2 connectivity verification - absence of an entry for a host in the same subnet indicates a data link layer problem

NDP Table

The NDP (Neighbor Discovery Protocol) table is accessible via Diagnostics > NDP Table and serves the same function for IPv6 as ARP does for IPv4 - displaying mappings between IPv6 addresses and MAC addresses of neighboring devices.

Displayed fields are analogous to the ARP Table: interface, IPv6 address, MAC address, hostname, and state.

State Table

The state table is accessible via Diagnostics > States and displays all current connections tracked by the pf firewall.

Displayed Fields

Field       | Description
------------+-----------------------------------------------------------
Interface   | Interface where the state was created
Protocol    | Protocol: TCP, UDP, ICMP, etc.
Source      | Source address and port
Destination | Destination address and port
State       | Connection state (for TCP: ESTABLISHED, TIME_WAIT, etc.)
Packets     | Number of transmitted packets
Bytes       | Volume of transmitted data
Age         | Entry lifetime
Expires in  | Time until entry removal

Filtering States

The page provides a search field for filtering by IP address, port, or protocol. This enables quick location of all connections from a specific host or all connections to a particular port.

Removing States

Individual states can be removed using the button in the entry row. Bulk state removal is performed via Diagnostics > States > Reset States. Removing a state forcibly terminates the connection - the client will need to establish a new one.

Warning:

Mass state reset terminates all active connections through the firewall. This operation should only be performed when necessary - for example, after changing NAT rules when old states contain outdated translations.

Use Cases

  • Connection troubleshooting - verifying the presence or absence of an expected state
  • Anomaly detection - a large number of states from a single IP may indicate scanning or an attack
  • VPN monitoring - verifying traffic passage through a VPN tunnel
  • NAT analysis - verifying correct address translation
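The anomaly-detection and NAT-analysis use cases above can be scripted against `pfctl -ss`, the command-line form of the States page. This is an added example, not pfSense's own code; the state lines are constructed with documentation addresses, and the threshold is a review value, not a pf limit.

```shell
#!/bin/sh
# Added example (not pfSense's own code): summarise `pfctl -ss` output per
# originating host. A host holding far more states than its peers is the
# "scanning or attack" signal named above; the parenthesised address is the
# pre-NAT source that pf recorded, which is what NAT analysis compares.

# Constructed sample of `pfctl -ss` output (documentation addresses, not a real
# firewall). 192.168.1.50 is opening half-open connections to consecutive ports.
SAMPLE_STATES='all tcp 203.0.113.5:50001 (192.168.1.50:50001) -> 198.51.100.10:22 SYN_SENT:CLOSED
all tcp 203.0.113.5:50002 (192.168.1.50:50002) -> 198.51.100.10:23 SYN_SENT:CLOSED
all tcp 203.0.113.5:50003 (192.168.1.50:50003) -> 198.51.100.10:25 SYN_SENT:CLOSED
all tcp 203.0.113.5:50004 (192.168.1.50:50004) -> 198.51.100.10:80 SYN_SENT:CLOSED
all tcp 203.0.113.5:51000 (192.168.1.20:51000) -> 198.51.100.10:443 ESTABLISHED:ESTABLISHED
all udp 203.0.113.5:40000 (192.168.1.20:40000) -> 198.51.100.53:53 MULTIPLE:SINGLE
all tcp 192.168.1.1:22 <- 192.168.1.20:52000 ESTABLISHED:ESTABLISHED
all tcp 2001:db8::1[443] <- 2001:db8:1::20[60000] ESTABLISHED:ESTABLISHED'

# Read pfctl -ss lines on stdin; print "<state count> <originating host>",
# most states first. For "->" states the originator is the left endpoint
# (its pre-NAT address when shown in parentheses); for "<-" states it is the
# right endpoint. pf prints ports as addr:port for IPv4 and addr[port] for IPv6.
states_per_source() {
  awk '
    { arrow = 0
      for (i = 3; i <= NF; i++) if ($i == "->" || $i == "<-") { arrow = i; break }
      if (!arrow) next
      if ($arrow == "->") { src = $3; if ($4 ~ /^\(/) src = substr($4, 2, length($4) - 2) }
      else src = $(arrow + 1)
      if (src ~ /\[/) sub(/\[[0-9]+\]$/, "", src); else sub(/:[0-9]+$/, "", src)
      n[src]++ }
    END { for (h in n) print n[h], h }' | sort -rn
}

# Print hosts holding more than $1 states (a review threshold, not a pf limit).
busy_sources() {
  states_per_source | awk -v t="$1" '$1 > t { print $2 }'
}

# Demo on the constructed sample; on a firewall: pfctl -ss | states_per_source
printf '%s\n' "$SAMPLE_STATES" | states_per_source
printf '%s\n' "$SAMPLE_STATES" | busy_sources 3
```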

pfInfo

The pfInfo page is accessible via Diagnostics > pfInfo and displays comprehensive statistics for the pf (packet filter) subsystem.

Displayed Data

  • State Table - current and maximum state table entry count, utilization percentage
  • Counters - packet counters: match, bad-offset, fragment, short, normalize, memory, bad-timestamp, congestion, ip-option, proto-cksum, state-mismatch, state-insert, state-limit, src-limit, synproxy
  • Source Tracking Table - source tracking entry count
  • Limits - configured limits: states, src-nodes, frags, tables, table-entries
  • Timeouts - timeouts for various protocols and states

Use Cases

  • State table fill monitoring - approaching the maximum causes new connections to be dropped
  • Anomaly detection - high values for bad-offset, fragment, or state-mismatch indicate problems or attacks
  • Capacity planning - analyzing peak values to adjust limits in System > Advanced > Firewall & NAT
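The fill-monitoring and counter checks above, scripted against `pfctl -si` and `pfctl -sm` (the data the pfInfo page renders). This is an added example, not pfSense's own code; the `pfctl` output it parses is constructed and abridged, and the 80% warning level is an assumed review threshold.

```shell
#!/bin/sh
# Added example (not pfSense's own code): the pfInfo checks scripted against
# `pfctl -si` (state table and counters) and `pfctl -sm` (hard limits).

# Abridged, constructed `pfctl -si` output; counter names are pf's own.
PF_INFO='Status: Enabled for 3 days 04:12:09           Debug: Urgent
State Table                          Total             Rate
  current entries                    87412
  searches                       912345678         3456.0/s
Counters
  match                            2345678            8.9/s
  bad-offset                             0            0.0/s
  fragment                            1842            0.0/s
  short                                  0            0.0/s
  state-mismatch                     25310            0.1/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s'
# Constructed `pfctl -sm` output (the limits set under System > Advanced > Firewall & NAT).
PF_LIMITS='states        hard limit   100000
src-nodes     hard limit   100000
frags         hard limit     5000
table-entries hard limit   200000'

# Percentage of the state table in use. $1 = pfctl -si text, $2 = pfctl -sm text.
state_table_pct() {
  cur=$(printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3 }')
  max=$(printf '%s\n' "$2" | awk '$1 == "states" { print $NF }')
  echo $(( cur * 100 / max ))
}

# Counters the text treats as trouble signs, printed as "name value" when
# non-zero. $1 = pfctl -si text. Only the Counters section is scanned.
suspicious_counters() {
  printf '%s\n' "$1" | awk '
    /^Counters/ { in_counters = 1; next }
    /^[^ ]/ { in_counters = 0 }   # next unindented heading ends the section
    in_counters && $1 ~ /^(bad-offset|fragment|short|memory|state-mismatch|state-limit)$/ && $2 > 0 { print $1, $2 }'
}

# Demo on the constructed data; on a firewall: state_table_pct "$(pfctl -si)" "$(pfctl -sm)"
pct=$(state_table_pct "$PF_INFO" "$PF_LIMITS")
if [ "$pct" -ge 80 ]; then
  echo "WARNING: state table ${pct}% full; new connections are dropped at 100%"
fi
suspicious_counters "$PF_INFO"
```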

pfTop

The pfTop utility is accessible via Diagnostics > pfTop and displays the firewall state table in real time, similar to the top utility for processes.

Display Modes

pfTop supports several sorting and display modes:

  • Default - all states sorted by byte count
  • Long - extended format with additional fields
  • Queue - Traffic Shaper queue display
  • Rules - firewall rule statistics
  • Size - sorted by data volume transferred
  • Speed - sorted by current transfer rate
  • State - sorted by connection state
  • Time - sorted by entry lifetime

Use Cases

  • Identifying bandwidth consumers - sorting by Speed or Size reveals hosts with the highest traffic
  • Real-time monitoring - observing active connections during diagnostics
  • Rule analysis - Rules mode shows which rules process the most traffic

Packet Capture

The packet capture tool is accessible via Diagnostics > Packet Capture and enables recording network traffic for subsequent analysis. The functionality is based on the tcpdump utility.

Capture Parameters

Parameter       | Description
----------------+-----------------------------------------------------------------------
Interface       | Network interface for capture (WAN, LAN, OPTx, VPN)
Promiscuous     | Capture all packets on the interface (not just those addressed to pfSense)
Address Family  | IPv4, IPv6, or both
Protocol        | Protocol filter: Any, ICMP, TCP, UDP, ARP, CARP, etc.
Host Address    | IP address filter (source or destination)
Port            | Port filter (source or destination)
Packet Length   | Maximum captured packet length (snaplen)
Count           | Number of packets to capture (0 - unlimited)
Level of Detail | Output detail level: Normal, Medium, High, Full

Performing a Capture

  1. Configure filter parameters
  2. Click Start to begin capture
  3. Reproduce the problematic traffic
  4. Click Stop to end capture
  5. Review results directly on the page or download the pcap file

Downloading pcap Files

After stopping the capture, the pcap file is available for download via a link on the page. The file can be opened in Wireshark for detailed analysis using display filters, TCP stream following, and application layer protocol decoding.

Capture Recommendations

  • Specify the narrowest possible filters (host, port, protocol) to reduce data volume
  • Set a reasonable Count limit to prevent memory overflow
  • For NAT diagnostics, perform captures simultaneously on WAN and LAN interfaces (in two browser tabs) to compare addresses before and after translation
  • For VPN diagnostics, capture traffic on the physical interface (encrypted) and on the virtual tunnel interface (decrypted)
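The simultaneous WAN/LAN capture recommended above, expressed as the tcpdump invocation the Packet Capture page wraps. This is an added example, not pfSense's own code; the interface names (em0 as WAN, em1 as LAN) and addresses are assumed, and the point it adds is that the internal host address is not a usable filter on the WAN side after outbound NAT.

```shell
#!/bin/sh
# Added example (not pfSense's own code): tcpdump equivalent of the
# "capture on WAN and LAN at once" NAT recommendation. The GUI fields map
# onto the same BPF filter syntax. Interface names and addresses are assumed.

# LAN side: both endpoints are still visible, so filter on the internal host.
lan_filter() {  # $1 internal host, $2 remote host, $3 remote port
  printf 'host %s and host %s and port %s' "$1" "$2" "$3"
}

# WAN side: outbound NAT has already rewritten the internal source to the WAN
# address, so "host <internal>" would match nothing here. Anchor on the remote
# host and port instead. Line the two captures up by timestamp and payload:
# pfSense outbound NAT also rewrites the source port unless Static Port is set.
wan_filter() {  # $1 remote host, $2 remote port
  printf 'host %s and port %s' "$1" "$2"
}

# Start both captures concurrently, as two Packet Capture tabs would.
# -s 0 = full snaplen (Packet Length 0), -c = Count (bounds memory), -n = no DNS.
# $1 WAN if, $2 LAN if, $3 internal host, $4 remote host, $5 port, $6 count
dual_capture() {
  command -v tcpdump >/dev/null 2>&1 || { echo "tcpdump not found" >&2; return 2; }
  tcpdump -n -i "$1" -s 0 -c "$6" -w "/tmp/wan-$4-$5.pcap" "$(wan_filter "$4" "$5")" &
  tcpdump -n -i "$2" -s 0 -c "$6" -w "/tmp/lan-$3-$5.pcap" "$(lan_filter "$3" "$4" "$5")" &
  wait   # returns once both captures reach Count; compare the two pcaps in Wireshark
}

# Example invocation (only meaningful on the firewall itself, where tcpdump exists):
# dual_capture em0 em1 192.168.1.10 198.51.100.10 443 200
```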

Command Prompt

This page is accessible via Diagnostics > Command Prompt and provides the ability to execute operating system commands and PHP code directly from the web interface.

Shell Command Execution

The Execute Shell Command field allows running any FreeBSD command:

# CPU load summary: batch mode, one pass; head keeps the header lines
top -b -n 1 | head -5

# View the routing table (numeric, no DNS lookups)
netstat -rn

# Check network interfaces
ifconfig -a

# View the loaded pf filter rules
pfctl -sr

# List listening sockets and the processes that own them
sockstat -l

PHP Command Execution

The Execute PHP Command field allows running PHP code with access to the pfSense internal API. This is used for configuration debugging and operations not available through the standard interface.

Warning:

Command Prompt provides full system access with root privileges. Incorrect commands can render the system inoperable. This tool should only be used when necessary and with a clear understanding of the actions being performed.

File Upload and Download

The page also provides file upload and download functionality. This is useful for transferring configuration files, scripts, or diagnostic results.

System Activity

This page is accessible via Diagnostics > System Activity and displays the output of the top utility - a list of processes sorted by resource consumption.

Displayed Data

  • Load Averages - average load over 1, 5, and 15 minutes
  • CPU Usage - CPU consumption by category (user, system, interrupt, idle)
  • Memory Usage - RAM utilization
  • Swap Usage - swap space utilization
  • Process List - process list with PID, user, priority, CPU and memory consumption

Use Cases

  • Identifying resource-intensive processes - determining processes creating excessive load
  • Diagnosing hangs - checking process states (running, sleeping, zombie)
  • Memory monitoring - monitoring swap usage (active swap usage indicates insufficient RAM)

S.M.A.R.T. Status

This page is accessible via Diagnostics > S.M.A.R.T. Status and displays S.M.A.R.T. (Self-Monitoring, Analysis and Reporting Technology) diagnostic data for hard drives and SSDs.

Available Tests

  • Info - general disk information: model, serial number, firmware, capacity
  • Health - overall disk health assessment (PASSED/FAILED)
  • SMART Attributes - detailed attributes: temperature, reallocated sector count, power-on hours, power cycle count
  • Logs - error log and previous test results
  • Short/Long Self-Test - initiate disk self-diagnostics

Regular S.M.A.R.T. checks enable detection of disk degradation before complete failure.

Troubleshooting Methodology

A systematic approach to diagnosing network problems in pfSense:

Step 1: Identify Symptoms

Determine the nature of the problem: complete connectivity loss, performance degradation, intermittent failures, or a specific service issue.

Step 2: Verify Basic Connectivity

  1. Ping the gateway from pfSense - verifies WAN connection functionality
  2. Ping the target host from pfSense - verifies routing
  3. DNS Lookup - verifies name resolution

Step 3: Analyze the Route

  1. Traceroute to the target host - identifies the route break point
  2. Select the correct Source Address to verify routing through a specific interface

Step 4: Check the Firewall

  1. States - verify the presence or absence of a state entry for the problematic connection
  2. System Logs (Firewall) - check whether traffic is being blocked by firewall rules
  3. pfInfo - check whether the state table limit has been reached

Step 5: Deep Analysis

  1. Packet Capture - capture traffic on interfaces for packet-level analysis
  2. pfTop - check active connections in real time
  3. ARP Table - verify address resolution at the data link layer

Step 6: Resource Analysis

  1. System Activity - check CPU and memory load
  2. S.M.A.R.T. - check disk health
  3. Dashboard - assess overall system status
