pfSense Packages

Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

Subcategories

Cache/Proxy

Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

3.7k
Topics

20.6k
Posts

M

@Antibiotic said in Squid error "FATAL: Unknown http_port option 'NO_TLSv1":

$sslproxy_options . = ",NO_TLSv1";

Did you manage to get this working? I just put a new SSD and re-installed and squid is now broken for me - looks like the same error
IDS/IPS

Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

2.2k
Topics

15.6k
Posts

J

It runs alongside pfSense as a package. The logs can be configured by way of the package.
Traffic Monitoring

Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

555
Topics

2.7k
Posts

S

PROTOCOL-DNS Microsoft SMTP excessive answer records buffer overflow attempt

Just Curious what this is and how to stop it in snort, I first thought someone was trying to get in but now I am not so sure as I changed my external IP and it happened straight away
on the new External IP. From what I can gather its something to do with a vunerability in dns but at a loss where to start, if its not an issue then fine but its happening a lot.
pfBlockerNG

Discussions about the pfBlockerNG package

2.5k
Topics

19.1k
Posts

F

@Klaus2314 said in Remove pfblocker settings without package installed?:

OK, bummer. So I basically have to setup the entire firewall from scratch to avoid pfb from starting with the old settings... wow.

Do you have console access when the box is unresponsive?
Make a backup of you config.xml. (preferably on a external medium)
Search in the config.xml for this:
<pfb_keep>on</pfb_keep>
change the "on" to "off"

then on the console:
pkg uninstall pfSense-pkg-pfBlockerNG-3.2.0_8
(I assume you have version 3.2.0_8)

Do it at your own risk - much safe is, even if the GUI is slow, to try do it via the GUI ...
UPS Tools

Discussions about Network UPS Tools and APCUPSD packages for pfSense

88
Topics

2.3k
Posts

P

Can you use the management card's web interface from a workstation?

User guide
ACME

Discussions about the ACME / Let’s Encrypt package for pfSense

478
Topics

2.7k
Posts

K

@tinfoilmatt it looks like I have finally gotten the certificate to pop up but now I am dealing with getting 503 Service Unavailable error. Do you know if this is an HAProxy issue or on the cloudflare side?

Screenshot 2024-12-05 at 12.51.02 PM.png
FRR

Discussions about the FRR Dynamic Routing package on pfSense

281
Topics

1.1k
Posts

P

I am attempting to replace a VyOS device with pfSense version 2.7.2 for a branch location.

Below is the current VyOS configuration for the branch device.
interfaces { ethernet eth0 { address 192.168.178.205/30 description MPLS hw-id 00:90:27:e6:23:78 offload { gro gso sg tso } } ethernet eth1 { address 10.168.120.130/29 description ILL hw-id 00:90:27:e6:23:79 offload { gro gso sg tso } } ethernet eth2 { address 10.168.100.146/28 description LAN hw-id 00:90:27:e6:23:7a offload { gro gso sg tso } } ethernet eth3 { address 172.16.32.1/24 duplex auto hw-id 00:90:27:e6:23:7b offload { gro gso sg tso } speed auto } loopback lo { } wireguard wg100 { address 172.17.0.2/30 description Towards_MPLS peer to-wg_peer { address 10.60.81.131 allowed-ips 0.0.0.0/0 persistent-keepalive 2 port 50000 public-key eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee } private-key yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy } wireguard wg500 { address 172.19.0.2/30 description Towards_ILL peer to-wg_peer { address 1xx.124.117.yyyy allowed-ips 0.0.0.0/0 persistent-keepalive 2 port 55000 public-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx } private-key yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy } } policy { prefix-list Extended_LAN { rule 10 { action permit prefix 10.168.110.0/24 } rule 20 { action permit prefix 10.168.100.0/25 } rule 30 { action permit prefix 10.168.111.0/24 } } route-map Extended_LAN { rule 10 { action permit match { ip { address { prefix-list Extended_LAN } } } } } } protocols { ospf { area 0 { network 172.17.0.0/30 network 172.19.0.0/30 network 10.168.110.0/23 network 10.168.100.0/24 network 10.168.111.0/24 } interface wg100 { bfd { } cost 10 } interface wg500 { bfd { } cost 30 } redistribute { static { route-map Extended_LAN } } } static { route 0.0.0.0/0 { next-hop 10.168.120.129 { distance 210 } } route 10.9.99.96/27 { next-hop 192.168.178.206 { } } route 10.60.81.128/26 { next-hop 192.168.178.206 { } } route 10.168.6.0/24 { next-hop 192.168.178.206 { } } route 10.168.100.0/25 { next-hop 10.168.100.145 { } } route 10.168.110.0/24 { next-hop 10.168.100.145 { } } route 10.168.111.0/24 { next-hop 10.168.100.145 { } } route 192.168.36.0/24 { next-hop 192.168.178.206 { } } route 192.168.64.0/24 { next-hop 192.168.178.206 { } } route 192.168.71.0/24 { next-hop 192.168.178.206 { } } route 192.168.73.0/24 { next-hop 192.168.178.206 { } } route 192.168.75.0/24 { next-hop 192.168.178.206 { } } route 192.168.81.0/24 { next-hop 192.168.178.206 { } } route 192.168.151.0/24 { next-hop 192.168.178.206 { } } route 192.168.153.0/24 { next-hop 192.168.178.206 { } } route 192.168.154.0/24 { next-hop 192.168.178.206 { } } route 192.168.161.0/24 { next-hop 192.168.178.206 { } } route 192.168.162.0/24 { next-hop 192.168.178.206 { } } route 192.168.163.0/24 { next-hop 192.168.178.206 { } } route 192.168.177.0/24 { next-hop 192.168.178.206 { } } route 192.168.179.0/24 { next-hop 192.168.178.206 { } } } }
My current frr.conf look like below
##################### DO NOT EDIT THIS FILE! ###################### ################################################################### # This file was created by an automatic configuration generator. # # The contents of this file will be overwritten without warning! # ################################################################### ! frr defaults traditional hostname AU99K7D8WSTK.aucbakola.local password AK0L@urb@N service integrated-vtysh-config service password-encryption ! ip router-id ! interface tun_wg1 description "ospfd: WG500_ILL" ip ospf network point-to-point ip ospf cost 30 ip ospf bfd ip ospf mtu-ignore ip ospf area interface tun_wg0 description "ospfd: WG100_MPLS" ip ospf network point-to-point ip ospf cost 10 ip ospf bfd ip ospf mtu-ignore ip ospf area ! router ospf ospf router-id redistribute static route-map Extended_LAN timers throttle spf 200 1000 10000 passive-interface tun_wg1 passive-interface tun_wg0 network 172.17.0.0/30 area 0.0.0.0 network 172.19.0.0/30 area 0.0.0.0 network 10.168.110.0/24 area 0.0.0.0 network 10.168.100.0/24 area 0.0.0.0 network 10.168.111.0/24 area 0.0.0.0 ! ip prefix-list Extended_LAN 10.168.110.0/24 10 permit ip prefix-list Extended_LAN 10.168.100.0/25 20 permit ip prefix-list Extended_LAN 10.168.100.0/25 30 permit ! route-map Extended_LAN permit 10 match ip address prefix-list Extended_LAN ! bfd ! line vty !
If I remove the ip ospf area 0.0.0.0 setting from the interface configuration, the connection works, but I still encounter some challenges. The main issue is that OSPF Network is now deprecated, and we cannot rely on manual configurations in frr.conf because they often get overwritten.

Additionally, the ip prefix-list Extended_LAN 10.168.110.0/24 10 permit configuration is sometimes overwritten.

Another challenge is that I am at the spoke/branch location and do not have access to the hub location device. It seems that pfSense relies heavily on GUI-based configuration.

Could you please suggest the exact configuration steps I need to follow to successfully connect the branch device to the network without requiring manual intervention? Thank you.

Below are current config in GUI.

sa.1.jpg sa.2.jpg sa.3.jpg
Tailscale

Discussions about the Tailscale package

76
Topics

430
Posts

M

Currently getting spammed by the TS plugin but I'm not sure what any of this could mean or even if there's an issue in my tailnet. For now i have disabled logging to syslog for TS but curious if anyone ran into these problems.

404f9d0c-0070-4c6a-a90f-e6ea6c264015-image.png
WireGuard

Discussions about WireGuard

636
Topics

3.4k
Posts

B

@droidus Looks like you have a rule problem in pfSense, not a WireGuard problem, so most probably misconfiguration of rules.

J

System Patches Package v2.2.11

• • jimp

1

5
Votes

1
Posts

512
Views

No one has replied
1

DNS Broken for pkg.pfsense.org

• • 10101000

3

0
Votes

3
Posts

12.2k
Views

J

https://forum.netgate.com/topic/115789/pkg-pfsense-org-appears-to-be-dead/2
R

Packages wishlist?

• • rds_correia

661

0
Votes

661
Posts

1.2m
Views

O

PRTG
L

Avahi Crash on pfSense 2.7.2

• • LukeT

5

0
Votes

5
Posts

85
Views

S

Hmm, not familiar. Backtrace:
db:0:kdb.enter.default> bt Tracing pid 87885 tid 100340 td 0xfffffe006a4e7ac0 kdb_enter() at kdb_enter+0x32/frame 0xfffffe0063881830 vpanic() at vpanic+0x163/frame 0xfffffe0063881960 panic() at panic+0x43/frame 0xfffffe00638819c0 trap_fatal() at trap_fatal+0x40c/frame 0xfffffe0063881a20 calltrap() at calltrap+0x8/frame 0xfffffe0063881a20 --- trap 0x9, rip = 0xffffffff80ee0935, rsp = 0xfffffe0063881af0, rbp = 0xfffffe0063881ba0 --- in_joingroup_locked() at in_joingroup_locked+0x335/frame 0xfffffe0063881ba0 inp_setmoptions() at inp_setmoptions+0x11c6/frame 0xfffffe0063881d30 sosetopt() at sosetopt+0xb4/frame 0xfffffe0063881d80 kern_setsockopt() at kern_setsockopt+0xa5/frame 0xfffffe0063881de0 sys_setsockopt() at sys_setsockopt+0x24/frame 0xfffffe0063881e00 amd64_syscall() at amd64_syscall+0x109/frame 0xfffffe0063881f30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0063881f30 --- syscall (105, FreeBSD ELF64, setsockopt), rip = 0x82687dd0a, rsp = 0x8203704f8, rbp = 0x820370550 ---
Panic:
<6>vlan0: changing name to 'ixv0.7' <6>ixv0: link state changed to DOWN <6>ixv0: link state changed to UP arprequest_internal: cannot find matching address Fatal trap 9: general protection fault while in kernel mode cpuid = 6; apic id = 06 instruction pointer = 0x20:0xffffffff80ee0935 stack pointer = 0x28:0xfffffe0063881af0 frame pointer = 0x28:0xfffffe0063881ba0 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 87885 (avahi-daemon) rdi: fffff80003c2c480 rsi: 0000000000000000 rdx: 00000000000000a0 rcx: 0000000000000020 r8: 0000000000000000 r9: 00000000000000f8 rax: 14d81dff33337b20 rbx: fffffe006a4e7ac0 rbp: fffffe0063881ba0 r10: 0000000000000000 r11: fffffe006a4e7fe0 r12: 0000000000000000 r13: fffffe0063881c04 r14: fffff800797d9800 r15: fffff80003c2c400 trap number = 9 panic: general protection fault cpuid = 6 time = 1734052404 KDB: enter: panic
It's interesting that it seems to re-create the interface after boot. Did you resave something there?

I'd have to guess it's some hardware off-loading in the ixv driver causing problem there when it tried to jpin the multicast group.
What hardware offloading is shown as capable or enabled by ifconfig -m ixv0 or for ifconfig -m ixv0.7?
D

Email Reports WebGUI crashes when trying to edit the reports

• • Darkk

12

0
Votes

12
Posts

174
Views

D

@marcosm said in Email Reports WebGUI crashes when trying to edit the reports:

@Darkk You'll need to add and apply the diff yourself - it's not included.

I've applied the patch and it's working perfectly now.

Thank you!
S

WAF for pfSense/pfSense+ - eg. Coraza WAF via haproxy SPOE?

• • sandie

1

0
Votes

1
Posts

101
Views

No one has replied
N

Packages 24.11 Issue

• • NogBadTheBad

5

0
Votes

5
Posts

118
Views

M

@jimp said in Packages 24.11 Issue:

Plus 24.11 should be good now, the others are still rebuilding and will be fixed shortly.

Confirmed, thanks Jimp, 24.11 fixed already.
J

Vhosts

• • JonathanLee

1

0
Votes

1
Posts

43
Views

No one has replied
R

How to update to the latest Telegraf version

• • rocket

3

0
Votes

3
Posts

153
Views

R

Updated Nov 29-2024

pfsense 24.11 - Telegraf freebsd-15
pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/telegraf-1.32.3.pkg

pfsense 2.7.2 - Telegraf freebsd-14
pkg add -f https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/telegraf-1.32.3.pkg
A

Freeradius with PIN+OTP plus group membership in AD

• • aldomoro

1

0
Votes

1
Posts

35
Views

No one has replied
J

PIMD Invalid Interfaces?

• • jeffscott

3

1
Votes

3
Posts

70
Views

J

I've been able to confirm...

If the interface does not show in the PIMD Virtual Interface Table on the Status Tab, it gives the "Invalid phyint address" error in the logs. Sooo....

It appears that there is some limit that is preventing PIMD from seeing all the interfaces. The closest information I found is related to Linux and the limit is defined in the kernel...

I'm guessing even though I've been able to reverse my settings and avoid the errors in the logs, that any interfaces not shown in the Table are just ignored and are not participating in IGMP :-(
J

Squid Proxy Server Automatically Disables

• • jucelio_rosa

1

0
Votes

1
Posts

46
Views

No one has replied
1

Arpwatch reports bogons frequently

• • 1OF1000Quadrillion

19

0
Votes

19
Posts

7.0k
Views

J

another optoin to avoid 0.0.0.0 &169.254.0.0 spam is to igmore the mac-addr's
from arpwatch>settings, click the +Add button at the bottom
add any mac you don't want alerts for
F

Suricata Permit QUIC

suricata quic • • focaccio

6

0
Votes

6
Posts

167
Views

B

That alert is coming from the built-in QUIC-events rules that ship with the Suricata binary.

The events rules are simply informational in nature and don't indicate any malware or other compromise. I suggest disabling that rule or else using the "suppress by SID" feature on the ALERTS tab to prevent the alert the resulting block of a host.
R

Not able to find hash file of an old iso images

• • rajukarthik

3

0
Votes

3
Posts

74
Views

R

Hi Patch,

Thank you for your help.
C

FreeRadius or something else, for MFA without a PIN code?

• • Codefighter

1

0
Votes

1
Posts

49
Views

No one has replied
D

Crowdsec testing

• • disi1

1

0
Votes

1
Posts

274
Views

No one has replied
S

Snort Interface - The Green Arrow!

• • SixGun

1

0
Votes

1
Posts

70
Views

No one has replied
C

SIProxd Quick Howto

• • chpalmer

2

1
Votes

2
Posts

97
Views

C

Just a side note.. I have not always set the "proxy" in my client devices and it still would work.. but sometimes the client device would bypass the proxy and cause me issues.
E

HAProxy - Files

• • elucfol

1

0
Votes

1
Posts

68
Views

No one has replied

1 / 461