Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    JonathanLeeJ
    @firefox I don’t think so, to be honest with you I am on an older version also. Just make sure you do the patch package and install all the system patches.
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    M
    Hi, I had a problem with my home network today, so I checked pfsense and discovered that suricata had blocked the wan ip. After some tests and triggering some suricata alerts, the wan ip was blocked. I restarted pfsense and ran some more tests, but the problem no longer occurred. I then checked the wan interface settings and indeed the ip list does not include the wan ip, both now that it's working and before, when it was blocked. I'm using pfsense 2.8.0 and suricata 7.0.8_2. I use PPPoE to access the Internet.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    dennypageD
    @Leon-Straathof Data retention settings are handled inside of ntopng. Documentation here. Pay attention to the RRD note. Also, if you've turned on some of the slice and dice time series information (is off by default), I'd suggest turning them back off. These balloon the storage requirements and are of little actual use.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    keyserK
    @jrey said in pfBlockerNG syslog logentries to remote SIEM: @keyser I so want to answer this, but then at the same time (no I don't) ... pfblocker using syslog messaging in real time. no tailing of files, no other packages, just code. Huuuh? That seems very very interesting I noticed your name in other posts around the forum where you seemed to be QUITE proficient at coding/developing. Are you by any chance considering involvement in developing and refining the pfBlockerNG package? It would be SO great if you are looking into adding native syslog to the pfBlockerNG package - or an easy workaround that does not require additional packages and “temporary” edits in files that does not survive service restarts or pfSense updates. Here’s that you will fill me/us in on the solution you are using to your Greylog - please, pretty please with sugar on top
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypageD
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working. Glad you have it sorted. There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded? If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver). Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name). You can see the quirk with the following command: [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764 VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE [25.07-RC][root@fw]/root: Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver. @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: You might consider adding this resolution to the release notes for 2.8. LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    496 Topics
    3k Posts
    R
    @provels said in updating to acme 1.0 breaks system beyond repair: need to restore from backup: This same mess happened to me, even w/o Acme, going from 25.07 to *.1. Blew, reinstalled w/ Crowdsec, blew again, reinstalled, clipped all the Crowdsec info from config.xml, restored config, back to normal. Crowdsec is a great concept, but I think I'm out. I never had this issue with Crowdec before the ACME update, even with updating from 2.7 to 2.8 there was no issues. In fact after restoring from a backup after the ACME update, Crowdsec reinstalled just fine, and this was before the recent release a couple days ago that contained a fix.
  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    yon 0Y
    said in Please update frr on Pfsense+ to FRR 10.3: https://redmine.pfsense.org/issues/15785 now frr 10.4.1
  • Discussions about the Tailscale package

    90 Topics
    606 Posts
    M
    @yobyot I've SSHed into pfsense and for the sake of testing I've simply run the command: tailscale up --auth-key=tskey-client-kQ_THE_REST_IS_A_SECRET\?preauthorized=true\&ephemeral=false --accept-dns=false --accept-routes --advertise-exit-node --advertise-routes=X.X.X.X/24 --advertise-tags=tag:pfsense Note the preauthorized=true and ephemeral=false I gave this key all permissions (temporarly as I just wanted to verify it's working) of course I had to register the tag used also in the ACL tags pane: https://login.tailscale.com/admin/acls/visual/tags so far so good
  • Discussions about WireGuard

    697 Topics
    4k Posts
    lvrmscL
    Same here. It started after I installed 25.07. Then it settled down by itself after a few days. It started again after upgrading to 25.07.1. WireGuard works fine (it merely connects to the remote site from this one). However, I am refraining from upgrading the remote, because if the 'service' does not start, I fear it will not listen to incoming connections, which would leave me in a difficult situation. The other topic I had opened before finding this: https://forum.netgate.com/topic/198449/25.07-release-amd64-wireguard-service-reported-stopped-yet-tunnel-trafic-clearly-is-ok
  • System Patches Package v2.2.20_1 / v2.2.11_17

    Pinned
    12
    12 Votes
    12 Posts
    3k Views
    S
    There are new system patches available (2.2.21), maybe I miss the announcement here... https://github.com/pfsense/FreeBSD-ports/commit/8ffb307ed8845ebeeba2d00f258fd51256d0e756 Yes I do... https://forum.netgate.com/post/1214795
  • DNS Broken for pkg.pfsense.org

    Pinned Locked
    3
    0 Votes
    3 Posts
    13k Views
    jimpJ
    https://forum.netgate.com/topic/115789/pkg-pfsense-org-appears-to-be-dead/2
  • Packages wishlist?

    Pinned
    661
    0 Votes
    661 Posts
    2m Views
    O
    PRTG
  • 0 Votes
    11 Posts
    2k Views
    fireodoF
    @jimp said in LCDproc Looses Connection - Restarting service Fixes but goes down again shortly after: and I can never reproduce it in the lab. Hi, if you go to Diagnostics -> States and kill all states you get the "running wild" and flooding syslog lcdproc-client. (Maybe also of interest: LcdProc) Regards, fireodo
  • Zabbix 6.4.x required for pfsense 2.8.0-RELEASE

    4
    0 Votes
    4 Posts
    497 Views
    A
    @EngineerSB I went through the same challenge when upgrading our Zabbix server to 7.0. 5.0, 6.0, and 7.0 are LTS releases that get 5 years of support, whereas standard releases are only supported for 18 months. I've learned my lesson to only stick to major versions to avoid this issue. The easiest option that achieves a similar result is to only use the Zabbix 6.0 Agent, and change all items of type "Zabbix Agent" to type "Zabbix Agent (Active)". Also change the host to be monitored by Server instead of by Proxy. On the Agent, change the Active Server to be the Zabbix Server FQDN/IP (that the Proxy was pointing to) rather than the 127.0.0.1 localhost Proxy IP. This will achieve nearly the same behavior as using passive Zabbix Agent items via Proxy. The Zabbix Agent will communicate outbound directly to the Server and get the configuration, and the agent will garther data for all items of type Zabbix Agent (Active) and send the data to the server. Another option would be to copy the files from another firewall that still has the 6.4 packages installed.
  • statgrab package

    1
    0 Votes
    1 Posts
    100 Views
    No one has replied
  • Telegraf stopped working after update to 2.8.0

    1
    0 Votes
    1 Posts
    101 Views
    No one has replied
  • Avahi trying to broadcast on public interface?

    8
    0 Votes
    8 Posts
    395 Views
    dennypageD
    @clearscreen said in Avahi trying to broadcast on public interface?: I was just looking at mdns-bridge source code, but only realized now you're the author Yes. I'm also the maintainer of the pfSense Avahi package, which is why I felt compelled to write mdns-bridge. I’m not very familiar with mDNS, but I’m thinking of trying to implement one-way reflection (blocking either queries or broadcasts in a single direction). My motivation is to limit fingerprinting of my home network while allowing trusted subnets to see devices on less trusted subnets. Before I dive in, is there any technical reason this wouldn’t be feasible? Just want to understand if there’s a fundamental limitation and I figured I might as well ask you first. With mdns-bridge, you do not block queries or responses, but choose what mDNS names are shared by each network segment. Avahi uses a similar approach, but is limited to what in mdns-bridge terms would be a Global Allow filter list only. mDNS-Bridge is designed to give you detailed control of what mDNS names each segment is allowed to export or import, but I recommend keeping things simple if possible. I recommend starting with a Global Allow filter list to limit the overall scope, and exploring from there as needed. One thing to keep in mind, as noted in the mDNS-Bridge README filters that include hostnames are best used only in deny filters.
  • HA Proxy and 503 error on pfSense

    2
    0 Votes
    2 Posts
    230 Views
    V
    @RyanM said in HA Proxy and 503 error on pfSense: So let's say my domain is internaldomain.com Does domain resolve to your public IP in a public DNS? If it doesn't, you won't get a Let's Encrypt cert at all. Is HA Proxy good for what I am trying to do? So I have self-signed certs for several internal hosts/services. Yes. You can install self-signed certs on your backend servers and direct all traffic over HAproxy, even from internal. However, you must not enable "SSL checks" in the backend. The better way, however, would be to generate the internal certs with a CA on pfSense. Then you can confiugre HAproxy to trust the CA and accept the server certs. When getting error 503 "service not available", the backend either does not respond to heath checks or the service is not reachable, or something else in HAproxy is configured wrong. So first of all go to the stats page and check if the backend is shown up as "online". If not check the health check configuration.
  • 0 Votes
    5 Posts
    335 Views
    bmeeksB
    @aaronouthier said in Looking for few pointers getting Suricata on PFSense to talk to my Security Onion box.: Ok, so I've been researching the topic. It seems SO has an integration for PFSense. However, the FreeBSD implementation of Syslog is not optimal for this purpose, as mentioned above. Although I am comfortable with CLI Linux, I am effectively a Newbie with regard to BSDs. My next question is: What would be the least invasive method as far as the PFSense Box to export just the Suricata logs? I believe I saw an option to log to a Unix Socket. Would that be helpful coupled with something like Netcat? I'm not necessarily looking for help with such a feat, just wondering if such would likely be fruitful, or am I just chasing the infamous wild goose? I recommend exporting the EVE JSON log as that will be the most comprehensive. To export to a UNIX socket, change the EVE OUTPUT TYPE setting to UNIX socket. You will need to manually create the socket and give it a name. It will be up to you then to "receive" the socket data stream and redirect it elsewhere (seems you want it remote for your case to Security Onion).
  • Introduce openvpn-auth-oauth2 as pfSense package

    2
    0 Votes
    2 Posts
    163 Views
    A
    @cdal This could be a great security improvement ... It's the only way to do MFA with "LDAP/AD" backend for exemple (using oauth 2 proxy for exemple)
  • How to update to the latest Telegraf version

    9
    0 Votes
    9 Posts
    2k Views
    R
    @rocket Updated July 20-2025 pfsense 24.11 - Telegraf freebsd-15
 pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/telegraf-1.35.1.pkg pfsense 2.7.2 - Telegraf freebsd-14
 pkg add -f https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/telegraf-1.35.1_1.pkg https://www.freshports.org/net-mgmt/telegraf/#history
  • Updated PIMD package (beta)

    1
    0 Votes
    1 Posts
    190 Views
    No one has replied
  • pfSense-pkg-WireGuard removal failed!

    1
    0 Votes
    1 Posts
    147 Views
    No one has replied
  • 0 Votes
    1 Posts
    63 Views
    No one has replied
  • New widget for the official speedtest.net cli version.

    6
    4 Votes
    6 Posts
    1k Views
    A
    @ameinild Yes, I just confirmed at home that it is still working. I had some icon error right after install, but this seems to be fixed now.
  • crowdsec

    30
    0 Votes
    30 Posts
    2k Views
    dennypageD
    @Zermus said in crowdsec: It's a shame Elastic took their stuff in house and ELK stacks are no longer free. Tom Lawrence's (https://www.youtube.com/@LAWRENCESYSTEMS) videos convinced me that I should go over to Graylog Open on my personal stuff when that happened and I'm happy with it. I always viewed ELK as overly complicated. Graylog is much more manageable, although the console isn't as nice. Work in progress.
  • Installing sudo or nano issues?

    pfsensece sudo
    13
    0 Votes
    13 Posts
    730 Views
    w0wW
    @MrWhatZitTooya666 said in Installing sudo or nano issues?: "pkg+https://pkg.pfsense.org/pfSense_v2_8_0_amd64-core", "pkg+https://pkg.pfsense.org/pfSense_v2_8_0_amd64-pfSense_v2_8_0", looks good. Try Forced pkg Reinstall https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html To forcefully reinstall all packages, take the following steps: Make a backup Clean the repository and forcefully reinstall pkg, repo data, and the upgrade script: pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade Force a reinstall of everything: pkg-static upgrade -f Review the list of changes and enter y to proceed Manually reboot the firewall
  • Main pfsense package is removed

    1
    0 Votes
    1 Posts
    195 Views
    No one has replied
  • Telegraf and Grafana Dashboards

    5
    4 Votes
    5 Posts
    2k Views
    Sergei_ShablovskyS
    Recently (May-Jun 2025) Grafana received a HUGE update (even possible to saying “reworked from scratch” because some fundamental changes made): from more closely integration with GitLab CVS and making the database abstraction layer to tabs, custom and dynamic dashboards and interactive elements. After some time of stagnation, “new Grafana” start to receive a real most asked and usable updates. Just look at this! With this new updates Your Grafana’s dashboard for pfSense receive a REALLY USEFUL FORM ! P.S. And personally I need to note that pfSense Dashboard lost their actuality because in Grafana You may receive more usable, dive-in-detailed, much more detailed and granulated, interactive view and (in some cases, more important than view) strongly secured user authentication scheme.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.