1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    F
    Hello, I use Squid as an explicit proxy, but I can't bypass the private destination IP addresses. Do you have any ideas?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    M
    Hi, I had a problem with my home network today, so I checked pfsense and discovered that suricata had blocked the wan ip. After some tests and triggering some suricata alerts, the wan ip was blocked. I restarted pfsense and ran some more tests, but the problem no longer occurred. I then checked the wan interface settings and indeed the ip list does not include the wan ip, both now that it's working and before, when it was blocked. I'm using pfsense 2.8.0 and suricata 7.0.8_2. I use PPPoE to access the Internet.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    572 Topics
    3k Posts
    keyserK
    @Antibiotic No it’s not possible with NtopNG as it is not a Netflow collector. You need nProbe for that which will “translate” recieved netflows into flows that NtopNG understands and can visualize (with very very little detail might I add as Netflows has no additonal information apart from sender/reciever and volume). The NtopNG package and the product in general is more geared towards visualising and recording traffic details from actual packet captures. This contains MUCH more metadata about the sessions than netflows (DNS names, protocol information and myriads of other things). But pffSense Plus has a builtin Netflow exporter if you have an external netflow collector on hand.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    G
    FYI, this bug is still present on pfSense v2.8.1-RC and pfBlockerNG-devel v3.2.8

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypageD
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working. Glad you have it sorted. There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded? If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver). Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name). You can see the quirk with the following command: [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764 VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE [25.07-RC][root@fw]/root: Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver. @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: You might consider adding this resolution to the release notes for 2.8. LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    500 Topics
    3k Posts
    GertjanG
    @gorkrul said in Let's Encrypt Cert via ACME ask for oathtool (PFSende 2.8): so, what could be the solution then? or what other best practice recommended? acme.sh uses a 'scripted' or 'automated' login against 'INWX'. If an 2FA is needed to passs through, then, afaik, you can't use that access - acme.sh won't be able to grab your phone and copy over the challenge code. I'm not a 'INWX' (dono what/who that is to be honest) but I advise you to go to their support (foruim, FAQ, etc) and xheck how other, using 'INWX', set their acme.sh. Their support page said : https://www.inwx.com/en/offer/api where acme.sh is mentioned as 'possible'. here is a list with open issues with INXW : https://github.com/acmesh-official/acme.sh/issues?q=is%3Aissue%20state%3Aopen%20INWX - maybe yours is there also ? My pretty broken advise would be : stop 2FA ....

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    yon 0Y
    said in Please update frr on Pfsense+ to FRR 10.3: https://redmine.pfsense.org/issues/15785 now frr 10.4.1

  • Discussions about the Tailscale package

    90 Topics
    608 Posts
    Y
    Well, I spent some time tonight playing around with this and I think I have it. Some suggestions for others: Generate the OAuth client in the Tailscale admin before anything else. Make sure to create the tag you'll need. One per pfSense instance (and clearly, one OAuth client per pfSense instance). Give the OAuth client the permissions you think appropriate. Very Important: make sure that you can generate an API key with the OAuth creds. The OAuth creds are, apparently, used by the CLI to generate an API key. The latter is what does the trick in tailscale up. Do this from the pfSense console: curl -d "client_id=kY5Mv4h8kQ11CNTRL" -d "client_secret=tskey-client-kY5[invalidchars]CNTRL-ZXo2FfBbb[moreinvalidchars]GVT" "https://api.tailscale.com/api/v2/oauth/token" If you don't get back something like this, you'll never be able to get it to work: {"access_token":"tskey-api-kM[lotsofinvalidchars]NTRL-[stillmoreinvalidchars]9YevL","token_type":"Bearer","expires_in":3600,"scope":"all"} Here's what worked for me if the above returned an API token: /usr/local/bin/tailscale up --auth-key=tskey-client-[greekedout]GVT\?ephemeral=false\&preauthorized=true --accept-dns=false --accept-routes --advertise-exit-node --advertise-routes=192.168.211.0/24 --advertise-tags=tag:[yourtaghere] Make sure you have the cron package installed. Then add a @reboot entry using the full path (see above). I also added a cron entry every six hours as if Tailscale is up, this command does not interrupt or reset any sessions. I've left some bytes of the creds in these examples to make it clearer where your full creds should go. The curl command requires the escape symbol (\) in the parameters that will be passed to the control plane. FWIW, I lost an hour or more because I had (God only knows why) set Tailscale on one pfSense instance to accept DNS. Do this and the router cannot resolve the control plane API endpoint. Dumb. And I own it. I don't know if this "fixes" everything. But it's a lot of work and it shouldn't be necessary. Somehow, this package to be useful needs to survive reboot without the need to go to these lengths.

  • Discussions about WireGuard

    699 Topics
    4k Posts
    S
    @Bob.Dig what's the right place?
Log in to post
Load new posts
  • jimpJ

    System Patches Package v2.2.20_1 / v2.2.11_17

    Pinned
    12
    12 Votes
    12 Posts
    3k Views
    S
    There are new system patches available (2.2.21), maybe I miss the announcement here... https://github.com/pfsense/FreeBSD-ports/commit/8ffb307ed8845ebeeba2d00f258fd51256d0e756 Yes I do... https://forum.netgate.com/post/1214795
  • 1

    DNS Broken for pkg.pfsense.org

    Pinned Locked
    3
    0 Votes
    3 Posts
    13k Views
    jimpJ
    https://forum.netgate.com/topic/115789/pkg-pfsense-org-appears-to-be-dead/2
  • R

    Packages wishlist?

    Pinned
    661
    0 Votes
    661 Posts
    2m Views
    O
    PRTG
  • H

    crowdsec

    31
    0 Votes
    31 Posts
    3k Views
    keyserK
    @Zermus Sorry to ressurect this thread, but I’m just wondering about how to best put Crowdsec to good use. I’m just at hobbyist on this issue, so I haven’t got the funds to shell out for the subscription level features of Crowdsec. This means use of the free tier and that leaves the question: Since Crowdsec already have their blocklists (max 3 on the free tier) available for download directly from a pfSense URL Alias (https://docs.crowdsec.net/u/integrations/pfsense), what are you looking for additionally with the dedicated Crowdsec package? The package is available, but not in the official repo’s: https://docs.crowdsec.net/docs/getting_started/install_crowdsec_pfsense/ But as I understand it there is no need to install the package if you intend to use the “small - remediation only” part. Is it because you expect the loganalyser engine to produce additional “near real time blocks” from the log analysis on your own pfSense? For that to be really usefull does that not more require the HAproxy package and nginx parts of pfsense to integrate the crowdsec blocking integration so it can do more than IP blocking? Does it really make sense to run the actual security engine on pfSense itself? Is it not better to run it on a VM or small server (Pi fx.) and ship pfSense logs to it using syslog? Any blocklists it might produce can then be updated på pfSense’ Alias lists with 5min intervals. Any additional blocking actions it decides would require the HAproxy, nginx plugins to actually make it more usefull.
  • M

    Arpwatch - flip flop notifications not suppressed

    1
    0 Votes
    1 Posts
    34 Views
    No one has replied
  • N

    LCDproc Looses Connection - Restarting service Fixes but goes down again shortly after

    11
    0 Votes
    11 Posts
    2k Views
    fireodoF
    @jimp said in LCDproc Looses Connection - Restarting service Fixes but goes down again shortly after: and I can never reproduce it in the lab. Hi, if you go to Diagnostics -> States and kill all states you get the "running wild" and flooding syslog lcdproc-client. (Maybe also of interest: LcdProc) Regards, fireodo
  • E

    Zabbix 6.4.x required for pfsense 2.8.0-RELEASE

    4
    0 Votes
    4 Posts
    753 Views
    A
    @EngineerSB I went through the same challenge when upgrading our Zabbix server to 7.0. 5.0, 6.0, and 7.0 are LTS releases that get 5 years of support, whereas standard releases are only supported for 18 months. I've learned my lesson to only stick to major versions to avoid this issue. The easiest option that achieves a similar result is to only use the Zabbix 6.0 Agent, and change all items of type "Zabbix Agent" to type "Zabbix Agent (Active)". Also change the host to be monitored by Server instead of by Proxy. On the Agent, change the Active Server to be the Zabbix Server FQDN/IP (that the Proxy was pointing to) rather than the 127.0.0.1 localhost Proxy IP. This will achieve nearly the same behavior as using passive Zabbix Agent items via Proxy. The Zabbix Agent will communicate outbound directly to the Server and get the configuration, and the agent will garther data for all items of type Zabbix Agent (Active) and send the data to the server. Another option would be to copy the files from another firewall that still has the 6.4 packages installed.
  • M

    statgrab package

    1
    0 Votes
    1 Posts
    237 Views
    No one has replied
  • A

    Telegraf stopped working after update to 2.8.0

    1
    0 Votes
    1 Posts
    253 Views
    No one has replied
  • C

    Avahi trying to broadcast on public interface?

    8
    0 Votes
    8 Posts
    720 Views
    dennypageD
    @clearscreen said in Avahi trying to broadcast on public interface?: I was just looking at mdns-bridge source code, but only realized now you're the author Yes. I'm also the maintainer of the pfSense Avahi package, which is why I felt compelled to write mdns-bridge. I’m not very familiar with mDNS, but I’m thinking of trying to implement one-way reflection (blocking either queries or broadcasts in a single direction). My motivation is to limit fingerprinting of my home network while allowing trusted subnets to see devices on less trusted subnets. Before I dive in, is there any technical reason this wouldn’t be feasible? Just want to understand if there’s a fundamental limitation and I figured I might as well ask you first. With mdns-bridge, you do not block queries or responses, but choose what mDNS names are shared by each network segment. Avahi uses a similar approach, but is limited to what in mdns-bridge terms would be a Global Allow filter list only. mDNS-Bridge is designed to give you detailed control of what mDNS names each segment is allowed to export or import, but I recommend keeping things simple if possible. I recommend starting with a Global Allow filter list to limit the overall scope, and exploring from there as needed. One thing to keep in mind, as noted in the mDNS-Bridge README filters that include hostnames are best used only in deny filters.
  • RyanMR

    HA Proxy and 503 error on pfSense

    2
    0 Votes
    2 Posts
    505 Views
    V
    @RyanM said in HA Proxy and 503 error on pfSense: So let's say my domain is internaldomain.com Does domain resolve to your public IP in a public DNS? If it doesn't, you won't get a Let's Encrypt cert at all. Is HA Proxy good for what I am trying to do? So I have self-signed certs for several internal hosts/services. Yes. You can install self-signed certs on your backend servers and direct all traffic over HAproxy, even from internal. However, you must not enable "SSL checks" in the backend. The better way, however, would be to generate the internal certs with a CA on pfSense. Then you can confiugre HAproxy to trust the CA and accept the server certs. When getting error 503 "service not available", the backend either does not respond to heath checks or the service is not reachable, or something else in HAproxy is configured wrong. So first of all go to the stats page and check if the backend is shown up as "online". If not check the health check configuration.
  • A

    Looking for few pointers getting Suricata on PFSense to talk to my Security Onion box.

    5
    0 Votes
    5 Posts
    621 Views
    bmeeksB
    @aaronouthier said in Looking for few pointers getting Suricata on PFSense to talk to my Security Onion box.: Ok, so I've been researching the topic. It seems SO has an integration for PFSense. However, the FreeBSD implementation of Syslog is not optimal for this purpose, as mentioned above. Although I am comfortable with CLI Linux, I am effectively a Newbie with regard to BSDs. My next question is: What would be the least invasive method as far as the PFSense Box to export just the Suricata logs? I believe I saw an option to log to a Unix Socket. Would that be helpful coupled with something like Netcat? I'm not necessarily looking for help with such a feat, just wondering if such would likely be fruitful, or am I just chasing the infamous wild goose? I recommend exporting the EVE JSON log as that will be the most comprehensive. To export to a UNIX socket, change the EVE OUTPUT TYPE setting to UNIX socket. You will need to manually create the socket and give it a name. It will be up to you then to "receive" the socket data stream and redirect it elsewhere (seems you want it remote for your case to Security Onion).
  • C

    Introduce openvpn-auth-oauth2 as pfSense package

    2
    0 Votes
    2 Posts
    188 Views
    A
    @cdal This could be a great security improvement ... It's the only way to do MFA with "LDAP/AD" backend for exemple (using oauth 2 proxy for exemple)
  • R

    How to update to the latest Telegraf version

    9
    0 Votes
    9 Posts
    2k Views
    R
    @rocket Updated July 20-2025 pfsense 24.11 - Telegraf freebsd-15
 pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/telegraf-1.35.1.pkg pfsense 2.7.2 - Telegraf freebsd-14
 pkg add -f https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/telegraf-1.35.1_1.pkg https://www.freshports.org/net-mgmt/telegraf/#history
  • L

    Updated PIMD package (beta)

    1
    0 Votes
    1 Posts
    310 Views
    No one has replied
  • M

    pfSense-pkg-WireGuard removal failed!

    1
    0 Votes
    1 Posts
    291 Views
    No one has replied
  • M

    HowTO - FreeRADIUS + Omada Controller + LAN ethernet + 802.1x computer authentication with cert

    1
    0 Votes
    1 Posts
    72 Views
    No one has replied
  • L

    New widget for the official speedtest.net cli version.

    6
    4 Votes
    6 Posts
    2k Views
    A
    @ameinild Yes, I just confirmed at home that it is still working. I had some icon error right after install, but this seems to be fixed now.
  • M

    Installing sudo or nano issues?

    pfsensece sudo
    13
    0 Votes
    13 Posts
    1k Views
    w0wW
    @MrWhatZitTooya666 said in Installing sudo or nano issues?: "pkg+https://pkg.pfsense.org/pfSense_v2_8_0_amd64-core", "pkg+https://pkg.pfsense.org/pfSense_v2_8_0_amd64-pfSense_v2_8_0", looks good. Try Forced pkg Reinstall https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html To forcefully reinstall all packages, take the following steps: Make a backup Clean the repository and forcefully reinstall pkg, repo data, and the upgrade script: pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade Force a reinstall of everything: pkg-static upgrade -f Review the list of changes and enter y to proceed Manually reboot the firewall
  • S

    Main pfsense package is removed

    1
    0 Votes
    1 Posts
    340 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.