Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    I
    @andrew_cb said in haproxy 0.63_2 weird behavior, edits not working: @iSagen @TheCyborgWeasel The issue is likely the same as in https://forum.netgate.com/topic/178348/haproxy-backend-port-changes-are-not-applied/ Try adding load-server-state-from-file none to the Advanced Settings > Backend pass thru section of each backend. Great! I will do this.
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeksB
    @NRgia said in Suricata on Pfsense: @bmeeks Thank you for what you did for Snort or Suricata. I'm not sure what you want me to do on Redmine, since it is a bug tracker. My question is for Product Management, which I will ask here to be public: What is the plan for these 2 packages, Suricata and Snort? Thank you Yes, Redmine is for both bug reports and feature requests. Asking for the Suricata binary to be updated to the latest 7.0.11 version from upstream is a legitimate Redmine request. I would suggest simply asking for the binary version update instead of asking about future Netgate strategy (such as the support plans for the packages). Strategy discussions typically don't get very far because they deal with proprietary information or plans that a company may not want to publicly discuss. Redmine is where the Netgate developer team tracks all the code changes they make for pfSense. They will see Redmine reports much quicker than a forum post.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    dennypageD
    @Leon-Straathof Data retention settings are handled inside of ntopng. Documentation here. Pay attention to the RRD note. Also, if you've turned on some of the slice and dice time series information (is off by default), I'd suggest turning them back off. These balloon the storage requirements and are of little actual use.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    J
    @keyser Clarify "it makes sense if the GEOIP DB has that size": are you referencing the ASN data as I have shown or the MaxMind data? The ASN data takes all of 15 seconds to download and process. Not really any "magic" going on there; you can see the mmdb is only a download referenced and the asn.csv.gz is basically just unzipped. I can't comment on the MaxMind data specifically because I don't use it for my geolocation. But I can see what the code should be doing. Seeing your actual log file will help determine where your specific spike may be coming from, but if I had to guess from looking at the code and my timing with respect to the ASN parts of it, I would guess this is most likely to be an issue with the MaxMind parts. Timing should be in the log. Can you change when it runs? No, not directly; there is no way to do this without changing the code to target a specific time when it creates the cron job in the first place. No, you can't change the timing of the cron job and have it stick; it will eventually just go random again. On the other hand, yes, because I changed the code here so it always creates the same "not so random" time. It has been running at the same time every day since this code change first became available in the pfBlockerNG update for 24.11 that came out months ago, well before 25.07. Curious: you originally said "noticed this after upgrading to 25.07 and pfb 3.2.7". Were you running the "new" format of ASN data before? (That would have only been possible if you upgraded from 24.11 with the latest version of pfb installed.) You would have entered an ASN key at some point to make it work. Did you do that under the prior version, or just now with 25.07? It's likely not significant, but then again... That likely won't help your spike, other than moving it to a different time. I moved it here to a static ("not so random") time for other reasons, nothing to do with system load at the time. Log files would be helpful (just the snippet that applies to this time, from the extras, error and pfblockerng logs; there may be nothing in error or pfblockerng related to the time it is running).
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypageD
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working. Glad you have it sorted. There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded? If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other USB devices, I think they will show attached drivers. I don't expect to see a driver attached to the UPS, because there is a quirk that tells the OS to ignore that device (and not attach a driver). Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name). You can see the quirk with the following command:
    [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764
    VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
    VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
    VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE
    [25.07-RC][root@fw]/root:
    Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver. @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: You might consider adding this resolution to the release notes for 2.8. LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    495 Topics
    3k Posts
    M
    @jimp said in updating to acme 1.0 breaks system beyond repair: need to restore from backup: While we do not deliberately break such configurations, if you install a package from unsupported repositories and they replace or mess with base system dependencies, then there is no telling what will break over time like this. Understood - thank you very much for the clarification. I need crowdsec though... and there is no official support yet. I don't mind reinstalling the system; it takes a reasonable amount of time, except that I found the netinstaller fails to connect to my PPPoE, which tripled the time of restoration. For that I have no explanation, and it is obviously not related to the dependencies, but that's off-topic in this thread.
  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    yon 0Y
    said in Please update frr on Pfsense+ to FRR 10.3: https://redmine.pfsense.org/issues/15785 now frr 10.4.1
  • Discussions about the Tailscale package

    90 Topics
    595 Posts
    E
    Updated CE 2.7.2 to 1.86.2_1 Changelog pkg add -f https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/tailscale-1.86.2_1.pkg Freshports
  • Discussions about WireGuard

    693 Topics
    4k Posts
    lvrmscL
    Strangely enough, checking the system 4 days later, I now see that Wireguard service is reported running! The last thing I did 4 days ago was to disable Wireguard service monitoring by the Service Watchdog. Anyway, even when it was reported stopped at first, 4 days ago, the tunnels were working flawlessly. Very strange. I will keep an eye on it.
  • Schema for certificate to use on HAProxy and internal websites

    1
    0 Votes
    1 Posts
    342 Views
    No one has replied
  • 1 Votes
    1 Posts
    543 Views
    No one has replied
  • SG-1100 with AVAHI - Issues with SamSung SmartThings?

    4
    0 Votes
    4 Posts
    666 Views
    P
    Well, I realized after typing it was probably a better idea if I had placed the question on the Avahi forum. @tman222, thanks for the input. As it turns out, just as I was diving in to try to tackle the issue, a day after I posted it, it all started working with no additional changes...
  • Changing FreeRadius Framed-MTU Attribute

    2
    0 Votes
    2 Posts
    1k Views
    T
    Hi all - just thought I would follow up and bump this to the top to see if anyone had any idea where in the FreeRadius package configuration I would need to make an adjustment for the Framed-MTU attribute. Thanks again for your help, I really appreciate it.
  • Beginner SG-1100 - Available packages null or fail to install Avahi

    10
    0 Votes
    10 Posts
    2k Views
    chrismacmahonC
    We were a bit late on Twitter; we don't do RSS feeds, nor really have much on our blog for service issues. We are hoping the delay on Twitter has been corrected.
  • This topic is deleted!

    4
    0 Votes
    4 Posts
    77 Views
  • Abandoned packages

    2
    0 Votes
    2 Posts
    683 Views
    GrimsonG
    https://www.netgate.com/docs/pfsense/development/submitting-a-pull-request-via-github.html start from there.
  • Block downloads based on file extension

    4
    0 Votes
    4 Posts
    4k Views
    C
    @cheonne not working for me
  • workaround for bug in tinc package

    4
    1 Votes
    4 Posts
    1k Views
    B
    with the result that the OS seemed to totally mess up the interface names.
    $ ifconfig -l
    [...] tnc0
    $ ifconfig tnc0
    ifconfig: interface tnc0 does not exist
    $ ifconfig
    (considered as spam by akismet)
    For some strange reason ifconfig does not show an interface name in front of the colon. It then occurred to me that maybe a bloody carriage return character is involved. And indeed:
    $ ifconfig `printf "tnc0\r"`
    (considered as spam by akismet)
    [...]
    The reason for the \r was this one...
    $ file /usr/local/etc/tinc/tinc-up
    /usr/local/etc/tinc/tinc-up: ASCII text, with CRLF, LF line terminators
    while the default tinc-up script (when the text field is left empty) is
    /usr/local/etc/tinc/tinc-up: ASCII text
    This is the actual problem that caused all the trouble and that definitely needs to be fixed in the tinc package for pfSense. As a workaround I added comment signs # at the end of each line, so the \r character is not appended to the interface name, e.g.
    ifconfig $INTERFACE name tnc0 #
    After a reboot the interface was finally named correctly; however, after adding the "tnc0" interface in the web interface, the next boot hung with
    Warning: Configuration references interfaces that do not exist: tnc0
    and the interfaces had to be manually reassigned first. I then finally noticed that renaming the interface isn't actually necessary and the problem was that the \r was also appended to the group name, i.e. "pkg_tinc\r". My final working tinc-up script thus reads
    ifconfig $INTERFACE 192.168.21.7 netmask 255.255.255.255 #
    ifconfig $INTERFACE group pkg_tinc #
    route add -host 192.168.21.7 -interface $INTERFACE #
    route add -net 192.168.18.0/24 192.168.21.7 #
    (sorry for the partial postings, but as a single post it was considered as spam by stupid "akismet")
  • stunnel question

    3
    0 Votes
    3 Posts
    769 Views
    D
    Who wrote the stunnel package? Why is only ip 127.0.0.1 accepted and not other IPs in "Listen on IP" field?
  • Having difficulties with Squid and SquidGuard

    2
    0 Votes
    2 Posts
    359 Views
    GertjanG
    Hi, just a wild guess: try setting up from LAN (it still has the default rules?).
  • bind 9.12 on pfsense

    10
    0 Votes
    10 Posts
    1k Views
    L
    PS: if I make a query like:
    dig @ns2.bicsa.co.cu -x 200.55.178.24/29.30
    ;;##
    [root@temis ~]# dig @ns2.bicsa.co.cu -x 200.55.178.24/29.30
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> @ns2.bicsa.co.cu -x 200.55.178.24/29.30
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45248
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available
    ;; QUESTION SECTION:
    ;30.24/29.178.55.200.in-addr.arpa. IN PTR
    ;; ANSWER SECTION:
    30.24/29.178.55.200.in-addr.arpa. 1200 IN PTR ksmg.bicsa.cu.
    ;; AUTHORITY SECTION:
    24/29.178.55.200.in-addr.arpa. 1200 IN NS ns1.bicsa.co.cu.
    ;; ADDITIONAL SECTION:
    ns1.bicsa.co.cu. 1200 IN A 200.55.178.28
    ;; Query time: 287 msec
    ;; SERVER: 200.55.136.19#53(200.55.136.19)
    ;; WHEN: Fri Jan 18 14:20:58 2019
    ;; MSG SIZE rcvd: 120
    ;;##
    As I said, if I make a query:
    dig @ns2.bicsa.cu -x 200.55.178.30
    it is refused. So am I missing something? Or is this the correct behaviour, or did I get the zone name wrong, or haven't I been making the query correctly? Sorry, and thanks in advance.
  • 0 Votes
    3 Posts
    520 Views
    bmeeksB
    @john-the-ripper said in Which rules should be active is there enabling WAN and LAN interfaces on SNORT?: I am new to computer networking. I would like to setup SNORT for my small office. I was wondering what is the difference between enabling SNORT on WAN and LAN and Which rules should be active is there enabling WAN and LAN interfaces on SNORT? Thanks for your help in advance.
    Put Snort on the LAN interface only. Putting it on the WAN will just log a bunch of junk the firewall is going to drop anyway. Plus, as @NogBadTheBad said, on the WAN all of your LAN host IP addresses will show in alerts "after NAT", meaning they will have the WAN's public IP. This is not very helpful when you are trying to determine which local host triggered the alert.
    As for which rules, I suggest you do this to use a Snort Team provided IPS policy. Get a Snort Subscriber Rules account. There are free and paid versions. You have to register for both. The difference in the two is explained at the link you will find on the GLOBAL SETTINGS tab in Snort. You can also use this link. After you get your Snort Oinkcode, enable the Snort Subscriber Rules by clicking the checkbox and paste your Oinkcode into the box provided on the GLOBAL SETTINGS tab.
    Go to the UPDATES tab and click Update to get a fresh copy of the Snort rules. Be sure to wait until the pop-up modal dialog auto-closes before leaving the page. It will take several seconds to a minute or more to download the rules.
    Now click on the INTERFACES tab and add your LAN interface to Snort if you have not done that already. Leave things at their defaults initially. I recommend you do not enable blocking initially to give you some time to see what alerts your network generates. If you turn on blocking right away, expect some false positives and some headaches caused by blocking what are really OK things (those false positives). Save the new interface. You should get returned to the INTERFACES tab.
    Click the edit icon for your LAN and then click on to the CATEGORIES tab. Click the checkbox to "Enable IPS Policy" and then choose the "IPS - Connectivity" policy in the drop-down. Let that be it at first. That is a good starter set of rules put together by the Snort team. Click Save on the page.
    Return to the INTERFACES tab and click the "start" icon to start Snort on the LAN. Hover over the icons to see a pop-up tooltip of what each icon does. Wait for Snort to start. The icon will turn into a green gear when Snort is running.
    You're done for now. Let it run like that for a week or so to give you a chance to see what kinds of alerts you get. Decide if you are getting any false positives (those are very likely with some of the HTTP_INSPECT rules), and suppress or disable the false positive rules. There are numerous threads here about setting up Suppress Lists and which rules to disable in Snort. Search for them to get some Snort tuning advice from other experienced Snort users.
    After you get the rules tuned up, then you can go to the INTERFACE SETTINGS tab again for the LAN and enable blocking. Remember when you make changes on the INTERFACE SETTINGS tab, you need to restart Snort on the interface for the changes to take effect.
  • pfsense / freeRADIUS

    Moved
    2
    0 Votes
    2 Posts
    521 Views
    NogBadTheBadN
    Do a radtest to verify it's working:
    root@unifi:~# radtest -4 andy password 172.16.0.1 1812 ClientSharedSecret
    Sending Access-Request of id 181 to 172.16.0.1 port 1812
    User-Name = "andy"
    User-Password = "password"
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 1812
    Message-Authenticator = 0x00000000000000000000000000000000
    rad_recv: Access-Accept packet from host 172.16.0.1 port 1812, id=181, length=34
    Class = 0x61646d696e73
    Service-Type = Administrative-User
    root@unifi:~#
    https://support.microfocus.com/kb/doc.php?id=7014552
    You could also do a radsniff -x on pfSense.
  • BIND DNS Package on pfsense

    1
    0 Votes
    1 Posts
    298 Views
    No one has replied
  • BIND GUI is missing "advanced options"

    7
    0 Votes
    7 Posts
    1k Views
    S
    I reinstalled the package and it's there. I don't know why it wasn't in the first place, but thanks for the help!
  • Help with bind package and dynamic dns server by my own and ecme package

    2
    0 Votes
    2 Posts
    669 Views
    GertjanG
    @luisenrique said in Help with bind package and dynamic dns server by my own and ecme package: https://www.netgate.com/docs/pfsense/dns/rfc2136-dynamic-dns.html To get you started: check out the link again. Read everything several times. Using a script or program (like nsupdate) locally, or remotely, works great, but every bit counts here: one slightest error and you're KO. The big hint is here https://www.netgate.com/docs/pfsense/dns/rfc2136-dynamic-dns.html - the last line: And that should be it. Assuming the firewall has connectivity to the name server, and there are no other access policies that would prevent the update, RFC2136 DynDNS service is now working. Should anything not work as expected, check the system log and/or the log on the name server. The last six words will give you the solution: check out bind's log files (they have to be set up, of course). They tell you how the update went, and what failed.
  • How do I know what's new in a pfSense package update?

    3
    0 Votes
    3 Posts
    490 Views
    M
    @jimp Ok, thank you!
  • 0 Votes
    1 Posts
    404 Views
    No one has replied
  • HAProxy Maint Mode Page

    4
    0 Votes
    4 Posts
    1k Views
    P
    @brailyn Well... SSL/HTTPS uses 'mode tcp', and haproxy will not send the errorfile in that case. To make haproxy respond with an HTTP error response, you would need it to 'offload' the SSL traffic with a certificate. Or, if you can supply haproxy with the certificate, you could still pass the main traffic as-is with the SNI frontend and send it to a second 'local frontend' that does the decryption of the HTTPS request if a backend is down, to serve the error reply. Together with an nbsrv acl to switch to that second 'error frontend' if the webserver is down.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.