Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    J
    @qupfer What did I bang my head over this strange 502 issue. Your solution did it! Thank you so much, even 2.5 years later!
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    M
    Hi, I had a problem with my home network today, so I checked pfsense and discovered that suricata had blocked the wan ip. After some tests and triggering some suricata alerts, the wan ip was blocked. I restarted pfsense and ran some more tests, but the problem no longer occurred. I then checked the wan interface settings and indeed the ip list does not include the wan ip, both now that it's working and before, when it was blocked. I'm using pfsense 2.8.0 and suricata 7.0.8_2. I use PPPoE to access the Internet.
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    dennypageD
    @Leon-Straathof Data retention settings are handled inside of ntopng. Documentation here. Pay attention to the RRD note. Also, if you've turned on some of the slice and dice time series information (is off by default), I'd suggest turning them back off. These balloon the storage requirements and are of little actual use.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    fireodoF
    @tinfoilmatt said in Failed or invalid Mime Type: [application/SIMH-tape-data|0]: (ASN data is IPinfo, not Maxmind) That's correct but "GeoLite2-Country" is from Maxmind ... (that confused me) I'm considering simply adding "application/SIMH-tape-data" to the list to test. That's what I thought too ... I'll try when I have the time for it ... Edit: I can confirm - adding "application/SIMH-tape-data" to the list at line 257 in /usr/local/pkg/pfblockerng/pfblockerng.inc did the trick - no more error! Edit: OK, problem resolved but I would like to know what's the cause for that error! (SIMH-tape-data sounds like a "blast from the past" ...) Thanks a lot!
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypageD
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working. Glad you have it sorted. There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded? If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver). Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name). You can see the quirk with the following command: [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764 VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE [25.07-RC][root@fw]/root: Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver. @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: You might consider adding this resolution to the release notes for 2.8. LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    496 Topics
    3k Posts
    M
    And when you are on version 25.07.1 or 25.07 and then click on the reinstall button for the ACME package. It will downgrade. :)
  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    yon 0Y
    said in Please update frr on Pfsense+ to FRR 10.3: https://redmine.pfsense.org/issues/15785 now frr 10.4.1
  • Discussions about the Tailscale package

    90 Topics
    599 Posts
    S
    Upgraded to 25.07 and facing the same issue. Tried the "tailscale up" command as suggested above but restarting the tailscale service kills the login again.
  • Discussions about WireGuard

    695 Topics
    4k Posts
    GertjanG
    @rosskan In theory, when you tunnel a 'VPN1' over another 'VPN2', VPN2 will see the originating IP as the one belonging to VPN1, not your real WAN IP. So far, ok. That said, when you subscribed to VPN1 and VPN2, you probably used your ISP IPv4 ^^ You installed the VPN1 (or2) application on your crappy laptop ?, if so, 'forget about it' ^^ 'as they know', the app is at an end point, and can see 'everything'. Don't forget that you pay for your VPN subscription, but you give them more than your money. They can see and use your data connection for 'data mining'. And they will make use of that data - by selling it. Why ? Because the share holders want a good financial result. If you need to connect two (your !) networks (or sites) together, use your own VPN solution. Don't use a commercial company. For example, take the ones you got with pfSense. If you really need to use that public network (aka : the Internet) to contact public servers, you are aware that the connection is already encrypted end-to-end ? That's what https is all about. 'http' doesn't really exist anymore / shouldn't be used. Also, you need to take other steps to be safe : you really should start with removing "windows 10" out of the equation .... @rosskan said in What information can vpn provider see when I use wireguard?: does wireguard share the mac address of the ethernet port of the crappy laptop with vpn provider #2? MAC addresses travel on a local segment. Your laptop's MAC doesn't travel any further than the first hop, this is most probably your first router (gateway) like pfSense. Packet capture your traffic to check this. The Ethernet headers are not encrypted.
  • FreeRADIUS 2 with EAP-TLS

    14
    0 Votes
    14 Posts
    10k Views
    P
    patched by me: https://github.com/pfsense/FreeBSD-ports/pull/632 With this patch, when you revoke a certificate you need to go to radius config -> eap and "SAVE" to regenerate the CA+CRL file. Next patch could be to add a function similar to openvpn_refresh_crls() that should be called from /usr/local/www/system_crlmanager.php when you update all the other CRLs. This is my 2nd day on PFSense, so first I need to see if there is a functions file dedicated to components not installed as default and then write the function. Any advice?
  • 0 Votes
    2 Posts
    3k Views
    B
    After a few USB re-plugs and restarts of pfSense it finally figured it out and started working.
  • NUT Driver DummyUPS Device File

    1
    0 Votes
    1 Posts
    154 Views
    No one has replied
  • FreeRadius + Captive Portal "Amount of Time" Problem

    17
    0 Votes
    17 Posts
    3k Views
    GertjanG
    @mustafa-azzam said in FreeRadius + Captive Portal "Amount of Time" Problem: But I have another question now .. when radius is running, the command (radius -X) will not run? Radius is a process you can see as a "server process". Golden rule : on one and the same system, you can have only ONE server process that listens to a determined port. So, if you launch "FreeRadius" using the pfSense GUI, you have a radius process running. Example, right now, on my pfSense : [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ps ax | grep radius 83839 - Is 0:18.74 /usr/local/sbin/radiusd 21455 0 S+ 0:00.00 grep radius As you know, it's easy to check what ports it's using. When I launch another, second radius process, it will bail out.
  • gwled using high amounts of CPU on APU2

    1
    1 Votes
    1 Posts
    319 Views
    No one has replied
  • Squid & Squid Guard block pages

    2
    0 Votes
    2 Posts
    348 Views
    KOMK
    No. This is just how it is for https connections.
  • Python client library for FauxAPI available on PyPi

    1
    0 Votes
    1 Posts
    449 Views
    No one has replied
  • Avahi - OpenVPN missing from deny interfaces

    7
    0 Votes
    7 Posts
    1k Views
    J
    @grimson Thanks! Didn't know about that widget... I've added it to my dashboard :) Some sort of built-in alerting would be good though. I just found this custom script another user wrote to alert on available system and package updates https://forum.netgate.com/topic/137707/auto-update-check-checks-for-updates-to-base-system-packages-and-sends-email-alerts
  • OpenBGPd not able to use prefix-set

    4
    0 Votes
    4 Posts
    585 Views
    Y
    @jimp said in OpenBGPd not able to use prefix-set: I can't remember if support for that is in FRR, but OpenBGPD is pretty much a dead end these days on FreeBSD (and especially pfSense). More than likely what you want to do can be done without much more effort on FRR. Thanks for the suggestions, I am new to FRR and looks really interesting, will for sure explore this in testing and see if we can make the transition. @biggsy said in OpenBGPd not able to use prefix-set: From what I can find prefix-set was introduced with OpenBSD 6.3 (released in April 2018). The FreeBSD version is old compared to the one in OpenBSD. Seem you are correct and that OpenBGPd on freebsd is far outdated and without the new prefix-set features :(
  • i need something like fail2ban do on linux on pfsense or backend servers

    6
    0 Votes
    6 Posts
    774 Views
    L
    @nogbadthebad said in i need something like fail2ban do on linux on pfsense or backend servers: e the backend servers running any form of BSD, look here if they are:- thanks for reply!
  • How to specify a non-standard mysql-Port in the Banyard2 configuration?

    1
    0 Votes
    1 Posts
    136 Views
    No one has replied
  • Package unavailable

    3
    0 Votes
    3 Posts
    645 Views
    jimpJ
    The doc I'm linking is for upgrade troubleshooting but since upgrades and packages both use the same mechanism to pull info, this section is relevant to figuring out why you can't see packages, too: https://docs.netgate.com/pfsense/en/latest/install/upgrade-troubleshooting.html#force-pkg-metadata-update
  • What is the status of ARPWATCH package?

    1
    0 Votes
    1 Posts
    150 Views
    No one has replied
  • [arpwatch package] Ignore VRRP/CARP traffic

    1
    2 Votes
    1 Posts
    357 Views
    No one has replied
  • LCDProc multiple instances after packages restart

    10
    0 Votes
    10 Posts
    1k Views
    fabricioguzzyF
    @stephenw10 said in LCDProc multiple instances after packages restart: Steve I will give it a try.. Thanks Much Steve!! Fabricio.
  • Mailscanner + spamassassin + clamav package

    313
    0 Votes
    313 Posts
    311k Views
    D
    @marcelloc Hi Marcelloc, i have postfix and mailscanner running on pfsense 2.4.4-p1, i got the following warnings: MailScanner[64731]: Clamd::ERROR:: UNKNOWN CLAMD RETURN ./lstat() failed: Permission denied. ERROR :: /var/spool/MailScanner/incoming/64731 Permissions looks fine, i did chown -R postfix:postfix /var/spool/MailScanner/incoming/, also chmod -R 6666 to the same folder. Runas user on MailScanner.conf and clamd.conf is postfix. Also mailscanner logs display syntax errors: Mar 6 16:09:51 pfsense2 MailScanner[56749]: Syntax error(s) in configuration file: Mar 6 16:09:51 pfsense2 MailScanner[56749]: Unrecognised keyword "deliversuspiciouspdf" at line 93 Mar 6 16:09:51 pfsense2 MailScanner[56749]: Unrecognised keyword "pdfidcommand" at line 84 Mar 6 16:09:51 pfsense2 MailScanner[56749]: Unrecognised keyword "pdfidtimeout" at line 87 Mar 6 16:09:51 pfsense2 MailScanner[56749]: Unrecognised keyword "scanpdf" at line 90 Mar 6 16:09:51 pfsense2 MailScanner[56749]: Warning: syntax errors in /usr/local/etc/MailScanner/MailScanner.conf. Please Help.
  • Sarg package for pfsense

    467
    0 Votes
    467 Posts
    578k Views
    Y
    @marcelloc Hello, Marcelo: Do you know how to install SARG in pfsense 2.4.4, FreeBSD 11.2-RELEASE-p3 ? Thanks, Yosvany
  • Not able to download Snort Signature on Pfsense

    6
    0 Votes
    6 Posts
    1k Views
    bmeeksB
    You must have a valid Oinkcode subscription code. You can have either a free registered code or a paid subscription code. You must obtain the code from the Snort.org web site. Next, if you are running any type of RAM disk configuration on your firewall, make sure you have at least 256 MB of free space in the /tmp directory (and preferably up to 512 MB free). Snort needs available free disk space to download the rules tarballs and unpack them during the update process. Running out of space on /tmp will cause all kinds of weird errors. Look at the pfSense system log to see if any errors show up there related to disk space. P.S. -- the only way to tell if disk space was an issue is to review the system log. When the update process finishes (either successfully or with a failure), it will clean up behind itself and delete the files and sub-directories it created in /tmp. So simply looking at the dashboard disk space widget will not reveal the problem.
  • Secure logging to external server

    3
    0 Votes
    3 Posts
    529 Views
    bmeeksB
    @pipetennathan said in Secure logging to external server: In case anyone else is stuck on this, I found the solution. Posted it here: https://forum.netgate.com/topic/136998/how-to-send-snort-alert-logs-to-graylog-without-barnyard2/6 This is a great solution as Barnyard2 has not been well supported in recent years by its developer. You could almost call it "dead" in a manner of speaking. It is likely that at some point down the road Barnyard2 will be pulled from the Snort and Suricata packages.
  • Snort blocking all torrents

    10
    0 Votes
    10 Posts
    4k Views
    bmeeksB
    @rango said in Snort blocking all torrents: I can try to disable Auto flow bit rule. Is it as easy as disable by the rule itself? My hardware has nothing to do with it. It's 2.4Ghz Quad core intel i5 processor with 4gb of ram able to run encryption at ~300Mbps. Without snort package it runs correct. It's snort component do it but since p2p and policy is not enabled i'm puzzled what rule or which component is doing this. If an additional auto-flowbit rule is alerting, it will show up on the ALERTS tab. But note that when in blocking mode, every Snort alert results in a corresponding block of the IP address unless that IP is in a Pass List. And a block will not "slow down" traffic, it will completely stop it. So I continue to be puzzled by your statement that Snort "slows down bandwidth to a few kb/sec". If Snort rule blocks are the issue, the traffic would completely stop: not just slow down.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.