1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    D
    Retested on 24.11-RELEASE (amd64) all seems to work. So it seems right to file a bug for this issue.

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    S
    So since there is no version 25.03. There is an official 25.07 now but only get a 7.08.2 what happen to the rest up to Suricata 7.0.10 or 7.0.12?

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    K
    @pulsartiger The database name is vnstat.db and its location is under /var/db/vnstat. With "Backup Files/Dir" we are able to do backup or also with a cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    GertjanG
    @rasputinthegreatest said in pfBlockerNG not logging anything by default?: This IP does exist on my LAN but why it resolves some weird random desktop-sdshdsd.local? Then it's time to visit that device "192.168.1.85", and inspect it. pfSense was just replies on a DNS request coming from it. Loads of DNS request is 'normal' these days. Btw : buy yourself a big collection of connected devices (preference : 'foreign origin") and you wind up with loads of bizarre DNS requests. For example, a classic "Windows 11 Home" PC is already considered as 'bloated', which means that the list of all these xbox, candy store and other 'essential' processes is quiet big? And they all call 'home'. And ask yourself this question : "do you really know what users actually do with their devices" ? @rasputinthegreatest said in pfBlockerNG not logging anything by default?: Also no 192.168.51.5 exists on my network either Is "192.168.51.5" a typo ? It doesn't show up in any logs ... If your pfSense LAN uses the 192168.1.1/24 network, and a device connected to that LAN using the 192.168.51.5, it can't communicate. A network with statically assigned IP info (IP, mask/network, gateways and DNS) is hard to manage. That's why DHCP was invented, and activated by default for every device you buy. @rasputinthegreatest said in pfBlockerNG not logging anything by default?: I assume it is related to time servers? Why do you presume that ? Look them up and you'll see. "ntpns.org" is probably the NS server of ntp.org A lot of devices want to know the exact time. Even when DHCP can propose a time server - you can set up pfSense as a time server for your LAN devices - many devices will disregard this info, an insist in using their own hard coded time server source. For example, a Microsoft PC will default to time.microsoft.com, but you can set it to 192.168.1.1 or pfsense.your-sense-domaine.tld (which will point to 192.168.1.1 = pfSense). You could to do this for every LAN device. @rasputinthegreatest said in pfBlockerNG not logging anything by default?: .local addresses What is your pfSense domain set to ? @rasputinthegreatest said in pfBlockerNG not logging anything by default?: Its very mysterious and I only see this now with pfblockerNG. Set : Services > DNS Resolver > Advanced Settings : Log Level to : [image: 1754468971160-b17dd7a5-9427-497e-a3d0-5936024787b0-image.png] and save, apply. Now have a loo here : Status > System Logs > System > DNS Resolver or better : console : tail -f /var/log/resolver.log Don't forget to set back the Log Level to 1 !! ( !! ) as the resolver.log will get very big very fast. Conclusion : there is a lot of DNS traffic. These are all small packets, and finally just a small percentage of the total traffic.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypageD
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working. Glad you have it sorted. There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded? If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver). Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name). You can see the quirk with the following command: [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764 VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE [25.07-RC][root@fw]/root: Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver. @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: You might consider adding this resolution to the release notes for 2.8. LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    GertjanG
    @EChondo What's your pfSense version ? The instructions are shown here : [image: 1753262126227-1acdc586-cb29-4148-9e36-81ade4e5e60c-image.png] A restart of a service will start by re creating their config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate. @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy: I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess. No need to wait x days. You can re test / renew right away, as you are 'allowed' to renew a couple (5 max ?) of times per week.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    yon 0Y
    said in Please update frr on Pfsense+ to FRR 10.3: https://redmine.pfsense.org/issues/15785 now frr 10.4.1

  • Discussions about the Tailscale package

    90 Topics
    585 Posts
    L
    @veddy254 said in How to update to the latest Tailscale version?: @lbm_ said in How to update to the latest Tailscale version?: https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.84.2_1.pkg pkg: An error occured while fetching package I would recommend verifying the DNS settings in PfSense and verifying date/time is correct. Barring that, try again later and see if it still fails. I was able to successfully run the command on my 2.8.0 install (I didn't install it because I've already installed it) so it seems localized. Interesting. After I (reinstalled) tailscale the /etc/resolv.conf was overwritten. So I just readded the DNS entries in the Pfsense WebUI, and not it worked. pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.84.2_1.pkg Fetching tailscale-1.84.2_1.pkg: 100% 11 MiB 11.9MB/s 00:01 Installing tailscale-1.84.2_1... Newer FreeBSD version for package tailscale: To ignore this error set IGNORE_OSVERSION=yes - package: 1500054 - running kernel: 1500029 Ignore the mismatch and continue? [y/N]: y package tailscale is already installed, forced install Extracting tailscale-1.84.2_1: 100% And pkg info tailscale tailscale-1.84.2_1 Name : tailscale Version : 1.84.2_1 Installed on : Wed Aug 6 09:17:23 2025 CEST Origin : security/tailscale Architecture : FreeBSD:15:amd64 Prefix : /usr/local Categories : security net-vpn Licenses : BSD3CLAUSE Maintainer : ashish@FreeBSD.org WWW : https://tailscale.com/ Comment : Mesh VPN that makes it easy to connect your devices Shared Libs required: libthr.so.3 libc.so.7 Annotations : FreeBSD_version: 1500054 build_timestamp: 2025-07-30T02:26:16+0000 built_by : poudriere-git-3.4.2-12-g74a54a88 port_checkout_unclean: no port_git_hash : 275975297bc ports_top_checkout_unclean: no ports_top_git_hash: 0cd2c078c1e Flat size : 35.4MiB Description : Tailscale is a mesh VPN alternative, based on WireGuard, that connects your computers, databases, and services together securely without any proxies.

  • Discussions about WireGuard

    692 Topics
    4k Posts
    F
    Hi again, to be honest: I guess, I did not remember exactly what I did 2 years ago. May I was mistaken by the interface name opt2 because the SG-3100 has a physical port OPT1 and I mixed up physical and virtual names. The goal was to use 2 different tunnels, one for the mobile clients and one for the site-2-site connection. And now all is running in that way . Regards
Log in to post
Load new posts
  • L

    Squid 3 & reverse proxy?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    marcellocM
    follow this thread http://forum.pfsense.org/index.php/topic,48347.0.html squid-reverse and squid3 is now merged. Try to use squid without transparent mode.
  • J

    HAProxy 1.4.20 for PFSense

    Locked
    2
    0 Votes
    2 Posts
    948 Views
    marcellocM
    @jwelter99: Anyone working on an update?  1.4.19 is available, but 1.4.20 adds some bug fixes and specifically fixes some FreeBSD related build issues. Haproxy pfsense package is on 1.4.20. What version of pfsense are you using?
  • T

    PFSense 1.3.2 + Squid + Lightsquid + Proxy question

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    T
    Thank you for the hint but there are no stupid questions as I have learned  ;) The new release of PFSense will come in 2 weeks with new hardware. Well I have read your post but I do not understand why these firewall rules should help. The rest is configured according to the manuals or posts in here but I do not understand why it stopped working
  • A

    How to block port 80 for some clients ?

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    marcellocM
    @arushi: It works, but this users that i block on "Banned host addresses" can open the web pages with https (port 443) How can i close this port for this clients?? ;) Transparent proxy does not filter port 443. Create a firewall -> rule to block it.
  • G

    Sn0rt: what are 'good' rulesets to enable in the category tab? pls help.

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    G
    thank you very much kev. that is very good information. now to tweak everything.  :)
  • D

    Squid Guard, immediately disable local account on visiting blocked sites?

    Locked
    5
    0 Votes
    5 Posts
    1k Views
    D
    Oh I see.. Thanks!  :D I've been doing a bit of digging around in the pfSense source code and I think locking the account using exec("/usr/sbin/pw lock {$user_name} -q"); And setting the user's shell to "/sbin/nologin" should be sufficient. Does anyone know of an existing function / better way to do this? (guessing not as I stole my code from https://github.com/bsdperimeter/pfsense/blob/master/etc/inc/auth.inc#L457)
  • K

    Snort/Oinkmaster - Maintaining Disabled/Enabled Rules After Update?

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    J
    I've started using the Snort package a couple of days ago and this bug is really annoying… But I think I might found a semi-working solution for it. In /usr/local/etc/snort/rules are the categories such as snort_* and emerging-*. When I disable/enable specific rules in these files they will at least stay permanent for interface restart and updates when no new rules files are downloaded. But I guess these changes will be overwritten when new rules are actually downloaded (not just checked and no new files where found). But yeah... Not perfect, but at least the rules won't reset every 12 hour anymore. For some reason I don't seem to have a oinkmaster.conf file on my system at all? 2.0.1-RELEASE (amd64) with Snort 2.9.1 pkg v. 2.1.1. What's the current status of this bug btw?
  • M

    Squid start and stop imedialtely

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    M
    i solve it but i need now to flush cache content and removw all cache and i want to know if cach is working and chaching or not cause i have another prob. i remove pfsense and reinstalled it many times and install squid and light squid and in every time i found that lightsquid report is reporting that i use cache and specify the content that cached before the removing pfsense how does this work despite i was erase all hard disk content and reinstall pfsense from zero
  • B

    Freeradius2 removal breaks racoon (IPsec)

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    C
    it doesn't happen with many packages anymore as we take some precautions to prevent it as much as possible, but it does happen on some, have to be careful when messing with packages. 2.1 uses PBI packages to eliminate such dependency hell.
  • B

    Click on the green arrow to start snort - nothing happens

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    B
    Uninstalled and reinstalled the Snort package, and now it works.  I can check under "Services" menu.  Service is running.
  • T

    Squid-reverse

    Locked
    77
    0 Votes
    77 Posts
    44k Views
    marcellocM
    Hi all, I've merged squid-rever and squid3 in only one package for pfsense 2.0 with reverse options in a brand new service-> reverse proxy menu. Check screen shots on it's thread http://forum.pfsense.org/index.php/topic,48347.0.html att, Marcello Coutinho
  • N

    Squid issues

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    N
    no worries pod ;D Only thing i noticed still after restarting the server (Had to move the man cave about a bit) is what it was going to start HAVP, it still complains pw: unknown group havp, but when you go and look at the necessary file, the group is there Weird Should be done fairly shortly, I gotta head out shopping, so im gunna do some more work on this damn server after i get back
  • M

    Snort arp spoof processor pfsense 2.01

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    M
    so any help plz
  • N

    Squid caching downloads

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    N
    Ok discovered how i can be able to cache some of the youtube stuff, but need to know the best way to add what it says to squid: http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube?highlight=%28ConfigExamples%2FIntercept%29%7C%28ConfigExamples%2FAuthenticate%29%7C%28ConfigExamples%2FChat%29%7C%28ConfigExamples%2FStreams%29%7C%28ConfigExamples%2FReverse%29%7C%28ConfigExamples%2FStrange%29%7C%28ConfigExamples%2FExtreme%29%7C%28ConfigExamples%2FPortal%29
  • C

    AFP/SMB FileServer ontop of pfSense

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    stephenw10S
    Good call.  :) Steve
  • E

    The system returned: (61) Connection refused

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    E
    Hi CMB and thanks for the reply. I mean, both Squid and Dolphin are creatures from the sea, so they should get well along…. ;D Why this doesn't happen with PHPBB3 which is running from exactly the same address (192.168.5.8  ), the parent folder is the same, they are in 2 different subfolder which i did even try to swap but the result was the same...the Squid is discriminating
  • C

    Snort Rule-Recategorization

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    K
    Snort on pfsense is currently 2.9.0.5 which is now end of life. You will still get emergingthreats rules but until someone updates the snort package to ideally 2.9.2.2 you won't receive any new VRT rules I am afraid.
  • M

    Snort filtering Tor exit node traffic, configuration help/advise

    Locked
    2
    0 Votes
    2 Posts
    5k Views
    K
    You can use the supress tab to filter the alerts and I would disable the ET-DROP, ET-TOR rules etc. You could use pfblocker and lists like emerging-blocklist and compromised etc .txt files in emergingthreats (firewall and block rules). You could set these to block outbound, inbound or both. Install pfblocker and enable these in the lists as .txt: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt (this is dsield, russian business network, botnet CnCs) http://rules.emergingthreats.net/blockrules/compromised-ips.txt http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt http://www.ciarmy.com/list/ci-badguys.txt
  • L

    Standalone squid server

    Locked
    12
    0 Votes
    12 Posts
    8k Views
    L
    @marcelloc: leave lightsquid/sarg on the second pfsense firewall with squid in transparent mode on lan + upstream configuration second pfsense with squid and report package Thanks. I'll have to look into this. I have never used or heard of sarg. As my pfSense main firewall is a VM, if i put the cache off onto anothe rbox like this, how much HDD space does pfSense actually need to work efficiently?
  • M

    Squidguard on 2.0 final

    Locked
    27
    0 Votes
    27 Posts
    18k Views
    R
    of course you need to make a cronjob with "/usr/local/sbin/squid -k reconfigure", got an pm to this, so, well you always need the full path in a cron job
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.