1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    V
    @spiker said in HAProxy Port Redirect Internal: I have the acme certs working just fine through HAProxy but I have to manually put in the destination port, in my case 10443. I have the front end set up to listen on the network in question and on port 443, and the backend set for 10443. What do you get exactly if you access port 443?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeksB
    @NRgia said in Suricata on Pfsense: @bmeeks Thank you for what you did for Snort or Suricata. I'm not sure what you want me to do on Redmine, due to is a bug tracker. My question is for Product Management, which I will ask it here to be public: What is the plan for these 2 packages, Suricata and Snort? Thank you Yes, Redmine is for both bug reports and feature requests. Asking for the Suricata binary to be updated to the latest 7.0.11 version from upstream is a legitimate Redmine request. I would suggest simply asking for the binary version update instead of asking about future Netgate strategy (such as the support plans for the packages). Strategy discussions typically don't get very far because they deal with proprietary information or plans that a company may not want to publicly discuss. Redmine is where the Netgate developer team tracks all the code changes they make for pfSense. They will see Redmine reports much quicker than a forum post.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    dennypageD
    @Leon-Straathof Data retention settings are handled inside of ntopng. Documentation here. Pay attention to the RRD note. Also, if you've turned on some of the slice and dice time series information (is off by default), I'd suggest turning them back off. These balloon the storage requirements and are of little actual use.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    GertjanG
    @jeremyc311 said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start: I’m surprised to see in my logs only one blocked IP, which is related to my TrueNAS I'll decode this one : @jeremyc311 said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start: Aug 5 09:01:14,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,116.147.64.181,51765,51413,out,Unk,pfB_PRI1_v4,116.146.0.0/15,ET_Block_v4,Unknown,truenasr740,null,+ Traffic, coming into LAN, from a LAN device (192.168.2.13 = your TrueNAS) going to a Chinise ( 116.147.64.181 ) Brazilian ( 177.72.195.114 - = next line ) was blocked by the "pfB_PRI1_v4" list. That's probably good thing ? ( ! ). Up to you to discover why your NAS should initiate connections to these countries. A NAS can go outside for maintenance purposes, for example to look for updates of it's system. These could be located anywhere of course. The GeoIP IP created a rule for you. How and where do you use that this rule ?

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypageD
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working. Glad you have it sorted. There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded? If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver). Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name). You can see the quirk with the following command: [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764 VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE [25.07-RC][root@fw]/root: Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver. @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: You might consider adding this resolution to the release notes for 2.8. LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    GertjanG
    @EChondo What's your pfSense version ? The instructions are shown here : [image: 1753262126227-1acdc586-cb29-4148-9e36-81ade4e5e60c-image.png] A restart of a service will start by re creating their config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate. @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy: I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess. No need to wait x days. You can re test / renew right away, as you are 'allowed' to renew a couple (5 max ?) of times per week.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    yon 0Y
    said in Please update frr on Pfsense+ to FRR 10.3: https://redmine.pfsense.org/issues/15785 now frr 10.4.1

  • Discussions about the Tailscale package

    90 Topics
    594 Posts
    E
    @totalimpact Tailscale 1.54.0 is 2+ years out of date. Tailscale has made quite a number of changes since Tailscale 1.54.0, likely rendering it incompatible with their servers. I would consider manually updating the Tailscale FreeBSD package. FreshPorts does not maintain an archive of all the releases, only the latest compiled by the volunteer maintainers. The key to manually upgrading is knowing which FreeBSD version your pfSense release is running, i.e. 14 or 15. You can following along here.

  • Discussions about WireGuard

    693 Topics
    4k Posts
    lvrmscL
    Since my upgrade to 25.07-RELEASE (amd64) built on Tue Jul 22 22:24:00 CEST 2025 FreeBSD 15.0-CURRENT, on one end of my most important tunnel, the tunnel still works fine, but the pfSense GUI keeps reporting the service as stopped. I had to remove its monitoring from the Service Watchdog which was also trying to start it, without success. Yet the trafic flows correctly. I'm holding off upgrading my other boxes. Is there something I could do to help diagnose?
Log in to post
Load new posts
  • T

    Bandwidthd on cf-card? will it destroy my cf-card?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • S

    Asterisk behind pfsense (no sound)

    Locked
    25
    0 Votes
    25 Posts
    17k Views
    S
    @marcelloc: Great news!!!  :) Some dsl routers has a 'sip Alg' option that break out sip comunication. I have no idea why. Maybe you have something like that on you network. Nope not here… I have cable... :) but its all resolved now.
  • Z

    Have you tried this?

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    Z
    Informative!I really appreciated it. I dont have any idea 'bout the sessions or caching sessions.I think should go deep on this. At least I know its possible,enough for now. Thanks for the help.
  • A

    Unbound error

    Locked
    16
    0 Votes
    16 Posts
    8k Views
    I
    You might also try looking for an error along the lines of BAD-TRAFFIC TMG Firewall Client long host entry exploit. That message is triggered by a bad traffic rule that looks for odd traffic on port 53, which happens to be DNS. If you have a lot of these in your alerts of blocked log, chances are that some or all DNS replies are being blocked by snort.
  • I

    FreeRadius replication

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    marcellocM
    Varnish, postifix, haproxy. You do not need carp enabled to use it.
  • G

    Squid and AD authentication

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • A

    Snort install errors - pulling my hair out!

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    G
    emerging threats rules change all the time so if you enable a rule and later update the rule set there is always the possibility that you are attempting to load a rule that no longer exists in emerging threats. That will give you your error.
  • D

    [Help] Unable to make imspector work on PFSense 2.0-Release

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    D
    Dear all, I figure out that the Y!M version 10.0.27 didn't use the default port 5050. After i update Y!M to another version, it use port 5050 and seem to be OK with imspector. Thread close, thanks all
  • M

    SQUID on DUAL WAN only use DEFAULT

    Locked
    8
    0 Votes
    8 Posts
    8k Views
    N
    Yes, you have to balance the web traffic from the localhost instead of the traffic for you lan clients.
  • R

    Problems with apcupsd and/or nut

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S
    libwrap.so.6 is not part of a package, its part of FreeBSD. It appears the package you are attempting to use is newer then FreeBSD 7.0-Release, which 1.2.3 is based off of. ls -al /usr/lib/libwrap.* will show you what files you have. You probably have libwrap.so.5 Using ln -s, you may be able to link libwrap.so.6 to libwrap.so.5, and it may work. But it may also not work / melt your box / kill your cat… Otherwise, try installing the package for a 7.x variant (not sure when libwrap.so.6 was introduced)
  • marcellocM

    Jail on pfsense 2.0

    Locked
    4
    0 Votes
    4 Posts
    6k Views
    marcellocM
    thanks for you reply. ezjail is working much better then pfjctrl. If you are doing patches, means that you know what you are doing. backup your vm's, uninstall pfjctrl and install ezjail. ezjail-admin will help you creating new virtual machines with freebsd 8.1. follow ezjail build steps on a freebsd 8.1-p4 and you will have same version on pfsense and jails. As pfsense2 has been release there is no problem on migrating pfjctrl to ezail. I'll try to start it soon.
  • K

    Varnish for multiple CARP IP Interfaces distinct from WAN IP address

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    marcellocM
    Today the package listens on all interfaces at port you specified. To have multiple varnish, you can copy conf file and put a second daemon startup at gui advanced startup option. When using multiple varnish, you will need to name each one with -n arg. sample advanced startup options -n apache #set name on default daemon #startup second daemon /usr/local/sbin/varnishd \     -a :3129 \     -n squid \     -f /var/etc/squid.vcl \     -s malloc,2048MB \     -w 32,1024,300 I will find a way to change setup To let you choose interface and auto name them. Wait for pkg v 0.9. Thanks for your reply.
  • N

    SNORT issues in BRIDGE and VLAN'ed Environment

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • N

    Snort Problems Again !!!

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    T
    Snort is working great here. 2.0 Release 64bit All pre-processors on Lots of rules enabled. Works after reboot. 2gb on a vnware vm. I did have to follow other posts by uninstalling/reinstalling to get it running the first time when we were in the RC stage.  Also if I had known so rules were only 64 bit, I would have installed 32 bit pfsense.
  • K

    OVPN Client Export installer error

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    L
    Apparently this is a recent issue.  There is a fix over here: http://forum.pfsense.org/index.php/topic,41180.0.html For those who dont feel like reading the thread (Please DO though– and COMMENT so that it gets fixed :D ), or for those from google: @gusdvg: Ok so I added an error handler to the openvpn-client-export.inc file such that warnings are not printed to the exe. Tried and it works again! If you want to try this, edit /usr/local/pkg/openvpn-client-export.inc and add these lines after the require_once lines at the beginning of the file: function ignoreError($errno, $errstr) {   //does nothing... } set_error_handler("ignoreError",E_WARNING); I guess the problem still remains if you need to add additional options, but I have little time at the moment and this patch will do for now.
  • R

    Snort on pfSense packet flow

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    R
    @marcelloc: Pfsense rules are set on source interface. The rule with destination To blacklist must be on lan. I set the rules up on the appropriate interfaces based on source and destination IP, but Snort sees (and then blocks) offenders that should be covered by these rules. The rule covering destination to blacklist is on the LAN interface. The rule covering source from blacklist is on the WAN interface. Still, Snort sees and blocks traffic covered by these rules. I still have these questions: Perhaps someone can clarify both the Snort alerting on hosts blocked by a firewall rule (Snort gets the packets first?), and Snort behavior in pfSense when a Blacklist and a Whitelist host are both involved in an alert.
  • K

    Ipblocklist blocking 0 networks-syslog error

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • F

    POP3 Filter

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    marcellocM
    No, only for internal smtp servers. I think pop3 protocol is getting quite old. I'd prefer IMAP. Pop3 wastes bandwidth even using p3scan or other tool, you need to download all messages to then see if you want it or not. You can build a virtual machine an try to install freebsd p3scan package. if it works as you expect install on your firewall.
  • H

    Squid Guard Time Based ACL issues

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    H
    So I updated the firewall this morning from 1.2.3 to 2.0 and now the proxy is working 100%… Not sure what changed or anything but very happy with the new release. Thank you guys. Keep up the awesome work on a fantastic product.
  • S

    Facebook, Twitter Like button error in squidguard

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    marcellocM
    I saw the same thing at varnish report. Every time you apply settings, it will be included. Make report simple and it will never return.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.