1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    A
    @alexhen This sounds like the issue as in https://forum.netgate.com/topic/178348/haproxy-backend-port-changes-are-not-applied/ Try adding load-server-state-from-file none to the Advanced Settings > Backend pass thru section of each backend.

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeksB
    @NRgia said in Suricata on Pfsense: @bmeeks Thank you for what you did for Snort or Suricata. I'm not sure what you want me to do on Redmine, due to is a bug tracker. My question is for Product Management, which I will ask it here to be public: What is the plan for these 2 packages, Suricata and Snort? Thank you Yes, Redmine is for both bug reports and feature requests. Asking for the Suricata binary to be updated to the latest 7.0.11 version from upstream is a legitimate Redmine request. I would suggest simply asking for the binary version update instead of asking about future Netgate strategy (such as the support plans for the packages). Strategy discussions typically don't get very far because they deal with proprietary information or plans that a company may not want to publicly discuss. Redmine is where the Netgate developer team tracks all the code changes they make for pfSense. They will see Redmine reports much quicker than a forum post.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    dennypageD
    @Leon-Straathof Data retention settings are handled inside of ntopng. Documentation here. Pay attention to the RRD note. Also, if you've turned on some of the slice and dice time series information (is off by default), I'd suggest turning them back off. These balloon the storage requirements and are of little actual use.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    GertjanG
    @jeremyc311 said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start: I’m surprised to see in my logs only one blocked IP, which is related to my TrueNAS I'll decode this one : @jeremyc311 said in pfBlockerNG-devel 3.2.8 service pfb_dnsbl don't start: Aug 5 09:01:14,1770008712,bxe1,LAN,block,4,17,UDP,192.168.2.13,116.147.64.181,51765,51413,out,Unk,pfB_PRI1_v4,116.146.0.0/15,ET_Block_v4,Unknown,truenasr740,null,+ Traffic, coming into LAN, from a LAN device (192.168.2.13 = your TrueNAS) going to a Chinise ( 116.147.64.181 ) Brazilian ( 177.72.195.114 - = next line ) was blocked by the "pfB_PRI1_v4" list. That's probably good thing ? ( ! ). Up to you to discover why your NAS should initiate connections to these countries. A NAS can go outside for maintenance purposes, for example to look for updates of it's system. These could be located anywhere of course. The GeoIP IP created a rule for you. How and where do you use that this rule ?

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    dennypageD
    @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: Interesting. I would have thought the initial reboot, which occurred as part of the upgrade, would have done the trick, but it took a second reboot, just now, to get things working. Glad you have it sorted. There was no difference in the output of usbconfig show_ifdrv at any point -- before or after unplugging/replugging the USB cable, nor after rebooting. ... Question: What would tell me whether or not a driver was loaded? If there were an attached driver, it should have shown up with the show_ifdrv command. If you use the command and look at the other usb devices, I think they will show attached drivers. I don't expect to see a driver attached to the ups, because there is a quirk that tells the OS to ignore that device (and not attach a driver). Look for idVendor and idProduct in the above output. The Vendor ID for your device is 0764, which corresponds to Cyber Power Systems, and the Product ID for your device is 0601, which is registered as "PR1500LCDRT2U UPS" (don't sweat an exact match for the name). You can see the quirk with the following command: [25.07-RC][root@fw]/root: usbconfig dump_device_quirks | grep 0764 VID=0x0764 PID=0x0005 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0501 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE VID=0x0764 PID=0x0601 REVLO=0x0000 REVHI=0xffff QUIRK=UQ_HID_IGNORE [25.07-RC][root@fw]/root: Your device is third on the list. The HID_IGNORE quirk says to ignore the device and not attach a driver. @jhg said in NUT fails to start after 2.7.2 -> 2.8.0 upgrade: You might consider adding this resolution to the release notes for 2.8. LOL... sorry, I don't have input to the release notes (I don't work here). While I wrote and maintain various packages, including NUT, I'm still just a volunteer. Most packages are actually written by volunteers.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    GertjanG
    @EChondo What's your pfSense version ? The instructions are shown here : [image: 1753262126227-1acdc586-cb29-4148-9e36-81ade4e5e60c-image.png] A restart of a service will start by re creating their config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate. @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy: I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess. No need to wait x days. You can re test / renew right away, as you are 'allowed' to renew a couple (5 max ?) of times per week.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    yon 0Y
    said in Please update frr on Pfsense+ to FRR 10.3: https://redmine.pfsense.org/issues/15785 now frr 10.4.1

  • Discussions about the Tailscale package

    90 Topics
    594 Posts
    E
    @totalimpact Tailscale 1.54.0 is 2+ years out of date. Tailscale has made quite a number of changes since Tailscale 1.54.0, likely rendering it incompatible with their servers. I would consider manually updating the Tailscale FreeBSD package. FreshPorts does not maintain an archive of all the releases, only the latest compiled by the volunteer maintainers. The key to manually upgrading is knowing which FreeBSD version your pfSense release is running, i.e. 14 or 15. You can following along here.

  • Discussions about WireGuard

    693 Topics
    4k Posts
    lvrmscL
    Since my upgrade to 25.07-RELEASE (amd64) built on Tue Jul 22 22:24:00 CEST 2025 FreeBSD 15.0-CURRENT, on one end of my most important tunnel, the tunnel still works fine, but the pfSense GUI keeps reporting the service as stopped. I had to remove its monitoring from the Service Watchdog which was also trying to start it, without success. Yet the trafic flows correctly. I'm holding off upgrading my other boxes. Is there something I could do to help diagnose?
Log in to post
Load new posts
  • M

    Snort: Failing messages - FATAL ERROR: Failed to Lock PID

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    M
    Good to know; Thank you Cino!
  • W

    Ntop

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    If they both installed the exact same version of perl, it wouldn't be removed. You may have installed them at different times so they installed different (conflicting) versions of perl, so it took out one without realizing it was taking out the other. In the future we are working to completely isolate the packages and their dependencies from one another so they can't impact the base system or each other in that way, but it won't be happening for 2.0.
  • L

    Urlfilter

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    The blacklists are not likely to work at all on NanoBSD. They are gone because /var is a RAM disk so it will be gone at reboot. The squidGuard package isn't coded to support them in that scenario.
  • N

    Squid slow to only some website…

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    N
    well… I saw it was fast on my tablet... so It was related to my PC. I uninstalled BitDefender 2012... and tada! So... I will open a case at BitDefender. Thanks for the trick anyway! :)
  • A

    # pkg_add -r softflowd //File unavailable (e.g., file not found, no access)

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    A
    That did it ! Thanks Jim.
  • H

    How to Proxy only 1 of 2 Lan Intranets Connected to PFSense Firewall

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    H
    Thanks for your help. I didn't realize you could control select in the proxy interface box. Thank you guys. Legends.  8)
  • T

    ? for pfsense Developers

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimpJ
    No. All you know is the IP from the firewall log - at best you can guess the country with something like GeoIP but it's just a guess - you cannot get the URL unless you luck out and find that the IP actually reverse resolves to something meaningful. Many sites are hosted as virtual hosts, so there are 10, 100, 1000 "URLs" on a single IP address. The only way to know the URL is to sniff/proxy the traffic. You cannot get that from the IP. To do reverse DNS on the entire firewall log would take far too long to be practical, even just the part shown in the GUI. There is already a link (a little i) that will take you to Diagnostics > DNS with that IP if you really want to do a reverse lookup.
  • P

    Intercepting HTTPS Proxy

    Locked
    4
    0 Votes
    4 Posts
    7k Views
    jimpJ
    There are very hackish ways to hijack ssl but it involves installing a certificate on the client machine, which essentially completely breaks the trust of SSL in such a way to make it useless. (There are also rumors that China/FBI/NSA/CIA/etc have "special" trusted CA certs on sniffer devices that essentially do the same… but I haven't seen any real evidence, though it is a fun theory) If you don't control the clients, you can't transparently proxy ssl. If you do control the clients, you're much better off doing as Nachtfalke suggested and hard coding the proxy information on the clients. Then you don't need to hack anything or install any certificates.
  • K

    Squid, squid guard

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Z

    [Unbound]Error in system log after upgrading

    Locked
    12
    0 Votes
    12 Posts
    5k Views
    Z
    It should be no problem. I have installed the latest version. thanks for your quick help~~:)))
  • C

    Squidguard advanced source ACL ldap group lookup

    Locked
    3
    0 Votes
    3 Posts
    16k Views
    C
    Thanks for the response. Yes, that is correct, I want the user to be required to authenticate only if they try to go to a restricted site. For example, if a user navigates to http://someSiteThatIsRestricted.com it would prompt for a user name and password. If they are in a group in Active Directory that is allowed to go to that site it will of course let them otherwise they are redirected to a block page that tells them the reason. Thanks for the link. I have looked at that before but how do you do that in pfSense? I'm running a separate install to test with so I want to know how to do it even if it is not as secure and then I can decide whether to use a dedicated proxy instead of using pfsense for that. It is nice to be able to add functionality to pfSense through the packages because that allows for a more secure setup by default and the flexibility to customize it to fit almost any environment.
  • P

    Lightsquid users name

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    G
    Talking to a 2008 r2 box, if it's been configured in a domain with 2008 functionality is a no go for this. You get the warning during the promotion of the server to DC that it will break lots of open source stuff. Also if Squid is in transparent mode it's a no go. So what's your domain functionality set to? Are your users authenticating to Squid and if so what method are you using i.e NTLM How many users are we talking about?
  • F

    Help Me!! I need block download for extensions HTTP , FTP AND….

    Locked
    13
    0 Votes
    13 Posts
    9k Views
    F
    Steve thanks for the help As you know the squid3 not confirmed! The lock so I could do for l7. About UltraSurf had already read that document but so far the only way I found to be successful in blocking was blocking all networks. 99.224.0.0/11 63.241.6.64/28 63.242.0.0/16 63.240.0.0/15 218.168.0.0/16 125.176.0.0/12 122.118.0.0/16 69.64.144.0/20 211.109.128.0/24 59.120.0.0/14 59.112.0.0/13 97.112.0.0/13 71.192.0.0/12 219.137.112.224/27 203.112.80.0/20 162.138.0.0/16 170.201.0.0/16 156.40.0.0/16 61.224.0.0/14 61.220.0.0/14 59.120.0.0/14 59.112.0.0/13 220.136.0.0/13 220.132.0.0/14 220.130.0.0/15 220.129.0.0/16 118.168.0.0/16 122.120.0.0/13 118.168.0.0/16 122.120.0.0/13 71.208.0.0/12 61.231.0.0/16 218.160.0.0/16 61.62.74.0/24 72.25.64.0/18 66.245.192.0/18 64.62.138.0/25 64.62.128.0/17 125.224.0.0/13 Work but is not an efficient method because tomorrow there may be a new network.
  • F

    Block url that contain some text with lightsquid

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    Lightsquid doesn't block, it just reports. SquidGuard is probably what you want, but it can't filter based on the text in the page, just the text in the URL itself. If you search the forum for SquidGuard you will probably find more useful information.
  • M

    Specific rules cause snort not to run.

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    A
    How would one recompile a the zlib library from the Web Configurator? If it has to be done via command line, what is the pkg_add command that would do this?  ???
  • R

    IMspector not logging Gtalk chats. Please help!

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • T

    Dvserg P3Scan

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • T

    Chown -R -v havp Errors

    Locked
    9
    0 Votes
    9 Posts
    10k Views
    H
    @bluinside: Waiting for a bugfix… I have found this solution: make user "havp" (any password, I used "havp") using pfSense "User manager" from System menu than reboot and look into syslog. The error shuold be gone and the two Havp services should correctly start. :) Did this correct the issue?
  • C

    Snort Rules Download - 1.2.3

    Locked
    12
    0 Votes
    12 Posts
    7k Views
    H
    @compucoder: I bit the bullet and upgraded to 2.0 RC3 last night. So far it is working perfectly. Every feature I used in Snort before works. The updater works properly now too. I just did the 2.0 upgrade and it is using whichever version of Snort it had before and it all seems to be working fine. So far 2.0 seems like a good route to take. Have you looked at SNORT to see whats running, I have had an issue with SNORT not starting and refuseing to start doing it manually. I have tried reinstalling and uninstalling so far no go. I thing there is a bug with 2.0 RC3 and SNORT, also have had an issue with HAVP anti virus hanging the system. After hours of working with them, I removed both and all issues went away.
  • D

    Lightsquid with 2.0 RC3 - not showing anything - "SOLVED"

    Locked
    8
    0 Votes
    8 Posts
    11k Views
    P
    @jimp: pkg_delete -f perl-5.12.3, then reinstall the lightsquid package. i did that and reinstalled got same error i noticed that there is 3 version of perl loaded do i have to delete all of them perl-5.10.1_1      Practical Extraction and Report Language perl-5.12.3        Practical Extraction and Report Language perl-5.12.4        Practical Extraction and Report Language
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.