Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    LaxarusL

    I am trying to use a rule to whitelist ips for a specific backend in my frontend.

    Basically use the X backend, if the host matches xxx.com and ip is whitelisted in a pfsense defined ip alias list.

    The problem is I am using the Cloudflare proxy and need to inspect the CF-Connecting-IP.

    And to do that I am using Custom ACL like this

    req.hdr(CF-Connecting-IP) -f /var/etc/haproxy/ipalias_Allowed_IPs.lst

    The Alias is defined in the firewall named Allowed_IPs.

    But this list does not get created unless I use something standard like "Source IP matches IP or IP Alias". Is there another way to refer to the created Aliases so that they are created properly?

    The workaround for this is to create a dummy acl with "Source IP matches IP or IP Alias" that does nothing but it is not a good solution.

    Edit: One more thing I noticed is, when the alias list is updated, this does not get reflected in the HAProxy lists in /var/etc/haproxy/ until HAProxy is restarted.

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    S

    oh ok. Thanks again

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    K

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do backup or also with a cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    W

    @Gertjan Thanks for the thoughts!!
    I find that most Windows PCs generate more traffic in general. There are lots of apps and utilities that cause the traffic.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    98 Topics
    2k Posts
    J

    @dennypage said in NUT suddenly stops working every app. 6 minutes:

    Okay, that is entertaining to say the least. Does "66da6bc012db26058161" happen to be the locally generated password for local-monitor?

    I have not the slightest idea! Never seen this before!!!!

    Rest: Will be delighted to do so! Thanks for the instructions.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    492 Topics
    3k Posts
    GertjanG

    @luxor84

    Why edit the pork_burn.sh file?
    You started with a cleaner solution: a patch. Why not include a patch for the pork burn file?

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    B

    Hi,

    We are running 25.03-BETA and running into the issue of FRR and BGP processes disconnecting at the control level. It mitigates itself in BGP being stuck in the active state from the GUI and FRR point of view (even vtysh thinks so), while the BGP process is actively keeping the connection in the background. No routes are being populated into the routing table, but these are being announced as confirmed by our peer:

    Nothing in routing, BGP neighbor is active, so no routes should be in.

    10.206.238.225 4 65228 0 2309 0 0 0 never Active 0 Odido BGP via

    So far it looks good, but the session is already established:

    >>> tcpdump -i ipsec2
    07:23:11.642870 IP 10.206.238.225.bgp > 10.206.238.226.49408: Flags [P.], seq 2440502671:2440502690, ack 2016892785, win 11, options [nop,nop,md5 shared secret not supplied with -M, can't check - 2ed14f304978416f8007afca427f988d], length 19: BGP
    07:23:11.642939 IP 10.206.238.226.49408 > 10.206.238.225.bgp: Flags [.], ack 19, win 131, options [nop,nop,md5 shared secret not supplied with -M, can't check - 078b7005ba698e2b636e70eb2c37e234], length 0
    >>> USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
    ...
    frr bgpd 76872 22 tcp4 10.206.238.226:49408 10.206.238.225:179

    The FRR restart doesn't help:

    /usr/local/etc/rc.d/frr restart
    Stopping watchfrr.
    Waiting for PIDS: 2357.
    Starting watchfrr.
    [58970|mgmtd] sending configuration
    Waiting for children to finish applying config...
    [59017|zebra] sending configuration
    [59963|bgpd] sending configuration
    [61500|staticd] sending configuration
    [61157|watchfrr] sending configuration
    [59017|zebra] done
    [58970|mgmtd] done
    [61157|watchfrr] done
    [61500|staticd] done
    [59963|bgpd] done

    The BGP process ID 59963 is different from 76872!!!

    >>>> ps -ax | grep 76872
    76872 - Ss 0:02.09 /usr/local/sbin/bgpd -A 127.0.0.1 -F traditional -d
    62041 0 S+ 0:00.00 grep 76872
    >>>> sockstat -4
    USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
    ...
    frr bgpd 76872 22 tcp4 10.206.238.226:49408 10.206.238.225:179

    After killing the process, restarting FRR, and checking for the traffic and routes:

    >>> kill -KILL 76872
    >>> ps -ax | grep 76872
    21650 0 S+ 0:00.00 grep 76872
    >>> /usr/local/etc/rc.d/frr restart
    Stopping watchfrr.
    Waiting for PIDS: 88383.
    Starting watchfrr.
    [27380|mgmtd] sending configuration
    [27540|zebra] sending configuration
    [28677|bgpd] sending configuration
    Waiting for children to finish applying config...
    [27380|mgmtd] done
    [30560|staticd] sending configuration
    [30405|watchfrr] sending configuration
    [27540|zebra] done
    [28677|bgpd] done
    [30560|staticd] done
    [30405|watchfrr] done
    >>> ps -ax | grep bgp
    11708 - Ss 0:05.87 /usr/local/sbin/bgpd -A 127.0.0.1 -F traditional -d
    31648 0 S+ 0:00.00 grep bgp
    >>> tcpdump -i ipsec2
    07:31:08.709787 IP 10.206.238.225.bgp > 10.206.238.226.26294: Flags [P.], seq 1180140056:1180140117, ack 3799507337, win 11, options [nop,nop,md5 shared secret not supplied with -M, can't check - d6b2c0bac2ebb8cf1058d365224d4c5c], length 61: BGP
    07:31:08.709850 IP 10.206.238.226.26294 > 10.206.238.225.bgp: Flags [.], ack 61, win 131, options [nop,nop,md5 shared secret not supplied with -M, can't check - 9dec3ac243f71d5f90e285627b2cd9e5], length 0
    >>> show bgp summary
    Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt Desc
    10.206.238.225 4 65228 3 494 5 0 0 00:00:48 4 5 Odido BGP via
    >>> show bgp ipv4 unicast
    Network Next Hop Metric LocPrf Weight Path
    *> 10.204.50.4/32 10.206.238.225 0 65228 ?
    *> 10.204.50.12/32 10.206.238.225 0 65228 ?
    *> 10.204.52.4/32 10.206.238.225 0 65228 ?
    *> 10.206.238.192/27 0.0.0.0 0 32768 ?
    *> 172.27.0.0/16 10.206.238.225 0 65228 ?
    >>> netstat -rn
    ...
    B>* 10.204.50.4/32 [20/0] via 10.206.238.225, ipsec2, weight 1, 03:42:44
    B>* 10.204.50.12/32 [20/0] via 10.206.238.225, ipsec2, weight 1, 03:42:44
    B>* 10.204.52.4/32 [20/0] via 10.206.238.225, ipsec2, weight 1, 03:42:44
    B>* 172.27.0.0/16 [20/0] via 10.206.238.225, ipsec2, weight 1, 03:42:44

    Did anyone see anything like it? We could've lived with the BGP down and no routes, but it is announcing, and the traffic is being expected on the wrong interface in the destination FW.

    Regards

  • Discussions about the Tailscale package

    86 Topics
    560 Posts
    D

    @smurph82
    pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.84.0.pkg
    Latest

  • Discussions about WireGuard

    684 Topics
    4k Posts
    S

    QR code for pfSense WireGuard will be awesome!

  • System Patches Package v2.2.20_1 / v2.2.11_17

    Pinned
    12
    12 Votes
    12 Posts
    2k Views
    S

    There are new system patches available (2.2.21), maybe I miss the announcement here...
    https://github.com/pfsense/FreeBSD-ports/commit/8ffb307ed8845ebeeba2d00f258fd51256d0e756

    Yes I do...
    https://forum.netgate.com/post/1214795

  • DNS Broken for pkg.pfsense.org

    Pinned Locked
    3
    0 Votes
    3 Posts
    13k Views
    jimpJ

    https://forum.netgate.com/topic/115789/pkg-pfsense-org-appears-to-be-dead/2

  • Packages wishlist?

    Pinned
    661
    0 Votes
    661 Posts
    2m Views
    O

    PRTG

  • Telegraf on PFsense Error

    13
    0 Votes
    13 Posts
    212 Views
    P

    @gm2005fl that's great news, and very useful information for those of us (i.e. me!) not realising there are different versions of InfluxDB :)

  • HA proxy with ssl

    4
    0 Votes
    4 Posts
    103 Views
    R

    @Gertjan said in HA proxy with ssl:

    not mail.contose.com.

    @Gertjan I have 2 ISPs and mail.contose points to those IP addresses and MX. I am using a Linux mail server. I have a DV cert installed on each server. For my web server I have added the following:

    and the default backend for that rule is httpswww-copy

  • 0 Votes
    29 Posts
    2k Views
    dennypageD

    @johnpoz said:

    but seems to me that is lack of configuration on arpwatch part. Should be able to tell it hey on igb0, that also has igb0.10 and igb0.20 since you're too stupid to understand that .10 network is for the .10 network only and not .20 - don't mark networks abc you see on igb0 or any of subs as bogon.

    So does arpwatch allow for this config, but it's not exposed in the gui? Where I can tell it - hey if you see networks A,B(vlanX) or C(vlanY) on the parent interface - not to report it as bogon?

    No, Arpwatch does not offer any vlan configuration. Arpwatch itself allows you to say net/cidr (nothing to do with vlans) should be considered local, but it is not exposed in the pfSense package.

    I take it ANDwatch allows for this - and will be able to configure it, I would think it could be auto figured out to be honest if you tell it to listen on igb0 and igb0.x and igb0.y etc..

    No, ANDwatch does not offer any vlan configuration either. ANDwatch does allow you to specify extensions of the pcap filter, so in theory you could exclude vlan tagged packets if your implementation allowed it, but this would be OS/bpf/pcap build dependent.

    From my pov, best practice is to avoid the whole situation by not mixing tagged and untagged traffic on physical interfaces.

    YMMV.

  • 0 Votes
    7 Posts
    1k Views
    fireodoF

    @jimp

    Hi,

    as far as I know the LCD driver (LCDd) is connected to the display via USB/Serial/Parallel but the lcdproc process is connected to the driver in this way:

    Bind=127.0.0.1 Port=13666

    Extract from pfctl -ss:

    lo0 tcp 127.0.0.1:20639 -> 127.0.0.1:13666 ESTABLISHED:ESTABLISHED
    lo0 tcp 127.0.0.1:13666 <- 127.0.0.1:20639 ESTABLISHED:ESTABLISHED

    So there could be a possibility to lose the connection when states get killed ... IMHO (If I'm wrong please correct)

    EDIT: I cleared all states and this also made lcdproc lose its connection, flooding the syslog. After restarting lcdproc all fine again.

    Regards,
    fireodo

  • Install OpenRTSP on pfSense

    4
    0 Votes
    4 Posts
    226 Views
    johnpozJ

    @heavymetalforever78 pfSense can for sure run on 1GB of RAM - and other VMs could run on far less.. I have both a 2.8 VM and a 24.03 VM running on my NAS, they only get 1GB each, etc.

    Don't try running some type 2 VM, run something like esxi or proxmox or something on the hardware..

    To be honest if your goal is a NVR - get an actual NVR.. They use very little power, and are not all that expensive. I see some on amazon for like 60 bucks.. You would have to add some HDD.. but how much can a 2 or 4TB disk cost these days?

    Trying to use your "firewall" as your everything box is never a good idea.

  • TFTP Server WAN Interface

    1
    0 Votes
    1 Posts
    87 Views
    No one has replied
  • LCDProc crashes - exceeds max allowed memory size

    1
    0 Votes
    1 Posts
    133 Views
    No one has replied
  • Zabbix 6.4.x required for pfsense 2.8.0-RELEASE

    1
    0 Votes
    1 Posts
    118 Views
    No one has replied
  • 1 Votes
    9 Posts
    2k Views
    F

    Confirmed still an issue as of May 2025 with pfSense CE 2.8.0 and FreeRADIUS package version 0.15.14

    I also updated the Redmine bugtracker: https://redmine.pfsense.org/issues/11054

    Can this security vulnerability please get some attention? Wi-Fi supplicants are able to join an 802.1x WPA2-Enterprise network without the username in the client certificate validated at all.

  • crowdsec

    2
    0 Votes
    2 Posts
    228 Views
    Bob.DigB

    @hescominsoon I don't think so and there is no real need for it on a firewall. Run it on your server(s), if you think it is worth it.

  • How to update to the latest Telegraf version

    8
    0 Votes
    8 Posts
    1k Views
    R

    @rocket

    Updated May 23-2025

    pfsense 24.11 - Telegraf freebsd-15

    pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/telegraf-1.34.2.pkg

    pfsense 2.7.2 - Telegraf freebsd-14

    pkg add -f https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/telegraf-1.34.4.pkg

    https://www.freshports.org/net-mgmt/telegraf/#history

  • Zabbix proxy 7 don't start on pfsense 24.03

    1
    0 Votes
    1 Posts
    130 Views
    No one has replied
  • Package Notes does not exist???

    2
    0 Votes
    2 Posts
    241 Views
    GertjanG

    @DominikHoffmann

    24.03? A Beta version?

  • Zabbix Agent 7

    3
    0 Votes
    3 Posts
    912 Views
    M

    @jwilli5646

    I see it is still the fact (May 2025), any update about Zabbix agent 7?

  • Pfsense Package License

    4
    0 Votes
    4 Posts
    507 Views
    S

    @MarinSNB Not sure, but I would guess you're likely to run into a problem if the Plus router is a newer FreeBSD version. The config sync could be a problem too because there are versions of the config file.

    https://docs.netgate.com/pfsense/en/latest/releases/versions.html

  • Ignore MAC OUI in Arpwatch?

    1
    0 Votes
    1 Posts
    165 Views
    No one has replied
  • Arpwatch - sent wrong arp op 5

    6
    0 Votes
    6 Posts
    460 Views
    dennypageD

    Arpwatch has no way to suppress protocol errors such as this. ANDwatch, a pending package to replace the Arpwatch package, allows suppression by way of pcap filtering.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.