Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    N

    Can I use pfBlockerNG aliases in HAProxy?


    If it was a firewall rule, typing pfb would produce a dropdown to select.

    Here it has to be written, but will it work? Is it supported?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    cyb3rtr0nianC

    @bmeeks So after upgrading to the newest pfSense 2.8.0 everything is now working like a charm!

    Suricata no longer seems to strip off tags like it did before! Which means I can now use my network segmented by VLANs and still use the benefits of Suricata Inline IPS! Very niiize!

    I checked in the Alerts section and it is indeed generating the correct alerts from the different VLAN sections, I put Inline IPS on the parent interface of all the VLANs.

    I assume this is because the FreeBSD version is also updated with the new pfSense 2.8.0 version?

    Because before, as soon as I selected Inline IPS mode, my entire VLAN tagging would break and nothing was reachable until I switched back to Legacy mode.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidthd, ntopng, etc.

    571 Topics
    3k Posts
    K

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do a backup, or also with a cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    reza3swR

    @Gertjan
    Hello,
    Thank you.
    I had exactly the same issue, and your solution helped me fix it.


  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    101 Topics
    2k Posts
    J

    NUT version is 2.8.2_5 (I've already tried reinstalling the package)

    NUT seems to think it can't find the UPS, but usbconfig shows it to be present:

    [2.8.0-RELEASE][admin@janus.jhmg.pvt]/usr/local/etc/rc.d: usbconfig
    ...
    ugen0.5: <PR1500LCDRT2U UPS Cyber Power System, Inc.> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (2mA)
    ...

    Below is the console log attempting to start NUT from the command line.

    [2.8.0-RELEASE][admin@janus.jhmg.pvt]/usr/local/etc/rc.d: ./nut.sh stop
    stopping NUT
    [2.8.0-RELEASE][admin@janus.jhmg.pvt]/usr/local/etc/rc.d: ./nut.sh start
    starting NUT
    Network UPS Tools - UPS driver controller 2.8.2
    Network UPS Tools upsd 2.8.2
    fopen /var/db/nut/upsd.pid: No such file or directory
    Could not find PID file '/var/db/nut/upsd.pid' to see if previous upsd instance is already running!
    Network UPS Tools - Generic HID driver 0.53 (2.8.2)
    listening on 127.0.0.1 port 3493
    USB communication driver (libusb 1.0) 0.47
    listening on ::1 port 3493
    Can't connect to UPS [CyberPower-1500] (usbhid-ups-CyberPower-1500): No such file or directory
    libusb1: Could not open any HID devices: no USB buses found
    No matching HID UPS found
    upsnotify: failed to notify about state 4: no notification tech defined, will not spam more about it
    Driver failed to start (exit status=1)
    Found 1 UPS defined in ups.conf
    Network UPS Tools upsmon 2.8.2
    kill: No such process
    UPS: CyberPower-1500 (primary) (power value 1)
    Using power down flag file /etc/killpower

    Also

    [2.8.0-RELEASE][admin@janus.jhmg.pvt]/usr/local/etc/nut: more ups.conf
    [CyberPower-1500]
    driver=usbhid-ups
    port=auto
    [2.8.0-RELEASE][admin@janus.jhmg.pvt]/usr/local/etc/nut: egrep -v '^#' nut.conf
    MODE=none

    and this, which singles out the usbhid-ups driver as the problem:

    [2.8.0-RELEASE][admin@janus.jhmg.pvt]/usr/local/etc/nut: /usr/local/libexec/nut/usbhid-ups -a CyberPower-1500
    Network UPS Tools - Generic HID driver 0.53 (2.8.2)
    USB communication driver (libusb 1.0) 0.47
    libusb1: Could not open any HID devices: no USB buses found
    No matching HID UPS found
    upsnotify: failed to notify about state 4: no notification tech defined, will not spam more about it

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    GertjanG

    @EChondo

    What's your pfSense version ?
    The instructions are shown here :


    A restart of a service will start by re-creating its config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

    @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

    I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

    No need to wait x days.
    You can re test / renew right away, as you are 'allowed' to renew a couple (5 max ?) of times per week.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    R

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered them automatically. Only restarting FRR (either in the GUI or via CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI it seems to solve the problem as well.

  • Discussions about the Tailscale package

    89 Topics
    574 Posts
    A

    Hello,
    I am unable to get the Tailscale package to work. The page at VPN > Tailscale > Authentication is stuck. It displays the error "Tailscale is not online," but also shows a "Logout and Clean" button, with no option to log in.

    This state persists even after performing the following troubleshooting steps:

    Rebooting the pfSense router.

    Completely uninstalling and reinstalling the Tailscale package multiple times.

    Clearing browser cache and using a private browser window.

    Toggling the main "Enable Tailscale" checkbox in the settings.

    Checking the logs, which show the service gets a "terminate" signal and shuts down cleanly; it does not crash.

    Manually trying to delete the state file with rm /var/db/tailscale/tailscaled.state, which failed because the file does not exist.

    It appears that the package's configuration is corrupted in a way that persists even after reinstallation. Can anyone advise on how to perform a complete manual cleanup of all Tailscale files and settings?

  • Discussions about WireGuard

    690 Topics
    4k Posts
    J

    I've read through some other posts about this, but they either didn't say whether the proposed solution worked or they were very convoluted and difficult to understand. Here is our scenario: We have 6 locations--Las Cruces (LC), Sunland Park (SP), El Paso (EP), Abilene (ABI), Fort Worth (FW), and Plano (PL). LC and ABI have software that is accessed by the other 4 locations via VPN. There are WireGuard VPNs set up between LC and those 4 locations (SP, EP, FW, PL), and ABI and those 4 locations (SP, EP, FW, PL). There is also a WireGuard VPN connection between LC and ABI. LC and ABI have 2 internet connections. SP, EP, FW, and PL each have one internet connection.

    If the primary internet connection goes down at either LC or ABI and failover occurs to the secondary internet connection, is there a way to set up the WireGuard VPN connections so that they also failover without purchasing some 3rd party application?

    Thanks.

  • Snort log sending to Splunk

    2
    0 Votes
    2 Posts
    4k Views
    N

    Okay , found it !
    If it can help someone :
    The Snort logs are included in the firewall logs, so if you redirect your logs to a syslog server in Status > System Logs > Settings > Remote Server, Splunk will catch them.
    But you have to allow incoming logs from UDP port 514 in Splunk.

    Now the question is .. how to correctly parse snort logs in splunk because the log format seems to have changed recently and I can't find any support on the net
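An added example, not part of the post above, for the parsing question it raises: the function below parses Snort alert lines after syslog forwarding. It assumes the forwarded payload is Snort's classic alert_syslog / "fast" format (`[gid:sid:rev] message [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port`), IPv4 addresses, and a standard BSD syslog header; the sample lines, hostnames and rule SIDs are constructed for the example, and lines that are not Snort alerts (other pfSense log sources sharing the same syslog feed) are skipped rather than raising.

```python
import re
from typing import Optional

# Snort alert_syslog line, optionally preceded by a BSD syslog header
# (<PRI>, timestamp, host, program[pid]:). The syslog parts are optional so the
# same parser also works on lines read straight from a local alert file.
# Assumption: IPv4 addresses; ICMP alerts carry no ports.
ALERT_RE = re.compile(
    r"""
    ^(?:<\d+>)?                                        # optional syslog PRI
    (?:\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s)?     # optional timestamp + host
    (?:snort\[\d+\]:\s)?                               # optional program[pid]:
    \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s
    (?P<msg>.*?)\s
    (?:\[Classification:\s(?P<classification>[^\]]*)\]\s)?
    \[Priority:\s(?P<priority>\d+)\]\s
    \{(?P<proto>[A-Z0-9]+)\}\s
    (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s->\s
    (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$
    """,
    re.VERBOSE,
)

# Constructed sample feed: three Snort alerts plus one unrelated pfSense line
# that shares the same remote-syslog stream. Addresses are documentation ranges.
SAMPLE_SYSLOG = """\
<13>Jun  1 12:00:01 pfsense snort[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.0.2.10:51234
<13>Jun  1 12:00:02 pfsense snort[1234]: [1:384:5] PROTOCOL-ICMP PING [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 203.0.113.5
<13>Jun  1 12:00:03 pfsense snort[1234]: [1:1000001:1] LOCAL test rule without classification [Priority: 1] {UDP} 198.51.100.7:53 -> 192.0.2.10:40000
<13>Jun  1 12:00:04 pfsense php-fpm[321]: /index.php: Successful login for user 'admin'
"""


def parse_alert(line: str) -> Optional[dict]:
    """Return a dict of alert fields, or None if the line is not a Snort alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        d[key] = int(d[key])
    # Ports are absent for ICMP; keep them as None rather than 0.
    for key in ("sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d


def parse_alerts(text: str, max_priority: Optional[int] = None) -> list:
    """Parse every Snort alert in a syslog capture, skipping non-Snort lines.

    Snort priority 1 is the most severe; max_priority=2 keeps priorities 1 and 2.
    """
    alerts = []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        if max_priority is not None and alert["priority"] > max_priority:
            continue
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_SYSLOG, max_priority=2):
        print(f"sid={a['sid']} prio={a['priority']} {a['proto']} "
              f"{a['src']}:{a['sport']} -> {a['dst']}:{a['dport']} {a['msg']}")
```

The same field extraction can be expressed as a Splunk regex-based field extraction, but a stand-alone parser like this is the quickest way to confirm what the forwarded lines actually look like before writing one: run it over a few hundred lines captured from the syslog feed and inspect what comes back as None.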

  • Visual Delay Pool Monitoring in Squid?

    1
    0 Votes
    1 Posts
    755 Views
    No one has replied
  • Postfix forwarder otherMailbox ldap search

    1
    0 Votes
    1 Posts
    676 Views
    No one has replied
  • 2.2.1 - mailreport: empty graphs

    2
    0 Votes
    2 Posts
    808 Views
    arrmoA

    Hi,

    No idea how to fix it (sorry!), but to confirm - same issue here! Seems to have broken in v2.2.2.

    Thanks.

  • Pfblocker not blocking?

    13
    0 Votes
    13 Posts
    4k Views
    BBcan177B

    @wheemer:

    I have PFBlockerNG enabled and I have russia, china and hong kong blocked.

    However my email software is still saying it's blocking Chinese IPs that are trying to brute-force my password.

    I can also still browse chinese websites even though I have in and out blocked.

    Hi wheemer,

    Do you have any "Firewall Pass Rules" above the Block/Reject Rules that would allow those IPs through? Floating Rules are processed first (top to bottom), then the Interface Firewall Rules (top to bottom), and typically on the first rule match that's found.

  • Stunnel won't start after pfSense restart!

    14
    0 Votes
    14 Posts
    5k Views
    V

    I just encountered this issue today.

    I reinstalled the stunnel package and still was not able to launch stunnel.
    I ssh-ed into my pfsense box and did

    find / | grep stunnel

    the result from the above command lead me to examine /usr/local/etc/rc.d/stunnel.sh

    cat /usr/local/etc/rc.d/stunnel.sh

    which returned

    #!/bin/sh
    # This file was automatically generated
    # by the pfSense service handler.
    rc_start() {
            /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf
    }
    rc_stop() {
            killall stunnel
    }
    case $1 in
            start)
                    rc_start
                    ;;
            stop)
                    rc_stop
                    ;;
            restart)
                    rc_stop
                    rc_start
                    ;;
    esac

    This suggested that /usr/local/etc/stunnel/stunnel.conf is used as the configuration file so I followed with

    cat /usr/local/etc/stunnel/stunnel.conf

    to examine the file, which in turn showed

    cert = /usr/local/etc/stunnel/stunnel.pem
    chroot = /var/tmp/stunnel
    setuid = stunnel
    setgid = stunnel

    Manually running the following on the command line

    /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf

    confirmed that stunnel was exiting because there was no actual tunnel endpoints set up.

    So I went back to the WebGUI under Services > Stunnel, and took a look at the Tunnels tab where I had 3 tunnel endpoints configured. I figured that clicking the edit button on each entry and then clicking the save button would repopulate the /usr/local/etc/stunnel/stunnel.conf file so I clicked 'edit' and subsequently 'save' for each of my tunnel endpoints.

    As a precaution I navigated to the Certificates tab and did the same edit-save procedure for each of my three certificates.

    I then went back to the command line and made sure my clicking around had an effect. I ran

    cat /usr/local/etc/stunnel/stunnel.conf

    and was glad to see that my clicking around the GUI wasn't in vain; the file was populated with configuration parameters defining my endpoints.

    I then manually started stunnel from the command line with

    /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel.conf

    and my stunnel is up and running again (also shows green on the Status > Services section).

    I haven't yet restarted the firewall and don't know if the solution will persist or not.

    Best regards,

    V
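An added example, not part of the post above: the failure described there is a generated stunnel.conf that contains only the global options and no service section, so stunnel has nothing to tunnel and exits. The checker below parses an stunnel.conf into global options and `[service]` sections and reports any service missing an `accept` or a `connect`/`exec` target, so the condition can be caught before a reboot rather than discovered afterwards. The "broken" sample is the four global lines from the post; the `[imaps]` service in the "fixed" sample is a hypothetical endpoint constructed for the example.

```python
import sys

# Constructed samples. BROKEN_CONF reproduces the global-only file from the
# post; FIXED_CONF adds a hypothetical service section of the kind the GUI
# writes once a tunnel endpoint has been saved.
BROKEN_CONF = """\
cert = /usr/local/etc/stunnel/stunnel.pem
chroot = /var/tmp/stunnel
setuid = stunnel
setgid = stunnel
"""

FIXED_CONF = BROKEN_CONF + """\
; hypothetical endpoint: TLS on 993, plain IMAP on the loopback backend
[imaps]
accept = 993
connect = 127.0.0.1:143
cert = /usr/local/etc/stunnel/imaps.pem
"""


def parse_stunnel_conf(text):
    """Return (global_opts, services) from stunnel.conf text.

    Lines before the first [section] header are global options; every
    [section] starts a service. Values are kept as lists because stunnel
    allows some keys (e.g. connect) to be repeated. Lines starting with ';'
    are comments in stunnel.conf.
    """
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            services.setdefault(current, {})
            continue
        if "=" not in line:
            continue  # not a key = value line; ignore rather than fail
        key, value = (part.strip() for part in line.split("=", 1))
        target = global_opts if current is None else services[current]
        target.setdefault(key, []).append(value)
    return global_opts, services


def check_stunnel_conf(text):
    """Return a list of problems that would stop stunnel from serving anything."""
    _, services = parse_stunnel_conf(text)
    problems = []
    if not services:
        problems.append("no [service] sections: stunnel has nothing to tunnel and will exit")
    for name, opts in services.items():
        if "accept" not in opts:
            problems.append(f"[{name}] has no accept")
        if "connect" not in opts and "exec" not in opts:
            problems.append(f"[{name}] has no connect or exec")
    return problems


if __name__ == "__main__":
    # Usage: python3 check_stunnel.py [/usr/local/etc/stunnel/stunnel.conf]
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/etc/stunnel/stunnel.conf"
    with open(path) as fh:
        found = check_stunnel_conf(fh.read())
    for p in found:
        print("PROBLEM:", p)
    sys.exit(1 if found else 0)
```

Run it against the live file after a reboot (before the service is expected to be up) and treat a non-zero exit as the signal to redo the edit-and-save step from the post, or to script the config regeneration.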

  • MOVED: Reverse proxy, SSL Offloading and IPS/IDS with one nic?

    Locked
    1
    0 Votes
    1 Posts
    511 Views
    No one has replied
  • MOVED: SquidGuard regulate by IP address

    Locked
    1
    0 Votes
    1 Posts
    428 Views
    No one has replied
  • PfBlockerNG XMLRPC Replication error

    8
    0 Votes
    8 Posts
    3k Views
    D

    @foetus:

    And unless there has been a change since 2.2 and up, only the built-in admin user works for XMLRPC sync (other packages suffer the same limitation).

    Bingo. https://redmine.pfsense.org/issues/809

  • Postfix forwarder - relay all domains

    5
    0 Votes
    5 Posts
    1k Views
    GertjanG

    Have you tried to shorten the path ?
    Have the [ our own Web server which generates very specific emails ] deliver the mails directly to your [ our trusted SMTP relay provider ] ?

  • MOVED: Using regular expressions for blacklisting in Squidguard

    Locked
    1
    0 Votes
    1 Posts
    465 Views
    No one has replied
  • 0 Votes
    4 Posts
    1k Views
    M

    @turbogizzmo:

    I have a internal Exchange server on a different subnet that needs to send emails out a different gateway. Exchange is picky about the number of NICs and routing changes so I wondered if sending via a smart host would be the cleaner answer and if thats something the Postfix package can achieve?

    Yes, it's possible to set up the Postfix Forwarder as a smart host. After setting it up to relay outbound mail through your provider, you essentially need to tell Postfix to permit SMTP mail relay from your trusted internal host (the Exchange server). The easiest way to do that is to add your local subnet(s) (e.g. 172.16.0.0/16) or specific IP addresses (e.g. 172.16.0.1/32) to mynetworks.

    Here's my full solution for pfSense 2.2 from another thread. Hope that helps!

  • MOVED: Squid 3.4.10_2 https caching running pfSense 2.2.2 anyone?

    Locked
    1
    0 Votes
    1 Posts
    666 Views
    No one has replied
  • MOVED: pbirun taking all the available CPU on 2.2.2

    Locked
    1
    0 Votes
    1 Posts
    463 Views
    No one has replied
  • Ntopng compiled with sqlite?

    6
    0 Votes
    6 Posts
    3k Views
    K

    in what directory does ntopng store the information? I tried looking in /usr/pbi/ntopng-i386 but nothing :(

  • MOVED: HAVP does not start

    Locked
    1
    0 Votes
    1 Posts
    570 Views
    No one has replied
  • Sarg: Blank Reports

    11
    0 Votes
    11 Posts
    3k Views
    S

    Man I am not sure how I didn't catch it either.  I searched all over these forums but I must not have been using the right keywords.  Thanks for the heads up.

  • NUT SNMP UPS and Eaton SNMP-card?

    6
    0 Votes
    6 Posts
    3k Views
    iorxI

    Yeah, you're right. Working to get 2.1.4 working is the wrong way around. The install has a lot of OpenVPN tunnels throughout the country so I have hesitated a bit to replace it. Need the UPS support bolted on to this version for protection until their 2.2.2 is ready for prime time.

    I've now tried the 2.2.2 and NUT works as it should . No problem at all! :)

    Thank you!
    Brgs,

  • MOVED: Squid (2 and 3) transparent on 2.2.2 invalid request

    Locked
    1
    0 Votes
    1 Posts
    468 Views
    No one has replied
  • Check_mk_agent not working on 2.1.5

    7
    0 Votes
    7 Posts
    2k Views
    8

    The last working version is http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob;f=agents/check_mk_agent.freebsd;hb=e13899bde8bdafe13780427811c8153c59be807f. Versions after that introduced the get_cached function, which is not supported by sh.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.