Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    JonathanLee
    @jucelio_rosa I use plus
  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    DARA
    Hello team,

    I have a Netgate 8200 running 24.11-RELEASE (amd64) with the Suricata 7.0.8_5 package installed. Suricata doesn't seem to start. It loops to red once I press the Play button on the interface. It leaves no logs in the System logs, and it leaves no logs in suricata.log at /var/log/suricata/suricata_ovpns933787/suricata.log

    I tried launching it manually:

        # /usr/local/bin/suricata -V

    or

        # /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata_33787_ovpns9/suricata.yaml -i suricata_ovpns933787

    and I get this output:

        ld-elf.so.1: /usr/local/bin/suricata: Undefined symbol "__strlcpy_chk@FBSD_1.8"

    Thanks in advance,
    Dara
  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypage
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example:

        /usr/sbin/chown -R nobody:nobody /var/db/ntopng

    However, the better choice would be to upgrade to a more recent version.
  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmatt
    @vicking said in No blocks on IP:

        Is it a bad idea to have the action set to deny both instead of inbound only? Question is squarely for admin.

    Per the infoblock which explains, in part, the "Deny Inbound", "Deny Outbound", and "Deny Both" actions:

        'Deny' Rules: 'Deny' rules create high priority 'block' or 'reject' rules on the stated interfaces. They don't change the 'pass' rules on other interfaces. Typical uses of 'Deny' rules are:
          Deny Both - blocks all traffic in both directions, if the source or destination IP is in the block list
          Deny Inbound/Deny Outbound - blocks all traffic in one direction unless it is part of a session started by traffic sent in the other direction. Does not affect traffic in the other direction.
        One way 'Deny' rules can be used to selectively block unsolicited incoming (new session) packets in one direction, while still allowing deliberate outgoing sessions to be created in the other direction.

    In other words:
      When set to "Deny Inbound", incoming connection requests from WAN hosts are blocked and therefore no state will be created. However a LAN host can still establish state to an otherwise listed IP.
      If set to "Deny Outbound", outgoing connection requests from LAN hosts are blocked and therefore no state will be created. However an incoming connection request from an otherwise listed IP to an 'open' WAN port can still establish state.
      If set to "Deny Both", both incoming connection requests and outbound connection requests are blocked and therefore no state will be created regardless of connection direction.
  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    @dennypage Nicely done sir!
  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    I am using the DNS-Update method. I have to use a DNS-Sleep of 5 minutes to let the Let's Encrypt TXT DNS record update propagate. During these 5 minutes the acme-webgui times out. When the acme-webgui times out, the Action list is NOT executed. How can I solve this? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web GUI? Or maybe add an option to add post-hooks in the web UI?
  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    This one has been tricky, still not sure what to try. Any ideas?
  • Discussions about the Tailscale package

    93 Topics
    654 Posts
    @luckman212, Thanks for your suggestion. I will check what I have in /usr/local/pkg/tailscale/state, and also the RAM disk settings others have brought up. I could learn more about where Tailscale and pfSense store system files. If I find anything worth sharing, I will let you know.
  • Discussions about WireGuard

    715 Topics
    4k Posts
    @RNM-0 Thanks for your comment and sharing your fix. Unfortunately I don't want to take down pfSense and downgrade versions. I'm currently fine at the moment since I'm using Tailscale and that works. I also fixed the other crash I was having with pfBlocker by changing a line of code that wasn't pushed out under this version. Hopefully the stable release won't take too long to release, but it appears there are still some open bugs that need to be fixed before that happens, and ironically, both the pfBlocker and WireGuard issues aren't on that list of bug fixes.
  • Freeradius2 not starting on boot

    0 Votes
    2 Posts
    605 Views
    IIRC this was caused by storing and reading the NAS list in the SQL DB. Disable this and store your NAS in a static config file, if this is indeed the case.
  • MOVED: Squid and SquidGuard not starting

    Locked
    0 Votes
    1 Post
    416 Views
    No one has replied
  • Packages for NanoBSD pfSense

    0 Votes
    2 Posts
    674 Views
    Check out https://github.com/pfsense/pfsense-packages/blob/master/pkg_config.10.xml and search for "<noembedded>true</noembedded>". I think that is the right pkg_config file.
  • FreeRadius users per client

    0 Votes
    1 Post
    723 Views
    No one has replied
  • 0 Votes
    8 Posts
    4k Views
    @fragged:

        So you are trying to download a file from an internal server using your pfSense's WAN IP? Why? The problem you are seeing is NAT reflection. Just simply use the internal hostname or IP of the webserver.

    Good point fragged… but I have to use the external domain name, as the webserver uses the host header names to direct the request to the correct website on the server. pfSense is port forwarding port 80 to the internal LAN IP of the web server. The domain name is used to direct which hosted site the webserver responds to. The webserver is fully configured and working with several domains associated with it. The default webserver is usually disabled; I only enabled it for testing this issue. So dumping a txt file on the default website is not possible for live work.

    Just seen BBcan177's reply too.... Stand by, I will just test using the URL with host name, domain and IP address etc. to see what works and what does not.

    Oh... for reference, 1:1 NAT is disabled.

    Console results for: fetch -o testfile.txt "URL"

        ---- Test Group 1 ----
        using IP                     URL= h-t-t-p://x.x.x.x/pfsense/mylist.txt                           works ok
        using Hostname               h-t-t-p://localservername/pfsense/mylist.txt                       works ok
        using Hostname and domain    h-t-t-p://localservername.mydomain.co.uk/pfsense/mylist.txt        works ok
        ---- Test Group 2 ----
        using domain                 h-t-t-p://mydomain.co.uk/pfsense/mylist.txt                        Fails.
        using www.domain             h-t-t-p://www.mydomain.co.uk/pfsense/mylist.txt                    Fails.
        ---- Test Group 3 ----
        ping domain                  ping mydomain.co.uk                                                resolves ok.
        ping www.domain              ping www.mydomain.co.uk                                            resolves ok.

    Test group 1 all point to the internal IP of the webserver.... these all work, so internal DNS lookup is fine.
    Test group 2 all point to the WAN IP of the router.... these all fail when used from the router console.
    Test group 3 all point to the WAN IP of the router.... these all work ok when used from the router console ping.

    **Moment of Inspiration! Added "www" as a host pointing to the internal LAN IP of the webserver in the DNS forwarder. I can now resolve www.mydomain.co.uk to the internal IP of the web server.**

    I think the key here is that the web server uses host headers to identify the website to access. It expects to see "www.mysite.co.uk" in full, so "mysite.co.uk" will not return a result. Hence the first test in group 2 failed and now works with "www" added. pfSense now resolves www as an internal IP and at the same time has the full correct host header.

    If this had not worked, my next step would have been: set up DNS to return a different result internally to externally, split-horizon DNS as BBcan177 suggested.

    Found this in the forum if this helps anyone…. https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

    Thank you very much for the info and advice... very much helped keep the brain cells working. Thank you all.

    18gr .22 800fps ::)
  • Syslog-ng php interface doesn't allow rule ordering

    0 Votes
    1 Post
    1k Views
    No one has replied
  • Freeradius.inc file changes

    0 Votes
    2 Posts
    812 Views
    Disclaimer: I have not thought for a moment about FreeRadius and what the actual changes are here.

    Principle: This is an Open Source project. The project code is on GitHub: https://github.com/pfsense/pfsense and https://github.com/pfsense/pfsense-packages. If you are into gory backend code and OS patches, there is also pfsense-tools, for which there is an extra hoop to jump through for access.

    It is very easy to create a GitHub account if you do not already have one. Then for small things you do not need to install Git on your own device, just use the GitHub web interface. Drill down to the file in question, click the pencil to edit, make your changes, put a decent title and description of what and why it is "a good thing", save, and press the button to make a pull request. Those in charge of reviewing will be nice to you on your first try (I hope).
  • PfBlocker failure after 2.1.5 -> 2.2.1 upgrade

    0 Votes
    7 Posts
    2k Views
    BBcan177
    @laterdaze:

        Indeed, the max table entries was set to 300K, a holdover from pfBlocker tuning no doubt. Setting it to 2M resolved the memory allocation problem. Specifying the list action as "Deny Both" causes the packets count to increase to something more like what I was seeing with pfBlocker. Again, thanks for all that…

    Glad you got it all sorted out :) .. Pls read this thread to see if you really need "Deny Both/Deny Inbound" rules:
    https://forum.pfsense.org/index.php?topic=86212.msg501258#msg501258
  • MOVED: squid + squidguard with wildcard expressions for youtube

    Locked
    0 Votes
    1 Post
    647 Views
    No one has replied
  • Pfblockerng

    0 Votes
    3 Posts
    1k Views
    Thanks for the hint. :) Worked fine.
  • PfblockerNG a little help

    0 Votes
    4 Posts
    2k Views
    I'm setting up a network to help with some training and I've just spent all day trying to figure out how to allow traffic only from the UK to the OpenVPN port. Finally figured it out thanks to your screen grab doktornotor ;D pfSense has a bit of a steep learning curve for me but I'm getting there. Hopefully the new book will be out soon, I better start saving. I've just registered to show my appreciation, so I'll extend my thanks to BBCan177, the pfSense team and all contributors to these boards and the wiki. Keep up the good work guys, it's certainly appreciated 8)
  • FPT Internet Installation in Thủ Đức, Ho Chi Minh City

    0 Votes
    1 Post
    831 Views
    No one has replied
  • Post 2.2.1-RELEASE upgrade breaks nrpe

    0 Votes
    2 Posts
    881 Views
    Cross reference here: https://forum.pfsense.org/index.php?topic=90700.0
    sudo also has the same problem.
  • FreeRADIUS: Firewall rules required for proxy?

    0 Votes
    3 Posts
    4k Views
    Solved. In answer to the question, there are no special firewall rules required. RADIUS authenticates over port 1812 (accounting is 1813) and the proxy listener that proxy messages are sent from is listening on port 1814 (there is a port 1816 for service status requests, but it does not appear to be necessary). Since the proxy listener initiates the request from the pfSense installation, no outbound rule is required on the VLAN#2 interface, and no special inbound rules are required for the response.

    As to what was wrong, if you are going to set up a proxy.conf file on your pfSense installation, make sure you add a proxy interface entry under interfaces. It seems that by default the FreeRADIUS implementation puts the proxy listener on the first interface address that is not the localhost. In my case it placed it on the 10.1.1.1 address for VLAN#1 as that was the first entry under the interfaces list. Do not try to use src_ipaddr in proxy.conf; it won't stop the default listener setup, and will typically result in the listener from this setting being assigned to a random port each time the RADIUS service is started.

    Without the proxy interface entry, although the kernel routes the requests to the correct interface, it doesn't do anything to check the validity of the source IP for the interface listening address (apparently a well known issue). As a result, it was sending the packets out on to VLAN#2 from 10.1.2.1, but since the listener was on 10.1.1.1, the packets went out with the wrong IP address.

    I now have a working FreeRADIUS proxy on my pfSense interfaces, with the actual authentication handled by a Kerberized RADIUS installation within a DMZ VLAN.

    Regards,
    Rob.
  • MOVED: Snort Fatal Error

    Locked
    0 Votes
    1 Post
    554 Views
    No one has replied
  • Asterisk-gui port submitted to freebsd ports

    0 Votes
    15 Posts
    11k Views
    Does anyone have a working Asterisk GUI? When I go to http://MyIp:8888/gui/static/ I get:

        Access Denied
        You do not have permission to access the requested URL.

    Asterisk Server http.conf:

        [general]
        enabled=yes
        enablestatic=yes
        bindaddr=0.0.0.0
        bindport = 8888
        prefix = gui
        enablestatic = yes

    manager.conf:

        [general]
        enabled = yes
        webenabled = yes
        port = 5038
        bindaddr = 0.0.0.0

        [admin]
        secret = admin
        read = system,call,log,verbose,command,agent,user,config,read,write,originate
        write = system,call,log,verbose,command,agent,user,config,read,write,originate
        ipermit=0.0.0.0

    Someone who knows how to fix this??
  • MOVED: Can Squid be limited to IP instead of subnet?

    Locked
    0 Votes
    1 Post
    451 Views
    No one has replied
  • 0 Votes
    1 Post
    464 Views
    No one has replied
  • MOVED: HAProxy 1.5 and HSTS

    Locked
    0 Votes
    1 Post
    500 Views
    No one has replied
  • MOVED: HAProxy 1.5 and OCSP

    Locked
    0 Votes
    1 Post
    450 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.