Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    N

    Can I use pfBlockerNG aliases in HAProxy?

    [image]

    If it was a firewall rule, typing pfb would produce a dropdown to select.

    Here it has to be written, but will it work? Is it supported?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    cyb3rtr0nianC

    @bmeeks So after upgrading to the newest pfSense 2.8.0 everything is now working like a charm!

    Suricata no longer seems to strip off tags like it did before! Which means I can now use my network segmented by VLANs and still use the benefits of Suricata Inline IPS! Very niiize!

    I checked in the Alerts section and it is indeed generating the correct alerts from the different VLAN sections, I put Inline IPS on the parent interface of all the VLANs.

    I assume this is because the FreeBSD version is also updated with the new pfSense 2.8.0 version?

    Because before, as soon as I selected Inline IPS mode, my entire VLAN tagging would break and nothing was reachable until I switched back to Legacy mode.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    K

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do a backup, or also with cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    W

    @qinn
    Sent Dan an email to the address on his site. Not sure what is happening, my Teams stopped working. Disabled it/turned it off and the problem went away.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    99 Topics
    2k Posts
    K

    @elvisimprsntr thanks for your suggestion. I will give it a try.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    GertjanG

    @EChondo

    What's your pfSense version?
    The instructions are shown here:

    [image]

    A restart of a service will start by re-creating its config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

    @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

    I haven't been able to confirm if the above works (mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

    No need to wait x days.
    You can re-test / renew right away, as you are 'allowed' to renew a couple (5 max?) of times per week.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    R

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered it automatically. Only restarting FRR (either in GUI or via CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI it seems to solve the problem as well.

  • Discussions about the Tailscale package

    89 Topics
    574 Posts
    A

    Hello,
    I am unable to get the Tailscale package to work. The page at VPN > Tailscale > Authentication is stuck. It displays the error "Tailscale is not online," but also shows a "Logout and Clean" button, with no option to log in.

    This state persists even after performing the following troubleshooting steps:

    Rebooting the pfSense router.

    Completely uninstalling and reinstalling the Tailscale package multiple times.

    Clearing browser cache and using a private browser window.

    Toggling the main "Enable Tailscale" checkbox in the settings.

    Checking the logs, which show the service gets a "terminate" signal and shuts down cleanly; it does not crash.

    Manually trying to delete the state file with rm /var/db/tailscale/tailscaled.state, which failed because the file does not exist.

    It appears that the package's configuration is corrupted in a way that persists even after reinstallation. Can anyone advise on how to perform a complete manual cleanup of all Tailscale files and settings?

  • Discussions about WireGuard

    689 Topics
    4k Posts
    P

    @patient0 Thanks for further suggestions. The tunnel is definitely up and so I don't think this is a CGNAT issue after all. WAN firewall rule is in place for UDP on port 51823 (otherwise the tunnel wouldn't work, right?). I can ping from client 1 -> client 2 and vice versa and also ping all points in between like you suggest. I just can't open an HTTPS connection from pfSenseB from Client 1 using a browser. But I can do this the other way round, i.e. from Client 2 to pfSenseA.

    I will try and do some packet capture to see if that reveals anything.

  • NTOP question

    2
    0 Votes
    2 Posts
    643 Views
    jimpJ

    Use ntopng rather than ntop. Its main screen focuses on immediate/current traffic usage.

  • Bacula version compatibility issue

    4
    0 Votes
    4 Posts
    3k Views
    jimpJ

    That should be possible in theory. The FreeBSD ports tree has both available still, sysutils/bacula-client is 7.0.5, sysutils/bacula5-client is 5.2.12

  • Squid Proxy with HTTPS Inspection downgrades SSL/TLS Ciphers

    3
    0 Votes
    3 Posts
    2k Views
    L

    @marcelloc:

    You mean client to squid cipher or squid to web server?

    I meant both connections. AFAIK sslproxy_cipher is for Squid <-> web server, and https_port is for Squid <-> web client. It doesn't hurt to keep both connections with strong SSL/TLS modes.

  • Ldap group Search filter for users in other OU's

    1
    0 Votes
    1 Posts
    674 Views
    No one has replied
  • 0 Votes
    33 Posts
    19k Views
    E

    Have you restarted the firewall?

  • Snort keeps blocking my WAN

    6
    0 Votes
    6 Posts
    1k Views
    bmeeksB

    It should not be blocking your WAN IP unless Snort is not getting restarted when your WAN IP changes.  Remember that Snort only reads the Pass List contents once at startup.  It stores the contents in a memory array and refers to that array when getting ready to block an IP.  If the IP is in the memory list, it is not blocked.  If it's not in the memory list, it is blocked.  But this memory list is only created at startup and is not updated again until Snort restarts.

    The BOTH selection should be fine.  You can change it if you wish, but depending on the direction of traffic, it may not help with your blocking problem.  I think that issue is caused by Snort not recognizing your WAN IP updated.

    If your WAN IP changes and Snort does not restart, you can get a block.  You should see some system log entries when your WAN IP changes.  Look for a line near the IP change message that says "…restarting packages...".  If you don't see that line, and your IP changed, that's going to be the problem.  You would next need to determine why the packages did not restart.  Have you applied any manual patches to pfSense itself?

    Bill

  • How to backup configuration in readable text?

    5
    0 Votes
    5 Posts
    1k Views
    jimpJ

    ^ These things.

    If you have a good editor, it may already have base64 en/decoding built in.

    I use UltraEdit. All I have to do is select some text and use Edit > Decode base64.

    Notepad++ has Plugins > MIME Tools > Base64 Decode.

    There are scripts for Kate, and probably many other editors out there.

  • [Solved] Issue installing squid and squid guard

    12
    0 Votes
    12 Posts
    3k Views
    KOMK

    I've seen this behaviour before as well.  It's almost as if there are some operations in the package being done out of order, such as copying a library file to a dir that doesn't exist and then later creating that dir.  Fails on first install because the dir wasn't there, but succeeds on second try because the dir got created at the end of the first failed install.

  • Custom SquidGuard Error Pages Redux

    5
    0 Votes
    5 Posts
    2k Views
    KOMK

    I haven't tried that.  The problem with editing the local file is that any changes will be blown away during an upgrade.  The posts I linked to suggested just including the function in an external file so that you only had to add the include statement to the updated sgerror.php.  I know I should move the KOMerr.php out of /usr/local/www but I wanted to get it working at a basic level first.

  • Snort GUI misleading v- 2.2

    3
    0 Votes
    3 Posts
    954 Views
    C

    Thanks that worked perfectly.

    cjb

  • Testing snort alerts

    2
    0 Votes
    2 Posts
    939 Views
    bmeeksB

    @tsolrm:

    What sort of things would cause snort to throw an alert?

    I am trying to test its functionality so I need a few test cases that would prove that it works.

    Thank you

    Enable the Emerging Threats scan rules category, then scan the firewall (on the interface where Snort is running) from a host running nmap.  That should generate some alerts for MySQL probes, VNC probes and a handful of others.

    Bill

  • 0 Votes
    3 Posts
    780 Views
    P

    @marcelloc:

    As you're forwarding it via firewall nat/rules, just create a no nat rule before with your client ips.

    Thank you, Marcello!

    So, if I understand correctly, I create a rule that instead of forwarding the client's IP outgoing traffic from port 80 to port 8080 on the LAN interface (like I have with DansGuardian), I create a rule to forward port 80 outgoing traffic on the LAN interface to port 3128? So even if the proxy is set to bypass traffic from that IP in transparent mode, it will still force HTTP to be proxied, and HTTPS to be bypassed?

  • Snort suppress list not working ?

    5
    0 Votes
    5 Posts
    2k Views
    bmeeksB

    @godtor:

    Solved, I was missing the "Choose a suppression or filtering file if desired" option. My bad, sry :)

    And after choosing that file and saving the change, remember to restart Snort on that interface.

    Bill

  • Strange snort's portscan detection

    2
    0 Votes
    2 Posts
    1k Views
    BBcan177B

    Snort puts the interface in promiscuous mode so it's seeing any traffic on the selected interface.

  • 2.2 update(amd64) UnboundDNS package missing from package list

    2
    0 Votes
    2 Posts
    490 Views
    BBcan177B

    In 2.2, Unbound is part of the base pfSense software. Look in the GUI menu for "DNS Resolver".

  • 2.2 Update Woes - Squid/Squidguard/vnstat

    10
    0 Votes
    10 Posts
    3k Views
    C

    try squidguard-dev instead of squidguard3

    there is an issue with the libs after reboot but search for my post on how to correct it if you still need squidguard

  • Installation of haproxy-devel

    3
    0 Votes
    3 Posts
    987 Views
    marcellocM

    pbi is the FreeBSD port part of the package.

    You will need to download all the package GUI config files and manually edit config.xml to include the menu and execute the install script that most packages have.

    GUI files are on GitHub: https://github.com/pfsense/pfsense-packages/tree/master/config

    I suggest creating a local repo instead of a manual package install.

  • [Solved] NUT not working with 2.2 RC (amd64)

    3
    0 Votes
    3 Posts
    1k Views
    W

    Well, I've figured this one out…

    I was doing a full reinstall of 2.2 (to cope with my architecture switch problem), with a complete config.xml on a USB drive. An ingenious way to do it and it works like a charm. However, with a full install with config.xml on USB, none of the packages are reinstalled. Installing NUT manually afterwards creates the problem with it not starting. Removing and reinstalling the package does not help, NUT still won't start.

    However, after the full install I forced an upgrade with the same version, 2.2 Release AMD64, from an update image. This time the packages are reinstalled properly and NUT works perfectly again, with the old settings present in config.xml, without doing anything.

    This process triggered a battery calibration on my SmartUPS 1400 over serial that I cannot explain, but that is another issue.
    It works now.

  • MOVED: ipsec 2.2 - loss of fragmented packets

    Locked
    1
    0 Votes
    1 Posts
    429 Views
    No one has replied
  • [RESOLVED]squidGuard redirect causing squid fatal error

    6
    0 Votes
    6 Posts
    2k Views
    C

    good to hear!!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.