Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts

    Can I use pfBlockerNG aliases in HAProxy?


    If it was a firewall rule, typing pfb would produce a dropdown to select.

    Here it has to be written, but will it work? Is it supported?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeks

    I saw where the Netgate kernel developer updated the Suricata package in the pfSense 25.07 development branch to work with the new kernel PPPoE driver. But so far as I know that updated package has not been migrated to 2.8 CE.

    Here is the commit into the DEVEL branch: https://github.com/pfsense/FreeBSD-ports/commit/68a06b3a33c690042b61fb4ccfe96f3138e83b72.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do a backup, or also with cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    Gertjan

    @AlexK-0 said in Can't receive GeoIP databases updates anymore, banned:

    Days ago, I received from MaxMind an email, notifying me that my country has been banned to receive GeoLite City database updates.

    You've found a reason to use a VPN.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    99 Topics
    2k Posts

    @elvisimprsntr thanks for your suggestion. I will give it a try.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    johnpoz

    @MacUsers

    https://help.zerossl.com/hc/en-us/articles/360060119933-Certificate-Revocation

    edit: oh you prob out of luck

    You can revoke any certificate issued via the ZeroSSL portal. Currently, certificates issued via ACME can not be revoked from inside the portal - please follow the instructions of your ACME client for revoking those certificates.

    the gui in pfsense does not have the ability to revoke - you prob have to move the certs to something you have certbot installed to and revoke that way.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered it automatically. Only restarting FRR (either in GUI or via CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI it seems to solve the problem as well.

  • Discussions about the Tailscale package

    88 Topics
    573 Posts
    luckman212

    For 25.07 RC, this worked for me (run sh first)

    [25.07-RC][root@r1.lan]/root: sh
    # export IGNORE_OSVERSION=yes
    # pkg add https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.84.2.pkg
    # service tailscaled restart
    # tailscale up
    # tailscale version
    1.84.2
    go version: go1.24.4
    # tailscaled -version
    1.84.2
    go version: go1.24.4

  • Discussions about WireGuard

    689 Topics
    4k Posts

    @patient0 Thanks for further suggestions. The tunnel is definitely up and so I don't think this is a CGNAT issue after all. WAN firewall rule is in place for UDP on port 51823 (otherwise the tunnel wouldn't work, right?). I can ping from client 1 -> client 2 and vice versa and also ping all points in between like you suggest. I just can't open an HTTPS connection from pfSenseB from Client 1 using a browser. But I can do this the other way round, i.e. from Client 2 to pfSenseA.

    I will try and do some packet capture to see if that reveals anything.

  • NTOP question

    2
    0 Votes
    2 Posts
    643 Views
    jimp

    Use ntopng rather than ntop. Its main screen focuses on immediate/current traffic usage.

  • Bacula version compatibility issue

    4
    0 Votes
    4 Posts
    3k Views
    jimp

    That should be possible in theory. The FreeBSD ports tree has both available still, sysutils/bacula-client is 7.0.5, sysutils/bacula5-client is 5.2.12

  • Squid Proxy with HTTPS Inspection downgrades SSL/TLS Ciphers

    3
    0 Votes
    3 Posts
    2k Views

    @marcelloc:

    You mean client to squid cipher or squid to web server?

    I meant both connections. AFAIK sslproxy_cipher is for Squid <-> web server, and https_port is for Squid <-> web client. It doesn't hurt to keep both connections with strong SSL/TLS modes.

  • Ldap group Search filter for users in other OU's

    1
    0 Votes
    1 Posts
    672 Views
    No one has replied
  • 0 Votes
    33 Posts
    19k Views

    Have you restarted the firewall?

  • Snort keeps blocking my WAN

    6
    0 Votes
    6 Posts
    1k Views
    bmeeks

    It should not be blocking your WAN IP unless Snort is not getting restarted when your WAN IP changes.  Remember that Snort only reads the Pass List contents once at startup.  It stores the contents in a memory array and refers to that array when getting ready to block an IP.  If the IP is in the memory list, it is not blocked.  If it's not in the memory list, it is blocked.  But this memory list is only created at startup and is not updated again until Snort restarts.

    The BOTH selection should be fine.  You can change it if you wish, but depending on the direction of traffic, it may not help with your blocking problem.  I think that issue is caused by Snort not recognizing your WAN IP updated.

    If your WAN IP changes and Snort does not restart, you can get a block.  You should see some system log entries when your WAN IP changes.  Look for a line near the IP change message that says "…restarting packages...".  If you don't see that line, and your IP changed, that's going to be the problem.  You would next need to determine why the packages did not restart.  Have you applied any manual patches to pfSense itself?

    Bill

  • How to backup configuration in readable text?

    5
    0 Votes
    5 Posts
    1k Views
    jimp

    ^ These things.

    If you have a good editor, it may already have base64 en/decoding built in.

    I use UltraEdit. All I have to do is select some text and use Edit > Decode base64.

    Notepad++ has Plugins > MIME Tools > Base64 Decode.

    There are scripts for Kate, and probably many other editors out there.

  • [Solved] Issue installing squid and squid guard

    12
    0 Votes
    12 Posts
    3k Views
    KOM

    I've seen this behaviour before as well.  It's almost as if there are some operations in the package being done out of order, such as copying a library file to a dir that doesn't exist and then later creating that dir.  Fails on first install because the dir wasn't there, but succeeds on second try because the dir got created at the end of the first failed install.

  • Custom SquidGuard Error Pages Redux

    5
    0 Votes
    5 Posts
    2k Views
    KOM

    I haven't tried that.  The problem with editing the local file is that any changes will be blown away during an upgrade.  The posts I linked to suggested just including the function in an external file so that you only had to add the include statement to the updated sgerror.php.  I know I should move the KOMerr.php out of /usr/local/www but I wanted to get it working at a basic level first.

  • Snort GUI misleading v- 2.2

    3
    0 Votes
    3 Posts
    952 Views

    Thanks that worked perfectly.

    cjb

  • Testing snort alerts

    2
    0 Votes
    2 Posts
    939 Views
    bmeeks

    @tsolrm:

    What sort of things would cause snort to throw an alert?

    I am trying to test its functionality so I need a few test cases that would prove that it works.

    Thank you

    Enable the Emerging Threats scan rules category, then scan the firewall (on the interface where Snort is running) from a host running nmap.  That should generate some alerts for MySQL probes, VNC probes and a handful of others.

    Bill

  • 0 Votes
    3 Posts
    780 Views

    @marcelloc:

    As you're forwarding it via firewall nat/rules, just create a no nat rule before with your client ips.

    Thank you, Marcello!

    So, if I understand correctly, I create a rule that instead of forwarding the client's IP outgoing traffic from port 80 to port 8080 on the LAN interface (like I have with DansGuardian), I create a rule to forward port 80 outgoing traffic on the LAN interface to port 3128? So even if the proxy is set to bypass traffic from that IP in transparent mode, it will still force HTTP to be proxied, and HTTPS to be bypassed?

  • Snort suppress list not working ?

    5
    0 Votes
    5 Posts
    2k Views
    bmeeks

    @godtor:

    Solved, I was missing the "Choose a suppression or filtering file if desired" option. My bad, sry :)

    And after choosing that file and saving the change, remember to restart Snort on that interface.

    Bill

  • Strange snort's portscan detection

    2
    0 Votes
    2 Posts
    1k Views
    BBcan177

    Snort puts the interface in promiscuous mode so it's seeing any traffic on the selected interface.

  • 2.2 update(amd64) UnboundDNS package missing from package list

    2
    0 Votes
    2 Posts
    489 Views
    BBcan177

    In 2.2, Unbound is part of the base pfSense software. Look in the GUI menu for "DNS Resolver".

  • 2.2 Update Woes - Squid/Squidguard/vnstat

    10
    0 Votes
    10 Posts
    3k Views

    try squidguard-dev instead of squidguard3

    there is an issue with the libs after reboot but search for my post on how to correct it if you still need squidguard

  • Installation of haproxy-devel

    3
    0 Votes
    3 Posts
    981 Views
    marcelloc

    PBI is the FreeBSD port part of the package.

    You will need to download all the package GUI config files, manually edit config.xml to include the menu, and execute the install script that most packages have.

    GUI files are on GitHub: https://github.com/pfsense/pfsense-packages/tree/master/config

    I suggest creating a local repo instead of a manual package install.

  • [Solved] NUT not working with 2.2 RC (amd64)

    3
    0 Votes
    3 Posts
    1k Views

    Well, I've figured this one out…

    I was doing a full reinstall of 2.2 (to cope with my architecture switch problem), with a complete config.xml on a USB drive. An ingenious way to do it and it works like a charm. However, with a full install with config.xml on USB, none of the packages are reinstalled. Installing NUT manually afterwards creates the problem with it not starting. Removing and reinstalling the package does not help, NUT still won't start.

    However, after the full install I forced an upgrade with the same version, 2.2 Release AMD64, from an update image. This time the packages are reinstalled properly and NUT works perfectly again, with the old settings present in config.xml, without doing anything.

    This process triggered a battery calibration on my SmartUPS 1400 over serial that I cannot explain, but that is another issue.
    It works now.

  • MOVED: ipsec 2.2 - loss of fragmented packets

    Locked
    1
    0 Votes
    1 Posts
    429 Views
    No one has replied
  • [RESOLVED]squidGuard redirect causing squid fatal error

    6
    0 Votes
    6 Posts
    2k Views

    good to hear!!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.