1. Home
  2. pfSense Packages

Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    tinfoilmattT
    @johnpoz said in Please help to configure HAProxy to serve certifficate on internal LAN too: Yeah - what part do you not understand if you always resolve nextcloud.domain.tld so that it hits your haproxy on your pfsense wan IP are you not getting? You have 2 options - use a different domain internally and always go to nextcloud.publicdomain.tld, or use the same domain internally as external and run into the problem of what IP it resolves to.. Change your local domain to say home.arpa or .internal or atleast something different than the public domain your using to point to pfsense wan IP on the public internet. You are shooting yourself in the foot trying to use the same domain externally as internally. There are ways around it, but they complicate the setup. For example you might be able to use views in unbound as one way to work around the problem. You could use only host entries for all your resources. But then again you run into a problem of using the fqdn for this service, now always pointing to your wan IP.. And that is great when you want to access the service haproxy is doing - but if you want to access that resource on some other service that haproxy doesn't handle - like say simple file sharing.. You are going to have problems. Since you clearly do not understand how any of this works - the simple solution is change the local domain you are using so it is not the same as the public domain you want to use to get to your nextcloud. This tone is outrageous directed at somebody who acknowledged right off the rip that English is not their first language. How many languages do you speak, John? And safely assuming it's only one—English of course—take it from a fellow English native that you'd do well to say more with less words. You otherwise were directing OP in the right direction in my opinion.

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    DARAD
    Hello team, I have a Netgate 8200 running 24.11-RELEASE (amd64) with Suricata 7.0.8_5 package installed. Suricata doesn't seem to start. It loops to red once I press the Play button on the interface. It leaves no logs in the System logs, it leaves no logs in suricata.log at /var/log/suricata/suricata_ovpns933787/suricata.log I tried launching it manually: # /usr/local/bin/suricata -V or # /usr/local/bin/suricata -c /usr/local/etc/suricata/suricata_33787_ovpns9/suricata.yaml -i suricata_ovpns933787 and I get this output ld-elf.so.1: /usr/local/bin/suricata: Undefined symbol "__strlcpy_chk@FBSD_1.8" Thanks in advance, Dara

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    573 Topics
    3k Posts
    dennypageD
    @kabeda If memory serves, that old version of ntopng did not run as user ntopng, but as user nobody. There are lots of problems in that old version. Anyway, check the ownership and permissions of /var/db/ntopng and make sure it matches the user that ntopng runs as. You may need to set ownership of the entire hierarchy. Example: /usr/sbin/chown -R nobody:nobody /var/db/ntopng However, the better choice would be to upgrade to a more recent version.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    tinfoilmattT
    @netboy said in is something wrong with pfBlockerNG?: After my post, I "changed" DNSBL -> DNSBL mode from "unbound python mode" to "unbound mode" and so far i have no issues. Terrible idea. Moving backwards in development history there.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    102 Topics
    3k Posts
    dennypageD
    @fjmp24 said in Notification: UPS ups battery is low: If I remove ignorelb directive, my UPS shuts down after 16 seconds This means your UPS is signaling a low battery. Either your battery is bad, or your UPS is bad. Most likely battery, but you never know. I suggest reaching out to Eaton support.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    503 Topics
    3k Posts
    M
    I am using the DNS-Update method I have to use a DNS-Sleep of 5 minutes to let the letsencrypt txt dns record update propagate. During this 5 minutes the acme-webgui times out. when the acme-webgui times out the Action list is NOT executed. How can I solve this ? Would it maybe be an idea to let the acme.sh script execute the actions in the action list as a post-hook instead of the web-gui? Or maybe add an option to add post-hooks in the webUI ?

  • Discussions about the FRR Dynamic Routing package on pfSense

    296 Topics
    1k Posts
    C
    This one has been tricky still not sure what to try. Any ideas?

  • Discussions about the Tailscale package

    93 Topics
    654 Posts
    C
    @luckman212, Thanks for your suggestion. I will check what I have in /usr/local/pkg/tailscale/state, and also the RAM disk settings others have brought up. I could learn more about where Tailscale and pfSense store system files. If I find anything worth sharing, I will let you know.

  • Discussions about WireGuard

    715 Topics
    4k Posts
    S
    @LaUs3r Yeah, I added those IPs, but after restarting pfSense, the WireGuard status says “handshake failed.” Also, when I do nslookup us-bos.prod.surfshark.com, I get two different sets of IPs. For example: • The first time I get 43.225.189.108 and 43.225.189.118 • The next time I get 149.40.50.216 and 149.40.50.290 So I was wondering can I add both sets of IPs, and put a “0” at the end of each, and use /24 for both IPs? I reached out to Surfshark support, and they sent me their official pfSense WireGuard setup guide see the guide here in the guide they mention 10.14.0.2 for static routes
Log in to post
Load new posts
  • B

    Squid3-dev transparent…again

    2
    0 Votes
    2 Posts
    807 Views
    marcellocM
    It works.
  • belleraB

    Squid - diskd bug (ipcs and ipcrm not available)

    8
    0 Votes
    8 Posts
    4k Views
    T
    For Squid3 (3.4.10_2 0.2.5), on pfsense 2.2 you need ipcs and ipcrm from a 10.1 base. The diskd text should reflect that, now it still refers to 8.3. diskd uses a separate process to avoid blocking the main Squid process on disk-I/O. To use ipcs and ipcrm on squid, Download livefs.iso from ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/8.3/ mount it and copy /usr/bin/ipcs and /usr/bin/ipcrm to your system and set them as executables. diskd uses a separate process to avoid blocking the main Squid process on disk-I/O. To use ipcs and ipcrm on squid, Download livefs.iso from ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/10.1/ mount it and copy /usr/bin/ipcs and /usr/bin/ipcrm to your system and set them as executables.
  • G

    FreeRADIUS “daily” issue

    6
    0 Votes
    6 Posts
    2k Views
    G
    Simply deleting /var/log/radacct/timecounter/db.daily and starting the service fixed the issue. The newly created db.daily is 64 KB, not 16 KB. So it looks like it got corrupted somehow. How do we prevent this from happening in the future? Thank you
  • R

    About haproxy-devel

    2
    0 Votes
    2 Posts
    843 Views
    P
    First add a backend, in there you can add multiple destination servers. To actually use it, you also need a frontend that uses the backend and listens on a port.
  • J

    Squidguard/Web Filtering Questions

    3
    0 Votes
    3 Posts
    1k Views
    J
    Thanks for your reply.  I definitely have some reading/digging to do but that link appears to contain helpful information for the active directory piece.
  • S

    Snort error: Could not create configuration reload thread

    11
    0 Votes
    11 Posts
    3k Views
    bmeeksB
    @johanstrand: Hi! I had it set to AC. I changed to AC-BNFA and it Went from 1.3GB to 380MB. Maybe this was the reason for the original problem. I am still suspicious of the rules because now (after resinstall) I can activate all rules using AC as the pattern matcher and snort starts without any problem and it takes about 1.4GB of RAM. I can not reproduce the reconfig thread problem. /Johan The AC pattern matcher will slowly gobble up RAM as it operates.  I have seen posts on other sites where users have had it gobble up 16 GB of RAM and more with a lot of traffic and rules. There is no appreciable difference in the performance of any of the pattern matchers on today's hardware.  AC-BNFA or AC-BNFA-NQ is the suggested setting, and I would advise to never change it. Bill
  • W

    Squid as parent for havp

    11
    0 Votes
    11 Posts
    3k Views
    marcellocM
    @webstor: Tried, couldn't fix it. Still the icap error. Maybe related only to amd64 ? Check your logs the icap is working on 0.2.4 version. There is a typo on clamav config check that i'll send a fix today.
  • M

    Revamp of an old closed question regarding uPnP proxy.

    1
    0 Votes
    1 Posts
    637 Views
    No one has replied
  • T

    Can snort be configured for a single interface or VLAN?

    5
    0 Votes
    5 Posts
    2k Views
    T
    Well I'm trying to eliminate any security measures from a certain lan due to bitching about the rules blocking stuff… so adding snort to the wan will probably cause more issues and they are not willing to troubleshoot.
  • I

    Apply different blocking level to different VLans

    7
    0 Votes
    7 Posts
    2k Views
    jahonixJ
    Surely I know and have used Squid as cache. But never more than that. Thanks for pointing me to it.
  • J

    Squid Reverse Proxy stops working when using Squid3 load balancing ACL

    2
    0 Votes
    2 Posts
    2k Views
    J
    I figured out how to fix the issue. First I had to learn some Squid bits and figure out how the Squid.conf is interpreted (ie. top-to-bottom for first-matched ACLs) and what some of the various "tags" mean. I found the following link quite useful to get some basics under the belt: http://www.deckle.co.uk/squid-users-guide/squid-configuration-basics.html After grokking the Squid.conf that was generated by pfSense, I figured out what the existing reverse-proxy configuration ACLs were (as it was needed to for the cache_peer_access tags). For those interested, you can use the "Edit File" function under the "Diagnostic" in the webconfigurator to browse to the generated Squid.conf file. In my case it was under: /usr/pbi/squid-i386/etc/squid/squid.conf Note: Yours may in in a different location if you use a different version or have the AMD64 version of pfSense. After figuring out how these are interpreted by Squid (i.e. the order, precedence, overrides, etc.) with the help of the above link, I understood what was needed. I looked up all the reverse-proxy ACLs generated by pfSense and create an tcp_outgoing_address tag for each using the LAN side IP (or DMZ side if that's where you are reverse-proxying to). For example, the following is what I ended up with. This must be placed above the bits for the random ACL to load-balance the forward-proxy. 192.168.0.254 is the IP of my LAN side interface: tcp_outgoing_address 192.168.0.254 OWA_URI_pfs tcp_outgoing_address 192.168.0.254 rvm_Extranet tcp_outgoing_address 192.168.0.254 rvm_Prototype tcp_outgoing_address 192.168.0.254 rvm_WebService tcp_outgoing_address 192.168.0.254 rvm_License # Put load balancing tags after setting the tcp_outgoing_address for reverse proxy tags acl fiftyPercent random 0.5 tcp_outgoing_address <<wan1-ip-here>> fiftyPercent tcp_outgoing_address <<wan2-ip-here>></wan2-ip-here></wan1-ip-here> The result is that for the reverse-proxy traffic goes to the specified LAN side IP , and then the remainder of all other traffic is load-balanced via the random ACL on the WAN IPs. Hope that helps anyone else who might run into a similar issue.
  • stephenw10S

    Shellcmd suggestion

    3
    0 Votes
    3 Posts
    1k Views
    M
    +1.
  • T

    Are there any conflicts with running Squid + Squidguard + snort?

    4
    0 Votes
    4 Posts
    2k Views
    J
    Running one firewall with pfSense 2.1.5 (AMD64) + Squid (2.7.9) + SquidGuard (1.5_1.1 beta) + Snort + pfBlocker and have no issues. Proxy is NOT transparent. Running another firewall with pfSense 2.1.5 (i386) + Squid3-dev (3.3.10 pkg 2.2.8) + SquidGuard (1.4_4 pkg v.1.9.5) + Snort + pfBlocker and have no issues. Proxy is NOT transparent. ClamAV is not enabled as I get ICAP timeouts. Both are stable and responsive. Hth.
  • TAC57T

    UPS Support - pfSense and a FreeNAS Server?

    7
    0 Votes
    7 Posts
    6k Views
    V
    Cool! Glad to hear! Those instuctions were directly from my own setup, so if you need any further assistance I'll help where I can.
  • T

    Set up Squid proxy for different network

    4
    0 Votes
    4 Posts
    1k Views
    M
    Use the setting upstream proxy.
  • N

    Freeradius not starting at boot when use mysql as database

    2
    0 Votes
    2 Posts
    1k Views
    N
    Can any one help me?
  • H

    Snort OpenAppID on the GUI

    7
    0 Votes
    7 Posts
    4k Views
    bmeeksB
    By the way, if you come up with a collection of working rules for OpenAppID that you think others would find useful, please share them here on the Forum.  This is a new technology, and group collaboration would be a good thing as folks learn and try it out. Bill
  • M

    Squid3 : Low downloads speeds and CPU overload

    1
    0 Votes
    1 Posts
    773 Views
    No one has replied
  • J

    FreeRadius users

    6
    0 Votes
    6 Posts
    1k Views
    J
    I found solution! On the user check attribute add Calling-Station-Id += 'mac adress', | Calling-Station-Id += 'mac adress', | and more if need… before I try syntax := and this not working..
  • G

    Suricata

    3
    0 Votes
    3 Posts
    1k Views
    bmeeksB
    Currently Emerging Threats offers no lower cost versions that I am aware of (excepting the free Open Source version you mentioned). You can use the Snort VRT rules with Suricata, but there are around 700 of those rules (if I remember the count correctly) that will not load because they contain keywords Suricata does not recognize.  They won't break Suricata, but any protection afforded by the non-loading rules will of course be sacrificed. Snort VRT does offer a home-use annual subscription for their latest rules.  It is $29.99 USD per year.  That's certainly cheaper than $500 USD per year. Many folks use a combination of the ET-Open free rules and a paid Snort VRT subscription.  Of course if you are a commercial enterprise, $500 per year is generally not considered an excessive expense for cyber security protection. Bill
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.